
Little-Known Features of Illumio Core: Enhanced Data Collection

In this ongoing series, Illumio security experts highlight the lesser-known (but no less powerful) features of Illumio Core.

We’ve been using detection tools for decades. But the number of breaches and ransomware attacks continues to increase.  

Cyberattacks are changing and moving faster than ever. It’s impossible to detect and prevent all breaches, but we can stop their spread when they happen.

Illumio Zero Trust Segmentation (ZTS) stops the spread of breaches and ransomware attacks before they can get to your critical assets and data. Instead of trying to prevent or detect the next attack, Illumio ZTS locks the door on your network segments.

But what about the small number of ports that need to stay open so you can run your business? Illumio’s Enhanced Data Collection feature helps you monitor your traffic volumes to find anomalies and take action if needed. Keep reading to learn more about how this feature works and the value it can bring to your organization.

Threat detection isn’t enough to secure against breaches

Attackers are deploying malware and ransomware faster than detect-and-response tools can keep up. Zero-day threats, such as the MOVEit attacks by the Clop ransomware group, can quickly slip past detection tools and immediately spread through your network.  

If you don’t have a way to stop undetected breaches from spreading, attackers can access your most critical resources in minutes.

After the first workload gets compromised, attackers will immediately look for open sessions so they can spread to neighboring workloads. Ports commonly open and listening between workloads include RDP, SSH, and SMB. Any of these can easily be used by malware to deliver its payload to neighboring workloads, spreading across the infrastructure at exponential speed.  

Illumio ZTS stops all breaches from spreading at any scale, even if they’ve gone undetected by threat-hunting solutions. You can block the ports attackers use most often to breach networks, only allowing access to a small set of centralized management systems. This means that any successful breach will be isolated to its entry point and unable to move through the rest of the network.  

Instead of devoting resources to first detect a threat and then understand its intent, Illumio simply prevents threats from using sessions and open ports between workloads to spread. Illumio locks the doors before trying to understand why someone is trying to break them down.  

This ensures that a small, undetected security problem can’t silently escalate into a catastrophic incident.

Enhanced Data Collection: Securing ports that must stay open for business

If you block 100% of all ports everywhere, you are 100% safe from malware spreading through your network. But it also means you’re 100% unable to do business. For example, processing workloads will still need access to database workloads.  

How does Illumio monitor that small number of ports that have to stay open, to make sure they’re not being misused?

With the Enhanced Data Collection feature, Illumio virtual enforcement node (VEN) agents use the firewalling capabilities built into most modern operating systems to enforce policy. Because these VENs are deployed directly onto a workload, they’re also able to collect information about:

  • Processes currently running on all managed hosts
  • The volume of traffic used on open ports  

The Illumio policy compute engine (PCE) then displays and logs the number of bytes seen across specific open sessions of managed workloads.  

For example, if Port 53 is left open on a workload to enable DNS access, the VEN can collect metrics on the volume of traffic seen over that port. If the byte count shows small traffic volumes, as expected, this helps to ensure that this is valid DNS traffic. But if the count shows 10 gigabytes of traffic passing across that same port, this is a red flag that it's not valid DNS traffic. It could indicate that there’s an active DNS-tunneling threat.  

You can view the traffic volumes found by the Enhanced Data Collection feature and take action automatically. A security information and event management (SIEM) solution, such as Splunk, can harvest logs from Illumio. If it sees anomalous traffic volumes across open ports, it can use its security orchestration, automation, and response (SOAR) platform to automatically send API-driven instructions to Illumio to block these ports. Responding to traffic anomalies requires an automated response to avoid the lag time caused by a human needing to make a decision.  
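As an added illustration of the SIEM-side check described above (example code written for this article, not Illumio's own software), the snippet below reads constructed per-session byte counts, builds a per-port baseline from the median, and flags sessions far above it. The record field names, host names and byte values are all assumptions, not a real PCE export format.

```python
"""Flag open-port sessions whose byte volume is far above the port's baseline.

Hypothetical example, not Illumio's code; the flow records below are
constructed and only loosely resemble a PCE traffic export."""
import json
import statistics
from collections import defaultdict

# Constructed sample: per-session byte counts observed by agents on
# managed workloads. Field names are assumptions, not a real schema.
SAMPLE_FLOWS = """
{"src": "web-01", "dst": "dns-01", "port": 53, "proto": "udp", "bytes": 1800}
{"src": "web-02", "dst": "dns-01", "port": 53, "proto": "udp", "bytes": 2100}
{"src": "app-01", "dst": "dns-01", "port": 53, "proto": "udp", "bytes": 1500}
{"src": "app-02", "dst": "dns-01", "port": 53, "proto": "udp", "bytes": 10737418240}
{"src": "app-01", "dst": "db-01", "port": 5432, "proto": "tcp", "bytes": 52428800}
{"src": "app-02", "dst": "db-01", "port": 5432, "proto": "tcp", "bytes": 61000000}
"""


def parse_flows(text):
    """Parse newline-delimited JSON flow records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_volume_anomalies(flows, ratio=20.0):
    """Return flows whose byte count exceeds `ratio` times the median
    byte count for the same destination port. The median is robust to a
    single outlier, so the 10 GiB DNS session does not inflate its own
    baseline the way a mean would."""
    by_port = defaultdict(list)
    for f in flows:
        by_port[f["port"]].append(f["bytes"])
    anomalies = []
    for f in flows:
        baseline = statistics.median(by_port[f["port"]])
        if baseline > 0 and f["bytes"] > ratio * baseline:
            anomalies.append({**f, "baseline": baseline})
    return anomalies


if __name__ == "__main__":
    for a in find_volume_anomalies(parse_flows(SAMPLE_FLOWS)):
        print(f"port {a['port']}: {a['src']}->{a['dst']} {a['bytes']} bytes "
              f"(port median {a['baseline']:.0f}); candidate for an automated block")
```

In a real deployment the baseline should come from a longer history per port and workload pair rather than a handful of sessions, and the flagged record would be handed to the SOAR playbook that calls the PCE API.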

How Enhanced Data Collection works

You can use Enhanced Data Collection in two ways:  

  • Pairing Profiles: The VENs will start counting bytes for sessions on workloads as they are initially paired.  
  • Workloads: Bytes will start being counted on workloads that are already deployed.

[Figure: Enhanced Data Collection settings for Pairing Profiles and for existing workloads. You can record traffic volumes as workloads are paired (top) or on existing workloads (bottom).]

The feature collects and logs traffic volumes for all traffic over an enforced session. You can then view this data in the Traffic option of Illumio’s PCE graphical user interface (GUI).

[Figure: The PCE GUI's Traffic option, where traffic volumes are viewed.]

Enhanced Data Collection can detect threat behaviors without needing to intercept any traffic. Illumio detects traffic volumes entirely from the management plane by monitoring managed workload processes and those workloads’ expected behavior. This avoids the risk of creating a bottleneck in the data plane.  

Prepare for the next breach or ransomware attack with Illumio

Threat-hunting solutions are still an important part of a Zero Trust architecture. But to build your Zero Trust foundation, it’s crucial to have Zero Trust Segmentation.

Zero Trust shouldn’t make your network more complex; it should simplify it. Illumio ZTS delivers a simple solution to a complex security challenge.  

To learn more about using Enhanced Data Collection, contact us today for a free consultation and demo.
