Stopping Lateral Movement with Zero Networks

Lateral movement across networks remains one of cybersecurity’s most persistent challenges, particularly in an era dominated by ransomware attacks. The root cause isn’t a lack of awareness. Organizations have known about this vulnerability for years. The real culprit is complexity. As environments age and expand across cloud, on-premises, and hybrid infrastructures, the sheer difficulty of segmenting networks without breaking critical business operations has made lateral movement a winning strategy for attackers. Traditional microsegmentation approaches have promised solutions but delivered frustration, requiring massive professional services engagements and ongoing manual policy management that scales poorly, especially in OT environments where different protocols and legacy systems add another layer of difficulty.

In this episode, Benny Lakunishok, co-founder and CEO at Zero Networks, explains how their automated approach to microsegmentation addresses these challenges by putting a network bubble around every asset, from clients and servers to OT devices and cloud resources, without requiring agents or breaking existing environments. Joining him are Shaun Marion, VP and CSO at Xcel Energy, and Doug Mayer, VP and CSO at WCG.

Want to know:

  • Why does complexity make lateral movement such a persistent problem despite years of awareness?
  • How can microsegmentation be deployed at scale without becoming a massive science project?
  • How does Zero Networks handle MFA and privileged access management across all asset types?
  • What happens if there’s already a threat living in your environment during the learning phase?
  • How to segment OT environments that use different protocols beyond standard IT systems?
  • Can automated learning really create accurate policies without extensive human intervention?
  • How does network segmentation fit into AI capabilities and hybrid cloud strategies?
  • What’s the real-world experience of customers who’ve deployed automated microsegmentation?

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Zero Networks

Zero Networks enables organizations to dynamically microsegment 90%+ of their networks in 90 days. The result? A self-defending, resilient network where defenders act with confidence, auditors gain clear assurance, and business operations continue uninterrupted. Step into the Era of the Defender with Zero – get a demo HERE.

Full Transcript

Intro

0:00.000

[Voiceover] Connecting security solutions with security leaders. Security You Should Know starts now.

[Rich Stroffolino] Welcome to Security You Should Know. I’m your host, Rich Stroffolino. Today we’re talking with Zero Networks and what they’re doing in zero trust architecture. Now, the problem they’re addressing, it is a big one in the age of ransomware, kind of an age-old problem here is that lateral movement across your network is still a nightmare for most organizations.

Helping us find out why this is such a continuing problem are Shaun Marion, the VP and CSO over at Xcel Energy, and Doug Mayer, VP and CISO at WCG. So Shaun, let me start with you. Why is lateral movement still such a problem? We’ve known about it for forever.

Why are we still struggling with it?

[Shaun Marion] Complexity. I mean, it comes down to sheer complexity. You go across all of our environments, especially these aging environments, it’s just too complicated to separate those things, at least traditionally it has been, without breaking things.

And when you’re going to go to the business and weigh out security risk of all the times the business is going to win, especially when it comes to impacting operations. So complexity, I would say, is the keyword.

[Rich Stroffolino] Doug, what about for you? Is Shaun right on here with complexity, or are there other issues that are keeping this a persistent issue for us?

[Doug Mayer] No, I agree with the complexity. As you start adding on the clouds and going to a hyper cloud environment, that complexity builds up. Again, like Shaun said, if you’re dealing with legacy environments, you have to deal with complexity and I think that’s where lateral movement does become a problem.

Set the table

1:33.700

[Rich Stroffolino] All right. Well, today we’re going to be talking with Benny Lakunishok, the CEO at Zero Networks. We are thrilled to have him on the show. Now, Benny, to start out, we need to answer some essential questions here. How do I explain the value of your solution to my CEO, what does your solution do, what does it not do and what is the pricing model?

Can you help us out set the table here?

[Benny Lakunishok] Sure. So real quick, we give you business resilience, which is the opposite of lateral movement because nothing can move in your environment. We do not break your environment. That’s what we do not give you. Or we do not burden you with a lot of manual work and labor that microsegmentation has historically and the legacy providers have been known for, which is, again, coming to what Shaun and Doug, what they said.

In the terms of the pricing model, it’s a fairly simple subscription model based on assets. Per asset you segment, you pay and depending on the asset type, the license is a bit more expensive or less. And of course, the bigger the organization, the less you pay per asset.

That’s the licensing model.

Discussion setup

2:34.000

[Rich Stroffolino] All right. So we have the preliminaries here. We know why we’re still having this problem. We’ve kind of gotten just a little taste of what Zero Networks is up to, but I’m sure you both have a lot of questions. So, Doug, let me come to you first here.

What other questions do you have about Zero Networks?

[Doug Mayer] I’d like to understand more about how they handle the MFA and the privilege access management. How do you adapt that to something you have existing?

[Benny Lakunishok] So first, just to understand, our micro-segmentation essentially puts a network bubble around every asset you want, every client server, OT/IoT cloud, Kubernetes. Whatever asset type you want, we can segment and put a default inbound block in front of it.

One of the features in that segmentation is to have certain ports kind of like TCP 22, so SSH or RDP or any other privileged port to have that always closed across their estate. And we, because we see both processes and users and identities, we know who is trying to connect that we now blocked on those ports.

And then we can push MFA with any identity provider you want. If you approve, we’ll open that port only for you. So we kind of bring, if you will, MFA to TCP/IP. Any TCP/IP connection you want is now MFA-able. So all of the legacy stuff you mentioned or anything really can get MFA-ed.

[Rich Stroffolino] Shaun, how about you? What other questions do you have about Zero Networks?

[Shaun Marion] Yes, maybe I’ll go back with the problem statement or at least mine. I know there’s multiple problems here when it comes to lateral movement. But if we talk about complexity, the complexity of deploying this, you talk about identities, you can put a bubble around an asset, ITOT, all of that.

How do you roll that out at scale and not make this a massive science project?

[Benny Lakunishok] So great question. One of the CTOs, one of the largest airlines in the US, actually said after 15 minutes of deploying, that’s it. So it’s a virtual appliance or appliance as you deploy. They are stateless. They know how to, in an agentless way, remotely connect to any asset type you want, again, Windows, Linux, Mac, Kubernetes, PaaS, whatever, and manage them for APIs, each API is different, and use the controls already there.

Kind of think about living off the land defense that we orchestrate. So we use the Windows firewall, the Linux firewall, the Mac firewall, the NSG on the PaaS, the CNI on the Kubernetes cluster. Whatever is there, we know how to manipulate with APIs, kind of like a hacker but in a safe, secure way, and use that control to give us the visibility and the control.

On top of that, that’s kind of the mechanism or the physics of how we do it.

We have automation. Without any AI, you can click in the UI and say these assets, whatever they are, I want to cement them. We put them in one month, by default one month of learning. We understand deterministically what’s going on and what should be open and we automate the policy creation.

We had one customer that cemented 15,000 assets in one month, one click without any human interaction.

[Shaun Marion] Maybe a follow on question, if I can. So you talk about you can determine based on identity. So how do you know that Benny cannot access this host on Port 22, but Doug can? Is that just through learning and seeing behaviors?

[Benny Lakunishok] So first of all, for the privilege ports, we don’t learn. We just say everything is evoked. There is no TCP access. I wanted to prove it’s you with a phone that separates you from malware, attackers, whatever, and then I’ll allow you to access.

So by default, these MFA policies we call them, just allowing any user in your IDP that you trust that has MFA. You can tighten those and say, well, actually, for that group of servers, I don’t touch elevating MFA. I also want to tighten it and say only that group of users from that group of machines.

And even you can say only with these processes, these source processes that they are trying to do, only then MFA.

[Shaun Marion] Got it.

[Doug Mayer] So let me add on to this. What happens if someone already has someone living off the land in that environment that you’re learning from? Do you see that and enable to help mediate your new customer?

[Benny Lakunishok] You mean if you have an existing control like a Windows Firewall configured?

[Doug Mayer] No, you have an existing threat.

[Benny Lakunishok] Does the living off the land attack? Okay. So yeah, our learning, there’s a bunch of things there, but our learning does take that into account, although most customers, you won’t have any attacker there. But we do know how to sift for various both detections and just known threat indicators of don’t learn that.

Plus, most lateral movement tactics happen on privileged ports. Guess what? Those we kind of never open. You have to MFA. So you scratch that off also.

Plus, even if we do learn, after everything I’ve said, we’ll learn something specific that they’re doing for a month and then they will try to move away from that, that will be blocked. So they won’t be able to. So generally, even if we are in a dirty environment with an attacker, most attack tactics will be cut off just with MFA, unrelated to learning.

The learning is ignoring that. And then maybe we’ll learn a few things, but those will be contained. You will not be able to move other than that.

[Doug Mayer] So additionally, when you learn off the land, how do you handle if there’s larger networks than versus smaller networks that you’re segmenting? Is there a capacity challenge that you run into?

[Benny Lakunishok] No, we get that a lot, but our architecture was built for scale. The virtual appliance I mentioned, one of those supports 10,000. You add to 20,000. This just auto scales. We’ve scaled already to hundreds of thousands. So the architecture was built for scale.

In terms of the learning itself, that’s kind of the physics of how we remotely hook into things and monitor. And the automation itself, we know how to humanize rules, how to aggregate, how to group them so that we don’t open 50 rules per machine or per server.

We know how to aggregate them. Oh, this is something that’s happening across. It’s one rule, not a rule per machine. So we know how to do this in a way where let’s say for 10,000 machines, you will have actually potentially less than 1,000 rules. So it’s very manageable.

[Shaun Marion] So you’ve done this a few times now. You’ve done these deployments and multiple customers. A lot of us have tried to do some degree of segmentation throughout the years. Again, it just becomes very hard. So what advice would you have for a security team or the security leaders as they look to do this, as they start?

What should they do to get it right?

[Benny Lakunishok] You really have to look end to end and understand how would you operationalize this and there’s just a lot of details. And make sure that if you have a problem, focus on that problem to solve for that because perfect is the enemy of good in many times so don’t try to be too good, let’s say, from that perspective.

Obviously I’m biased, but with us, you can actually do more good with a lot less people and a lot less time. We don’t offer professional services. We give you an engineer to work with and no professional services and we can very quickly segment everything.

But if you are looking at any of the legacy vendors in the space, make sure you really understand what you want to do here. Try to minimize it because the amount of work is just enormous and that will multiply later on as well. That’s why we’ve built the automation to alleviate all of that.

[Shaun Marion] Yeah. So maybe building off of that, so when I think in the OT side, which can be a bit more just different, challenging, not always, but different for sure, so are you guys protecting access to that environment? Or actually, I mean, I’m sure you do that as far as access to the firewall.

Let’s say that it’s segmented off to some degree or whatever the case is, but once we get on to that network, you’re talking a lot of these devices communicating different protocols. So how do you guys manage that? Is it just protecting access to let’s say it’s some kind of OT environment or do you get even deeper into the OT environment to control access?

[Benny Lakunishok] We go deeper into the OT environment. We know how to integrate with switches and routers and put ACLs there, essentially on any switch and routers you’ll bring to us. And by the way, we supported a lot of the major vendors. And I said, but we also have this, so we will add support to put an ACL programmatically on that switch on order, as long as it supports it, to be able to segment those off individually and to segment things within the OT environment as well.

Yeah.

[Doug Mayer] So let me pivot you a little bit. With AI capabilities coming and segmentation being really important for AI guard rails, how do you see you’re fitting into that area where an organization might be leveraging the cloud more for AI capabilities?

How do you see you fit in there?

[Benny Lakunishok] So just to make sure I understand the question, when you say leverage the cloud for AI more, you mean SaaS native AI applications like a ChatGPT or a cloud?

[Doug Mayer] No, no. I mean like Azure, using Azure data in a center type of situations. How do you find yourself segmenting that environment to make companies more AI capable, you could say?

[Benny Lakunishok] I don’t know if we’d make them more AI capable. That’s up to them. But what we do in a hybrid situation, let’s say you have something on-prem, something cloud or multiple clouds even, we don’t care. We segment whatever it is so that you have one EY to see all of your assets in Azure, in AWS, in GCP, in Oracle, in on-prem and you see the connections between them in one place, in one view and also the rules that dictate who can connect where from a networking perspective in one place.

And also the automation does it across everything. So you have one place to segment and see all of your networking, network control, network security, if you will, in one place.

Now that you have this much more tight environment, your micro-segmented environment, regardless of how many fragments or pieces or cloud and on-prem it is, now you’re in a place where you can enable more things. Whether you want to innovate with AI or other things, that’s just you can do that.

You can also do that without, but you are at more risk, let’s say.

[Doug Mayer] So I get the sense that it’s more getting the basics in place so you can move into that AI capability and make that segment specific to that.

[Benny Lakunishok] Yes, yes. From that perspective, segmenting, it makes it easier.

[Shaun Marion] I remember the day we had these on our walls. We had these big plotted, printed network diagrams, but now it’s got to the point now you couldn’t get it on. I mean, you’d take up a whole building to get them up there. And so I’m curious, is it you’re just scanning the entire environment, looking for everything, classifying that as cars like this is a Windows device, this is that or do we need to provide you with data ahead of time?

Or is it a mix of the both to kind of get a good picture of the environment?

[Benny Lakunishok] By default, we don’t need anything. We’ll just hook into your asset repositories, your Azure, Azure AD, Classical Active Directory. We’ll hook into where all of your assets exist, Intune, whatever, Ansible, Jump, more asset repositories that we support.

We have more. See all of the assets and then get the permission to connect to them and understand what are they doing, what are the running processes, what type of connections just without scanning. We don’t scan, really. We just connect to stuff and get the metadata of all of the connections live, by the way, agentless in real time without being in line.

So we don’t need any of that.

Now, if you want our rule engine, the automation, to be automating not in a generic way, but in a way that says you understand your environments and apps, let’s say you have that in your CMDB, whatever it is. And if we sync with your CMDB, we automatically create labels, automatically create tools based on your labels, based on your application environment.

So the automation engine knows how to adapt if you sync your CMDB, when you just, in a click, you set it up with us essentially.

[Rich Stroffolino] All right. Well, Benny, lots of great questions. Thank you so much for all of your answers.

Last question

14:53.600

[Rich Stroffolino] But is there one thing that we didn’t ask about that we need to know?

[Benny Lakunishok] One question we get a lot or not question, I would say comment that this is too good to be true. This is what I keep hearing. We literally have a slide deck on that. And I would say, yes, I heard Shaun laughing because that’s what he probably felt in his head.

And I kind of, “Oh, Benny can read my mind.” So I encourage everyone that’s thinking the same that wants to get serious about stopping lateral movement for good to go to our website, zeronetworks.com, go to the middle of the home page. You don’t need to scroll much.

See 10 videos of customers that went on the mic and said, “I didn’t believe it and I’ve segmented my entire environment in a few clicks.” That’s what I encourage you to do and would love to potentially help anyone that needs to solve for that.

Outro

15:44.600

[Rich Stroffolino] Well, that’s just about it for this episode of Security You Should Know. Like Benny said, to learn more, head on over to zeronetworks.com. And if you have any feedback for this show or for our panelists, feedback@CISOSeries.com. A huge thanks to Shaun and Doug for helping us learn more about what Zero Networks is doing, digging into all of the important details.

And thank you, Benny, for being game and for your time to answer all of these questions. And thank you for listening to Security You Should Know.

[Voiceover] That wraps up another episode of Security You Should Know. If you like this program, please subscribe, tell your friends and leave us a review. All companies showcased on this program are sponsors of CISO Series. If your company would like to be spotlighted and interviewed by our security leaders, go to our contact page on CISOSeries.com or just email us at info@CISOSeries.com.

Thank you for listening to Security You Should Know, connecting security solutions with security leaders.

Rich Stroffolino
Rich Stroffolino is a podcaster, editor, and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.