One of the best illustrations I know for modern defence strategy didn’t happen in a cloud or data centre. It happened 25 years ago in London, during a diamond heist at the Millennium Dome.
The city was ringing in the year 2000 with fireworks – and a diamond exposition. At the heart of the Millennium Dome exhibition gleamed the Millennium Star, a flawless 203-carat diamond flanked by millions of dollars’ worth of other gems.
It didn’t take long for a criminal gang to hatch a plan: crash through the Dome with a bulldozer, smash the display cases and escape via speedboat down the Thames. Bold. Fast. Broad daylight.
But Scotland Yard was ready. Authorities didn’t know when or how, but they knew an attack was coming and that there wasn’t much they could do to prevent it. Officers posed as cleaners, vendors and tourists – armed, alert and waiting. When the bulldozer finally slammed through the wall, police swarmed in. Every attacker was caught, either inside the Dome, on the river or at their safe house. The heist was over before it began.
The lesson? It wasn’t strong locks or thick glass that saved the diamonds. It was containment of the threat: intelligence, readiness and the ability to act decisively once the attack was in motion.
Cyber-security must work the same way. Prevention matters. But assuming you can stop every attack is a foolish strategy in today’s world. The question is no longer if attackers will get in. It’s how well prepared you are and how you react when they do.
This isn’t fearmongering. It’s fact, and the data proves it (again and again). Despite years of investment in prevention, ransomware spreads and breaches continue to happen, often with catastrophic outcomes. For decades, organisations have been on the losing side of a cyber-security arms race. Even as cyber-security spending jumps again this year to $212 billion, the cost of cyber-crime is rising at the same rate, but towards a far larger figure: $10.5 trillion, according to Cybersecurity Ventures.
Cyber-criminals have adapted, but defenders have not. Today, the most effective security posture starts with one very simple assumption: breach is inevitable. Success in this new reality hinges not on stopping every breach, but on how you react and how resilient you have become.
Welcome to the post-breach world
The post-breach world is real, and it’s here. Attackers have evolved their techniques, exploiting fundamental weaknesses – especially human error. But they’re doing it faster and more effectively than ever before. At the same time, they’re finding new opportunities to exploit, including misconfigurations, missing patches, excessive permissions and poor vulnerability management.
The defender’s most important tool is containment, and it changes everything. It transforms cyber-security’s binary focus – keeping attackers out – into a more nuanced strategy of cyber-resilience. It’s about stopping attackers in their tracks and strengthening your defences with every new attack.
Enhanced visibility with security graphs
Just as motion detectors and cameras reveal suspicious activity at home, defenders need tools to illuminate movement inside their digital environments. That’s where security graphs come in.
Security graphs provide a real-time, contextual map of the environment. They highlight relationships between clouds, users, devices, applications and data. In other words, they connect the dots, so that defenders can see the entire landscape and have an even better understanding than the attackers. With the help of AI and advanced analytics, security teams can detect lateral movement, expose hidden threats and identify vulnerabilities before they can cause lasting harm.
As Microsoft Threat Intelligence Vice President John Lambert famously put it, “the biggest problem with network defence is that defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.”
Security graphs don’t just show you the haystack; they allow you to find every needle in every haystack. They’re foundational to modern cyber-security. They help teams shift from reactive to proactive by prioritising what matters most and enabling faster, more informed decisions.
Containment in action: fast, focused, and fundamental
Containment works when it’s fast, focused and well-co-ordinated. Once an attacker breaches the perimeter, defenders need instant visibility to locate the intruder and limit their movement. Security graphs provide that visibility. Network segmentation adds another layer, isolating critical systems and preventing attackers from spreading laterally.
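The graph view and the effect of segmentation described above can be shown in a few lines. This is an added example, not code from the article or from Illumio; the asset names, allowed flows and deny rules are all constructed for illustration. It computes which assets are reachable from one compromised host (the blast radius) and the shortest path to each critical system, before and after segmentation removes flows.

```python
from collections import deque

# Constructed sample: allowed network flows (source -> destinations).
# Every asset name here is hypothetical.
FLOWS = {
    "laptop-17": ["file-share", "jump-host"],
    "file-share": ["backup-srv"],
    "jump-host": ["app-srv", "hr-db"],
    "app-srv": ["payments-db"],
    "backup-srv": ["payments-db", "hr-db"],
    "payments-db": [],
    "hr-db": [],
}
CROWN_JEWELS = {"payments-db", "hr-db"}

# Constructed segmentation policy: flows to block.
DENIED = {("laptop-17", "jump-host"),
          ("backup-srv", "payments-db"),
          ("backup-srv", "hr-db")}

def attack_paths(flows, start, targets):
    """Breadth-first search from a compromised asset. Returns the set of
    reachable assets and the shortest path to each reachable target."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in flows.get(node, []):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    paths = {}
    for target in sorted(targets & set(parent)):
        hop, path = target, []
        while hop is not None:          # walk back to the start
            path.append(hop)
            hop = parent[hop]
        paths[target] = path[::-1]
    return set(parent) - {start}, paths

def segment(flows, denied):
    """Copy of the flow graph with the denied (src, dst) flows removed."""
    return {src: [dst for dst in dsts if (src, dst) not in denied]
            for src, dsts in flows.items()}

if __name__ == "__main__":
    for label, graph in (("flat", FLOWS), ("segmented", segment(FLOWS, DENIED))):
        reachable, paths = attack_paths(graph, "laptop-17", CROWN_JEWELS)
        print(label, "blast radius:", sorted(reachable))
        for target, path in paths.items():
            print("  path:", " -> ".join(path))
```

A flat list of these seven assets shows none of this; the paths only appear once the flows between them are treated as edges.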
Layered with AI and automation, containment becomes even more powerful. These technologies reduce noise, filter out false positives and accelerate response times. When every alert isn’t a crisis, defenders can act with greater speed and confidence.
But containment isn’t a one-and-done initiative. It’s a continuous process, one that evolves with the threat landscape.
Compliance and containment: a new alignment
The regulatory landscape is shifting from prescriptive control lists to outcome-based frameworks focused on resilience. Whether it’s DORA, NIS2 or FSA Japan, modern rules are less concerned with how you prevent incidents and more focused on how you respond and recover.
Containment maps directly to this new focus. It’s not just good security, it’s increasingly required. Regulations now emphasise operational continuity and resilience. And increasingly, regulators are concerned about systemic resilience across entire industries, not just individual organisations. In this context, containment isn’t just a defensive tactic. It’s a compliance imperative.
Thriving in a post-breach world
The shift to a post-breach mindset demands a cultural and operational transformation. Security is no longer about preventing breaches. It’s about creating an environment where businesses can thrive despite them. This includes reducing downtime, enabling productivity and fostering resilience.
In the post-breach world, success is defined not by how effectively you can prevent threats, but by how well you manage and contain them. Prevention is the door lock; containment is the entire security system.
The Millennium Dome heist failed because, while a bulldozer can always beat a lock, it can’t beat strategic containment. In cyber-security, we must do the same. The post-breach world isn’t a hypothetical future. It’s already here. The faster we embrace that reality, the more resilient we become. Not just to survive the breach but to ensure it doesn’t end in catastrophe.
By Andrew Rubin, CEO and co-founder, Illumio
As Founder, CEO and board member of Illumio, Andrew is responsible for the overall strategy and vision of the company. With deep expertise in segmentation, network security and regulatory and compliance management, Andrew serves as the executive sponsor of many of Illumio’s largest worldwide customers, including Citi, HSBC, Salesforce and Microsoft. Andrew frequently participates in panels, articles and podcasts for leading industry events and publications. He was named one of Goldman Sachs’ 100 Most Intriguing Entrepreneurs seven times and received Ernst & Young’s Entrepreneur of the Year 2024 (Bay Area).
© 2025, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd.