Re-Thinking Cybersecurity

By Diego Valverde | Journalist & Industry Analyst - Wed, 10/22/2025 - 15:30

Global cybersecurity spending reached US$215 billion in 2024, yet reported incidents increased by 75% from the previous year, highlighting a fundamental flaw in traditional defense strategies. The focus must thus shift from simple threat detection to active breach containment, limiting the lateral movement of attackers to neutralize risk before it spreads.

“Every year we spend more money with more complex solutions and the problems just keep getting worse,” said Christer Swartz, Director of Industry Solutions, Illumio, during Mexico Cybersecurity Summit 2025.

The primary reason for the ineffectiveness of rising investments is that conventional tools focus on protecting the “health” of individual resources. The problem with this model is that by the time a security agent identifies a threat, it has often already compromised the system and begun to spread to other network assets. “The problem is not that one resource was there, it is that it has spread. So, this lateral movement is what we need to discover and enforce,” Swartz says.

All threats share a fundamental characteristic: “They all want to spread,” says Swartz. This propagation, known as lateral movement, is the common dependency that all threat actors exploit.

The problem is only growing. Cybercrime has established itself as the world’s third-largest economy, with an estimated GDP of US$9.5 trillion in 2024, says Illumio. This figure is surpassed only by the United States at US$27.5 trillion and China at US$17.5 trillion. With an average of 2,200 cybersecurity incidents reported daily worldwide, it is clear that the existing approach is not fully mitigating risks.

Security has historically been a secondary consideration in the development of digital infrastructure. When commercial activity began on the Internet in 1991, the priority was high availability, not security. This legacy has resulted in operating systems that, by default, keep numerous ports open in listening mode. “All modern OS will have open ports. Whether it is for screen sharing, for print sharing, DNS, or SSH, they are all open doors. And threats move across these open doors,” says Swartz.

For example, a macOS or CentOS Linux system can have 13 open TCP ports, while Windows 10 has 10. These ports, serving protocols such as RDP, SMB, SSH, and LDAP, act as unsecured doors, offering attackers multiple pathways to propagate malware across workloads.

The Flaw of Siloed Visibility

Threats move through two primary vectors: the exploitation of human behavior, which remains the weakest link, and the use of open ports between workloads. While training can mitigate the first factor, it cannot eliminate it. Therefore, controlling the second vector — machine-to-machine movement — becomes critical.

Traditional security solutions such as firewalls, EDR, XDR, and CNAPP operate in silos, providing localized visibility but not a global, unified view of the environment. Each tool protects its own domain but lacks the ability to see or control traffic among these disparate domains.

Threat actors, however, do not see lists of isolated assets. They “think in graphs,” visualizing the network as an interconnected set of nodes and exploiting the paths of least resistance to reach high-value targets, says Swartz.

This has given rise to a new paradigm: breach containment through segmentation. Rather than relying solely on detection, this strategy assumes a breach will eventually occur and focuses on drastically limiting its impact. The Illumio Breach Containment Platform, for example, operates at the network layer of the cybersecurity stack to block lateral movement, which is the operational dependency of all threats.

This strategy relies on two pillars. The first is Unified Visibility, which involves ingesting telemetry data from the entire hybrid, multi-cloud infrastructure — including endpoints, data centers, containers, and IoT/OT — and enriching it with information from third-party tools like EDR, SIEM, CNAPP, and CMDB. This process creates a real-time, global dependency map, eliminating the visibility silos that attackers exploit.

The second is Proactive Segmentation: designing and implementing granular segmentation policies that contain unauthorized traffic. This means that even if a workload is compromised, the breach is isolated, preventing malware from spreading to other critical systems. A platform can apply these policies consistently across any environment, from bare-metal servers in a corporate data center to serverless functions in a public cloud.
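To make the two pillars concrete, here is an added example (not code from the article or from Illumio) that builds a dependency map from constructed flow telemetry and then evaluates each flow against a label-based allowlist policy, flagging the lateral-movement ports the article names (SSH, LDAP, SMB, RDP) when they appear outside policy. Workload names, labels, flows and the policy are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (not from the article): workload labels and observed flows.
LABELS = {
    "web-01": "web", "app-01": "app", "db-01": "db",
    "hr-pc-07": "user", "dns-01": "dns",
}
# Each flow: (source workload, destination workload, destination TCP port).
FLOWS = [
    ("web-01", "app-01", 443),
    ("app-01", "db-01", 5432),
    ("web-01", "dns-01", 53),
    ("hr-pc-07", "web-01", 443),
    ("hr-pc-07", "app-01", 3389),   # RDP from a user PC into the app tier
    ("app-01", "web-01", 445),      # SMB between workloads, never in policy
    ("web-01", "db-01", 22),        # SSH straight from web to db
]
# Allowlist policy over labels: (source label, destination label, port).
# Anything not listed is treated as unauthorized traffic (default deny).
POLICY = {
    ("web", "app", 443),
    ("app", "db", 5432),
    ("web", "dns", 53),
    ("user", "web", 443),
}
# Ports the article names as common lateral-movement doors.
LATERAL_PORTS = {22: "SSH", 389: "LDAP", 445: "SMB", 3389: "RDP"}


def build_dependency_map(flows):
    """Pillar one: the global map of which workload talks to which, on what port."""
    deps = defaultdict(set)
    for src, dst, port in flows:
        deps[(src, dst)].add(port)
    return dict(deps)


def find_violations(flows, labels, policy):
    """Pillar two: return the flows a default-deny segmentation policy would block."""
    violations = []
    for src, dst, port in flows:
        if (labels[src], labels[dst], port) not in policy:
            proto = LATERAL_PORTS.get(port, "port %d" % port)
            violations.append((src, dst, port, proto))
    return violations


if __name__ == "__main__":
    for (src, dst), ports in sorted(build_dependency_map(FLOWS).items()):
        print("%s -> %s: %s" % (src, dst, sorted(ports)))
    for src, dst, port, proto in find_violations(FLOWS, LABELS, POLICY):
        print("BLOCK %s -> %s (%s)" % (src, dst, proto))
```

Only the three flows that fall outside the allowlist are reported, and each is the kind of machine-to-machine hop the article describes; the permitted web/app/db/dns traffic passes untouched.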

By shifting the focus from a reactive posture of finding threats to a proactive strategy of containing breaches, organizations can invalidate the attackers' operational model. “Without the ability to move laterally, a threat is neutralized, transforming a potential catastrophe into a manageable incident,” says Swartz.
