Building a Smart Segmentation Strategy

Transcription

1 Building a Smart Segmentation Strategy Using micro-segmentation to reduce your attack surface, harden your data center, and secure your cloud. WP201705

2 Overview Deployed at the network layer, segmentation was first developed to improve network performance. But as cybersecurity experts have become convinced that a perimeter first approach to security is not feasible, it s become increasingly clear that segmentation is also the foundation for securing the interior of your data center. In this guide, you ll learn: Why interior segmentation inside your data center and cloud is so important The principles of smart segmentation How to build smart segmentation in 5 steps Real-world examples to help you plan How to get started Building a Smart Segmentation Strategy 2

3 Why do I need segmentation? Segmentation reduces your attack surface, frustrates intruders, and hardens your data center. It doesn t just increase your security, it makes other tools you probably already invest in perimeter firewalls, anti-virus, data loss prevention, end point security, etc. more effective, by limiting attacker movement and helping you qualify and understand the alerts that your detection systems generate. 2,260 breaches in 2015 alone Let s talk about breaches. When intruders breach your perimeter, they most often enter into a lowvalue environment your development environment, or user space. To steal valuable data or cause damage to your business, they first have to reach that data, and to do this they must move laterally through your environment. Unfortunately, intruders can often reach high-value targets today because most data centers are wide open. As intruders move through the data center, they must: constantly touch and manipulate servers access user accounts to increase their privileges use network connections to move between servers Dwell time: 145 Days Every one of those steps risks setting off an alarm, and in theory intruders only need to slip up once to get caught. But despite this risk, today intruders often reach high-value targets before they get caught. Why is that? Because data centers generally have a huge attack surface. This makes life easier for intruders by giving them a wealth of attack vectors to choose from, and harder for defenders by forcing them to spread their resources thin. Finally, it makes detection incredibly difficult, because with many attack vectors, detection tools generate thousands of alerts, many of which are false positives. Reducing the number of pathways that intruders can target makes things easier for defenders, and harder for attackers. It makes lateral movement harder, which makes intrusion harder. This is where smart segmentation comes in. Building a Smart Segmentation Strategy 3

4 Most organizations use as little as 3% of open pathways Every open port and active process in an environment opens a communications pathway that any other computer within that network segment could use with the right credentials. Organizations use these pathways to run their business, but there are far more open pathways than any organization uses. In fact, most organizations use as little as 3 percent of the open pathways between their servers. This means that most organizations could close as much as 97 percent of their interior attack surface without constraining their operations at all. Closing down these unnecessary open communication pathways: 1. makes your organization s job easier by letting you focus your other security resources (anti-virus, malware detection, etc.) on fewer open pathways; 2. makes intruders job harder by limiting their freedom of movement through the environment and increasing the risk that they set off an alarm; and 3. improves the quality of the detection tools you already invest in and saves you money and resources by helping your security teams focus on the alerts that matter the most. Building a Smart Segmentation Strategy 4

5 What is smart segmentation? Everyone today is talking about micro-segmentation, but there is relatively little discussion about what micro-segmentation is and how to use it to effectively and practically improve the security of your organization. In fact, micro-segmentation is only one type of segmentation (we ll discuss this more later). Most organizations don t deploy segmentation identically across their entire environment they match different types of segmentation to the different security requirements of the parts of their data center and cloud. This process deploying different types of segmentation throughout your environment to increase your security without impacting your business process is smart segmentation. To deploy smart segmentation, you should customize your approach to the particular threats and values of each part of your data center. There are several factors to consider when building your smart segmentation strategy: LABELING VISIBILTY HYBRID ADAPTIVE Building a Smart Segmentation Strategy 5

6 VISIBILITY Every smart segmentation strategy starts from visibility. You have to understand the environment you are protecting if you are going to be able to identify high-value assets and then optimize your security to protect them. You can t do this unless you understand the relationship between all of your servers the goal isn t simply a map; the goal is a map of the attack vectors an attacker could use. LABELING When moving segmentation from the perimeter, which is one-dimensional, into the interior of your data center, which is multi-dimensional, you can t use the same old one-dimensional firewall rules. Smart segmentation should define its policies in multiple dimensions; for instance, you could label each workload based on its Role, Application, Environment, and Location, and then apply policies based on those labels. This enables you to use flexible segmentation that can keep up with complexity of modern, dynamic data centers and clouds. HYBRID Data centers today are more hybrid than ever before: different operating systems, different hypervisors, containers, public and private cloud, and bare metal. You likely won t want to segment all of these areas at once, and you almost certainly won t want to use the same segmentation in each (often, organizations use fine-grained micro-segmentation only where it s most valuable, and more coarse-grained segmentation where appropriate). But you will want to make sure that whatever tool or set of tools you use to enable your segmentation will work in all of these environments. The last thing you want is to get halfway through a segmentation project, and then realize that you need to buy a different tool, and integrate it with your current tool, if you re going to segment that section of your compute. ADAPTIVE Smart segmentation isn t a set it and forget it solution. Your data center and cloud changes constantly, and your segmentation has to change with it to keep up. If your segmentation approach doesn t adapt to changes in your data center, your security could be out-of-date within days or hours. And from there, you will only get less secure. Building a Smart Segmentation Strategy 6

7 1 2 3 Smart segmentation in 5 steps There are five essential steps to building a smart segmentation strategy: Identify high-value assets. Protect the highest-value locations (key databases, your most important applications, stores of regulated information such as PCI- or HIPPAcompliant data) with fine-grained segmentation. For less valuable segments, more coarse-grained segmentation will be sufficient and less complex to implement. To do this, you first need to know where your high-value locations are. These could be databases with customer data, production versions of key applications that run your business, communications platforms used by your employees for sensitive conversations, or damage-prone industrial systems. Map your application dependencies. Map the communications pathways between your workloads, applications, and environments. Legitimate communications between your servers travel across these pathways, but attackers can use these pathways as well. Understanding which parts of your network are most connected will help you understand where segmentation can bring you the greatest benefit. Understand the types of segmentation. You ll want to use different types of segmentation in different locations, and to do that you ll need to understand your options. There are seven types of segmentation: a. Environmental segmentation, the coarsest form of segmentation, separates the environments within your data center. It is often used to isolate low-value environments (like dev) from the rest of your organization, so any intruder that breaches that environment will be prevented from moving laterally to higher value environments. This could also be used to segment systems assigned to different customers, so if one is compromised, the others will remain secure. It provides large decreases in attack surface, and is the easiest form of segmentation to implement. In most cases, one should deploy environmental segmentation across your entire data center. Building a Smart Segmentation Strategy 7

8 b. Location segmentation. Depending on your compute architecture, it may make sense to segment your workloads based on the data centers/clouds in which they operate. This could be useful if you operate in countries where you are required by law to store data locally, or if you have a particular data center that holds your most sensitive data, and want to limit the ability of devices from other data centers to access it. c. Application segmentation, also called application ringfencing, separates individual applications, preventing cross-application communications even within the same environment. Organizations often use application segmentation to give an added layer of security to their most valuable applications. In environments with many segmented applications, this greatly increases your security and throws up additional roadblocks for an intruder. d. Tier segmentation is even more fine-grained than application segmentation and divides the tiers within an application (e.g., the web, app, and DB tiers). Because many intruders will first enter data centers via the web tier, this level of segmentation further isolates them, forcing them to cross even more data center segments in their search for high-value data. e. Workload segmentation, also called micro-segmentation, focuses on individual workloads, ensuring that opening a port to a given workload does not create pathways to any other workload. This very fine-grained segmentation is most useful to protect high-value assets where restricting attacker movements is particularly important. f. Process and service segmentation, also called nano-segmentation, is the finest-grained form of segmentation and ensures that only active communications pathways are permitted. No unused paths are left open, even if they are going to servers in active communication with the host. g. User segmentation prevents credential hopping a common tactic wherein an intruder compromises a user s workload and combines that access with credentials that permit them access to a high-value application. This ensures that when a particular user is logged in to a workload, that workload is only permitted to contact servers that the user is permitted to access. Building a Smart Segmentation Strategy 8

9 4 Map your segmentation strategy based on your operational security requirements. You won t use the same segmentation throughout your environment. In general, you ll want to apply more fine-grained segmentation to your highvalue locations, and more coarse-grained segmentation to lower-value locations. To do this, identify the major portions of your data center and cloud that you want to protect first, then assign appropriate segmentation strategies to each one. 5 Set a timeline for the various states of your segmentation strategy. You may decide to begin with the lowest-risk environment first, so you can test out your approach without risking business interruption. Be sure to prioritize those high-value assets you identified in stage (2). Segmenting those assets will give you the greatest security increase for your trouble. Test and deploy your strategy. Since smart segmentation changes the data center itself, it s essential to make sure the strategy is aligned with the way the data center functions, and isn t breaking anything. The ability to test and model your segmentation strategy before you deploy it is an essential final step to deploying any security strategy. TIP: Quantitative and qualitative approaches Most organizations are using a largely qualitative approach to the process of identifying their high-value assets, calculating their attack surface, and then reducing that attack surface through segmentation. Quantifying the attack surface of your different applications and environments will help you develop a smart segmentation strategy that is optimized for your data center and cloud. Building a Smart Segmentation Strategy 9

10 Sample smart segmentation strategies For most data centers, we recommend: ENVIRONMENTAL SEGMENTATION to wall off the most exposed, least valuable environments (e.g., the development environment). APPLICATION SEGMENTATION to isolate applications in high-value environments. TIER SEGMENTATION to further protect high-value applications. MICRO OR PROCESS SEGMENTATION for core services or other particularly valuable workloads or clusters of workloads. Here are a few more ways you can optimize your segmentation strategy to secure specific characteristics of your data center and cloud: (1) Use environmental segmentation to separate out a development environment. This preserves the flexibility of the development environment, but contains its exposure so intruders that enter the environment can t jump over to high-value targets. Building a Smart Segmentation Strategy 10

11 (2) Segment large applications based on the role or tier of workloads (e.g., segmenting the web, database, and application servers from each other). This approach avoids the complexity of attempting to segment the entire application by workload or process, but still significantly reduces the ability of attackers to move freely through the application. (3) Cluster Hadoop processing traffic on a dedicated, non-routable network. Tier the application by making the internal processing machines the true high-value target accessible only from the external-facing machines, and controlling access to the externalfacing machines as you normally would. This forces attackers to take multiple steps to reach the valuable data inside your Hadoop cluster, giving you more opportunities to identify and stop them. (4) Use process and service segmentation to protect Active Directory. Rather than leaving pathways for the remaining fifty services exposed, use process and service segmentation to close the connections for all but the services you actually use, and to limit connectivity even for those services in use. Building a Smart Segmentation Strategy 11

12 How to get started Segmenting your compute starts with visualization. You must build that map; identify your most valuable assets; and then develop, test, and implement a segmentation strategy to defend them and shut down your attack surface. Building and implementing a segmentation strategy can be challenging, but Illumio can help. We can visualize your data center and cloud, and we can do it without needing to install anything. We can build your relationship graph, work with you to develop a segmentation strategy that makes sense for your environment, and then we can help you implement it. If you d like to get started, go to for more information. Or, better yet, contact us for a live demo. About Illumio Follow Us Illumio, recently named to the CNBC Disruptor 50 list, stops cyber threats by controlling the lateral movement of unauthorized communications through its breakthrough adaptive segmentation technology. The company s Adaptive Security Platform visualizes application traffic and delivers continuous, scalable, and dynamic policy and enforcement to every baremetal server, VM, container, and VDI within data centers and public clouds. Using Illumio, enterprises such as Morgan Stanley, Plantronics, Salesforce, King Entertainment, NetSuite, Oak Hill Advisors, and Creative Artists Agency have achieved secure application and cloud migration, environmental segmentation, compliance and high-value application protection from breaches and threats with no changes to applications or infrastructure. For more information, visit or Illumio Adaptive Security Platform and Illumio ASP are trademarks of Illumio, Inc. All rights reserved. Building a Smart Segmentation Strategy 12