Segment Your Network for Stronger Security

Similar documents
Prestigious hospital. Outdated network.

Manufacturing security: Bridging the gap between IT and OT

User-to-Data-Center Access Control Using TrustSec Design Guide

Network Visibility and Segmentation

Best Practices in Securing a Multicloud World

Enhanced Threat Detection, Investigation, and Response

Office 365 Buyers Guide: Best Practices for Securing Office 365

Cisco Software-Defined Access

Cisco Start. IT solutions designed to propel your business

The threat landscape is constantly

Cisco Cloud Security. How to Protect Business to Support Digital Transformation

ATTIVO NETWORKS THREATDEFEND PLATFORM INTEGRATION WITH CISCO SYSTEMS PROTECTS THE NETWORK

How Boards use the NIST Cybersecurity Framework as a Roadmap to oversee cybersecurity

align security instill confidence

ForeScout Extended Module for Splunk

SOLUTION BRIEF RSA NETWITNESS EVOLVED SIEM

Reducing the Cost of Incident Response

Integrating Okta and Preempt Detecting and Preventing Threats With Greater Visibility and Proactive Enforcement

Video-Aware Networking: Automating Networks and Applications to Simplify the Future of Video

Trends and Challenges We now live in a data-driven economy A recent Gartner report discussing NetOps 2.0 stated, NetOps teams must embrace practices a

Cisco Stealthwatch Improves Threat Defense with Network Visibility and Security Analytics

Compare Security Analytics Solutions

Mobile County Public School System Builds a More Secure Future with AMP for Endpoints

SOLUTION BRIEF RSA NETWITNESS NETWORK VISIBILITY-DRIVEN THREAT DEFENSE

with Advanced Protection

THE EVOLUTION OF SIEM

DDoS MITIGATION BEST PRACTICES

Building a Smart Segmentation Strategy

SIEM Solutions from McAfee

AND FINANCIAL CYBER FRAUD INSTITUTIONS FROM. Solution Brief PROTECTING BANKING

Automated, Real-Time Risk Analysis & Remediation

Cisco Network Assurance Engine with ServiceNow Cisco Network Assurance Engine, the industry s first SDN-ready intent assurance suite, integrates with

FOR FINANCIAL SERVICES ORGANIZATIONS

Cisco Cyber Range. Paul Qiu Senior Solutions Architect

Privileged Account Security: A Balanced Approach to Securing Unix Environments

Subscriber Data Correlation

Network Segmentation Through Policy Abstraction: How TrustSec Simplifies Segmentation and Improves Security Sept 2014

Cisco Software-Defined Access

Secure Network Access for Personal Mobile Devices

A Pragmatic Approach to HealthCare Security. Hans Mathys CSE, Cybersecurity, Cisco Switzerland

Cisco Security Enterprise License Agreement

McAfee epolicy Orchestrator

Cisco Stealthwatch Endpoint License

Encrypted Traffic Analytics

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

The Need In today s fast-paced world, the growing demand to support a variety of applications across the data center and help ensure the compliance an

RSA NetWitness Suite Respond in Minutes, Not Months

Perimeter Defenses T R U E N E T W O R K S E C U R I T Y DEPENDS ON MORE THAN

Architectural overview Turbonomic accesses Cisco Tetration Analytics data through Representational State Transfer (REST) APIs. It uses telemetry data

Threat Containment and Operations. Yong Kwang Kek, Director of Presales SE, APJ

Hidden Figures: Securing what you cannot see

Symantec Security Monitoring Services

Integrated McAfee and Cisco Fabrics Demolish Enterprise Boundaries

Stop Threats Before They Stop You

Carbon Black PCI Compliance Mapping Checklist

Data Sheet: Endpoint Security Symantec Multi-tier Protection Trusted protection for endpoints and messaging environments

A Comprehensive CyberSecurity Policy

Optimizing your network for the cloud-first world

MITIGATE CYBER ATTACK RISK

securing your network perimeter with SIEM

Solution Overview Cisco Tetration Analytics and AlgoSec: Business Application Connectivity Visibility, Policy Enforcement, and Business-Based Risk and

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

Securing BYOD with Cisco TrustSec Security Group Firewalling

Your network is your business lifeline. Protect it. LEVEL 3 ADAPTIVE NETWORK SECURITY

Service Provider Security Architecture

Cisco Ransomware Defense The Ransomware Threat Is Real

Cisco Network Admission Control (NAC) Solution

RSA Advanced Security Operations Richard Nichols, Director EMEA. Copyright 2015 EMC Corporation. All rights reserved. 1

ForeScout ControlFabric TM Architecture

Transforming Security from Defense in Depth to Comprehensive Security Assurance

RSA Solution Brief. Managing Risk Within Advanced Security Operations. RSA Solution Brief

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

Teradata and Protegrity High-Value Protection for High-Value Data

SECURING DEVICES IN THE INTERNET OF THINGS

Mastering The Endpoint

IBM Global Technology Services Provide around-the-clock expertise and protect against Internet threats.

SECURING DEVICES IN THE INTERNET OF THINGS

SecureTrack. Supporting SANS 20 Critical Security Controls. March

The Why, What, and How of Cisco Tetration

Intelligent Cybersecurity for the Real World Scott Lovett Vice President, Global Security Sales

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

SIEM: Five Requirements that Solve the Bigger Business Issues

to protect the well-being of citizens. Fairfax is also home to some Fortune 500 and large

How Security Policy Orchestration Extends to Hybrid Cloud Platforms

Identity Based Network Access

Battle between hackers and machine learning. Alexey Lukatsky Cybersecurity Business Consultant April 03, 2019

Transforming the Network for the Digital Business

Prevent and Detect Malware with Symantec Advanced Threat Protection: Network

Securing the Virtualized Environment: Meeting a New Class of Challenges with Check Point Security Gateway Virtual Edition

DECRYPT SSL AND SSH TRAFFIC TO DISRUPT ATTACKER COMMUNICATIONS AND THEFT

HOLISTIC NETWORK PROTECTION: INNOVATIONS IN SOFTWARE DEFINED NETWORKS

Securing Your Microsoft Azure Virtual Networks

OUTSMART ADVANCED CYBER ATTACKS WITH AN INTELLIGENCE-DRIVEN SECURITY OPERATIONS CENTER

RSA Solution Brief. The RSA Solution for Cloud Security and Compliance

Cisco ISE Plus SIEM and Threat Defense: Strengthen Security with Context

Simplify PCI Compliance

Clearing the Path to Micro-Segmentation. A Strategy Guide for Implementing Micro- Segmentation in Hybrid Clouds

Automated Threat Management - in Real Time. Vectra Networks

Are we breached? Deloitte's Cyber Threat Hunting

Aligning Agency Cybersecurity Practices with the Cybersecurity Framework

Transcription:

Segment Your Network for Stronger Security Protecting Critical Assets with Cisco Security 2017 Cisco and/or its affiliates. All rights reserved. 2017 Cisco and/or its affiliates. All rights reserved.

The threat landscape continues to evolve. We know that perimeter defenses, however necessary, cannot do it all. Attackers will get into your network, and oftentimes, they will bypass the perimeter altogether. ZK Research estimates that 80% of breaches originate inside the network, not through the perimeter. According to Cisco principal engineer TK Keanini, Threat actors are not breaking in anymore. They are simply logging in. 80% of breaches originate inside the network, not through the perimeter. So what can we do about it? One essential way to protect your network from intruders is through network segmentation. In fact, several of the most high-profile data breaches in recent years could have been prevented this way. 2 2017 Cisco and/or its affiliates. All rights reserved.

Network Segmentation can secure critical assets, but it has its shortcomings Segmentation involves the partitioning of your network into various zones. You restrict access for each zone to only those users, applications, and devices that require it to run the business. That way, if attackers slip into the network undetected, they will be able to access only a small portion of your data and assets, instead of gaining the keys to your entire kingdom. Network segmentation has been around for a long time, but many organizations have forgone implementing it because traditional methods have some key shortcomings, said Keanini. The main challenge of conventional network segmentation is that it is impractical to implement and maintain in large corporate environments. Due to such shortcomings, VeraQuest Research found that only one in four companies employ an end-to-end segmentation strategy. Networks continue to modernize, digitize, and expand. How can we properly segment them to keep them secure without unnecessary cost and complexity? The answer lies in software-defined segmentation. 3 2017 Cisco and/or its affiliates. All rights reserved.

Software-defined segmentation changes the game Traditionally, network segmentation has been done through firewalls, virtual LANs (VLANs), and extensive access control lists (ACLs). But according to Keanini, In networks with thousands of users and multiple environments, such as the cloud and specialized IoT networks, this quickly becomes nearly impossible to manage. Segmentation policies become outdated as users and assets are added to a network. To protect themselves effectively, organizations need to constantly adjust segmentation policies as the network evolves. Software-defined segmentation enforces policies based on user, application, or device instead of IP address. You can centrally manage policies across the network, so segmentation is more effective and can more easily adapt to changes in network topology. You can implement and alter segmentation policies without reconfiguring network devices, amounting to massive operational improvements. 4 2017 Cisco and/or its affiliates. All rights reserved.

Network as an Enforcer solution allows for better segmentation The Network as an Enforcer solution from Cisco embraces your existing network infrastructure to deliver better, more streamlined segmentation and security. The Network as an Enforcer consists of four main offerings: Cisco TrustSec technology, Cisco IOS NetFlow, Cisco Stealthwatch, and the Cisco Identity Services Engine (ISE). Cisco TrustSec technology Embedded in more than 40 Cisco product families and third-party offerings, Cisco TrustSec software-defined segmentation provides a role-based approach to policy enforcement. It does this by defining roles through security groups. Traffic from a set of network endpoints, users, or servers is assigned a security group tag (SGT) for enforcement. You don t have to whitelist IP addresses manually across every switch. A study by Forrester Consulting found that with Cisco TrustSec technology, customers can experience an 80 percent reduction in operational costs and a 98 percent reduction in time to implement policy changes. Cisco IOS NetFlow Cisco IOS NetFlow was created by Cisco to track network conversations. It delivers valuable details including the source, destination, timing, and protocol. It can tell who is talking to whom, with which device, from where, and for how long, and can measure how much data is exchanged. NetFlow is embedded in Cisco routers, switches, and other networking devices. It simply has to be turned on to begin delivering network insight. With TrustSec, you have no bandwidth restrictions versus the firewall approach. So we have less investment risk with TrustSec. And from an operational cost point of view, TrustSec is quite inexpensive. Cisco customer interviewed by Forrester Consulting 5 2017 Cisco and/or its affiliates. All rights reserved.

The guest network should never talk to internal services like budgetary and personnel systems Stealthwatch can tell us if this happens. 76% of IT professionals say visibility is their biggest security challenge, according to the Ponemon Institute. Cisco Stealthwatch Once NetFlow is turned on, the data needs to be collected and analyzed so security teams can easily digest and understand it. The Cisco Stealthwatch solution collects and analyzes large amounts of NetFlow data to provide a comprehensive picture of network activity. To create segmentation policies that do not impede security or hinder business productivity, you need to know exactly which users and devices are on your network, and what each of them is doing. The visibility provided by Stealthwatch is critical for building and testing segmentation policies, and monitoring their efficacy once in place. Passaic County Technical Institute 6 2017 Cisco and/or its affiliates. All rights reserved.

Cisco Identity Services Engine (ISE) Cisco ISE is a secure access control platform used by more than 17,000 organizations to help ensure that only authorized users and devices can access their network infrastructure. Providing secure access requires insight into user and device details. ISE gathers this information to deliver valuable context that can be shared with other network and security solutions. ISE also serves as the controller for defining and enforcing segmentation policies through technologies like Cisco TrustSec softwaredefined segmentation. The Cisco solution gives us a precise way, from the wireless access point or the switch, to identify who is trying to access what. It allows us to place users in the right category and have the right policy to match information security demands. Mondi Group International 7 2017 Cisco and/or its affiliates. All rights reserved.

Segmentation ebook How do these technologies work together? Here s how these technologies work together to provide effective network segmentation: Organizations get in-depth network visibility from NetFlow and Stealthwatch, which is enhanced by user and device context from Cisco ISE. This combination is known as the Cisco Network as a Sensor solution. It plays a key role in helping organizations develop accurate segmentation policies. Hosts are segmented according to Cisco TrustSec SGTs. 8 2017 Cisco and/or its affiliates. All rights reserved. Cisco ISE uses TrustSec technology to define and enforce network segmentation policy, allowing or denying access to specific users, devices, applications, or whole areas of the network. Cisco Stealthwatch continues to monitor network and user behaviors. It alerts administrators if segmentation policies are violated so that they can be quickly reconfigured. When Stealthwatch identifies a security event that requires investigation or remediation, it can also automatically notify Cisco ISE to change the device or user policy to contain the threat.

Professional Services If you wish to simplify segmentation even further, Cisco also offers a service that can automatically segment the network on your behalf. This service builds segments based on Stealthwatch flow traffic analysis. It gets additional context from Cisco ISE, customer IP address management systems, and/or customer domain controllers. The service can then develop segmentation enforcement policies or build Stealthwatch host groups to segment assets based on various criteria. Contact Stealthwatch-CustomerSuccess@cisco.com for more information on this option. A practical process for segmentation Cisco s Keanini recommends the following process for implementing network segmentation: Model: Model your digital business. Try different segmentation policies and see the results without disrupting operations. Implement and enforce: Use the power of Cisco ISE and Cisco TrustSec technology to enact the segmentation models that fit your organization. Monitor: Use Stealthwatch to detect any network behavior that violates your segmentation policies either by mistake or with malicious intent. 9 2017 Cisco and/or its affiliates. All rights reserved.

Simplicity leads to improved security Cisco s network segmentation solutions bring many benefits to an enterprise. With these solutions, you can: Restrict the lateral movement of attackers across the network, thwarting a wide range of attacks such as malware and insider threats. Streamline network and security operations, resulting in a dramatic savings of time, cost, and resources. Better comply with industry and government regulations by walling off sensitive parts of the network from the rest of your environment. More easily digitize and expand your network infrastructure through cloud, personal device onboarding, and the Internet of Things (IoT). 10 2017 Cisco and/or its affiliates. All rights reserved.

Prestigious hospital, outdated network A large national hospital system was lagging far behind on security. It had a flat network without segmentation. Doctors, staff, students, and medical equipment all shared the same network, multiplying the attack surface and exposing the hospital to threats. The hospital system transformed its environment with the Cisco Network as an Enforcer solution. Now, even if attackers get in, their access is limited to one network segment. Read the full case study.. 11 2017 Cisco and/or its affiliates. All rights reserved.

Additional Resources Software-Defined Segmentation (video - 3:04 min.) Cisco TrustSec Technology for Network Segmentation (blog) For more information, contact stealthwatch@cisco.com. 12 2017 Cisco and/or its affiliates. All rights reserved.

2017 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) 07/17

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback