Building a Smart Segmentation Strategy


Building a Smart Segmentation Strategy: Using micro-segmentation to reduce your attack surface, harden your data center, and secure your cloud. WP201705

Overview

Deployed at the network layer, segmentation was first developed to improve network performance. But as cybersecurity experts have become convinced that a perimeter-first approach to security is not feasible, it has become increasingly clear that segmentation is also the foundation for securing the interior of your data center. In this guide, you'll learn:

1. Why interior segmentation inside your data center and cloud is so important
2. The principles of smart segmentation
3. How to build smart segmentation in 5 steps
4. Real-world examples to help you plan
5. How to get started

Why do I need segmentation?

Segmentation reduces your attack surface, frustrates intruders, and hardens your data center. It doesn't just increase your security; it makes the other tools you probably already invest in (perimeter firewalls, anti-virus, data loss prevention, endpoint security, etc.) more effective, by limiting attacker movement and helping you qualify and understand the alerts that your detection systems generate.

2,260 breaches in 2015 alone

Let's talk about breaches. When intruders breach your perimeter, they most often enter a low-value environment: your development environment, or user space. To steal valuable data or cause damage to your business, they first have to reach that data, and to do this they must move laterally through your environment. Unfortunately, intruders can often reach high-value targets today because most data centers are wide open. As intruders move through the data center, they must:

- constantly touch and manipulate servers
- access user accounts to increase their privileges
- use network connections to move between servers

Dwell time: 145 days

Every one of those steps risks setting off an alarm, and in theory intruders only need to slip up once to get caught. But despite this risk, intruders today often reach high-value targets before they get caught. Why is that? Because data centers generally have a huge attack surface. This makes life easier for intruders by giving them a wealth of attack vectors to choose from, and harder for defenders by forcing them to spread their resources thin. Finally, it makes detection incredibly difficult, because with many attack vectors, detection tools generate thousands of alerts, many of which are false positives. Reducing the number of pathways that intruders can target makes things easier for defenders and harder for attackers. It makes lateral movement harder, which makes intrusion harder. This is where smart segmentation comes in.

Most organizations use as little as 3% of open pathways

Every open port and active process in an environment opens a communications pathway that any other computer within that network segment could use with the right credentials. Organizations use these pathways to run their business, but there are far more open pathways than any organization uses. In fact, most organizations use as little as 3 percent of the open pathways between their servers. This means that most organizations could close as much as 97 percent of their interior attack surface without constraining their operations at all. Closing down these unnecessary open communication pathways:

1. makes your organization's job easier by letting you focus your other security resources (anti-virus, malware detection, etc.) on fewer open pathways;
2. makes intruders' job harder by limiting their freedom of movement through the environment and increasing the risk that they set off an alarm; and
3. improves the quality of the detection tools you already invest in and saves you money and resources by helping your security teams focus on the alerts that matter the most.

What is smart segmentation?

Everyone today is talking about micro-segmentation, but there is relatively little discussion about what micro-segmentation is and how to use it to effectively and practically improve the security of your organization. In fact, micro-segmentation is only one type of segmentation (we'll discuss this more later). Most organizations don't deploy segmentation identically across their entire environment; they match different types of segmentation to the different security requirements of the parts of their data center and cloud. This process, deploying different types of segmentation throughout your environment to increase your security without impacting your business process, is smart segmentation. To deploy smart segmentation, you should customize your approach to the particular threats and values of each part of your data center. There are several factors to consider when building your smart segmentation strategy:

VISIBILITY
LABELING
HYBRID
ADAPTIVE

VISIBILITY

Every smart segmentation strategy starts from visibility. You have to understand the environment you are protecting if you are going to be able to identify high-value assets and then optimize your security to protect them. You can't do this unless you understand the relationships between all of your servers. The goal isn't simply a map; the goal is a map of the attack vectors an attacker could use.

LABELING

When moving segmentation from the perimeter, which is one-dimensional, into the interior of your data center, which is multi-dimensional, you can't use the same old one-dimensional firewall rules. Smart segmentation should define its policies in multiple dimensions; for instance, you could label each workload based on its Role, Application, Environment, and Location, and then apply policies based on those labels. This enables you to use flexible segmentation that can keep up with the complexity of modern, dynamic data centers and clouds.

HYBRID

Data centers today are more hybrid than ever before: different operating systems, different hypervisors, containers, public and private cloud, and bare metal. You likely won't want to segment all of these areas at once, and you almost certainly won't want to use the same segmentation in each (often, organizations use fine-grained micro-segmentation only where it's most valuable, and coarser-grained segmentation where appropriate). But you will want to make sure that whatever tool or set of tools you use to enable your segmentation will work in all of these environments. The last thing you want is to get halfway through a segmentation project and then realize that you need to buy a different tool, and integrate it with your current tool, if you're going to segment that section of your compute.

ADAPTIVE

Smart segmentation isn't a set-it-and-forget-it solution. Your data center and cloud change constantly, and your segmentation has to change with them to keep up. If your segmentation approach doesn't adapt to changes in your data center, your security could be out of date within days or hours. And from there, you will only get less secure.

Smart segmentation in 5 steps

There are five essential steps to building a smart segmentation strategy:

1. Identify high-value assets. Protect the highest-value locations (key databases, your most important applications, stores of regulated information such as PCI- or HIPAA-compliant data) with fine-grained segmentation. For less valuable segments, coarser-grained segmentation will be sufficient and less complex to implement. To do this, you first need to know where your high-value locations are. These could be databases with customer data, production versions of key applications that run your business, communications platforms used by your employees for sensitive conversations, or damage-prone industrial systems.

2. Map your application dependencies. Map the communications pathways between your workloads, applications, and environments. Legitimate communications between your servers travel across these pathways, but attackers can use these pathways as well. Understanding which parts of your network are most connected will help you understand where segmentation can bring you the greatest benefit.

3. Understand the types of segmentation. You'll want to use different types of segmentation in different locations, and to do that you'll need to understand your options. There are seven types of segmentation:

a. Environmental segmentation, the coarsest form of segmentation, separates the environments within your data center. It is often used to isolate low-value environments (like dev) from the rest of your organization, so any intruder that breaches that environment will be prevented from moving laterally to higher-value environments. It can also be used to segment systems assigned to different customers, so if one is compromised, the others remain secure. It provides large decreases in attack surface, and is the easiest form of segmentation to implement. In most cases, you should deploy environmental segmentation across your entire data center.

b. Location segmentation. Depending on your compute architecture, it may make sense to segment your workloads based on the data centers or clouds in which they operate. This could be useful if you operate in countries where you are required by law to store data locally, or if you have a particular data center that holds your most sensitive data and want to limit the ability of devices from other data centers to access it.

c. Application segmentation, also called application ringfencing, separates individual applications, preventing cross-application communications even within the same environment. Organizations often use application segmentation to give an added layer of security to their most valuable applications. In environments with many segmented applications, this greatly increases your security and throws up additional roadblocks for an intruder.

d. Tier segmentation is even more fine-grained than application segmentation and divides the tiers within an application (e.g., the web, app, and DB tiers). Because many intruders will first enter data centers via the web tier, this level of segmentation further isolates them, forcing them to cross even more data center segments in their search for high-value data.

e. Workload segmentation, also called micro-segmentation, focuses on individual workloads, ensuring that opening a port to a given workload does not create pathways to any other workload. This very fine-grained segmentation is most useful for protecting high-value assets where restricting attacker movement is particularly important.

f. Process and service segmentation, also called nano-segmentation, is the finest-grained form of segmentation and ensures that only active communications pathways are permitted. No unused paths are left open, even if they go to servers in active communication with the host.

g. User segmentation prevents credential hopping, a common tactic wherein an intruder compromises a user's workload and combines that access with credentials that permit access to a high-value application. This ensures that when a particular user is logged in to a workload, that workload is only permitted to contact servers that the user is permitted to access.
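The LABELING section and the list of segmentation types above describe policies written against workload labels (Role, Application, Environment, Location) at increasing granularity. The Python script below is an added example, not code from the white paper or from Illumio's product: it implements a small default-deny, label-based policy evaluator and then expresses environmental, application (ringfencing) and tier segmentation as rule sets over the same constructed inventory. Workload names, labels, ports and the sample flows are hypothetical. Running the same five flows through each policy shows how each finer-grained type closes pathways the coarser one still leaves open.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Label dimensions from the Labeling section: Role, Application, Environment, Location.
LABEL_KEYS = ("role", "app", "env", "loc")


@dataclass
class Workload:
    name: str
    labels: Dict[str, str]  # one value per label dimension


@dataclass
class Rule:
    """A label-based allow rule. The policy is default-deny: a flow is permitted
    only if some rule matches it."""
    name: str
    consumer: Dict[str, str]                # labels the source workload must carry
    provider: Dict[str, str]                # labels the destination workload must carry
    same: Tuple[str, ...] = ()              # label keys that must be equal on both ends
    ports: Optional[FrozenSet[int]] = None  # allowed destination ports; None = any port


def _selector_matches(selector: Dict[str, str], labels: Dict[str, str]) -> bool:
    return all(labels.get(k) == v for k, v in selector.items())


def evaluate(src: Workload, dst: Workload, port: int, rules: List[Rule]) -> Optional[str]:
    """Return the name of the first rule that permits src -> dst:port, or None (deny)."""
    for rule in rules:
        if not _selector_matches(rule.consumer, src.labels):
            continue
        if not _selector_matches(rule.provider, dst.labels):
            continue
        if any(src.labels.get(k) != dst.labels.get(k) for k in rule.same):
            continue
        if rule.ports is not None and port not in rule.ports:
            continue
        return rule.name
    return None


def _wl(name, role, app, env, loc="us-east"):
    return Workload(name, dict(zip(LABEL_KEYS, (role, app, env, loc))))


# Constructed sample inventory (hypothetical names and labels).
WORKLOADS = {w.name: w for w in [
    _wl("web1", "web", "ordering", "prod"),
    _wl("app1", "app", "ordering", "prod"),
    _wl("db1", "db", "ordering", "prod"),
    _wl("hr1", "app", "hr", "prod"),
    _wl("dev-web", "web", "ordering", "dev"),
]}

# Environmental segmentation: prod talks to prod, dev to dev, nothing crosses the boundary.
ENV_POLICY = [
    Rule("prod-intra-env", {"env": "prod"}, {"env": "prod"}),
    Rule("dev-intra-env", {"env": "dev"}, {"env": "dev"}),
]

# Application ringfencing inside prod: both ends must belong to the same application.
APP_POLICY = [
    Rule("prod-app-ringfence", {"env": "prod"}, {"env": "prod"}, same=("app",)),
]

# Tier segmentation for the ordering app: web -> app on 8080 and app -> db on 5432 only,
# within one environment. Everything else, including web -> db, is denied.
TIER_POLICY = [
    Rule("ordering-web-to-app", {"role": "web", "app": "ordering"},
         {"role": "app", "app": "ordering"}, same=("env",), ports=frozenset({8080})),
    Rule("ordering-app-to-db", {"role": "app", "app": "ordering"},
         {"role": "db", "app": "ordering"}, same=("env",), ports=frozenset({5432})),
]

# Constructed flows: expected tier traffic plus the lateral paths each policy should close.
SAMPLE_FLOWS = [
    ("web1", "app1", 8080),     # expected application traffic
    ("web1", "db1", 5432),      # web tier reaching straight for the database
    ("app1", "hr1", 443),       # cross-application traffic
    ("dev-web", "app1", 8080),  # dev environment reaching into prod
    ("app1", "db1", 22),        # admin protocol between tiers
]


def decide(flows, rules) -> Dict[str, str]:
    """Map 'src->dst:port' to the permitting rule name, or 'DENY'."""
    out = {}
    for src, dst, port in flows:
        verdict = evaluate(WORKLOADS[src], WORKLOADS[dst], port, rules)
        out[f"{src}->{dst}:{port}"] = verdict or "DENY"
    return out


def denied_count(flows, rules) -> int:
    return sum(1 for v in decide(flows, rules).values() if v == "DENY")


if __name__ == "__main__":
    for label, policy in (("environmental", ENV_POLICY), ("application", APP_POLICY),
                          ("tier", TIER_POLICY)):
        print(f"{label} segmentation: {denied_count(SAMPLE_FLOWS, policy)} of "
              f"{len(SAMPLE_FLOWS)} sample flows denied")
        for flow, verdict in decide(SAMPLE_FLOWS, policy).items():
            print(f"  {flow:22s} {verdict}")
```

Under the environmental policy only the dev-to-prod flow is denied; ringfencing additionally closes the cross-application path; the tier rules also close web-to-database and the SSH path between tiers while leaving the two expected flows open. Location or workload (micro-) segmentation would be expressed the same way, by adding "loc" to `same` or by naming individual workloads in the selectors.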

4. Map your segmentation strategy based on your operational security requirements. You won't use the same segmentation throughout your environment. In general, you'll want to apply more fine-grained segmentation to your high-value locations, and coarser-grained segmentation to lower-value locations. To do this, identify the major portions of your data center and cloud that you want to protect first, then assign appropriate segmentation strategies to each one.

5. Set a timeline for the various stages of your segmentation strategy. You may decide to begin with the lowest-risk environment first, so you can test out your approach without risking business interruption. Be sure to prioritize those high-value assets you identified in stage (2). Segmenting those assets will give you the greatest security increase for your trouble.

Test and deploy your strategy. Since smart segmentation changes the data center itself, it's essential to make sure the strategy is aligned with the way the data center functions and isn't breaking anything. The ability to test and model your segmentation strategy before you deploy it is an essential final step in deploying any security strategy.

TIP: Quantitative and qualitative approaches

Most organizations are using a largely qualitative approach to the process of identifying their high-value assets, calculating their attack surface, and then reducing that attack surface through segmentation. Quantifying the attack surface of your different applications and environments will help you develop a smart segmentation strategy that is optimized for your data center and cloud.
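The earlier claim that organizations use as little as 3% of their open pathways, the dependency-mapping step, and the tip on quantifying attack surface all rest on one measurement: the set of pathways (source, destination, listening port) that are reachable versus the subset that real traffic actually uses. The Python script below is an added example, not from the white paper or from Illumio's product, that computes this from a constructed inventory of listening ports and constructed flow observations (all host names, ports and environment labels are hypothetical). It also models environmental segmentation, so it reports both the reduction in open pathways and which observed flows the proposed policy would cut, which is the modelling the "test and deploy" step asks for before enforcement.

```python
from collections import defaultdict
from typing import Dict, Iterable, Optional, Set, Tuple

Pathway = Tuple[str, str, int]  # (source workload, destination workload, destination port)

# Constructed inventory: which ports each workload listens on (hypothetical hosts).
LISTENING: Dict[str, Set[int]] = {
    "web1": {443, 22},
    "app1": {8080, 22},
    "db1": {5432, 22},
    "hr1": {443, 22, 3389},
    "dev-web": {443, 22},
}

# Constructed environment labels, used to model environmental segmentation.
ENV = {"web1": "prod", "app1": "prod", "db1": "prod", "hr1": "prod", "dev-web": "dev"}

# Constructed flow observations from a baselining period (e.g. exported flow logs).
OBSERVED_FLOWS = [
    ("web1", "app1", 8080),
    ("app1", "db1", 5432),
    ("web1", "app1", 8080),  # repeat observations collapse to one pathway
    ("dev-web", "web1", 22),
]


def open_pathways(listening: Dict[str, Set[int]],
                  segments: Optional[Dict[str, str]] = None) -> Set[Pathway]:
    """Every pathway a source could use in a flat network. If a segment mapping is given,
    only pathways whose endpoints share a segment stay open (environmental segmentation)."""
    paths: Set[Pathway] = set()
    for src in listening:
        for dst, ports in listening.items():
            if src == dst:
                continue
            if segments is not None and segments[src] != segments[dst]:
                continue
            for port in ports:
                paths.add((src, dst, port))
    return paths


def used_pathways(flows: Iterable[Pathway]) -> Set[Pathway]:
    return set(flows)


def peer_counts(flows: Iterable[Pathway]) -> Dict[str, int]:
    """Distinct peers per workload: the most connected nodes on the dependency map."""
    peers = defaultdict(set)
    for src, dst, _ in flows:
        peers[src].add(dst)
        peers[dst].add(src)
    return {host: len(p) for host, p in peers.items()}


def attack_surface_report(listening, flows, segments=None) -> Dict[str, float]:
    """Compare open pathways with used pathways under an optional segmentation model."""
    open_ = open_pathways(listening, segments)
    used = used_pathways(flows)
    still_used = used & open_   # legitimate traffic the model still permits
    broken = used - open_       # legitimate traffic the model would cut
    return {
        "open": len(open_),
        "used": len(still_used),
        "used_pct": round(100.0 * len(still_used) / len(open_), 1) if open_ else 0.0,
        "closable": len(open_ - still_used),
        "broken_flows": len(broken),
    }


if __name__ == "__main__":
    print("flat network:", attack_surface_report(LISTENING, OBSERVED_FLOWS))
    print("with environmental segmentation:",
          attack_surface_report(LISTENING, OBSERVED_FLOWS, ENV))
    print("peer counts:", peer_counts(OBSERVED_FLOWS))
```

On this constructed inventory the flat network exposes 44 pathways of which 3 are used, so 41 could be closed without affecting observed traffic; applying environmental segmentation cuts the open set to 27 but also flags one observed flow (the dev host's SSH into prod) that the policy would break, which is exactly the kind of finding to resolve before enforcing. The ratio on a real estate will differ from the 3% figure quoted above, but the measurement is the same.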

Sample smart segmentation strategies

For most data centers, we recommend:

ENVIRONMENTAL SEGMENTATION to wall off the most exposed, least valuable environments (e.g., the development environment).
APPLICATION SEGMENTATION to isolate applications in high-value environments.
TIER SEGMENTATION to further protect high-value applications.
MICRO OR PROCESS SEGMENTATION for core services or other particularly valuable workloads or clusters of workloads.

Here are a few more ways you can optimize your segmentation strategy to secure specific characteristics of your data center and cloud:

(1) Use environmental segmentation to separate out a development environment. This preserves the flexibility of the development environment, but contains its exposure so intruders that enter the environment can't jump over to high-value targets.

(2) Segment large applications based on the role or tier of workloads (e.g., segmenting the web, database, and application servers from each other). This approach avoids the complexity of attempting to segment the entire application by workload or process, but still significantly reduces the ability of attackers to move freely through the application.

(3) Cluster Hadoop processing traffic on a dedicated, non-routable network. Tier the application by making the internal processing machines, the true high-value target, accessible only from the external-facing machines, and control access to the external-facing machines as you normally would. This forces attackers to take multiple steps to reach the valuable data inside your Hadoop cluster, giving you more opportunities to identify and stop them.

(4) Use process and service segmentation to protect Active Directory. Rather than leaving pathways for the remaining fifty services exposed, use process and service segmentation to close the connections for all but the services you actually use, and to limit connectivity even for those services in use.

How to get started

Segmenting your compute starts with visualization. You must build that map; identify your most valuable assets; and then develop, test, and implement a segmentation strategy to defend them and shut down your attack surface. Building and implementing a segmentation strategy can be challenging, but Illumio can help. We can visualize your data center and cloud, and we can do it without needing to install anything. We can build your relationship graph, work with you to develop a segmentation strategy that makes sense for your environment, and then we can help you implement it. If you'd like to get started, go to www.illumio.com for more information. Or, better yet, contact us for a live demo.

About Illumio

Illumio, recently named to the CNBC Disruptor 50 list, stops cyber threats by controlling the lateral movement of unauthorized communications through its breakthrough adaptive segmentation technology. The company's Adaptive Security Platform visualizes application traffic and delivers continuous, scalable, and dynamic policy and enforcement to every bare-metal server, VM, container, and VDI within data centers and public clouds. Using Illumio, enterprises such as Morgan Stanley, Plantronics, Salesforce, King Entertainment, NetSuite, Oak Hill Advisors, and Creative Artists Agency have achieved secure application and cloud migration, environmental segmentation, compliance, and high-value application protection from breaches and threats with no changes to applications or infrastructure. For more information, visit www.illumio.com or follow @Illumio. Illumio Adaptive Security Platform and Illumio ASP are trademarks of Illumio, Inc. All rights reserved.