Perimeter

12/29/2017
10:30 AM
Dave Klein
Dave Klein
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Avoiding Micro-Segmentation Pitfalls: A Phased Approach to Implementation

Micro-segmentation is very achievable. While it can feel daunting, you can succeed by proactively being aware of and avoiding these roadblocks.

It's official: micro-segmentation has become "a thing." Enterprise security experts are declaring that 2018 is the year they are going to do it, and do it right. The irreversible movement of critical workloads into virtualized, hybrid cloud environments demands it. Audits and industry compliance requirements make it imperative. News stories of continued data center breaches, in which attackers have caused severe brand and monetary damage, validate it.

Customers tell us (and independent studies confirm) that east-west data center traffic now accounts for most enterprise traffic — as much as 77% by some estimates. As a result, traditional network and host-based security, even when virtualized, doesn't provide the visibility, security controls, or protection capabilities to secure what has become the largest attack surface of today's enterprise computing environments. Furthermore, point solutions offered by cloud and premises vendors come up short and add layers of complexity most enterprises can't afford.

Attackers know this and are exploiting it. (The recent Equifax breach is a prime example.) Today's attacks are not only for direct gain, but are often launched to covertly harness portions of an enterprise's compute power to commit other crimes. We've seen a shift from "bot-herding" tens of thousands of individual end user computing resources to targeted direct attacks on hybrid cloud data centers, whose compute power far exceeds that acquired by traditional means. Not only is it easier, but hijackers can accomplish their ends more quickly and efficiently in a hybrid environment, given the dearth of native security controls and the average length of dwell time before detection.

Security is ultimately — and contractually — a shared responsibility between the provider and the user. Enterprises must shift their attention from intrusion prevention to securing the workloads and applications themselves.

The Micro-Segmentation Dilemma
In view of this sense of urgency, and agreement that micro-segmentation solves this problem, why is it such a daunting challenge? In conversations with people at dozens of organizations that have tried to implement micro-segmentation, we've uncovered some of the more common pitfalls.

Lack of visibility: Without deep visibility into east-west data center traffic, any effort to implement micro-segmentation is thwarted. Security professionals dealing with this blind spot must rely on long analysis meetings, traffic collection, and manual mapping processes. Too many efforts lack process-level visibility and critical contextual orchestration data. The ability to map out application workflows at a very granular level is necessary to identify logical groupings of applications for segmentation purposes.

All-or-nothing segmentation paralysis: Too often, executives think they need to micro-segment everything decisively, which leads to fears of disruption. The project looks too intimidating, so they never begin. They fail to understand that micro-segmentation must be done gradually, in phases.

Layer 4 complacency: Some organizations believe that traditional network segmentation is sufficient. But ask them, “When was the last time your perimeter firewalls were strictly Layer 4 port forwarding devices?” Attacks over the last 15 years often include port hijacking – taking over an allowed port with a new process for obfuscation and data exfiltration. Layer 4 approaches, typical of most point solutions, amount to under-segmentation. They do not adequately limit attack surfaces in dynamic infrastructures where workloads are communicating and often migrating across segments. Attackers exploit open ports and protocols for lateral movement. Effective micro-segmentation must strike a balance between application protection and business agility, delivering strong security without disrupting business-critical applications.

Lack of multi-cloud convergence: The hybrid cloud data center adds agility through autoscaling and mobility of workloads. However, it is built on a heterogeneous architectural base. Each cloud vendor may offer point solutions and security group methodologies that focus on its own architecture, which can result in unnecessary complexity. Successful micro-segmentation requires a solution that works in a converged fashion across the architecture. A converged approach can be implemented more quickly and easily than one that must account for different cloud providers’ security technologies.

Inflexible policy engines: Point solutions often have poorly thought-out policy engines. Most include "allow-only" rule sets. Most security professionals would prefer to start with a "global-deny" list, which establishes a base policy against unauthorized actions across the entire environment. This lets enterprises demonstrate a security posture directly correlated with compliance standards they must adhere to, such as HIPAA. 

Moreover, point solutions usually don't allow policies to be dynamically provisioned or updated when workflows are autoscaled, services expand or contract, or processes spin up or down — a key reason enterprises are moving to hybrid cloud data centers. Without this capability, micro-segmentation is virtually impossible. 

Given these obstacles, it's understandable why most micro-segmentation projects suffer from lengthy implementation cycles, cost overruns, and excessive demands on scarce security resources, and fail to achieve their goals. So, how can you increase your chances of success?

Winning Strategies for Successful Micro-Segmentation
Done right, micro-segmentation is very achievable. It starts with discovery of your applications and visually mapping their relationships. With proper visibility into your entire environment, including network flows, assets, and orchestration details from the various platforms and workloads, you can more easily identify critical assets that can logically be grouped via labels to use in policy creation. Process-level (Layer 7) visibility accelerates your ability to identify and label workflows, and to implement micro-segmentation successfully at a deeper, more effective level of protection.

Converged micro-segmentation strategies that work seamlessly across your entire heterogeneous environment, from on premises to the cloud, will simplify and accelerate the rollout. When a policy can truly follow the workload, regardless of the underlying platform, it becomes easier to implement and manage, and delivers more effective protection. 

Autoscaling is one of the major features of the new hybrid cloud terrain. The inherent intelligence to understand and apply policies to workloads as they dynamically appear and disappear is key. 

Finally, take a gradual, phased approach. Start with applications that need to be secured for compliance. Which assets are most likely to be targets of attackers? Which are most vulnerable to compute hijacking? Create policies around those groups first. Over time, you can gradually build out increasingly refined policies down to the micro-service, process-to-process level. 

Related Content:

Dave Klein is Regional Director of Sales Engineering & Architecture at GuardiCore. He has over 20 years of experience working with large organizations in the design and implementation of security solutions across very large scale data center and cloud environments. At ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Facebook Aims to Make Security More Social
Kelly Sheridan, Associate Editor, Dark Reading,  2/20/2018
SEC: Companies Must Disclose More Info on Cybersecurity Attacks & Risks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  2/22/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.