Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

12/29/2017
10:30 AM
Dave Klein
Dave Klein
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Avoiding Micro-Segmentation Pitfalls: A Phased Approach to Implementation

Micro-segmentation is very achievable. While it can feel daunting, you can succeed by proactively being aware of and avoiding these roadblocks.

It's official: micro-segmentation has become "a thing." Enterprise security experts are declaring that 2018 is the year they are going to do it, and do it right. The irreversible movement of critical workloads into virtualized, hybrid cloud environments demands it. Audits and industry compliance requirements make it imperative. News stories of continued data center breaches, in which attackers have caused severe brand and monetary damage, validate it.

Customers tell us (and independent studies confirm) that east-west data center traffic now accounts for most enterprise traffic — as much as 77% by some estimates. As a result, traditional network and host-based security, even when virtualized, doesn't provide the visibility, security controls, or protection capabilities to secure what has become the largest attack surface of today's enterprise computing environments. Furthermore, point solutions offered by cloud and premises vendors come up short and add layers of complexity most enterprises can't afford.

Attackers know this and are exploiting it. (The recent Equifax breach is a prime example.) Today's attacks are not only for direct gain, but are often launched to covertly harness portions of an enterprise's compute power to commit other crimes. We've seen a shift from "bot-herding" tens of thousands of individual end user computing resources to targeted direct attacks on hybrid cloud data centers, whose compute power far exceeds that acquired by traditional means. Not only is it easier, but hijackers can accomplish their ends more quickly and efficiently in a hybrid environment, given the dearth of native security controls and the average length of dwell time before detection.

Security is ultimately — and contractually — a shared responsibility between the provider and the user. Enterprises must shift their attention from intrusion prevention to securing the workloads and applications themselves.

The Micro-Segmentation Dilemma
In view of this sense of urgency, and agreement that micro-segmentation solves this problem, why is it such a daunting challenge? In conversations with people at dozens of organizations that have tried to implement micro-segmentation, we've uncovered some of the more common pitfalls.

Lack of visibility: Without deep visibility into east-west data center traffic, any effort to implement micro-segmentation is thwarted. Security professionals dealing with this blind spot must rely on long analysis meetings, traffic collection, and manual mapping processes. Too many efforts lack process-level visibility and critical contextual orchestration data. The ability to map out application workflows at a very granular level is necessary to identify logical groupings of applications for segmentation purposes.

All-or-nothing segmentation paralysis: Too often, executives think they need to micro-segment everything decisively, which leads to fears of disruption. The project looks too intimidating, so they never begin. They fail to understand that micro-segmentation must be done gradually, in phases.

Layer 4 complacency: Some organizations believe that traditional network segmentation is sufficient. But ask them, “When was the last time your perimeter firewalls were strictly Layer 4 port forwarding devices?” Attacks over the last 15 years often include port hijacking – taking over an allowed port with a new process for obfuscation and data exfiltration. Layer 4 approaches, typical of most point solutions, amount to under-segmentation. They do not adequately limit attack surfaces in dynamic infrastructures where workloads are communicating and often migrating across segments. Attackers exploit open ports and protocols for lateral movement. Effective micro-segmentation must strike a balance between application protection and business agility, delivering strong security without disrupting business-critical applications.

Lack of multi-cloud convergence: The hybrid cloud data center adds agility through autoscaling and mobility of workloads. However, it is built on a heterogeneous architectural base. Each cloud vendor may offer point solutions and security group methodologies that focus on its own architecture, which can result in unnecessary complexity. Successful micro-segmentation requires a solution that works in a converged fashion across the architecture. A converged approach can be implemented more quickly and easily than one that must account for different cloud providers’ security technologies.

Inflexible policy engines: Point solutions often have poorly thought-out policy engines. Most include "allow-only" rule sets. Most security professionals would prefer to start with a "global-deny" list, which establishes a base policy against unauthorized actions across the entire environment. This lets enterprises demonstrate a security posture directly correlated with compliance standards they must adhere to, such as HIPAA. 

Moreover, point solutions usually don't allow policies to be dynamically provisioned or updated when workflows are autoscaled, services expand or contract, or processes spin up or down — a key reason enterprises are moving to hybrid cloud data centers. Without this capability, micro-segmentation is virtually impossible. 

Given these obstacles, it's understandable why most micro-segmentation projects suffer from lengthy implementation cycles, cost overruns, and excessive demands on scarce security resources, and fail to achieve their goals. So, how can you increase your chances of success?

Winning Strategies for Successful Micro-Segmentation
Done right, micro-segmentation is very achievable. It starts with discovery of your applications and visually mapping their relationships. With proper visibility into your entire environment, including network flows, assets, and orchestration details from the various platforms and workloads, you can more easily identify critical assets that can logically be grouped via labels to use in policy creation. Process-level (Layer 7) visibility accelerates your ability to identify and label workflows, and to implement micro-segmentation successfully at a deeper, more effective level of protection.

Converged micro-segmentation strategies that work seamlessly across your entire heterogeneous environment, from on premises to the cloud, will simplify and accelerate the rollout. When a policy can truly follow the workload, regardless of the underlying platform, it becomes easier to implement and manage, and delivers more effective protection. 

Autoscaling is one of the major features of the new hybrid cloud terrain. The inherent intelligence to understand and apply policies to workloads as they dynamically appear and disappear is key. 

Finally, take a gradual, phased approach. Start with applications that need to be secured for compliance. Which assets are most likely to be targets of attackers? Which are most vulnerable to compute hijacking? Create policies around those groups first. Over time, you can gradually build out increasingly refined policies down to the micro-service, process-to-process level. 

Related Content:

Dave Klein is Regional Director of Sales Engineering & Architecture at GuardiCore. He has over 20 years of experience working with large organizations in the design and implementation of security solutions across very large scale data center and cloud environments. At ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-13545
PUBLISHED: 2019-10-18
In Horner Automation Cscape 9.90 and prior, improper validation of data may cause the system to write outside the intended buffer area, which may allow arbitrary code execution.
CVE-2019-13541
PUBLISHED: 2019-10-18
In Horner Automation Cscape 9.90 and prior, an improper input validation vulnerability has been identified that may be exploited by processing files lacking user input validation. This may allow an attacker to access information and remotely execute arbitrary code.
CVE-2019-17367
PUBLISHED: 2019-10-18
OpenWRT firmware version 18.06.4 is vulnerable to CSRF via wireless/radio0.network1, wireless/radio1.network1, firewall, firewall/zones, firewall/forwards, firewall/rules, network/wan, network/wan6, or network/lan under /cgi-bin/luci/admin/network/.
CVE-2019-17393
PUBLISHED: 2019-10-18
The Customer's Tomedo Server in Version 1.7.3 communicates to the Vendor Tomedo Server via HTTP (in cleartext) that can be sniffed by unauthorized actors. Basic authentication is used for the authentication, making it possible to base64 decode the sniffed credentials and discover the username and pa...
CVE-2019-17526
PUBLISHED: 2019-10-18
** DISPUTED ** An issue was discovered in SageMath Sage Cell Server through 2019-10-05. Python Code Injection can occur in the context of an internet facing web application. Malicious actors can execute arbitrary commands on the underlying operating system, as demonstrated by an __import__('os').pop...