
Risk | Commentary
10/5/2015 10:45 AM
TK Keanini

Segmentation: A Fire Code For Network Security

New technologies like software-defined segmentation are making it easier to prevent a compromise from spreading by separating users and network resources into zones.

Cybersecurity panic seems to be on the rise in 2015. Hacked cars, compromised healthcare records and one of the largest breaches in U.S. history have left many people wringing their hands in anxiety.

This scenario reminds me of the reactions to the large fires of the industrial revolution and the changes that happened afterward. In 1871 a fire broke out in Chicago, America’s fastest growing city at the time. Aided by high winds, the fire jumped from building to building until roughly one third of the city was destroyed. The event received immense media attention, and large-scale fires would later affect other urban centers such as London and Boston.

At the time, many criticized the rush to industrialize or blamed the catastrophe on divine retribution for a lack of morality – sound familiar? Despite the panic, the ultimate solution to the problem was constructing buildings a little farther from each other, utilizing flame-resistant materials and implementing quick response to fires. Fire codes are meant to create an environment that limits the spread of a fire, and the concept is equally effective when applied to network security.

In many networks, there is little stopping an attacker from accessing everything once they are inside. Like a fire, they spread from area to area until nothing is left and all of the data is compromised. Network segmentation is akin to bringing your network up to code. By separating users and network resources into separate zones, it prevents a compromise from spreading. And just as the invention of automatic sprinklers and quick response systems made firefighting more effective, new technologies are making segmentation easier, smarter and more dynamic.

A new era of segmentation

In an unsegmented network, everyone can access everything. Engineers can access financial records, legal can access proprietary technology, and even third-party contractors are sometimes given complete system access. While this may be convenient from an employee standpoint, it is a nightmare for security teams. All attackers have to do is subvert perimeter defenses – something they have become incredibly skilled at – and they have access to everything and the kitchen sink.

Network segmentation has been around for a long time, but many organizations have forgone implementing it because traditional methods have some key shortcomings. The main challenge of conventional network segmentation is that it is impractical to implement and maintain in large corporate environments. Traditionally, it requires the maintenance of extensive access control lists, which have to be updated across many different points of enforcement whenever a change occurs. In networks with thousands of users and multiple environments, such as the cloud and specialized IoT networks, this quickly becomes nearly impossible to manage.

Also, traditional segmentation offers no practical way to monitor the effectiveness of policies. Identifying a misconfigured policy that allows traffic between zones that should be separated is difficult, and adjusting it is time-consuming.

Software-defined segmentation has come a long way to address these issues. By abstracting access control and assigning it to user and machine identity information, instead of ever-changing IP addresses, management is much more intuitive and responsive. In addition, centralizing policy management and automatically pushing updates to all points of enforcement drastically reduces maintenance time and maintains policy integrity networkwide. Software-defined segmentation is better suited to controlling access in virtualized and cloud environments as well.

Every segment traversed is an opportunity to monitor and govern traffic. Having tools to model, validate and then segment the way your organization actually operates is the practice that will carry network design and operations from the past into the future; it amounts to a new methodology.

New segmentation needs new methodology

Even with all of the advantages of software-defined segmentation, there still exists the problem of intelligently crafting segmentation policies. Improperly designed policies can create security risk or cripple business functions by denying legitimate insiders access to critical resources.

To take full advantage of software-defined segmentation, a smart implementation and maintenance methodology is needed. Security architects can utilize the process of active segmentation to ensure proper segmentation is maintained without disruption to day-to-day business.

Like all great approaches to cybersecurity, active segmentation is a cyclical process that involves observation, orientation and adaptation to changing circumstances and environments. When used properly, active segmentation consists of:

  • Inventorying network assets and classifying them based on role or function
  • Gaining insight into user behavior and interactions on the network
  • Intelligently designing segmentation policies based on those insights
  • Enforcing the policies
  • Continuously evaluating policy effectiveness
  • Adjusting policies where necessary

One of the prerequisites of active segmentation is end-to-end network visibility. Without the ability to monitor network behavior and identify traffic patterns, crafting an effective segmentation plan is simply too difficult. You need to be able to inventory network assets and understand how users interact with them to avoid creating improper segmentation policies.

Using network visibility and monitoring tools, active segmentation provides two primary benefits:

First, administrators can model segmentation policies before implementing them. As users continue to operate normally on the network, any violation of proposed segmentation policies will trigger an alarm. This way, administrators can identify any business disruptions that might occur and adjust the model accordingly, which in turn makes the implementation of segmentation smoother.

Second, continuing to monitor the model allows for continuous evaluation of policy effectiveness. If a user violates intended segmentation, alerts are triggered and administrators can investigate and reconfigure the policy as necessary. New network hosts and systems can also be quickly identified and assigned the appropriate privileges. This approach ensures segmentation is properly maintained as the network grows and changes.
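The active segmentation loop above (inventory by role, model the policy, alert on violations before enforcing, flag new hosts) can be sketched as a small monitor-mode evaluator. This is an added illustration, not code from the article or from Lancope; the inventory, zone policy and flow records are constructed sample data, and the role names and port numbers are assumptions.

```python
from collections import Counter

# Constructed inventory: address -> role. Policy is keyed on the role, not the
# address, so a host that changes IP keeps its policy (the identity-based model).
INVENTORY = {
    "10.0.1.10": "eng-workstation", "10.0.1.11": "eng-workstation",
    "10.0.2.20": "finance-workstation", "10.0.9.5": "contractor-laptop",
    "10.0.50.7": "source-control", "10.0.60.3": "finance-db", "10.0.70.9": "dns-resolver",
}

# Proposed zone policy, not yet enforced: (src role, dst role) -> permitted ports.
# Anything not listed is a violation of the model; "*" matches any source role.
POLICY = {
    ("eng-workstation", "source-control"): {22, 443},
    ("finance-workstation", "finance-db"): {5432},
    ("*", "dns-resolver"): {53},
}

def role_of(addr, inventory=INVENTORY):
    # Hosts missing from the inventory surface as "unclassified" so they get a role assigned.
    return inventory.get(addr, "unclassified")

def is_allowed(src, dst, dport, inventory=INVENTORY, policy=POLICY):
    """Evaluate one observed flow (src addr, dst addr, dst port) against the role model."""
    s, d = role_of(src, inventory), role_of(dst, inventory)
    return any(dport in policy.get(key, ()) for key in ((s, d), ("*", d)))

def model_violations(flows, inventory=INVENTORY, policy=POLICY):
    """Monitor mode: count flows the proposed policy would block, grouped by
    (src role, dst role, port), so business disruptions show up before enforcement."""
    alerts = Counter()
    for src, dst, dport in flows:
        if not is_allowed(src, dst, dport, inventory, policy):
            alerts[(role_of(src, inventory), role_of(dst, inventory), dport)] += 1
    return alerts

# Constructed flow records standing in for observed traffic (src, dst, dst port).
OBSERVED = [
    ("10.0.1.10", "10.0.50.7", 22),    # engineer -> source control over SSH: allowed
    ("10.0.1.11", "10.0.60.3", 5432),  # engineer -> finance DB: violation (zone)
    ("10.0.2.20", "10.0.60.3", 5432),  # finance -> finance DB: allowed
    ("10.0.2.20", "10.0.60.3", 22),    # finance -> finance DB over SSH: violation (port)
    ("10.0.9.5", "10.0.50.7", 443),    # contractor -> source control: violation (zone)
    ("10.0.9.5", "10.0.70.9", 53),     # contractor -> DNS: allowed via wildcard rule
    ("10.0.99.1", "10.0.60.3", 5432),  # unclassified host -> finance DB: violation, new asset
]

if __name__ == "__main__":
    for (s, d, port), n in sorted(model_violations(OBSERVED).items()):
        print(f"ALERT {s} -> {d}:{port} observed {n}x; would be blocked by the proposed policy")
```

Each alert line is a candidate business disruption to review, or an unclassified host to add to the inventory, before the same policy is pushed to the enforcement points.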

Bring your network up to code

As the threat landscape continues to evolve, network defenders need to give themselves as much leeway as possible. Similar to modern fire prevention, you cannot stop an event from ever happening, but the right amount of preparation can keep a small house fire from burning down the rest of the city.

Network segmentation has always been an important defensive measure, but it wasn't until recent technologies were developed that it could be effectively deployed in large enterprise networks. Software-defined segmentation facilitates adaptive segmentation in large environments, but it doesn't get rid of the guesswork. Instead of designing policies based on intuition alone, security architects should utilize active segmentation to ensure their policies are crafted intelligently, based on real-world observation and monitored for effectiveness.

Just as fire codes help prevent catastrophes, active segmentation can severely limit the reach of a breach and improve an organization’s security posture.

TK Keanini brings nearly 25 years of network and security experience to the CTO role. He is responsible for leading Lancope's evolution toward integrating security solutions with private and public cloud-based computing platforms. TK is also responsible for developing the ...