A guest blog, by Milton Keath, of Guardicore:
With the details of hacks like Colonial Pipeline coming out, we are seeing the need for dialogue on new ideas. That is why I am writing this blog on Micro-Segmentation in the Real World – a zero trust story.
Zero Trust has been discussed and defined in many ways. Most of us know that the zero trust story states that the old concept of perimeter-only security (e.g. firewalls, VPNs) is no longer relevant or effective in today’s IT world.
Today we have resources and users on “both sides of the fence”. To misquote “The Matrix” – “there is no fence”. Thus we have to establish trust not only at the “entry” of our enterprise, but re-establish it at every point.
That’s what Zero Trust is – creating an architecture that re-establishes trust at as many key connecting points as possible.
But what is micro-segmentation?
Micro-segmentation is an emerging security best practice that offers a number of advantages over more established approaches like network segmentation and application segmentation. The added granularity that micro-segmentation offers is essential at a time when many organizations are adopting cloud services and new deployment options like containers that make traditional perimeter security less relevant.
Micro-segmentation policies can take many forms, including controls based on environment type, regulatory scope, application, user identity, and infrastructure tier. Micro-segmentation also makes it possible to apply the principle of least privilege more extensively in data center and cloud environments, providing a more effective defense posture than traditional network-layer controls alone.
How does Micro-Segmentation relate to Zero Trust?
Micro-segmentation helps you create what Forrester calls microperimeters around specific applications. In essence, micro-segmentation allows you to create secure enclaves, bastion hosts or DMZs around a single workload. Simply put, micro-segmentation creates and enforces small segments of control around sensitive data and applications, which in turn reduces your attack surface and improves your security posture. The result is a least-privilege network policy in which permissions are only assigned on the basis of ‘Never trust – always verify.’ This does not stop at users alone; it applies to applications and even to the data itself.
You then need to continuously review the need for access and audit everything. Rather than simply collecting data and manually reviewing all the logs, you use tools such as Guardicore Centra and YouAttest to monitor and review automatically and to generate alerts and reports where necessary.
How do I make Micro-Segmentation work with the Real World, my AD?
Active Directory (AD) is still the most utilized “user store of record” for most enterprises. It contains not only the users and their credentials, but also the grouping of these users.
Thus these groupings, following the best practices Microsoft cites, should be used to classify users and authorize their access.
The vast majority of attacks come from misuse of credentials, so your user identity access management strategy needs to be second to none. Most breaches are an inside job. You don’t need a disgruntled employee; all you need is one instance of credential theft, and a flat network that’s easy to leverage for lateral movement within your enterprise. The Zero Trust framework for user identity follows the same logic as it does when securing networks and data, ‘never trust, always verify.’ Here’s how we’ve integrated this mentality into Guardicore Centra.
Guardicore Centra’s micro-segmentation solution can isolate user interactions. Using Active Directory group membership, user access is limited to certain servers and applications via specific ports, processes and FQDNs. This access control can be enforced between workloads in the same segment of the network, and intelligent micro-segmentation even allows for simultaneous connections from the same server/jump box.
Real-World Example of How Micro-Segmentation Improved Security:
Ransomware attacks such as the Darkside attack on the Colonial Pipeline can be prevented, and quickly recovered from. Last August I was doing a Proof of Value test with one of the very first companies to get hit by the Darkside ransomware. The division that was testing Guardicore did not get hit, as Guardicore’s micro-segmentation policy prevented Darkside from taking a foothold in that division. The prospect immediately used the Guardicore POV to help respond and recover their other divisions in 1.5 days.
I always say if I’m only allowed to hack one server it would be the patch management server, as it has privileged rights throughout the enterprise. Enterprises can use Guardicore’s Centra to limit access to known trusted sources to get updates from with FQDN policy. The SolarWinds hack went after this type of trust to try and infiltrate organizations. SolarWinds the company was hacked and their distribution binary was modified. Companies that had limited their SolarWinds Orion servers to get updates only from Solarwinds.com still downloaded the modified binaries.
But one of the first things that the modified distribution did was to reach out to other domains to download malicious software. The FQDN policy prevented the additional software from being downloaded. Customers that did not have an FQDN policy in place, but still had a Zero Trust micro-segmentation policy enforced at the layer 7 process level, were still protected. Those customers still downloaded the additional malicious software, but the layer 7 enforcement policy only allowed solarwindsorion.exe to run and prevented the lateral movement of the additional processes.
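The two enforcement modes described above (an FQDN allow-list, and a layer 7 process-level allow-list with no FQDN restriction), plus the AD-group rule from the jump box section, as an added illustrative model. This is not Guardicore Centra’s policy engine or its rule format; all host, process and group names other than solarwindsorion.exe and solarwinds.com are constructed for the example.

```python
# Hypothetical policy model (not Guardicore Centra's): each segment is
# default-deny, and the first matching rule decides. Every name below
# except solarwindsorion.exe / solarwinds.com is constructed sample data.
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional

@dataclass(frozen=True)
class Rule:
    process: str          # glob on the originating executable name
    dest: str             # glob on the destination FQDN
    port: Optional[int]   # None matches any port
    action: str           # "allow" or "deny"
    ad_group: str = "*"   # glob on the AD group of the logged-on user

@dataclass(frozen=True)
class Flow:
    process: str
    dest: str
    port: int
    ad_group: str = ""

def evaluate(rules, flow):
    """First matching rule wins; no match means deny (default-deny segment)."""
    for r in rules:
        if (fnmatch(flow.process.lower(), r.process.lower())
                and fnmatch(flow.dest.lower(), r.dest.lower())
                and (r.port is None or r.port == flow.port)
                and fnmatch(flow.ad_group, r.ad_group)):
            return r.action, r
    return "deny", None

# Mode 1: FQDN policy - the Orion process may only fetch updates from the vendor host.
FQDN_POLICY = [Rule("solarwindsorion.exe", "*.solarwinds.com", 443, "allow")]

# Mode 2: no FQDN restriction, but only the Orion process may open connections at all.
PROCESS_POLICY = [Rule("solarwindsorion.exe", "*", None, "allow")]

# AD-group rule from the jump box section: only Patch-Admins may RDP to the patch server.
ADMIN_POLICY = [Rule("mstsc.exe", "patchsrv01.corp.example", 3389, "allow", "Patch-Admins")]

# Constructed sample flows observed on the patch management server.
VENDOR_UPDATE = Flow("SolarWindsOrion.exe", "downloads.solarwinds.com", 443)
SECOND_STAGE  = Flow("SolarWindsOrion.exe", "stage2.example.invalid", 443)
LATERAL_SMB   = Flow("unknown_stage2.exe", "fileserver01.corp.example", 445)

def decisions(rules):
    """Decisions for the three sample flows, in order."""
    return [evaluate(rules, f)[0] for f in (VENDOR_UPDATE, SECOND_STAGE, LATERAL_SMB)]
```

Under FQDN_POLICY the second-stage download is blocked outright; under PROCESS_POLICY it succeeds but the dropped process cannot reach the file server, which is the lateral-movement outcome the text describes.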
Guardicore – the only choice for a Zero Trust Micro-Segmentation:
As I stated above, ransomware attacks such as the one that hit the Colonial Pipeline can easily be prevented. Unlike traditional endpoint solutions that detect after the fact, Guardicore’s Software Defined Segmentation platform stops attacks earlier in the cyber kill chain through prevention.
When it comes to segmentation vendors, Guardicore, the company, is an actual security company and not just a product company. Guardicore Labs performs both industry and academic security research. Guardicore offers a free open-source breach and attack simulation tool called Infection Monkey that maps to the Forrester Zero Trust eXtended framework. Guardicore Labs publicly publishes in-depth write-ups on ransomware and security issues that it discovers, and offers a free threat intelligence feed. These are some of the ways Guardicore gives back to the security community; they also inform its understanding as it builds the leading segmentation solution.
In Summary: Five Steps to Zero Trust
Guardicore Centra is a Software Defined Segmentation Platform that is the only holistic segmentation solution. It offers visualization, prevention, detection, response, and recovery features and services that no other segmentation vendor offers. Unlike the overpriced orchestration segmentation solutions that are just fancy UIs for native OS functionality, Guardicore scales not only to large enterprises but also to large policies, at sizes where products that rely on the native OS firewalls start to degrade performance exponentially. Guardicore Centra requires zero changes to your networks or applications and can be used to implement Zero Trust principles with zero outages or disruptions.
Milton Keath, CISSP, GCEH is Sr. Sales Engineer for Guardicore. Milton is a Microsoft-certified engineer with over 25 years of experience in enterprise-grade identity and security deployments.
Register for the YouAttest/Guardicore webinar, Micro-Segmentation for Zero Trust Security and Compliance. YouAttest is the only cloud-based IGA platform that deploys in minutes to conduct access reviews. YouAttest has a dedicated AD attestation and can be used in conjunction with Guardicore in a Zero Trust environment.