
The Definitive Guide to Choosing a Micro-Segmentation Solution WHITE PAPER


As IT environments get more complex and dynamic, isolating communication flows through micro-segmentation is essential. Micro-segmentation gives your business granular workload-based security and unparalleled process-level visibility over your operations, reducing the risk of attack and improving governance over your entire IT stack. On top of this, having a full understanding of your infrastructure puts you in a better position to achieve regulatory compliance, and has immense strategic value. It allows your company to safely innovate through Cloud technologies and build flexible yet secure rules-based policy into every element of your architecture.

As micro-segmentation grows in popularity, there are a number of options to choose from for your security operations, from the vendors themselves to the tools and processes they offer. Let’s break it down. What are the essential elements to consider before you make your choice, and what are the must-haves for micro-segmentation in order to make it simple to truly reap the rewards?

In this guide we will look at:

• Visibility through application discovery and dependency mapping

• Ensuring your solution is platform agnostic

• Setting up simple policy management/workflows with a logical and straightforward UI

• How to avoid under-segmentation with Layer 7 insight

• Including threat detection and breach response

• Choosing the right provider, and avoiding the trap of ‘all or nothing’ micro-segmentation

Visibility through Application Discovery and Dependency Mapping

Strong micro-segmentation cannot exist without strong visibility. Many micro-segmentation solutions aren’t up to the challenge, lacking process-level visibility or the ability to look at data contextually. They might rely on traditional network visibility, or manual mapping, which is not enough. The lack of visibility at a granular application level means that it’s impossible to identify and map out segmentations for applications, workloads, or users, because you can’t truly visualize the difference between sanctioned and unsanctioned behaviors or assess application dependencies.

Data collection and manually mapping processes take time and effort and are increasingly difficult in today’s large data center and hybrid cloud environments. With tens of thousands of workloads and hundreds of thousands of assets to consider, manual mapping will soon be obsolete. It is already inefficient and subject to human error, making it unsustainable for the companies who continue to use it. Additionally, without context for your mapping, you’ll need to undertake lengthy analysis before any real decisions can be made on application workflows. The right solution makes this seamless, so that micro-segmentation is quick to implement and efficient.

Moreover, even process-level visibility becomes irrelevant if you don’t have access to a real-time view. A static snapshot of your application, even in granular detail, cannot accurately display the dynamic and fast-paced nature of the hybrid environments we work in today. Simply put, without true real-time visualization at process level, IT and security professionals are plagued with blind spots.

This is why your micro-segmentation solution should offer application visibility and dependency mapping as standard. A live map of all the components in your application, from services and ports to communications and underlying processes, gives you a real-time view of your architecture. It should import the relevant metadata to generate asset labels automatically, and be able to work at scale, across all environments and infrastructures. Your solution should then be able to suggest segmentation rules based on observing real-time behavior, adapting as necessary. With this granular visibility, all the hard work is taken off your hands entirely.

Ensuring Your Workload Micro-Segmentation is Platform-Agnostic

Keeping your security procedures independent of any particular platform is essential if you are running a multi-cloud or hybrid environment. The benefits of using a combination of public and private cloud options, IaaS or SaaS solutions are growing. Businesses increasingly have a mix of servers, virtual machines, and new Cloud technology such as containers making up the architecture of their IT systems. With this growing intricacy of operations, it can be difficult to find adequate visibility, and even to understand who is responsible for security measures and how to deploy these across such a complex IT environment. By employing one platform-agnostic solution for security and micro-segmentation, including enforcement up to Layer 7, the complexity of your security does not have to become overwhelming, and you can take advantage of new and exciting cross-platform opportunities.

When it comes to public Cloud operations, each vendor might offer its own point solutions dedicated to its architecture alone. This is not just time consuming to manage, but also gives a poorer standard of support than you might realize. Despite the fact that outsourcing security is one of the reasons many businesses make the move to the Cloud, the standard level of security on offer is usually inadequate to say the least. While the benefits of being able to auto-scale and add mobility and flexibility are powerful, native cloud security controls can be limited to certain areas. The security controls can also struggle with dynamic policy setting, even if you are only using one Cloud platform. As workloads scale up or down, security controls may not be updated or modified adequately. It can be difficult to understand who has responsibility for important security decisions, or who should be staying on top of updates or patches. Without the application layer visibility, and with a model of shared security, blind spots are inevitable. Your business is left in the dark, struggling to identify and secure its own assets successfully.

Being able to deploy one solution that works across the entire IT stack doesn’t just allow you to implement micro-segmentation effectively. This approach is also significantly quicker and easier to track and manage than multiple disparate security protocols. It also provides a targeted focus and a tailored platform-agnostic solution for your specific business goals and security requirements. In contrast, the cloud vendor is reasonably going to have their own needs front and center, which may not be aligned to your unique challenges, and almost certainly isn’t working to support threat detection for your business first and foremost.

Ensuring your solution is platform-agnostic, and deploying micro-segmentation by workload, means that as workloads move across varied and dynamic environments, security protocols stay aligned and persistent right alongside them. This is all without putting the responsibility on your IT security team to manage multiple policies or SLAs.

Setting Up Simple Policy Management and Workflows

For many organizations, the success of your micro-segmentation solution will hinge upon your policy engine. It’s essential that your provider keeps it simple enough that anyone in your company can understand and manage your policy creation. A simple and straightforward UI should be logical all the way from the first stage in the process to the execution of your full segmentation plan. It should be able to show you in detail the impact of your rules and policy before they are applied to traffic. Your company needs visibility through the entire process, getting insight into the journey from a blank page through to mapping and application dependencies all the way to setting the rules themselves and seeing the benefits in action. This UI should include built-in automated policy suggestions that can show product expertise and help make the process seamless from beginning to end.

Well-crafted policy creation won’t make you give up on flexibility to ensure security. Many point solutions include ‘allow-only’ rule sets, which are limited to say the least. In order to set up an effective security posture for your environment, you need to be able to enforce global-deny rules that take priority over all other rule sets. In this way, you can define unauthorized actions, for example stopping a workload with a particular label from accessing the internet at all. For areas like compliance and regulatory assessments, for PCI or HIPAA for example, this makes your security professional’s workload a whole lot easier. At the same time as establishing these types of ‘macro-segmentation’ rules, you should be able to create explicit granular policy through micro-segmentation for the same application segments.

Before you determine your solution, take some time to ensure that your choice is flexible enough. You want to be able to view and govern your environment exactly the way you choose. Examples for micro-segmentation include segmenting by Type of environment (such as development or production), Regulatory sensitivity (PCI, HIPAA etc.), Application (HR, CRM, domain controller, billing), Tier or Role (this could include database, application server, web server etc.) and Process (hosts, ports).


Once this is established, your policy engine must allow for dynamic provision and adaptability when changes occur. From workflows that auto-scale to services that expand or contract, IT environments are never static, and are increasingly dynamic. If your policy engine doesn’t adapt, micro-segmentation cannot occur.

Some features to check that your provider includes are:

• The flexibility to set custom, highly specific compliance-based rules

• Dynamic labeling as workflows scale up or down

• Multiple workloads can share labels and therefore policy

• Segmentation policies that are able to be tuned and converted to blocking policies with ease

• Blocking policies that do not influence or affect legitimate traffic, ensuring there isn’t disruption to business-critical processes

• A policy engine that can proactively limit lateral movement in case of a breach

How to Avoid Under-Segmentation with Layer 7 Insight

Traditional network segmentation is not enough when you consider the diverse ecosystem in which most businesses build their IT infrastructure today. While network segmentation focuses on managing a complex environment, micro-segmentation looks at optimal security. Rather than try to limit the dynamic workloads, the right solution can simply make them safer from the outset. Old-fashioned security procedures might need you to keep your IT environment as simple as possible, encouraging you to shy away from new opportunities, as they come with unknown risk. With micro-segmentation, visibility and tight workload-based segmentation mean the risk is always under control, allowing you to embrace agility and innovation without compromising on security.

In order for this to work, your business needs to ensure that it isn’t under-segmenting, and that it is managing communication flows all the way to Layer 7. Port hijacking has become a common threat, with breaches known to take over an allowed port for data exfiltration. Given this reality, Layer 4 approaches, which focus only on the transport layer, are the equivalent of a bank that doesn’t employ guards once you get past the front door. Although this might have been sufficient in the past, attackers have more tools at their disposal than ever before. It’s becoming increasingly easy for attackers to gain access through your perimeter. When they do, you’re leaving them to show themselves around wholly unsupervised. If your solution only segments or protects up to Layer 4, you are not limiting the attack surface area, leaving it dangerously large. The more we embrace dynamic infrastructure and the more workloads interact and communicate across different segments, the more dangerous this security weakness will be.

A powerful micro-segmentation approach will do the same for your data center as you would expect for your perimeter security, which you would never protect with less than a Layer 7 firewall. Segmenting and enforcing up to the application layer for your data center means that you are delivering strong security against lateral movement by open ports and protocols, stopping attacks before they get out of control or do more harm than they have already done. You are also blocking or allowing traffic by both source and destination processes on all your OS, rather than simply by servers and ports alone.
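Two policy properties this guide asks for, global-deny rules that override every allow rule and matching on source and destination process rather than port alone, can be sketched in a small evaluator. This is an added example, not Guardicore's code or rule syntax; the label names, process names and rule fields are all hypothetical, and the flows are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    src_labels: frozenset
    dst_labels: frozenset
    dst_port: int
    src_process: str
    dst_process: str

@dataclass(frozen=True)
class Rule:
    tier: str                          # "global-deny" or "allow"
    src: frozenset = frozenset()       # labels the source must carry (empty = any)
    dst: frozenset = frozenset()       # labels the destination must carry
    port: Optional[int] = None         # None = any port
    src_process: Optional[str] = None  # None = any process (Layer 4 style rule)
    dst_process: Optional[str] = None

    def matches(self, f: Flow) -> bool:
        return (self.src <= f.src_labels and self.dst <= f.dst_labels
                and self.port in (None, f.dst_port)
                and self.src_process in (None, f.src_process)
                and self.dst_process in (None, f.dst_process))

def evaluate(rules, flow):
    """Global-deny rules win over every allow; unmatched traffic is denied."""
    if any(r.tier == "global-deny" and r.matches(flow) for r in rules):
        return "deny"
    if any(r.tier == "allow" and r.matches(flow) for r in rules):
        return "allow"
    return "deny"

def labels(*names):
    return frozenset(names)

# Hypothetical rules: a compliance "macro" rule, a broad allow, and two web->app variants.
PCI_NO_INTERNET = Rule("global-deny", src=labels("compliance:pci"), dst=labels("zone:internet"))
ANY_TO_INTERNET_443 = Rule("allow", dst=labels("zone:internet"), port=443)
WEB_TO_APP_L4 = Rule("allow", src=labels("role:web"), dst=labels("role:app"), port=8443)
WEB_TO_APP_L7 = Rule("allow", src=labels("role:web"), dst=labels("role:app"), port=8443,
                     src_process="nginx", dst_process="java")
L4_POLICY = [PCI_NO_INTERNET, ANY_TO_INTERNET_443, WEB_TO_APP_L4]
L7_POLICY = [PCI_NO_INTERNET, ANY_TO_INTERNET_443, WEB_TO_APP_L7]

# Constructed flows: same labels and port, different source process; then two egress flows.
EXPECTED = Flow(labels("env:prod", "role:web"), labels("env:prod", "role:app"), 8443, "nginx", "java")
UNEXPECTED = Flow(labels("env:prod", "role:web"), labels("env:prod", "role:app"), 8443, "unexpected-proc", "java")
PCI_OUT = Flow(labels("role:app", "compliance:pci"), labels("zone:internet"), 443, "java", "")
APP_OUT = Flow(labels("role:app"), labels("zone:internet"), 443, "java", "")

if __name__ == "__main__":
    flows = {"expected": EXPECTED, "unexpected": UNEXPECTED, "pci-out": PCI_OUT, "app-out": APP_OUT}
    for name, flow in flows.items():
        print(name, "L4:", evaluate(L4_POLICY, flow), "L7:", evaluate(L7_POLICY, flow))
```

The port-only policy cannot tell the two web-to-app flows apart, while the process-aware policy denies the one from the unexpected process; the PCI-labelled workload is denied internet access even though a broad allow rule matches it.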


Including Threat Detection and Breach Response to Strengthen Security Posture

By isolating application components, micro-segmentation has the automatic benefit of isolating breaches to your environment, stopping attackers before they can increase the threat or make lateral moves. A powerful micro-segmentation solution should be able to do more, integrating with security tools that offer preventative measures to stop attacks in the first place, and using reputation analysis to detect a breach immediately. Threat response can then isolate and fix problems in real-time, without affecting genuine communication flows, even within the same segment.

To incorporate strong security tools with your micro-segmentation solution, you need to choose a provider who can access data from multiple attack vectors, and assess policy violations and anomalies in real time. Your solution should not only recognize and alert you to attempted or successful breaches, but also actively block any attempts to use compromised assets as launch points for lateral movement. Unauthorized communications or non-compliant traffic of any kind needs to be immediately detected and contained for analysis.

This analysis will also vary from provider to provider. Experts in cyber-security should be able to use deep forensics to uncover and collect the user credentials, attack methods and propagation tactics of the intruder, speeding up the investigation process and using that data to prevent a future breach.

The right micro-segmentation solution won’t just contain a breach to one area, but also put you in the best position in advance to stop it in its tracks, and create an improved security posture behind the scenes for your entire organization.

Choosing the Right Provider, and Avoiding the Trap of ‘All or Nothing’ Segmentation

While the benefits of micro-segmentation are simple and straightforward, starting this process can be difficult. That’s why experience matters. When you’re doing this for the first time it’s more important than ever that you leverage the expertise of a company with a great track record, and take advantage of the best tools and service on the market to make a success of your implementation. The road to micro-segmentation does not have to feel like an uphill journey, and it doesn’t need to be disruptive for your company, either. In fact, it works best if it’s done slowly, in stages. Look for a provider that wants to help you take it step by step.

First, the right company should create an implementation plan for you that starts with visibility. This allows you to get a clear understanding of your needs before you even think about what rules or segmentation policy you want to create. This stage should give you a granular understanding of your IT architecture. This will include network flows and orchestration details from all of your platforms and workloads. It should provide you with a visual map of the relationships between your applications. Now that you have a more thorough understanding of your infrastructure as a whole, you’re ready to move on to identifying critical assets, which are usually high risk or high value infrastructure. Micro-segmentation of these individual applications can begin to show you the benefit of this approach, shrinking the security perimeter substantially with just one line of policy. You can then gradually move forward to the next stage, incrementally increasing the areas and applications you micro-segment, and seeing the benefits spread throughout the organization as you do.


Considering Micro-Segmentation as a Whole

Implementing the right micro-segmentation solution is a multi-stage process. First, your security vendor should be able to help you accurately visualize and map all of your application flows and dependencies, starting with the most critical and building from there. This should be seamless across hybrid environments, and be entirely platform agnostic. This then allows you to embrace the inherent simplicity of creating workflows and build flexible policies which are tailored to your unique environment, including enforcement up to Layer 7. To make things even easier, crafting your segmentation policy with the help of underlying breach detection and resolution provides a holistic all-in-one solution. This does more than simply isolate threats: it finds and resolves them in real-time, strengthening your security posture as a whole.


About Guardicore

Guardicore is an innovator in data center and cloud security that protects your organization’s core assets using flexible, quickly deployed, and easy to understand micro-segmentation controls. Our solutions provide a simpler, faster way to guarantee persistent and consistent security - for any application, in any IT environment.

www.guardicore.com

Copyright 2019