Download as PDF, PPTX
Uploaded byAlgoSec
Microsegmentation from strategy to execution
The webinar on micro-segmentation discusses strategies for reducing the attack surface in networks through the control of east-west traffic. It emphasizes application discovery, filtering policy creation, and ongoing maintenance for secure micro-segmented networks, particularly in the context of ransomware threats. The session provided insights on leveraging software-defined networking technologies to simplify the implementation of micro-segmentation.
More Related Content
Similar to Microsegmentation from strategy to execution
Microsegmentation from strategy to execution
- 1. Micro-Segmentation: from Strategy toExecution Prof. Avishai Wool CTO and Co-Founder
- 2. WELCOME Comment through theLive Chat Have a question? This webinar will be available On-demand and as Podcast Connect with AlgoSec online ! 2 marketing@algosec.com • https://www.algosec.com/resources • https://www.algosec.com/webinars • https://www.algosec.com/podcasts
- 3. AGENDA Motivation: lateralmovement Reducing the attack surface Network segmentation Managing micro-segmented networks Use Cases
- 4. 4 | Confidential MOTIVATINGEXAMPLE: LATERAL MOVEMENT / RANSOMWARE ATTACKS
- 5. HOW? 1. Deliver exploitsto 1st victim computer 2. Repeat per victim computer: • Encrypt file system • Encrypt accessible networked file shares • Move laterally: explore the network • Deliver exploits to next victim via network 3. Wait for victim to call 4. Collect ransom 5. Supply decryption key “Advanced Persistent Threat”, Wikipedia 5
- 6.
- 7.
- 8.
- 9. STEPPINGSTONES 9 Financial Database HVAC Control Partner Network Procurement Department Internet Step 0 Step 1Step 2 Step 3 Pay $$$$ or lose data 9
- 10. 10 | Confidential REDUCINGTHE ATTACK SURFACE
- 11. MICRO-SEGMENTATION: A BLUEPRINT •Define network segments to control east-west traffic • Activate traffic filters crossing segments • Traffic fully inside a segment can flow freely • Write restrictive policies for traffic crossing segment borders 11
- 12.
- 13. TRADITIONAL EXCUSES INA TRADITIONAL DATA CENTER Use standard or virtualized firewalls Requires: • Reassigning IP addresses • Making routing changes • Defining new VLANs • Possibly connecting new cables Hard Work! 13
- 14. SOFTWARE-DEFINED DATA CENTERS •Comes with filtering capabilities inside the networking fabric • Reassigning IP addresses • Making routing changes • Defining new VLANs • Possibly connecting new cables • On-premise data center: • Cisco ACI • VMware NSX • Public cloud: • Amazon AWS • Microsoft Azure Old excuses are gone! Technology is just the 1st step. You still need to configure it! 14
- 15. NEXT CHALLENGES • Whereto place the segment boundaries? • What filtering policy should you write ? • So all legitimate business traffic is allowed! • To do this – you just need to know all the legitimate traffic in the data center, so you can write policy allowing it. Naturally, you have perfectly accurate records of all the application flows running through the data center, so it’s easy. right? 15
- 16. FOR EVERYONE ELSE:APPLICATION DISCOVERY • Need to: • Detect all the network flows • Annotate them with application name (“intent”) • Aggregate & optimize “thin” flows into “fat” flows • Put them in the filtering policy • How: • Netflow → AlgoSec AutoDiscovery (or → AutoDiscovery) • Import into AlgoSec AppViz • Results: • Micro-segmentation knowhow • Application name annotates current + future rules that support it 16
- 17. OTHER CONSIDERATIONS: SENSITIVEDATA ZONES • Some types of data are more sensitive • Credit card data (PCI regulation) • Personally Identifiable Information (GLBA, privacy laws) • Medical data (HIPAA) • Financial data (SOX, etc.) • Ransomware encryption of personal or PCI data: equivalent to theft • Regulatory implications • Keep servers with sensitive data in separate segments 17
- 18. 21 | Confidential USECASE 1: DISCOVERY
- 20. Netflow (e.g., fromVMware / Router / … )
- 21. Automatically organize relatedflows into business applications
- 22. Aggregate into fatflows
- 24. 27 | Confidential USECASE 2: ONGOING MAINTENANCE POLICY CHANGE AUTOMATION
- 38. • Micro-Segmentation isKEY to tight network security • SDN enables micro-segmentation – but it does not mean all your challenges are gone • Discovery, segment definition, and initial policy definition • Ongoing maintenance: east-west + north-south 44 | Confidential SUMMARY
- 39. 45 | Confidential QUESTIONS? Requesta Free Evaluation marketing@algosec.com youtube.com/user/AlgoSec linkedin.com/company/AlgoSec facebook.com/AlgoSec twitter.com/AlgoSec www.AlgoSec.com/blog
- 40. THANK YOU! Prof. AvishaiWool CTO and Co-Founder