Secure Workload and Secure Firewall: The recipe for a robust zero trust cybersecurity strategy



You hear a lot about zero trust microsegmentation lately, and rightly so. It has matured into a proven security best practice for effectively preventing unauthorized lateral movement across network resources. It involves dividing your network into isolated segments, or "microsegments," where each segment has its own set of security policies and controls. In this way, even if a breach occurs or a potential threat gains access to a resource, the blast radius is contained.

And like many security practices, there are different ways to achieve the objective, and usually much of it depends on the unique customer environment. For microsegmentation, the key is to have a trusted partner that not only provides a robust security solution but gives you the flexibility to adapt to your needs instead of forcing a "one size fits all" approach.

Now, there are broadly two different approaches you can take to achieve your microsegmentation goals:

  • A host-based enforcement approach where the policies are enforced on the workload itself. This can be done by installing an agent on the workload or by leveraging APIs in the public cloud.
  • A network-based enforcement approach where the policies are enforced on a network device like an east-west network firewall or a switch.

While a host-based enforcement approach is immensely powerful because it provides access to rich telemetry in terms of the processes, packages, and CVEs present on the workloads, it may not always be a practical approach for a myriad of reasons. These reasons can range from application team perceptions, network security team preferences, or simply the need for a different approach to achieve buy-in across the organization.

Long story short, to make microsegmentation practical and achievable, it's clear that a dynamic duo of host- and network-based security is key to a robust and resilient zero trust cybersecurity strategy. Earlier this year, Cisco completed the native integration between Cisco Secure Workload and Cisco Secure Firewall, delivering on this principle and providing customers with unmatched flexibility as well as defense in depth. Let's take a deeper look at what this integration enables our customers to achieve and some of the use cases.

Use case #1: Network visibility via an east-west network firewall

The journey to microsegmentation begins with visibility. This is a perfect opportunity for me to insert the cliché here: "What you can't see, you can't protect." In the context of microsegmentation, flow visibility provides the foundation for building a blueprint of how applications communicate with each other, as well as with users and devices, both inside and outside the datacenter.

The integration between Secure Workload and Secure Firewall enables the ingestion of NSEL flow records to provide network flow visibility, as shown in Figure 1. You can further enrich this network flow data by bringing in context in the form of labels and tags from external systems like a CMDB, IPAM, identity sources, and so on. This contextually enriched data set allows you to quickly identify the communication patterns and any indicators of compromise across your application landscape, enabling you to immediately improve your security posture.

Figure 1: Secure Workload ingests NSEL flow records from Secure Firewall

Use case #2: Microsegmentation using the east-west network firewall

The integration of Secure Firewall and Secure Workload provides two powerful complementary methods to discover, compile, and enforce zero trust microsegmentation policies. The ability to use a host-based method, a network-based method, or a combination of the two gives you the flexibility to deploy in the manner that best suits your business needs and organizational roles (Figure 2).

And regardless of the approach or mix, the integration allows you to seamlessly leverage the full capabilities of Secure Workload, including:

  • Policy discovery and analysis: Automatically discover policies that are tailored to your environment by analyzing flow data ingested from the Secure Firewall protecting east-west workload communications.
  • Policy enforcement: Onboard multiple east-west firewalls to automate and enforce microsegmentation policies on a specific firewall or set of firewalls through Secure Workload. (For more on this capability, Topology Awareness, read my colleague's blog Topology Matters.)
  • Policy compliance monitoring: The network flow information, compared against a baseline policy, provides a deep view into how your applications are behaving and complying with policies over time.
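As an added illustration of use cases #1 and #2 (example code, not part of the Cisco integration), the following Python sketch takes flow tuples of the kind an ingested NSEL export reduces to, enriches them with constructed CMDB-style tier labels, derives the label-level communication blueprint, and flags flows that fall outside a constructed baseline policy. The record layout, label map and baseline are assumptions made for the example.

```python
from collections import Counter

# Constructed sample flows (src_ip, dst_ip, dst_port, proto): the fields that matter
# for policy once NSEL records have been ingested. This is not real NSEL parsing.
FLOWS = [
    ("10.1.1.10", "10.1.2.20", 3306, "tcp"),
    ("10.1.1.11", "10.1.2.20", 3306, "tcp"),
    ("10.1.3.30", "10.1.2.20", 3306, "tcp"),  # jump host talking straight to the db
    ("10.1.1.10", "10.1.1.11", 8080, "tcp"),
    ("192.0.2.7", "10.1.1.10", 443, "tcp"),   # source with no CMDB/IPAM entry
]

# Constructed label source standing in for a CMDB/IPAM lookup: IP -> application tier.
LABELS = {
    "10.1.1.10": "web", "10.1.1.11": "web",
    "10.1.2.20": "db", "10.1.3.30": "jumphost",
}

# Constructed baseline policy expressed on labels: (src_tier, dst_tier, dst_port, proto).
BASELINE = {("web", "db", 3306, "tcp"), ("web", "web", 8080, "tcp"),
            ("unlabeled", "web", 443, "tcp")}

def enrich(flows, labels):
    """Replace raw IPs with tier labels; anything missing from the label source is 'unlabeled'."""
    return [(labels.get(src, "unlabeled"), labels.get(dst, "unlabeled"), port, proto)
            for src, dst, port, proto in flows]

def communication_matrix(enriched):
    """Count tier-to-tier conversations: the blueprint of how the application talks."""
    return Counter(enriched)

def discover_policy(enriched):
    """Policy discovery: the set of distinct label-level conversations observed."""
    return set(enriched)

def compliance_violations(enriched, baseline):
    """Compliance monitoring: enriched flows the baseline policy does not permit."""
    return [flow for flow in enriched if flow not in baseline]

if __name__ == "__main__":
    seen = enrich(FLOWS, LABELS)
    for conversation, count in communication_matrix(seen).items():
        print(count, conversation)
    print("violations:", compliance_violations(seen, BASELINE))
```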

Figure 2: Host-based and network-based approaches with Secure Workload

Use case #3: Defense in depth with virtual patching via a north-south network firewall

This use case demonstrates how the integration delivers defense in depth and ultimately better security outcomes. In today's rapidly evolving digital landscape, applications play a crucial role in every aspect of our lives. However, with the increased reliance on software, cyber threats have also become more sophisticated and pervasive. Traditional patching methods, although effective, may not always be feasible due to operational constraints and the risk of downtime. When a zero-day vulnerability is discovered, there are several different scenarios that can play out. Consider two common ones: 1) A newly discovered CVE poses an immediate risk, and in this case the fix or patch is not yet available, and 2) The CVE is not highly critical, so it is not worth patching outside the regular patch window because of the production or business impact. In both cases, one must accept the interim risk and either wait for the patch to become available or wait for the scheduled patch window.

Virtual patching, a form of compensating control, is a security practice that allows you to mitigate this risk by applying an interim protection, or a "virtual" fix, to known vulnerabilities in the software until it has been patched or updated. Virtual patching is usually accomplished by leveraging the Intrusion Prevention System (IPS) of Cisco Secure Firewall. The key capability, fostered by the seamless integration, is Secure Workload's ability to share CVE information with Secure Firewall, thereby activating the relevant IPS policies for those CVEs. Let's take a look at how (Figure 3):

  • The Secure Workload agents installed on the application workloads gather telemetry about the software packages and CVEs present on those workloads.
  • A workload-CVE mapping is then published to Secure Firewall Management Center. You can choose the specific set of CVEs you want to publish. For example, you can choose to publish only CVEs that are exploitable over the network as an attack vector and have a CVSS score of 10. This helps you control any potential performance impact on your IPS.
  • Finally, Secure Firewall Management Center runs the 'firepower recommendations' tool to fine-tune and enable the specific set of signatures needed to provide protection against the CVEs found on your workloads. Once the new signature set is crafted, it can be deployed to the north-south perimeter Secure Firewall.
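As an added example of the three virtual-patching steps above (example code, not Cisco's code and not the actual 'firepower recommendations' logic), the following Python sketch filters an agent-reported workload-CVE inventory down to the CVEs the text suggests publishing (network attack vector, CVSS score of 10), and collects the IPS signatures a constructed CVE-to-signature map says are needed, reporting any published CVE with no covering signature. The CVE identifiers, scores and signature ids are placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cve:
    cve_id: str
    cvss_score: float
    attack_vector: str  # CVSS v3 AV metric: N=network, A=adjacent, L=local, P=physical

# Constructed agent inventory (step 1): workload -> CVEs found in its installed packages.
# Identifiers and scores are placeholders, not real CVEs.
WORKLOAD_CVES = {
    "web-01": {Cve("CVE-EXAMPLE-0001", 10.0, "N"), Cve("CVE-EXAMPLE-0002", 7.5, "N")},
    "db-01":  {Cve("CVE-EXAMPLE-0001", 10.0, "N"), Cve("CVE-EXAMPLE-0003", 9.8, "L")},
    "app-01": {Cve("CVE-EXAMPLE-0004", 10.0, "A")},
}

# Constructed CVE -> IPS signature map standing in for the recommendation step (step 3).
CVE_TO_SIGNATURES = {
    "CVE-EXAMPLE-0001": {"SID-EXAMPLE-100", "SID-EXAMPLE-101"},
    "CVE-EXAMPLE-0002": {"SID-EXAMPLE-200"},
    "CVE-EXAMPLE-0004": {"SID-EXAMPLE-400"},
}

def select_for_publish(workload_cves, min_score=10.0, vectors=("N",)):
    """Step 2: keep only CVEs reachable over the chosen attack vectors with
    CVSS >= min_score, so the IPS is not loaded with rules for unreachable bugs."""
    return {
        workload: {c for c in cves if c.attack_vector in vectors and c.cvss_score >= min_score}
        for workload, cves in workload_cves.items()
    }

def recommended_signatures(published, cve_to_sig):
    """Step 3: union of signature ids covering every published CVE. CVEs with no
    signature are returned separately so the coverage gap is visible, not silent."""
    needed, uncovered = set(), set()
    for cves in published.values():
        for c in cves:
            sigs = cve_to_sig.get(c.cve_id)
            if sigs:
                needed.update(sigs)
            else:
                uncovered.add(c.cve_id)
    return needed, uncovered

if __name__ == "__main__":
    published = select_for_publish(WORKLOAD_CVES)
    print("publish:", {w: sorted(c.cve_id for c in s) for w, s in published.items()})
    print("enable signatures, uncovered CVEs:", recommended_signatures(published, CVE_TO_SIGNATURES))
```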

Figure 3: Virtual patching with Secure Workload and Secure Firewall

Flexibility and defense in depth are the key to a resilient zero trust microsegmentation strategy

With Secure Workload and Secure Firewall, you can achieve a zero-trust security model by combining host-based and network-based enforcement approaches. In addition, with the virtual patching capability, you get another layer of defense that allows you to maintain the integrity and availability of your applications without sacrificing security. As the cyber threat landscape continues to evolve, harmony between different security solutions is undoubtedly the key to delivering more effective solutions that protect valuable digital assets.

Learn more about Cisco Secure Workload and Cisco Secure Firewall

Sign up for a Secure Workload workshop
