You hear quite a bit about zero trust microsegmentation lately, and rightly so. It has matured into a proven security best practice for effectively stopping unauthorized lateral movement across network resources. It involves dividing your network into isolated segments, or "microsegments," where each segment has its own set of security policies and controls. This way, even if a breach occurs or a potential threat gains access to one resource, the blast radius is contained.
And like many security practices, there are different ways to achieve the objective, and much of it depends on the unique customer environment. For microsegmentation, the key is to have a trusted partner that not only provides a robust security solution but gives you the flexibility to adapt to your needs instead of forcing a "one size fits all" approach.
Now, there are broadly two different approaches you can take to achieve your microsegmentation objectives:
- A host-based enforcement approach, where the policies are enforced on the workload itself. This can be achieved by installing an agent on the workload or by leveraging APIs in the public cloud.
- A network-based enforcement approach, where the policies are enforced on a network device such as an east-west network firewall or a switch.
While a host-based enforcement approach is immensely powerful because it provides access to rich telemetry about the processes, packages, and CVEs running on the workloads, it may not always be a practical approach for a myriad of reasons. These reasons can range from application team perceptions and network security team preferences to simply the need for a different approach to achieve buy-in across the organization.
Long story short, to make microsegmentation practical and achievable, it's clear that a dynamic duo of host-based and network-based security is key to a robust and resilient zero trust cybersecurity strategy. Earlier this year, Cisco completed the native integration between Cisco Secure Workload and Cisco Secure Firewall, delivering on this principle and providing customers with unmatched flexibility as well as defense in depth. Let's take a deeper look at what this integration allows our customers to achieve and some of the use cases.
Use case #1: Network visibility via an east-west network firewall
The journey to microsegmentation begins with visibility. This is a perfect opportunity for me to insert the cliché here: "What you can't see, you can't protect." In the context of microsegmentation, flow visibility provides the foundation for building a blueprint of how applications communicate with each other, as well as with users and devices, both inside and outside the datacenter.
The integration between Secure Workload and Secure Firewall allows the ingestion of NSEL flow records to provide network flow visibility, as shown in Figure 1. You can further enrich this network flow data by bringing in context in the form of labels and tags from external systems like a CMDB, IPAM, identity sources, and so on. This contextually enriched data set allows you to quickly identify the communication patterns and any indicators of compromise across your application landscape, enabling you to immediately improve your security posture.
Figure 1: Secure Workload ingests NSEL flow records from Secure Firewall
Use case #2: Microsegmentation using the east-west network firewall
The integration of Secure Firewall and Secure Workload provides two powerful complementary methods to discover, compile, and enforce zero trust microsegmentation policies. The ability to use a host-based method, a network-based method, or a combination of the two gives you the flexibility to deploy in the manner that best suits your business needs and team roles (Figure 2).
And regardless of the approach or mix, the integration enables you to seamlessly leverage the full capabilities of Secure Workload, including:
- Policy discovery and analysis: Automatically discover policies that are tailored to your environment by analyzing flow data ingested from the Secure Firewall protecting east-west workload communications.
- Policy enforcement: Onboard multiple east-west firewalls to automate and enforce microsegmentation policies on a specific firewall or set of firewalls through Secure Workload. (For more on this capability, Topology Awareness, read my colleague's blog Topology Matters.)
- Policy compliance monitoring: The network flow information, compared against a baseline policy, provides a deep view into how your applications are behaving and complying with policies over time.
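To make the flow-to-policy idea from use cases #1 and #2 concrete, here is an added example (not Secure Workload code, and not the NSEL format itself) that takes a handful of constructed NSEL-like flow records, enriches them with constructed CMDB-style labels, proposes allow rules from the recurring label-to-label patterns, and then reports which observed flows are not covered by that baseline. The record fields, IP addresses, labels and the min_flows threshold are all assumptions made for the example.

```python
"""Flow-based policy discovery and compliance check.

Added example, not Cisco's code. Input is a constructed list of NSEL-like
flow records reduced to the few fields the example needs (a real NSEL
export carries many more). The label table stands in for the CMDB/IPAM
context the post describes.
"""
from collections import defaultdict

# Constructed workload labels, as a CMDB/IPAM lookup would supply them.
LABELS = {
    "10.0.1.10": "web",
    "10.0.1.11": "web",
    "10.0.2.20": "app",
    "10.0.3.30": "db",
    "10.0.9.99": "jump",
}

# Constructed NSEL-style flow records: (src, dst, proto, dst_port, bytes).
FLOWS = [
    ("10.0.1.10", "10.0.2.20", "tcp", 8080, 5200),
    ("10.0.1.11", "10.0.2.20", "tcp", 8080, 4100),
    ("10.0.2.20", "10.0.3.30", "tcp", 5432, 9300),
    ("10.0.2.20", "10.0.3.30", "tcp", 5432, 8800),
    ("10.0.9.99", "10.0.3.30", "tcp", 22, 700),
    ("10.0.1.10", "10.0.3.30", "tcp", 5432, 300),  # web talking straight to db
]


def enrich(flows, labels):
    """Attach source/destination labels; unknown IPs get the label 'unlabeled'
    so they stand out during review instead of silently matching a rule."""
    out = []
    for src, dst, proto, port, nbytes in flows:
        out.append({
            "src": src, "dst": dst, "proto": proto, "port": port, "bytes": nbytes,
            "src_label": labels.get(src, "unlabeled"),
            "dst_label": labels.get(dst, "unlabeled"),
        })
    return out


def discover_policy(enriched, min_flows=2):
    """Aggregate flows by (src_label, dst_label, proto, port) and propose allow
    rules for pairs seen at least min_flows times. Rare pairs are deliberately
    left out so an operator reviews them rather than the tool permitting them."""
    counts = defaultdict(int)
    for f in enriched:
        counts[(f["src_label"], f["dst_label"], f["proto"], f["port"])] += 1
    return sorted(rule for rule, n in counts.items() if n >= min_flows)


def check_compliance(enriched, baseline):
    """Return flows not covered by any baseline allow rule (default deny)."""
    allowed = set(baseline)
    return [f for f in enriched
            if (f["src_label"], f["dst_label"], f["proto"], f["port"]) not in allowed]


if __name__ == "__main__":
    flows = enrich(FLOWS, LABELS)
    baseline = discover_policy(flows)
    print("proposed allow rules:", baseline)
    for v in check_compliance(flows, baseline):
        print("not covered by baseline:",
              v["src_label"], v["src"], "->", v["dst_label"], v["dst"], v["port"])
```

With the constructed input, the two recurring patterns (web to app on 8080, app to db on 5432) become allow rules, while the single jump-host SSH flow and the web-to-db flow are reported for review. In practice the baseline would be the policy you have already approved, and the compliance step is what the post calls policy compliance monitoring: re-running it over fresh flow records shows drift over time.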
Figure 2: Host-based and network-based approach with Secure Workload
Use case #3: Defense in depth with virtual patching via a north-south network firewall
This use case demonstrates how the integration delivers defense in depth and ultimately better security outcomes. In today's rapidly evolving digital landscape, applications play a vital role in every aspect of our lives. However, with the increased reliance on software, cyber threats have also become more sophisticated and pervasive. Traditional patching methods, although effective, may not always be feasible due to operational constraints and the risk of downtime. When a zero-day vulnerability is discovered, several different scenarios can play out. Consider two common ones: 1) a newly discovered CVE poses an immediate risk, but the fix or patch is not yet available, and 2) the CVE is not highly critical, so it is not worth patching outside the usual patch window because of the production or business impact. In both cases, one must accept the interim risk and either wait for the patch to become available or wait for the scheduled patch window.
Virtual patching, a form of compensating control, is a security practice that lets you mitigate this risk by applying an interim protection, or "virtual" fix, for known vulnerabilities in the software until it has been patched or updated. Virtual patching is often achieved by leveraging the Intrusion Prevention System (IPS) of Cisco Secure Firewall. The key capability, enabled by the integration, is Secure Workload's ability to share CVE information with Secure Firewall, thereby activating the relevant IPS policies for those CVEs. Let's take a look at how (Figure 3):
- The Secure Workload agents installed on the application workloads gather telemetry about the software packages and CVEs present on those workloads.
- Workload-to-CVE mapping data is then published to Secure Firewall Management Center. You can choose the specific set of CVEs you want to publish. For example, you can choose to publish only CVEs that are exploitable over the network as an attack vector and have a CVSS score of 10. This helps you control any potential performance impact on your IPS.
- Finally, Secure Firewall Management Center runs the 'firepower recommendations' tool to fine-tune and enable the specific set of signatures needed to provide protection against the CVEs found on your workloads. Once the new signature set is crafted, it can be deployed to the north-south perimeter Secure Firewall.
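The three steps above can be followed end to end with a small added example (not Secure Workload or Management Center code, and not the 'firepower recommendations' tool): a constructed per-workload CVE inventory is filtered down to network-exploitable CVEs at or above a CVSS threshold, turned into the workload-to-CVE mapping that would be published, and then matched against a constructed signature catalogue to decide which signatures to enable and which published CVEs have no signature coverage at all. Every CVE id, hostname and signature id here is a placeholder; the filter defaults mirror the post's example of network vector plus CVSS 10.

```python
"""CVE publication filter and signature selection for virtual patching.

Added example, not Cisco's code. The inventory below is a constructed
stand-in for what a workload agent might report; the signature catalogue
is a constructed stand-in for an IPS rule set keyed by the CVEs it covers.
All CVE ids (CVE-0000-xxxx), hostnames and signature ids are placeholders.
"""

# Constructed per-workload package/CVE inventory.
WORKLOAD_CVES = {
    "web-01": [
        {"cve": "CVE-0000-0001", "package": "httpd", "cvss": 10.0, "vector": "NETWORK"},
        {"cve": "CVE-0000-0002", "package": "sudo", "cvss": 7.8, "vector": "LOCAL"},
    ],
    "app-01": [
        {"cve": "CVE-0000-0003", "package": "app-runtime", "cvss": 9.8, "vector": "NETWORK"},
        {"cve": "CVE-0000-0001", "package": "httpd", "cvss": 10.0, "vector": "NETWORK"},
    ],
}

# Constructed IPS rule catalogue: signature id -> set of CVEs it covers.
SIGNATURES = {
    "SIG-100": {"CVE-0000-0001"},
    "SIG-200": {"CVE-0000-0004"},  # covers a CVE not present on any workload
    "SIG-300": {"CVE-0000-0002"},  # covers a LOCAL-vector CVE we will not publish
    "SIG-400": {"CVE-0000-0009"},
}


def select_cves(inventory, min_cvss=10.0, vector="NETWORK"):
    """Build the workload -> CVE mapping to publish, keeping only CVEs with the
    requested attack vector and a CVSS score of at least min_cvss. Narrowing
    the set here is what limits the number of signatures the IPS must run."""
    mapping = {}
    for host, findings in inventory.items():
        keep = sorted({f["cve"] for f in findings
                       if f["vector"] == vector and f["cvss"] >= min_cvss})
        if keep:
            mapping[host] = keep
    return mapping


def recommend_signatures(mapping, catalogue):
    """Enable only signatures that cover a published CVE, and report published
    CVEs that no signature covers so they can be handled by another
    compensating control instead of being assumed protected."""
    published = set().union(*mapping.values())
    enabled = sorted(sig for sig, cves in catalogue.items() if cves & published)
    covered = set().union(*(catalogue[s] for s in enabled))
    uncovered = sorted(published - covered)
    return enabled, uncovered


if __name__ == "__main__":
    for threshold in (10.0, 9.0):
        mapping = select_cves(WORKLOAD_CVES, min_cvss=threshold)
        enabled, uncovered = recommend_signatures(mapping, SIGNATURES)
        print(f"CVSS >= {threshold}: publish {mapping}")
        print(f"  enable {enabled}; no signature for {uncovered}")
```

Lowering the threshold from 10 to 9 pulls the 9.8 runtime CVE into the published set; the catalogue has no signature for it, so the example reports it as uncovered rather than leaving a false sense of protection. That uncovered list is the check a practitioner wants after the recommendations run: the IPS only virtually patches what it has a signature for.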
Figure 3: Virtual patching with Secure Workload and Secure Firewall
Flexibility and defense in depth are the key to a resilient zero trust microsegmentation strategy
With Secure Workload and Secure Firewall, you can achieve a zero trust security model by combining host-based and network-based enforcement approaches. In addition, with the virtual patching capability, you get another layer of defense that allows you to maintain the integrity and availability of your applications without sacrificing security. As the cyber threat landscape continues to evolve, harmony between different security solutions is undoubtedly the key to delivering more effective solutions that protect valuable digital assets.
Learn more about Cisco Secure Workload and Cisco Secure Firewall
Sign up for a Secure Workload workshop