You hear lots about zero belief microsegmentation lately and rightly so. It has matured right into a confirmed safety best-practice to successfully forestall unauthorized lateral motion throughout community sources. It entails dividing your community into remoted segments, or “microsegments,” the place every phase has its personal set of safety insurance policies and controls. On this manner, even when a breach happens or a possible risk features entry to a useful resource, the blast radius is contained.
And like many safety practices, there are alternative ways to realize the target, and usually a lot of it relies on the distinctive buyer surroundings. For microsegmentation, the secret’s to have a trusted accomplice that not solely offers a sturdy safety resolution however provides you the pliability to adapt to your wants as a substitute of forcing a “one dimension matches all” strategy.
Now, there are broadly two completely different approaches you may take to realize your microsegmentation aims:
- A number-based enforcement strategy the place the insurance policies are enforced on the workload itself. This may be executed by putting in an agent on the workload or by leveraging APIs in public cloud.
- A network-based enforcement strategy the place the insurance policies are enforced on a community system like an east-west community firewall or a swap.
Whereas a host-based enforcement strategy is immensely highly effective as a result of it offers entry to wealthy telemetry by way of processes, packages, and CVEs operating on the workloads, it might not all the time be a practical strategy for a myriad of causes. These causes can vary from software staff perceptions, community safety staff preferences, or just the necessity for a unique strategy to realize buy-in throughout the group.
Lengthy story quick, to make microsegmentation sensible and achievable, it’s clear {that a} dynamic duo of host and network-based safety is vital to a sturdy and resilient zero belief cybersecurity technique. Earlier this 12 months, Cisco accomplished the native integration between Cisco Safe Workload and Cisco Safe Firewall delivering on this precept and offering prospects with unmatched flexibility in addition to protection in depth. Let’s take a deeper take a look at what this integration allows our prospects to realize and a few of the use instances.
Use case #1: Community visibility by way of an east-west community firewall
The journey to microsegmentation begins with visibility. It is a good alternative for me to insert the cliché right here – “What you may’t see, you may’t defend.” Within the context of microsegmentation, circulation visibility offers the muse for constructing a blueprint of how purposes talk with one another, in addition to customers and gadgets – each inside and outdoors the datacenter.
The mixing between Safe Workload and Safe Firewall allows the ingestion of NSEL circulation data to supply community circulation visibility, as proven in Determine 1. You may additional enrich this community circulation information by bringing in context within the type of labels and tags from exterior programs like CMDB, IPAM, id sources, and many others. This contextually enriched information set permits you to rapidly determine the communication patterns and any indicators of compromise throughout your software panorama, enabling you to right away enhance your safety posture.
Determine 1: Safe Workload ingests NSEL circulation data from Safe Firewall
Use case #2: Microsegmentation utilizing the east-west community firewall
The mixing of Safe Firewall and Safe Workload offers two highly effective complimentary strategies to find, compile, and implement zero belief microsegmentation insurance policies. The flexibility to make use of a host-based, network-based, or mixture of the 2 strategies provides you the pliability to deploy within the method that most accurately fits your online business wants and staff roles (Determine 2).
And whatever the strategy or combine, the combination lets you seamlessly leverage the total capabilities of Safe Workload together with:
- Coverage discovery and evaluation: Mechanically uncover insurance policies which might be tailor-made to your surroundings by analyzing circulation information ingested from the Safe Firewall defending east-west workload communications.
- Coverage enforcement: Onboard a number of east-west firewalls to automate and implement microsegmentation insurance policies on a particular firewall or set of firewalls by means of Safe Workload. (For extra on this functionality, Topology Consciousness, learn my colleague’s weblog Topology Issues).
- Coverage compliance monitoring: The community circulation data, in comparison towards a baseline coverage, offers a deep view into how your purposes are behaving and complying towards insurance policies over time.
Determine 2: Host-based and network-based strategy with Safe Workload
Use case #3: Protection in depth with digital patching by way of north-south community firewall
This use case demonstrates how the combination delivers protection in depth and in the end higher safety outcomes. In in the present day’s quickly evolving digital panorama, purposes play a significant function in each side of our lives. Nonetheless, with the elevated reliance on software program, cyber threats have additionally turn out to be extra subtle and pervasive. Conventional patching strategies, though efficient, could not all the time be possible attributable to operational constraints and the danger of downtime. When a zero-day vulnerability is found, there are just a few completely different eventualities that play out. Contemplate two frequent eventualities: 1) A newly found CVE poses an instantaneous danger and on this case the repair or the patch isn’t accessible and a pair of) The CVE isn’t extremely vital so it’s not price patching it outdoors the same old patch window due to the manufacturing or enterprise influence. In each instances, one should settle for the interim danger and both watch for the patch to be accessible or for the patch window schedule.
Digital patching, a type of compensating management, is a safety apply that permits you to mitigate this danger by making use of an interim safety or a “digital” repair to recognized vulnerabilities within the software program till it has been patched or up to date. Digital patching is often executed by leveraging the Intrusion Prevention System (IPS) of Cisco Safe Firewall. The important thing functionality, fostered by the seamless integration, is Safe Workload’s means to share CVE data with Safe Firewall, thereby activating the related IPS insurance policies for these CVEs. Let’s check out how (Determine 3):
- The Safe Workload brokers put in on the appliance workloads will collect telemetry concerning the software program packages and CVEs current on the appliance workloads.
- A workload-CVE mapping information is then printed to Safe Firewall Administration Heart. You may select the precise set of CVEs you wish to publish. For instance, you may select to solely publish CVEs which might be exploitable over community as an assault vector and has CVSS rating of 10. This might will let you management any potential efficiency influence in your IPS.
- Lastly, the Safe Firewall Administration Heart then runs the ‘firepower suggestions’ software to advantageous tune and allow the precise set of signatures which might be wanted to supply safety towards the CVEs that have been discovered in your workloads. As soon as the brand new signature set is crafted, it may be deployed to the north-south perimeter Safe Firewall.
Determine 3: Digital patching with Safe Workload and Safe Firewall
Flexibility and protection in depth is the important thing to a resilient zero belief microsegmentation technique
With Safe Workload and Safe Firewall, you may obtain a zero-trust safety mannequin by combining a host-based and network-based enforcement strategy. As well as, with the digital patching means, you get one other layer of protection that permits you to keep the integrity and availability of your purposes with out sacrificing safety. Because the cyber risk panorama continues to evolve, concord between completely different safety options is undoubtedly the important thing to delivering simpler options that defend useful digital property.
Be taught extra about Cisco Safe Workload and Cisco Safe Firewall
Join a Safe Workload workshop
We’d love to listen to what you suppose. Ask a Query, Remark Beneath, and Keep Related with Cisco Safety on social!
Cisco Safety Social Channels
Share:
