Effective Access Control with Active Segmentation
Published 07/30/2015
By Scott Block, Senior Product Marketing Manager, Lancope
As the threat landscape has evolved to include adversaries with deep pockets, immense resources and plenty of time to compromise their intended target, security professionals have been struggling to stave off data breaches. We’ve all heard it ad nauseam – it’s not a matter of if your network will be compromised, but when.
Since many companies have built up their perimeter defenses to massive levels, attackers have doubled down on social engineering. Phishing and malware-laden spam are designed to fool company employees into divulging login information or compromising their machine. According to the security consulting company Mandiant, 100 percent of data breaches the company has studied involved stolen access credentials.
Since threat actors have become so good at circumventing traditional defenses, we cannot afford to have only a single point of failure. Without proper internal security, attackers are given free reign of the network as soon as they gain access to it.
Instead, attackers should encounter significant obstacles between the point of compromise and the sensitive data they are after. One way to accomplish this is with network segmentation.
Keep your hands to yourself
In an open network without segmentation, everyone can touch everything. There is nothing separating Sales from Legal, or Marketing from Engineering. Even third-party vendors may get in on the action.
The problem with this scenario is that it leaves the data door wide open for anyone with access credentials. In a few hours, a malicious insider could survey the network, collect everything of value and make off with the goods before security personnel get wind of anything out of the ordinary.
What makes this problem even more frustrating is that there is no reason everyone on the network should be able to touch every resource. Engineers don’t need financial records to perform their job, and accountants don’t need proprietary product specifications to do theirs.
By simply cordoning off user groups and only allowing access to necessary resources, you can drastically reduce the potential damage an attacker could inflict on the organization. Instead of nabbing the crown jewels, the thief will have to settle for something from the souvenir shop. Additionally, the more time the attacker spends trying to navigate and survey your network, the more time you have to find them and throw them out, preventing even the slightest loss of data in the process.
How it works
It is best to think of a segmented network as a collection of zones. Groups of users and groups of resources are defined and categorized, and users are only able to “see” the zones appropriate to their role. In practice, this is usually accomplished by crafting access policies and using switches, virtual local area networks (VLANs) and access control lists to enforce them.
While this is all well and good, segmentation can quickly become a headache in large corporate environments. Network expansion, users numbering in the thousands and the introduction of the cloud can disrupt existing segmentation policies and make it difficult to maintain efficacy. Each point of enforcement could contain hundreds of individual policies. As the network grows in users and assets, segmentation policies can quickly become outdated and ineffective.
Retaining segmentation integrity is an important security function in today’s world of advanced threats and high-profile data breaches. To properly protect themselves, organizations need to constantly maintain segmentation, adding new policies and adjusting existing ones as network needs change.
One way to tackle the challenges of traditional access control is with software-defined segmentation, which abstracts policies away from IP addresses and instead bases them on user identity or role. This allows for much more effective and manageable segmentation that can easily adapt to changes in the network topology.
Active segmentation for effective access control
When you couple software-defined segmentation with an intelligent planning and implementation methodology, you get active segmentation. This approach to segmentation allows network operators to effectively cordon off critical network assets and limit access appropriately with minimal disruption to normal business functions.
When implemented correctly, active segmentation is a cyclical process of:
- Identifying and classifying all network assets based on role or function
- Understanding user behavior and interactions on the network
- Logically designing access policies
- Enforcing those policies
- Continuously evaluating policy effectiveness
- Adjusting policies where necessary
Here is a high-level overview of the active segmentation cycle:
Network visibility enables active segmentation
One of the cornerstones of active segmentation is comprehensive network visibility. Understanding how your network works on a daily basis and what resources users are accessing as part of their role is paramount to designing an adequate policy schema.
Leveraging NetFlow and other forms of network metadata with advanced tools like Lancope’s StealthWatch® System provides the information needed to understand what users are accessing and their behavior when operating on the network. This end-to-end visibility allows administrators to group network hosts and observe their interactions to determine the best way to craft segmentation policies without accidently restricting access to resources by people who need it.
After the segmentation policies have been implemented, the visibility allows security personnel to monitor the effectiveness of the policies by observing access patterns to critical network assets. Additionally, the network insight quickly highlights new hosts and traffic on the network, which can help assign segmentation policies to them. This drastically reduces the amount of time and effort required to ensure segmentation policies are keeping pace with the overall growth of the enterprise network.
In short, active segmentation is the process of logically designing policies based on network data and constantly keeping an eye on network traffic trends to make sure access controls are utilized effectively and intelligently to obstruct attackers without impeding normal business functions. With the right tools and management, organizations can minimize the headaches and time involved with network segmentation while significantly improving their overall cybersecurity posture.