Network Segmentation, Security and RedSeal
Over the last few decades, many network security architecture products have come to market, all with useful features to help secure networks. If we assume that all of these security products are deployed in operational networks, why do we still see so many leaks and breaches?
Some say the users are not leveraging the full capabilities of these products – which is true.
Others say the users are not fully trained on how to use the product. Also true, and probably why they’re not using the full capabilities of their products.
Instead, we might benefit from remembering a basic truism: We humans are lazy.
Most of us, if offered a button that simply says “fix,” will convince ourselves that it will fix any network problem. We’ll buy that button every day of the week.
Our belief in fix buttons has led to a situation where many of us aren’t following standard security practices to secure our networks. When a network is designed or when you inherit a network, there are some basic things that should be done.
One of the first things to do is isolate, or segment, your network. Back in the 1990s, network segmentation was done more for performance reasons than security. As we moved from hubs to large, switched networks, our networks have become flat, with less segmentation. Today, once attackers get in, they can run rampant through a whole enterprise.
If we take the time to say, “Let’s step back a second,” and group our systems based on the access they need, we can avoid much trouble. For instance, a web server most likely will need access to the internet and should be on a separate network segment, while a workstation should be in another segment, printers in another, IoT in one of its own, and so on.
This segmentation allows better control and visibility. If it’s thought out well enough, network segmentation can even reduce the number of network monitoring security products you need to deploy. You can consolidate them at network choke points that control the flow of data between segments versus having to deploy them across an entire flat architecture. This also will help you recognize what network traffic should and should not be flowing to certain segments based on that network segment’s purpose.
This all seems to make sense, so why isn’t it done? In practice, network segmentation is usually implemented at the start. But, business happens, outages happen, administrators and network engineers are under enormous pressure to implement and fix things every day. All of this causes the network design to drift out of compliance. This drift can happen slowly or astonishingly fast. And, changes may not get documented. Personnel responsible for making the changes always intend to document things “tomorrow,” but tomorrow another event happens that takes priority over documentation.
Network segmentation only works if you can continuously ensure that it’s actually in place and working as intended. It is usually the security teams that have to verify it. But, as we all know, most security and networking teams do not always have the best partnerships. The network team is busy providing availability and rarely has the time to go back and ensure security is functioning.
Even if the security teams are checking segmentation in large enterprises, it is a herculean effort. As a result, validating network segmentation is done only yearly, at best. We can see how automating the inspection of the network security architecture is a clear benefit.
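The continuous check described above can be automated in a few dozen lines. This is an added example, not RedSeal's code or anything from the original post: the segments, the intended policy and the "as-built" choke-point rule base are all constructed, and the drifted iot-to-workstations allow rule is a hypothetical emergency change that never got reverted.

```python
import ipaddress

# Constructed example segments grouped by purpose (CIDRs are hypothetical).
SEGMENTS = {
    "web_dmz": ipaddress.ip_network("10.1.0.0/24"),
    "workstations": ipaddress.ip_network("10.2.0.0/24"),
    "printers": ipaddress.ip_network("10.3.0.0/24"),
    "iot": ipaddress.ip_network("10.4.0.0/24"),
}

# Intended policy: segment pairs allowed to talk; all other pairs must be
# blocked at the choke point between segments.
POLICY = {("workstations", "web_dmz"), ("workstations", "printers")}

# "As-built" choke-point rules as (action, src_cidr, dst_cidr), first match
# wins, implicit deny at the end. Constructed; the third rule is the drift.
AS_BUILT_RULES = [
    ("allow", "10.2.0.0/24", "10.1.0.0/24"),
    ("allow", "10.2.0.0/24", "10.3.0.0/24"),
    ("allow", "10.4.0.0/24", "10.2.0.0/24"),  # emergency change, never reverted
    ("deny", "0.0.0.0/0", "0.0.0.0/0"),
]


def permitted(rules, src, dst):
    """First-match evaluation of one host pair against the rule base."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action == "allow"
    return False  # nothing matched: implicit deny


def find_drift(segments, policy, rules):
    """Segment pairs that are reachable as built but not in the intended policy.

    Each segment is probed with its first and last usable host, so a rule that
    covers only part of a segment is still caught on one of the probes.
    """
    drift = []
    for src_name, src_net in segments.items():
        for dst_name, dst_net in segments.items():
            if src_name == dst_name or (src_name, dst_name) in policy:
                continue
            probes = [(str(s), str(d)) for s in (src_net[1], src_net[-2])
                      for d in (dst_net[1], dst_net[-2])]
            if any(permitted(rules, s, d) for s, d in probes):
                drift.append((src_name, dst_name))
    return drift
```

Run on a schedule against rules pulled from the real choke points, a non-empty result from `find_drift` is exactly the undocumented drift the text describes, surfaced daily instead of at the yearly review.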
RedSeal enables an automated, comprehensive, continuous inspection of your network architecture. RedSeal understands and improves the resilience of every element, segment, and enclave of your network. RedSeal works with your existing security stack and network infrastructure (including cloud and SDN) to automatically and continuously visualize a logical model of your “as-built” network.
RedSeal’s network modeling and risk scoring platform enables enterprise networks to be resilient to cyber events and network interruptions in an increasingly digital and virtualized world, and to overcome one of the main enemies of cybersecurity – human nature.