Tag Archive for: SDN

Make Network Security a Zero Trust Priority

The National Security Agency’s (NSA) Cybersecurity Information Sheet (CSI) titled “Advancing Zero Trust Maturity Throughout the Network and Environment Pillar” and the CISA Zero Trust Maturity Model version 2 underscore the importance of securing network environments in line with zero trust principles. Both documents emphasize an integrated approach to zero trust, placing network security alongside identity management, data protection, and continuous monitoring.

John Kindervag, the creator of zero trust, recently cautioned the cybersecurity industry about its overemphasis on identity management, reminding us of the critical role that network security plays in the zero trust framework. As organizations continue to mature their zero trust architectures, the NSA and CISA outline clear guidelines on how network security fits into the overall security strategy.

Key insights from the CISA and NSA zero trust guidance

1. Data flow mapping

The CISA Zero Trust Maturity Model v2 emphasizes the importance of understanding data flows across the network to enforce zero trust effectively. RedSeal’s network mapping capabilities map directly to this requirement. By visualizing network paths, RedSeal helps organizations identify unprotected data flows and the insecure paths that sensitive information could traverse, so those paths can be closed before data crosses them. This visibility is the prerequisite for implementing micro- and macro-segmentation strategies.

2. Macro-segmentation and micro-segmentation

Both the NSA and CISA documents stress the need for segmentation as a core component of zero trust. Macro-segmentation involves dividing networks into broad security zones to limit lateral movement by attackers. RedSeal’s “Zones and Policies” feature supports this by enforcing policies that prevent unauthorized access between different zones, such as between departments or IT and operational technology environments.

Micro-segmentation, on the other hand, focuses on further reducing the attack surface within network segments. RedSeal’s policy management capabilities assist organizations in enforcing precise controls at a granular level. With RedSeal’s advanced network modeling, you can identify the most critical areas for micro-segmentation and ensure policies are applied effectively.

3. Software-defined networking (SDN)

RedSeal’s capabilities complement SDN implementations, which are highlighted by CISA and NSA as essential for creating dynamic, adaptable zero trust environments. SDN allows for more granular and flexible control over network traffic. RedSeal enhances these SDN strategies by providing deep insights into network structure and identifying potential vulnerabilities, which is crucial for crafting effective SDN policies.

4. Threat visibility and continuous monitoring

Continuous monitoring is a cornerstone of zero trust, as outlined by both the NSA and CISA. RedSeal’s continuous network visibility and monitoring allow organizations to stay vigilant and identify potential risks. The ability to verify network configurations continuously ensures that security policies remain effective and adaptive as threats evolve.

Advancing zero trust maturity with RedSeal

RedSeal is uniquely positioned to help organizations mature their zero trust architectures, particularly within the network and environment pillar. By delivering comprehensive network visibility, enabling effective segmentation, and supporting SDN strategies, RedSeal plays a critical role in limiting attack surfaces and strengthening an organization’s security posture.

Zero trust is not a one-size-fits-all approach, but by leveraging RedSeal’s capabilities, you can ensure your network security is robust, dynamic, and capable of meeting the stringent requirements outlined by both CISA and NSA.

Discover how RedSeal can enhance your zero trust journey by scheduling a demo or attending one of our free monthly Cyber Threat Hunt workshops.


The Critical Role of Network Security in Zero Trust

The National Security Agency’s (NSA) Cybersecurity Information Sheet (CSI) entitled “Advancing Zero Trust Maturity Throughout the Network and Environment Pillar” outlines how organizations can enhance their network security within the Zero Trust model. This involves leveraging advanced cybersecurity strategies to mitigate the risk of lateral movement by malicious actors within networks.

In a recent SC Magazine article, the creator of the Zero Trust concept, John Kindervag, pointed out the industry’s current overemphasis on identity management, cautioning against neglecting network security’s critical role. This viewpoint complements the NSA’s guidance on implementing Zero Trust within the network and environment pillar, underscoring the need for a balanced approach that values both identity and network infrastructure. Kindervag’s insights advocate not only recognizing the network as a foundational component of Zero Trust, but also actively engaging in strategies like data flow mapping, macro- and micro-segmentation, and leveraging software-defined networking (SDN) for enhanced security measures. This balanced focus ensures a comprehensive and resilient Zero Trust model, and RedSeal can address those network-related challenges effectively.

RedSeal can play a crucial role in implementing these strategies:

  • Data Flow Mapping: RedSeal’s capabilities in mapping the network and understanding how data moves across it align with the document’s emphasis on understanding data flow to identify and secure unprotected data flows. RedSeal can help organizations visualize their network paths and flows, which is foundational for the segmentation and isolation strategies the document recommends.
  • Macro Segmentation: RedSeal’s Zones and Policies feature directly supports the concept of macro-segmentation, which is about segmenting the network into different security zones to control access and movement between them. By defining and enforcing network policies, RedSeal can help prevent unauthorized access between different parts of the network, such as between departments or between the IT environment and operational technology systems.
  • Micro Segmentation: The document discusses micro-segmentation’s role in further reducing the attack surface within network segments. RedSeal’s detailed network models and policy management can assist in enforcing the policies that control access to resources within these segments. RedSeal’s analytical capabilities can help identify where micro-segmentation can be most effectively applied and help manage the policies that enforce this segmentation.
  • Software-Defined Networking (SDN): Although RedSeal itself is not an SDN solution, its network modeling and risk assessment capabilities are complementary to SDN’s dynamic and adaptable network management. RedSeal can enhance SDN implementations by providing a detailed understanding of the network structure and potential vulnerabilities, thereby aiding in the creation of more effective SDN policies.

RedSeal can significantly aid an organization’s efforts to advance its Zero Trust maturity, particularly within the network and environment pillar outlined in the NSA document. By providing detailed network visibility, facilitating effective macro- and micro-segmentation and complementing SDN strategies, RedSeal helps limit potential attack surfaces, enhances network security posture, and supports continuous verification of all elements within the network environment.

You can find out more by getting a demo of RedSeal and attending one of our monthly free Cyber Threat Hunt workshops.

RedSeal and DHS CISO’s Current Priorities

In early August, at MeriTalk’s Cyber Security Brainstorm, Paul Beckman, chief information security officer (CISO) at the Department of Homeland Security (DHS), said that his biggest new priorities are:

  • Increasing use of software-defined networking (SDN)
  • Adopting a zero-trust model
  • Optimizing DHS’ security operations centers (SOC)

He added that the ability to leverage micro-segmentation in cloud or SDNs is an efficient way to provide network data security services.

Which is true to an extent.

Unfortunately, Mr. Beckman puts too much trust in SDN security. If that word “software” does not concern you, then you are not thinking about the problem hard enough. Humans make and deploy software and humans make mistakes, even in something called “software-defined.” They often don’t see what’s exposed as they build out their architecture. They may have intended to have something segmented and not realize it isn’t.

SDNs grow and change quickly. An equally agile modeling solution can ensure that any mistakes are caught and fixed rapidly. There can easily be millions of rules to check as workloads spin up and down too fast for any human to keep up. RedSeal will validate all your security rules over time to ensure that configuration drift doesn’t cause segmentation violations.

Agencies can create risks, too, by making multiple changes over time without comprehending the combined effect those changes have on end-to-end security. This problem is exacerbated by SDNs because of the ease and speed of change they offer. To reduce the risks and realize the true power of SDNs, agile change control should be part of your approval process. This will allow you to model changes at machine speed to see exactly what effect a change will have on end-to-end security.
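The two checks described above, validating a rule set against a zone policy so that drift cannot silently open a path (and, in the earlier posts on this page, the “Zones and Policies” idea of macro-segmentation), and modeling a proposed change before it is approved, reduce to a reachability question over a network model. The following is an added example written for this page; it is not RedSeal’s code or a description of its algorithm. It assumes a single first-match firewall between three constructed zones, a constructed baseline rule set, and a constructed “temporary” change; routing, NAT and multiple devices are deliberately out of scope.

```python
"""Segmentation-policy check over a small network model.

Added example for this page (not RedSeal's code or algorithm): a first-match
firewall rule set is evaluated against a zone policy that names pairs of zones
which must never be able to communicate, and a proposed rule change is scored
by the new violations it would introduce. Zones, rules and the change are all
constructed for the example.
"""
from ipaddress import IPv4Address, IPv4Network, ip_network
from itertools import product
from typing import List, NamedTuple, Optional, Set, Tuple


class Rule(NamedTuple):
    src: IPv4Network
    dst: IPv4Network
    port: Optional[int]      # None means any destination port
    action: str              # "allow" or "deny"


def rule(src: str, dst: str, port: Optional[int], action: str) -> Rule:
    return Rule(ip_network(src), ip_network(dst), port, action)


# Constructed topology: three zones behind one firewall.
ZONES = {
    "corp": ip_network("10.1.0.0/24"),
    "dmz": ip_network("10.2.0.0/24"),
    "ot": ip_network("10.3.0.0/24"),
}

# Constructed baseline rule set. First match wins; implicit deny at the end.
BASELINE_RULES = [
    rule("10.1.0.0/24", "10.2.0.0/24", 443, "allow"),  # corp -> dmz web front end
    rule("10.2.0.0/24", "10.3.0.0/24", 502, "allow"),  # dmz jump host -> ot modbus
    rule("0.0.0.0/0", "10.3.0.0/24", None, "deny"),    # nothing else reaches ot
]

# Zone policy: (source zone, destination zone) pairs that must never talk.
FORBIDDEN = [("corp", "ot")]


def permitted(rules: List[Rule], src: IPv4Address, dst: IPv4Address, port: int) -> bool:
    """First-match evaluation of one flow; no match means deny."""
    for r in rules:
        if src in r.src and dst in r.dst and (r.port is None or r.port == port):
            return r.action == "allow"
    return False


def probe_ports(rules: List[Rule]) -> Set[int]:
    """Ports worth testing: every port a rule names, plus 0 as a stand-in
    for 'a port no rule names', which exercises the any-port rules."""
    return {r.port for r in rules if r.port is not None} | {0}


def representatives(zone: IPv4Network, rules: List[Rule]) -> Set[IPv4Address]:
    """One probe address per rule-defined sub-block inside the zone, so a
    rule that matches only part of a zone (e.g. a single host) is still
    exercised without enumerating every address in the zone."""
    reps = {zone.network_address + 1}
    for r in rules:
        for net in (r.src, r.dst):
            if net.subnet_of(zone):
                reps.add(net.network_address)
    return reps


def violations(rules: List[Rule]) -> List[Tuple[str, str, str, str, int]]:
    """Every flow the rule set allows but the zone policy forbids."""
    found = []
    ports = sorted(probe_ports(rules))
    for src_zone, dst_zone in FORBIDDEN:
        srcs = sorted(representatives(ZONES[src_zone], rules))
        dsts = sorted(representatives(ZONES[dst_zone], rules))
        for src, dst, port in product(srcs, dsts, ports):
            if permitted(rules, src, dst, port):
                found.append((src_zone, dst_zone, str(src), str(dst), port))
    return found


def evaluate_change(rules: List[Rule], new_rule: Rule, position: int) -> List[Tuple[str, str, str, str, int]]:
    """Model a change before it is approved: the violations the candidate
    rule set would add relative to the current one. Empty means the change
    does not break segmentation; it says nothing about whether it works."""
    candidate = list(rules)
    candidate.insert(position, new_rule)
    return sorted(set(violations(candidate)) - set(violations(rules)))


# Constructed "temporary" change: give one corp admin host SSH into OT.
HOTFIX = rule("10.1.0.50/32", "10.3.0.0/24", 22, "allow")

if __name__ == "__main__":
    print("baseline violations:", violations(BASELINE_RULES))
    print("hotfix at top:", evaluate_change(BASELINE_RULES, HOTFIX, 0))
    print("hotfix after deny:", evaluate_change(BASELINE_RULES, HOTFIX, len(BASELINE_RULES)))
```

Run as written, the baseline is clean, the hotfix inserted at the top of the rule set produces two new corp-to-OT violations on port 22 (one per probe address in the OT zone), and the same hotfix appended after the any-port deny produces none. That last result is the trap a change-approval model has to surface: the rule is shadowed, so it neither breaks segmentation nor does what its author intended, and a tool that only reports new violations would approve it silently.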

Added to architecture, updating and workflow issues, is the fact that most SDNs exist in hybrid data center environments, connected to other SDNs, public clouds and physical assets. RedSeal’s model of your network includes all your environments, so you can see access between and within each one. While I agree that SDNs are an improvement on the earlier way of providing security services, they are not a silver bullet.

Mr. Beckman also said, “One of the things that I think we are, as an IT organization, going to be evolving to, is that zero-trust model. Traditionally the perimeter was your primary means of defense, but once you got into the squishy center, you were generally a trusted entity. That needs to go away.”

With zero trust, he said that you need to authenticate everything a user is trying to access inside the perimeter. It’s a great idea for any organization to trust no one on the inside of a network and make them prove they’re authorized to be there. But what happens when credentials are compromised? It is harder to do today, after implementation of two-factor authentication procedures and password managers, but not impossible. Hackers still find a way.

Lastly, Mr. Beckman wants to consolidate 16 independent SOCs into four or five centers operating in a “SOC-as-a-service” format. These kinds of consolidation efforts have happened before. The government has put a lot of effort into merging SOCs, only to have them split apart again due to performance issues or mission requirements.

What is new and admirable is a focus on grading the performance of each individual SOC. Identifying poor performers and merging them with high-scoring SOCs seems like a logical way to take advantage of the limited numbers of highly skilled security professionals and improve outcomes. Again, this sounds good in theory. We will see how it works in real life environments.

For more information about how RedSeal meets the DHS’s highest priorities this year, visit our website at: www.redseal.net/government.

Who Says Software-Defined Security Is What We Want?

Forbes | Dec 21, 2017

By Dr. Mike Lloyd, RedSeal CTO

Gartner’s Hype Cycle is always a fun read. For the 2017 version, I’d like to draw your attention to the dot for Software-Defined Security — you can find it sliding down the precipitous slope from the Peak of Inflated Expectations to the Trough of Disillusionment.

It’s easy to trace the rise and fall. Back in 2014, there was no Software-Defined-Security marker, but Gartner’s annual chart of hype, hope and hallucination had an entry for Software-Defined Anything (way over on the far left), where dreams turn into … well, more dreams (at least for a while). The intervening years saw Software-Defined Security charge up that first hill of expectations, crest over and eventually slide down.