Posts

Micro-Segmentation and Application Discovery – Gaining Context for Accurate Action

The infrastructure and techniques used to deliver applications are undergoing a significant transformation. Many organizations now use the public cloud extensively alongside traditional on-premises data centers, and DevOps-focused deployment techniques and processes are bringing rapid and constant change to application delivery infrastructure.

While this transformation is realizing many positive business benefits, a side effect is that it is now more challenging than ever for IT and security teams to maintain both point-in-time and historical awareness of all application activity. Achieving the best possible security protection, compliance posture, and application performance levels amidst constant change is only possible through an effective application discovery process that spans all of an organization’s environments and application delivery technologies.

Essential Application Discovery Process Components

Application discovery plays a valuable role for organizations defining and implementing a micro-segmentation strategy. Micro-segmentation solutions like GuardiCore Centra are more powerful and simpler to use when they have a complete and granular representation of an organization’s infrastructure as a foundation.

Application discovery is achieved through a multi-step process that includes the following key elements:

  • Collecting and aggregating data from throughout the infrastructure
  • Organizing and labeling data for business context
  • Presenting application discovery data in a visual and relevant manner
  • Making it seamless to use application discovery insights to create policies and respond to security incidents

Each step has its own nuances, which require consideration when evaluating micro-segmentation technologies.

Application Data Collection and Aggregation

Modern application delivery infrastructure often consists of numerous physical locations, including third-party cloud infrastructure, and a wide range of application types and delivery models. This can make it challenging to collect comprehensive data from throughout the infrastructure. For example, GuardiCore Centra relies on multiple techniques to collect data, including:

  • Deploying agents on application hosts to monitor application activity
  • Collecting detailed network data through TAP/SPAN ports and virtual SPANs
  • Collecting VPC flow logs from cloud providers

While each of these techniques is valuable, agent-based collection in particular ensures that Layer 7 granularity is included in the application discovery data set.

Once collected, application activity data must be aggregated and stored in a scalable manner to support the subsequent steps in the application discovery process.

Applying Context to Application Discovery Data

Whenever data is collected from disparate sources, it is difficult to interpret and derive value from it in its raw form. Therefore, it is critical to organize data and present it in context that is relevant to the organization. GuardiCore Centra employs several complementary techniques to simplify and, when possible, automate this essential step, including:

  • Querying an organization’s existing data sources, such as orchestration tools and configuration management databases, using REST APIs
  • Automatically applying dynamic labels based on pre-defined logic
  • Discovering labels using agents deployed on application hosts
  • Giving customers a simple and flexible framework to create labels manually

A sound labeling approach makes it easy for an organization to view application activity in meaningful ways using attributes such as environment, application type, regulatory scope, location, role, or owner. While these are common examples, GuardiCore Centra’s labeling framework is also highly flexible, so organizations can define a custom label hierarchy to accommodate any specialized needs.
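
The labeling step described above, as an added Python example (not GuardiCore Centra code or its API): per-IP flow records are resolved to labels, collapsed into label-to-label edges, and the edges that cross environments or touch an unlabeled host are queued for review. The inventory, CIDR rules, label names and flow records are all constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed inventory, standing in for labels pulled from a CMDB or orchestration tool.
INVENTORY = {
    "10.1.0.11": ("prod", "billing", "web"),
    "10.1.0.21": ("prod", "billing", "db"),
    "10.2.0.15": ("dev", "billing", "web"),
}
# Dynamic label rules (pre-defined logic) for hosts missing from the inventory:
# the first matching CIDR supplies the environment; app and role stay unlabeled.
DYNAMIC_RULES = [
    (ipaddress.ip_network("10.1.0.0/16"), "prod"),
    (ipaddress.ip_network("10.2.0.0/16"), "dev"),
]
# Constructed flow records: (source IP, destination IP, destination port).
FLOWS = [
    ("10.1.0.11", "10.1.0.21", 5432),
    ("10.1.0.11", "10.1.0.21", 5432),
    ("10.2.0.15", "10.1.0.21", 5432),
    ("10.1.0.99", "10.1.0.21", 22),
    ("192.0.2.7", "10.1.0.11", 443),
]

def labels_for(ip):
    """Return (env, app, role); inventory labels win over dynamic rules."""
    if ip in INVENTORY:
        return INVENTORY[ip]
    addr = ipaddress.ip_address(ip)
    for net, env in DYNAMIC_RULES:
        if addr in net:
            return (env, "unlabeled", "unknown")
    return ("unknown", "unlabeled", "unknown")

def aggregate(flows):
    """Collapse per-IP flows into counted label-to-label edges."""
    return Counter((labels_for(s), labels_for(d), port) for s, d, port in flows)

def review_queue(edges):
    """Edges that cross environments or touch an unlabeled endpoint need a decision
    before they become policy; everything else is a candidate allow rule."""
    return sorted(
        (src, dst, port, n)
        for (src, dst, port), n in edges.items()
        if src[0] != dst[0] or "unlabeled" in (src[1], dst[1])
    )

if __name__ == "__main__":
    edges = aggregate(FLOWS)
    for src, dst, port, n in review_queue(edges):
        print("/".join(src), "->", "/".join(dst), f"port {port}", f"({n} flows)")
```

With the sample data, the prod web-to-db edge on port 5432 is the only one that stays out of the review queue; the dev-to-prod database connection and the two flows from unlabeled hosts are surfaced for a decision.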

Visualizing Application Discovery Information

Once application data has been collected, harmonized, and contextualized, the next step is to present it in a manner that is meaningful to IT professionals, security experts, and application owners. The following examples from GuardiCore Centra illustrate the impact that the preceding three steps have on the quality of the visual representation of application discovery data.

Without context, raw data may look something like this:

[Image: Without context, it’s difficult to know which applications exist in the environment and how they interact with one another.]

As you can see, this view contains a large amount of information but provides very little insight into which applications exist in the environment and how they interact with one another.

In contrast, once context has been added through labeling, more meaningful visualizations like the following example become possible:

[Image: Visualizing Application Discovery Information]

In this case, the underlying data is presented in a manner that defines a specific application, its components, and its flows very clearly.

When evaluating possible approaches to visualizing application discovery data, it is important to consider both real-time and historical visualization needs. Real-time data is helpful for assessing additional policy needs or responding to in-progress security incidents. However, historical data is also extremely valuable for compliance audits and security incident forensics and post-mortems.

Moving from Application Discovery to Action

A final consideration when implementing an application discovery process is how best to make the collected data actionable. Once security teams and application stakeholders gain a complete view of application activity across their infrastructure, they often identify new legitimate applications that must be protected, unauthorized applications that they would like to block, possible security enhancements for existing applications, and even active security incidents that must be contained. Therefore, it is important to have seamless linkage between application discovery and micro-segmentation policy definition.

GuardiCore Centra accomplishes this by making application discovery visualizations directly actionable through point and click actions. Administrators can click on assets and flows in the visualization and gain immediate access to policy definition options. They can even create sophisticated compound policies through GuardiCore’s intuitive, highly visual interface.

[Image: Understanding the mutually-beneficial relationship between application discovery and micro-segmentation.]

This final step illustrates the mutually-beneficial relationship between application discovery and micro-segmentation. A well-implemented application discovery process gives an organization’s application stakeholders both a clear view of application activity across all environments and an intuitive path to positively affect it through granular micro-segmentation policies. Similarly, once micro-segmentation policies have been implemented, the ability to view them in an up-to-date visualization of the infrastructure at any time makes it easier to update and maintain policies as environments change and new threats emerge.

The challenge of implementing an integrated application discovery process that spans all environments and delivery models may seem daunting to many organizations. However, by breaking the problem down into its four key elements and considering how each can be addressed more effectively with the help of flexible technologies like GuardiCore Centra, security teams and other stakeholders can set their application discovery process on a path to success.

For more information on micro-segmentation, visit our Micro-Segmentation Hub.

Implementing Micro-Segmentation Insights, Part 2: Getting Internal Buy-In

In a recent blog, I revealed part one of my insights from implementing micro-segmentation projects with large customers. Vendors don’t always get the perspective of deep involvement in the execution of these projects, but I have been fortunate enough to cultivate relationships with our customers and have thus been granted an inner view. In my first blog of this series, I discussed short versus long-term objectives and the importance of knowing your goals and breaking them down into phases to ensure that you’re truly working on the important matters first and foremost. In this blog, I want to get into the importance of getting internal buy-in from other teams in order to enable improved implementation. To make the process easier for all involved, “selling” the project to other teams is an important early step.

More often than not the segmentation project is driven by the security organization and they are the ones who see immediate value out of it, but they need the collaboration of other teams to help them deploy the product. It doesn’t really matter if the product is an overlay (usually based on agents) or underlay (comes as a part of the infrastructure).

Some teams will need to carry more of the weight and bear more in the processes of deploying such a project: networking, application, infrastructure, system, etc. To achieve collaboration of those teams it helps to carry a carrot, not just a stick. Getting early buy-in on these projects and planning out collaboration from the right people will make the process much easier in the long run. In order to do so, the solution needs to be “sold” internally. And just like with any sales process, the more you are prepared and equipped for this, the smoother it will go.

As is true with any sales process, there will be the “early adopters” and the “late adopters.” In our experience, when the project team was well prepared and presented the benefits of the solution to the other teams, the impact was significant. If you can show the application team how they can benefit from the solution, they will not just ease up on the objections; in fact, they will be pushing the deployment.

But there is a significant BUT to this. The product you choose for your segmentation needs to be able to deliver those carrots. It needs to be able to support use cases that are not the clear immediate concern of its direct, original audience. Here is a small example: let’s say you need to convince the application owner to install the agents that will enforce the policy. The application owner usually has little interest in the security use case and might object or hesitate because of the additional player introduced in the mix, wondering how it will affect stability, performance, etc. But if you are able to demonstrate that he will gain value from the product, he in fact will become the one who pushes the deployment.

One such value proposition that we constantly see is the value of “getting visibility into your application.” This is of course a great promise, but for the application owner to actually be able to gain value from this visibility, the visibility should have certain properties: it needs to be L7 with application context, it needs to collect data and store it historically (note that for the sake of building policy the historical aspect of the data is not important at all; you just need to know what connections might happen), and it needs to be searchable and filterable to allow simple and convenient consumption by the application owner. This of course is just one example, but the important lesson is to show the many ways in which the solution can expand beyond the obvious reason for implementation to help ensure buy-in of other teams through the illustration of other benefits.

So, when starting to deploy a segmentation solution, make sure that you prepare an on-boarding package for the teams you need to cooperate with that includes ways they can leverage the product to expedite the adoption process and make the project’s deadlines. Equally important, when doing so make sure that the product you choose can actually cater to those use cases, and many of the products on the market today miss that important point.

Learn more on our micro-segmentation hub or read about GuardiCore Centra for best practices.

Read part one of my insight from implementing micro-segmentation.

Harness the Benefits of Micro-Segmentation

Enterprise IT environments – and the security attacks they are subjected to – are becoming more sophisticated and diverse. While data centers continue to play a central role, a growing number of workloads are shifting to cloud and hybrid cloud deployment models. Meanwhile, emerging deployment approaches like containers bring both new advantages and new security challenges.

As a result of these shifts, the days of a well-defined perimeter are over, putting greater pressure on IT security teams to detect and prevent lateral movement among heterogeneous data center and cloud assets. Micro-segmentation with Layer 7 granularity addresses this growing challenge, bringing several essential benefits to today’s fast-evolving enterprise environments.
