Posts

5 Ways that PCI DSS Micro-Segmentation Can Help You Achieve Compliance

As regulations for compliance become increasingly stringent, the consequences for failing an audit go far beyond a bureaucratic headache. As well as damage to your public image, you could be subject to financial penalties and even a halt to your business operations altogether until safety measures have been put into place.

Relying on a security solution that employs micro-segmentation can be a powerful tool that provides unparalleled control over the traffic cross your hybrid IT ecosystem. The right approach will be able to isolate and segment all applications, monitoring and routing all traffic, including east-west. By doing this, micro-segmentation can effortlessly check boxes for your compliance regulations, whether that’s PCI-DSS, HIPAA, or others.

PCI DSS Micro-Segmentation through Separation of Zones

When it comes to PCI DSS, micro-segmentation can support you in reducing scope. The compliance regulations are very clear. “To be considered out of scope for PCI DSS, a system component must be properly isolated from the cardholder data environment (CDE), such that even if the out-of-scope system component was compromised it could not impact the security of the CDE.” A similar rule is found for HIPAA compliance, but this time regarding Protected Health Information (PHI).

It is likely that some systems can be physically separated from your CDE or PHI. In the past, firewalls could enforce network zones, as could virtual LANs with strong ACLs. However, more complex architecture such as cloud-based VMs or containers have this made this difficult. Even simple compliance regulations, such as placing a firewall, become a challenge. Additionally, dynamic workloads mean you need granular visibility of where changes are happening within the CDE in real-time. This has encouraged businesses to look for a solution that allows for continuous process or identity level detail and control.

Ensuring that you have rich visibility into the flow of traffic is number one on the list for any auditor. This has two benefits. Firstly, it shows the regulatory board that you have a strong understanding of the data and access in your network. Secondly, it proves that you can automatically detect a threat or breach if the worst happens.

Reduced Impact of a Breach

Once you have established visibility, controlling traffic to isolate and resolve an attack should be next on the agenda. By starting with broad micro-segmentation policies and then creating more specific layers you can achieve the right balance between under and over segmenting your network. This should be done gradually, allowing you to gain the perfect amount of control without losing functionality and flexibility. Because the policies you build for micro-segmentation are application-aware, you can use them to enforce system access to specific regulated data, such as PHI for HIPAA compliance. Even if a breach happens to your perimeter, a hacker would not be able to move from an out of scope area to one that threatens compliance posture. Companies that only focus on protecting their perimeter between external and internal systems are behind the times. If attackers get through your perimeter, your entire data center or network is up for grabs. For PCI-DSS, micro-segmentation can provide a deeper level of security on all the important systems on your network. It can also stop attackers from making lateral moves within your network, pivoting dangerously from an out of scope area to one which can reach your CDE or PHI.

Another benefit for HIPAA or PCI DSS, micro-segmentation can meet the requirement of maintaining a vulnerability management program. For this to work best, your solution needs to work in tandem with a strong breach detection and mitigation solution, protecting your system against malware. Micro-segmentation works with the principle of least privilege, perfect for verticals like healthcare dealing with HIPAA compliance, where 70% of organizations cite employee negligence as the most worrying reason for breaches.

Another important element to keep in mind for compliance is having separate development and testing environments from production environments. Top tip: Make sure that scanning and auditing is done in a continuous cycle, not just periodically.

Locking Down Systems with PCI DSS Micro-Segmentation

PCI DSS dictates that more in-depth security features should be implemented for what they call “insecure” services, daemons or protocols. An example of this could be using a VPN for file sharing. Using a flexible policy engine is an important element of a compliance-ready micro-segmentation approach. This can enable you to validate administrative access to each system, and restrict specific protocols to using additional security measures.

Another element of compliance is ensuring that only one primary function can be implemented on each server. This means that functions with different security levels cannot be on the same server, preventing lateral moves from weaker entry points. By implementing PCI DSS micro-segmentation, process level policies can be enforced so that only necessary services are making connections, and only one secure function is implemented per server.

Logging all Systems and Mapping Vulnerabilities in PHI or PCI Micro-Segmentation

As well as showing that you’ve created zones in your network, nearly all compliance regulations will expect you to have visibility into the traffic that moves among them and the ability to log this information for later. Traditionally, companies have had visibility into north-south traffic which moves between client and server. The best approaches can now analyze and monitor east-west traffic, also known as server to server traffic, from within the data center itself. The policies that you define for your micro-segmentation approach can be used as documentation of your compliance, and the granular detail of east-west traffic serves as proof that you have a strong security posture that meets regulations.

Many businesses struggle to prove the systems that they have deemed out of scope actually are separate from their CDE or PHI, especially when dynamic boundaries are part of their IT infrastructure. If you choose a PCI micro-segmentation approach with labeling functionality, you can examine the PCI or PHI environments and inspect the flows and communications in granular detail. Filtering where necessary can allow you to drill down to specific protocols at process level, granting you unparalleled levels of control in comparison to traditional network segmentation.

Finding an All-Inclusive Solution for Compliance

There are many requirements for ongoing compliance, and companies will need to have various security controls in place to establish they are meeting the regulations of complex standards like PCI DSS or HIPAA. For example, when you’re employing PCI DSS micro-segmentation to meet regulations, you will need a distributed firewall to separate the CDE from other applications, as well as file integrity monitoring on your CDE itself. For mapping and documentation you’ll benefit from powerful process level visibility on traffic and data flows.

Lastly, especially important in compliance-heavy industries like healthcare where attacks are so common, your micro-segmentation approach should integrate with tools that allow you to secure the environment and maintain overall vulnerability control. These could include powerful breach detection tools like honeypots and malware detection, Choose a solution that covers many requirements in one, and you’ll take on less risk and management overall, simplifying the road to ongoing compliance.

For more information on micro-segmentation, visit our Micro-Segmentation Hub.

Learn more about micro-segmentation and PCI compliance.

I Know What We Did Last Summer, You Should Too: See What’s New with GuardiCore Centra

As our CTO Ariel Zeitlin mentioned in his recent post , the GuardiCore field team has been very busy over the past several months working with some of the world’s largest corporations on different hybrid cloud security projects. More specifically, the GuardiCore Centra solution has been helping these large companies achieve greater visibility and assisting them in creating micro-segmentation policies.

At the same time, the GuardiCore product teams were busy developing the next wave of innovation for GuardiCore Centra. Some of our customers told us that the ability to quickly innovate and introduce new capabilities is one of our key differentiators as a company, and we take this feedback and the responsibility to push the boundaries of our technology seriously.

I have selected a couple of important highlights of the recent releases that I wanted to share with you, to give you a glimpse of the exciting progress we are making. The overview below is only partial. For the complete list of new release features and release content, please see the documentation on our customer portal (login required).

Of note – we are currently on release 28, and soon will EA release 29 and start the development of release 30. We are in continuous motion, upgrading, optimizing and pushing out the best improvements for our customers and if I may add a personal note – setting an example for the industry.

Reveal

GuardiCore Reveal provides visibility into application flows and processes. When visualizing assets, one can now perform asset grouping according to multiple, nested keys. This allows a much clearer view of large data centers and communication flows between environments, applications and roles. In addition, Centra now supports defining segmentation rules according to complicated logic of labels. Want to know more? Watch the demo to learn about Centra and visibility.

Some of the other recent enhancements include the following capabilities:

Nested Grouping

Users can now define map groupings that consist of multiple keys to form a nested map structure. For example, a user can define a default “Environment” → “Application” → “Role” grouping; Reveal maps will then show the different environments by default. When expanded, each environment will reveal its underlying applications, and correspondingly when an application is expanded, Reveal will show its underlying Roles.

3-tier GuardiCore Centra product update

 

AND Segmentation Rules

Segmentation rules now support specifying the result of a logic “AND” operation on label criteria as a rule’s source or destination. As in previous versions, users can get these suggestions directly from the Reveal map or enter them manually in the Segmentation Policy screen.
AND rules are directly related to nested groups. For example, when suggesting rules from the eCommerce application node in the Production environment, to the Data Processing application in the Production environment, the resulting rules will have a source of “Environment: Production AND Application: eCommerce” and a destination of “Environment: Production AND Application: Data Processing”.

One-Click Daily Maps

This new feature produces daily Reveal maps, generated automatically every 24 hours. Clicking “Explore” on the Reveal menu displays the most recent map by default. Maps are created once and are automatically updated based on your configuration.

Time estimation – We added a progress bar to indicate how long it takes the map to build. When you create a new map on an extended time frame (a week, a month etc’) or activate the Accurate connection times option on the Create New Map window, you will get an ETA indication on the Saved Maps page.

Tighter Process Level Policy Enforcement

To enable more granular and secure policies , we added the ability to explicitly specify the full path of the process as part of the Allow/Block rules. For example, when creating a policy for application “nginx”, Centra will suggest to allow /usr/local/nginx instead of  /tmp/nginx.

Cloud Native Visibility, More Multi-Cloud UI Controls

We simplified the way users activate multiple orchestration providers: AWS, vSphere and Kubernetes (K8s) simultaneously. Asset inventory and metadata will be continuously fetched from all defined orchestration providers.

We also added the ability to display orchestrations data from multiple sources for the same Kubernetes asset. All the data about a specific node is now collected both from the Kubernetes API and the compute providers’ APIs.

For GuardiCore customers who are using agentless, managed cloud solutions such as AWS, GCP and Azure, we provide a visibility and ‘soft’ enforcement solution with AWS inherent virtual private cloud (VPC) flow logs. VPC flow logs provide a way to inspect all the flows between all the different cloud assets within a given cloud network. Policy-wise this means that only alerts are supported without enforcement.

Private Threat Feeds Integrated into GuardiCore Reputation Services

Our users have asked us to enable them to use their own existing threat feeds (IoCs) with the GuardiCore Reputation Service. Now GuardiCore users can add their internal threat feed and enjoy the same rich visual incident experience as with all GuardiCore incidents. The IoC types that are supported are file and IP. The IoCs are uploaded in a JSON format to Centra REST API. Once uploaded, Centra will alert on the presence of these IoCs across the entire customer’s data center.

Shift Left on Security to Enable Secure and Rapid Digital Transformation

Rapid development and deployment can be a major competitive business advantage. This approach minimizes waste and cost, aligns business and IT teams, and allows companies to respond to real-time customer need and market trends. However exciting these opportunities are, it’s important to remember that dynamic and complex IT environments are creating increasing risk and threat, and reliability and security are a must have, not an optional extra.

Ensuring that rapid development and security protocols are not at odds should be a goal for any forward-focused business, especially during October’s cyber security Awareness Month. Shifting left on your security is becoming increasingly popular, but how can it be done?

Embracing the Shift Left Approach from a Security Standpoint

The idea behind the ‘shift-left’ approach for security is simple. Instead of first building a new product or service entirely, and then introducing security as a rubber stamp of approval at the end, you bring the security process in at an earlier point in the timeline, at the DevOps stage.

This has multiple benefits. From a business perspective, it’s a more cost-effective way to work on a new project. In fact, according to software development guru Steve McConnell, “violations are 10x to 20x less expensive to resolve during software development compared to at the production release step.”

The shift-left approach also ensures that areas such as reliability and compliance are considered at the earliest possible stage and can be part of the game plan from the start. As any security problems are discovered at the beginning, they are much easier to resolve, as they aren’t integral to the product yet. Troubleshooting security issues in advance means you can fix potential security violations before they become a reality.

Change the Way Security Fits Within your Business Structure and Company Culture

Without “shifting left,” when security is added as an afterthought, key stakeholders in development have historically seen security as a hurdle to get past, or a hoop to jump through. Often, security can stand in the way of a product or a service, making it more difficult to make quick decisions or streamline a process.

By moving security earlier on in the process, it can do the exact opposite – making it easier to say yes to new innovation and change. One example could be third-party code that would speed up development of a new product. Instead of being forced to build your own code from scratch to ensure security, automated processes could scan the code at the point of entry and ensure it is architecturally sound, working with DevOps teams to make their lives easier.

Going Further to Break Down Traditional Silos

Another method to increase the speed of deployment and its agility is to create a shared ownership over delivery of projects as well as a shared accountability for each other’s bottom lines. If development is responsible for secure code going out, and security is responsible for quick deployment, they suddenly have a shared goal they can work towards.

This change in mentality provides functionality and security in one for your business, with a seamless ability to feedback and improve. This is effective throughout a specific development cycle, and also as an overall posture of communication and collaboration for your company. Furthermore, this approach makes the security function less disruptive. It’s a quiet and constant part of the process rather than an addition that is seen to blow up the hard work of your development team at the very last stages.

What Does This Look Like in Action?

Embedding security into the application itself as part of the risk reduction process can be done in a number of ways. Let’s look at a practical example of implementing this methodology using GuardiCore Centra.

First, you will identify the applications and the connections it creates, either on staging or in the QA environment. You can then verify and analyze what the associated risks are.

Once the the GuardiCore agent is embedded into the workloads, you can then configure the security policy using our flexible policy engine. Workload specific, this can be implemented with a Zero Trust policy model. The policies are applied to the assets themselves, without the need to rely on IP addresses or any physical location, so wherever the application moves to, the policy follows.

The Benefits are Clear

Rapid digital transformation is essential for business success, and yet without security at its core – the risks are simply too great. Rather than allow security to continue to take a bolted-on role that is disparate from business process, we should be using tools such as Centra to enable security to shift-left and take an early and equal continuous role in development.

As CTO Ariel Zeitlin shared with his insights, the sooner you get started, the sooner you can enjoy the taste of your success

GuardiCore’s Journey from Vision to Best-in-Class Micro-Segmentation

Micro-segmentation as we know it today has gone through several stages in the last few years, moving from a rising trend for securing software-defined data centers to a full-blown cyber security technology and a top priority on the agenda of nearly every CISO.

Built on the vision of securing the hybrid cloud and software defined data centers, we started our journey in 2013, thinking how to solve what in our opinion was a huge challenge for a market that did not exist at that time. In this post we’ll share how we created the micro-segmentation solution that is considered the best on the market – from vision to execution.

2015: First steps towards segmentation

Throughout the second half of 2015, we started delivering our micro-segmentation methodology after realizing that understanding how applications communicate inside the cloud was the key to success and as such – must be addressed first. “You can’t protect what you can’t see” wasn’t coined by GuardiCore but was immediately embraced by us when we started planning our micro-segmentation solution. We started developing our visibility solution Reveal, a visual map of all the applications running in the data center, all the way down to the process level. Reveal allows you to view applications and the flow they create in real time while also providing historic views. For the first time, admins and security teams were able to easily discover the running applications, one by one, and then review relations between the application tiers. Early releases supported general data center topologies as well as Docker containers.

2016: Gartner names micro-segmentation a top information security technology

We launched our segmentation solution at the RSA conference 2016 with a big splash. Reveal gained a lot of coverage and was well received by security teams who were lacking the proper tools to see the application flows in their data centers. It was one of the hottest security products at RSA 2016 and for a good reason!

Important to note that when micro-segmentation was introduced in Gartner’s Top 10 Technologies for Information Security in 2016 time in June 2016, many security professionals were unaware of the concept. In that report Gartner stated that to prevent attackers from moving “unimpeded laterally to other systems” there was “an emerging requirement for microsegmentation of east/west traffic in enterprise networks”. Enthusiasm was then at its peak, micro-segmentation was widely covered in the media and conferences dealing with the technology abound.

2017: Micro-segmentation for early adopters

Micro-segmentation was gaining traction as one of the most effective ways to secure data centers and clouds, but organizations learned the hard way that the path to meaningful micro-segmentation was full of challenges. Incomplete visibility into east-west traffic flows, inflexible policy engines and lack of multi-cloud support were among the most cited reasons. Throughout 2017 market penetration was around 5% of target audience and micro-segmentation was far from being mainstream. Andrew Lerner, Research Vice President at Gartner, noted in a blog post that “Micro-segmentation is the future of modern data center and cloud security; but not getting the micro-segmentation-supporting technology right can be analogous to building the wrong foundation for a building and trying to adapt afterward”.

That year GuardiCore tackled these challenges head on and based on the feedback we received from our growing customer base, we added flexible policy management and moved on from using only 3rd party integration to add native enforcement at the flow and process levels. Customers were able to move from zero-segmentation to native enforcement in 3 easy steps, based on revealing applications, building policies and natively enforcing policies.

2018: Our solution takes complexity out of micro-segmentation

Today, micro-segmentation serves as a foundational element of data center security in any data center. According to a Citi group’s report, cloud security is the number one priority among CISOs in 2018, with micro-segmentation the top priority in plans to purchase in this category. Concentrated effort on the part of organizations from different industries has resulted in better understanding of the technology. This year we were able to deploy micro-segmentation across all types of environments, from bare metal to virtualized machines, through public cloud instances and recently to containerized environments.

So if you are planning a micro-segmentation project let’s talk. We can show you how to do it in a way that is quick, affordable, secure, and provable across any environment.

Lateral Movement Security

Security teams often focus significant effort and resources on protecting the perimeter of their IT infrastructure and tightly controlling north-south traffic, or traffic that flows between clients and servers. However, several major transformations in enterprise computing are causing east-west traffic, or server-to-server communication within the data center, to outgrow north-south traffic in both volume and strategic importance.

For example:

  • Traditional on-premises data centers increasingly use horizontal scaling techniques that employ large sets of peer nodes to service the requests of clients, rather than a simple north-south flow.
  • The emergence of big data analytics as an essential competency is also driving substantial growth of east-west traffic, as processing of large data sets distributed across many nodes is generally required.
  • The growing adoption of public cloud infrastructure makes the traditional concept of a network perimeter obsolete, increasing the importance of securing east-west traffic among nodes.

While many organizations remain heavily invested in perimeter security, they are often extremely limited in their ability to detect and prevent lateral movement within their data center and cloud infrastructure.

What is Lateral Movement?

Lateral movement is the set of steps that attackers who have gained a foothold in a trusted environment take to identify the most vulnerable and/or valuable assets, expand their level of access, move to additional trusted assets, and further advance in the direction of high-value targets. Lateral movement typically starts with an infection or credential-based compromise of an initial data center or cloud node. From there, an attacker may employ various discovery techniques to learn more about the networks, nodes, and applications surrounding the compromised resource.

As attackers are learning about the environment, they often make parallel efforts to steal credentials, identify software vulnerabilities, or exploit misconfigurations that may allow them to move successfully to their next target node.

When an attacker executes an effective combination of lateral movement techniques, it can be extremely difficult for IT teams to detect, as these movements often blend in with the growing volume of legitimate east-west traffic. The more they learn about how legitimate traffic flows work, the easier it is for them to attempt to masquerade their attacks as a sanctioned activity. This, combined with many organizations’ insufficient investment in lateral movement security, can cause security breaches to escalate quickly.

Assessing Lateral Movement Security

One fast, simple, and inexpensive step that organizations concerned about lateral movement security can take is to test how vulnerable their environment is to unsanctioned east-west traffic. GuardiCore Labs offers a free, open-source breach and attack simulation tool called Infection Monkey that can be used for this purpose.

Infection Monkey scans the environment, identifies potential points of vulnerability, and attempts predetermined attack scenarios to attempt lateral movement. The output is a security report that identifies the security issues that were discovered and includes actionable remediation recommendations.

Infection Monkey Warns of Danger of Lateral Movement

Visualizing East-West Traffic

Organizations seeking more proactive lateral movement security can begin by visualizing the east-west traffic in their environment. Once a clear baseline of sanctioned east-west traffic is established and viewable on a real-time and historical basis, it becomes much easier to identify unsanctioned lateral movement attempts.

This is one of the flagship capabilities of GuardiCore Centra. Centra uses network and host-based sensors to collect detailed information about assets and flows in data center, cloud, and hybrid environments, combines this information with available labeling information from orchestration tools, and displays a visual representation of east-west traffic in the environment.

Visibility for Lateral Movement

This added visibility alone delivers immediate benefits to organizations seeking a greater understanding of potential lateral movement risks. It also provides the foundation for more sophisticated lateral movement security techniques.

Improving Lateral Movement Security

Once an organization has a clear view of both sanctioned and unsanctioned east-west traffic in its data center and cloud infrastructure, it can use this information to take active steps to stop lateral movement. An optimal approach includes a mix of both proactive and reactive lateral movement security techniques.

Micro-Segmentation Policies

Once an IT team has visualized its east-west traffic, the addition of micro-segmentation policies can significantly reduce attackers’ ability to move laterally. Micro-segmentation applies workload and process-level security controls to data center and cloud assets that have an explicit business purpose for communicating with each other. When strong micro-segmentation policies are implemented, attempts at lateral movement that do not explicitly match sanctioned flows – down to the specific process level – can generate alerts to the security operations team or even be blocked proactively.

Detecting and Responding to Unauthorized East-West Traffic

While micro-segmentation policies significantly improve lateral movement security, it is important to complement policy measures with additional detection and response capabilities. In addition to providing information-risk alerts when policy violations occur, GuardiCore Centra can detect and respond to unauthorized east-west traffic by leveraging deception technology to monitor and investigate suspicious behavior within east-west traffic.

Deception

GuardiCore Centra applies deception technology to analyze all failed attempts at lateral movement and then redirect suspicious behavior to a high-interaction deception engine. The attacker is fed responses that suggest that their attack techniques are successful, but all their tools, techniques and exploits are being recorded and analyzed in a fully isolated environment.

Deception

This helps IT teams learn more about the lateral movement being attempted in the environment and assess how to best improve security policies over time.

A Growing Strategic Priority

While strong perimeter security remains essential, the transition from traditional on-premises infrastructure to hybrid-cloud and multi-cloud architectures is increasing the strategic importance of lateral movement security.

It’s essential for security teams to:

  • Gain ongoing visibility into their organization’s east-west traffic
  • Develop techniques for differentiating between sanctioned and unsanctioned east-west traffic
  • Implement controls like micro-segmentation to tightly govern infrastructure activity
  • Actively monitor for unauthorized lateral movement to both contain breaches quickly and continuously refine policies based on the latest attack techniques.

Organizations that move beyond perimeter-focused thinking and place greater emphasis on lateral movement security will ensure that their security measures remain in step as IT infrastructure becomes more dynamic and heterogeneous.

For more information about Micro-Segmentation, visit our Micro-Segmentation Hub