The past five years have seen the overhaul of some of cybersecurity’s biggest technology categories. Palo Alto Networks and the next-generation firewall market upended the network security market, companies like Splunk turned SIEM on its head, and next-generation endpoint technology from companies like CrowdStrike and Cylance changed the game for endpoint security.

As these transformations take hold in the market, the question becomes: what comes next? Which technology will be the next one to be revolutionized?

The next
category most likely to be disrupted is network segmentation, which allows
companies to split their main network into smaller sub-networks to mitigate
risks. From a cybersecurity perspective, this means you can have networks with
sensitive finance data or customer credit card information on a totally
separate network from potential entry points for attack, like an employee’s
laptop or your smart building technology.
While network segmentation isn’t new, it hasn’t been widely adopted across the enterprise. Some of this can be credited to shortcomings of existing technologies for today’s companies, such as the difficulty of implementing them in environments outside the data center, or blind spots such as unmanaged devices.

But there
are a few signs already that the technology is ready for a revamp. Hackers
continue to penetrate company networks, and the ease with which they can move
laterally across the network means they are able to cause greater havoc to an
organization. Companies are also facing new, more complex compliance
requirements and greater risk overall as the attack surface grows due to a
rising volume and diversity of devices, including IoT and operational
technology (OT) devices. Network segmentation is one way that companies can better
handle some of these challenges, or at least limit their risk.

As part of any coming transformation, our industry needs to shift its thinking about what we want from the next generation of network segmentation tools and consider some of the qualifications for these technologies.

First, we should make sure we are getting the full context of all devices and applications we might want to segment across the full extended enterprise, from campus to data center to cloud and OT environments. Without that context as a baseline, you won’t know what or how to segment. The more granular the context, the more helpful it can be. For instance, it is helpful to know whether a camera is a surveillance camera or a teleconferencing camera, because you might want different policies for each type.

Today, CISOs are challenged when they only get that context in pieces. They may know device types or applications for the data center, which is generally easier because the devices there are more straightforward, but not across the entire enterprise. They will need this data as the foundation if they want to apply network segmentation effectively and more broadly.

Second, the
future of network segmentation needs traffic context. Very few organizations
have the luxury of building their network entirely from scratch. Instead,
they’re more likely to be layering network segmentation on top of existing
networks. To do that effectively, you need to know what is talking to what. You
also need to know what counts as legitimate traffic, as in what should be
talking to what. If you don’t have visibility into that, you can’t have full
confidence that you can enforce network segmentation rules without breaking
anything.

Finally, organizations will be able to use all that context information to create and enforce policies. This is the step that will take us to the next generation of network segmentation. It will set boundaries across the network, segmenting it so devices and applications can only access the data they need and so the blast radius of an attack is contained inside a limited area.

The
important thing to note about this final step is that it will likely always be
an iterative process. The enforcement of the policies should be dynamic and
automated, taking the device and traffic context and using that to stay
up-to-date with today’s rapidly changing networks. Older policies may need to
be updated to take into account a changing environment. It should also be
orchestrated across multiple technologies to account for varying
infrastructure, like campus switches, firewalls, SDN infrastructure, and public
cloud infrastructure. All of these nuanced changes are possible if you have
deep context into the environment. Ideally, we could also simulate these
changes ahead of time, so security personnel could test out policies as they
create them to see how they might impact the network before they are put into
action. You don’t want to break something in the process!

Today’s CISO
doesn’t have an easy job. They are grappling with how to get a handle on a
growing number of cybersecurity threats, as well as reduce overall risk and
meet compliance mandates. The network segmentation technologies of tomorrow
might help address those pain points and reduce the scope of an attack. Data
breaches are unfortunately a matter of when, not if, for all companies. With
that in mind, it is more important than ever to focus on finding new ways to
innovate and limit the risk and scope of damage an attack might pose.
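As an added illustration that is not part of the original article and not any vendor's product, the following Python script walks the three steps described above (device context, traffic context, and policy enforcement) on constructed data: a small inventory of devices with types and segments, a handful of observed flow records, and a segment-to-segment allow-list that is dry-run against the flows before anything is enforced. The device names, segment names, ports, flow records and the policy format (an allow-list with default deny) are all assumptions made up for this example; the point is the simulation step, which reports what would be blocked and which flows cannot be classified because a device has no context.

```python
"""
Added example (not from the article or any vendor product): an offline
simulation of a segmentation policy against observed flows.

  1. device context  -> inventory mapping each device to a type and a segment
  2. traffic context -> observed flows summarised as "which segment talks to which"
  3. policy          -> allow-list between segments, simulated before enforcement
All device names, segments, ports and flows below are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    kind: str      # e.g. "surveillance_camera" vs "teleconf_camera"
    segment: str   # the sub-network the device belongs to


@dataclass(frozen=True)
class Flow:
    src: str       # source device name
    dst: str       # destination device name
    port: int      # destination TCP/UDP port


# Step 1: device context (constructed inventory). "printer-7" is deliberately
# absent, to model an unmanaged device for which no context exists.
INVENTORY = {
    d.name: d for d in [
        Device("cam-lobby", "surveillance_camera", "physical_security"),
        Device("cam-room4", "teleconf_camera", "collaboration"),
        Device("nvr-1", "video_recorder", "physical_security"),
        Device("laptop-alice", "employee_laptop", "user"),
        Device("erp-db", "finance_database", "finance"),
        Device("erp-app", "finance_app", "finance"),
        Device("hvac-ctl", "building_controller", "ot"),
    ]
}

# Step 2: traffic context (constructed flow records, as a NetFlow export might give).
OBSERVED_FLOWS = [
    Flow("cam-lobby", "nvr-1", 554),        # RTSP video to the recorder
    Flow("laptop-alice", "erp-app", 443),   # user reaching the finance app
    Flow("erp-app", "erp-db", 5432),        # app tier to database tier
    Flow("laptop-alice", "erp-db", 5432),   # laptop talking straight to the DB
    Flow("cam-lobby", "erp-db", 5432),      # camera talking to the DB
    Flow("hvac-ctl", "laptop-alice", 22),   # OT device opening SSH to a laptop
    Flow("printer-7", "erp-app", 443),      # source device has no inventory entry
]

# Step 3: policy as an allow-list of (src_segment, dst_segment, port).
# Anything not listed is denied (default deny).
POLICY = {
    ("physical_security", "physical_security", 554),
    ("user", "finance", 443),
    ("finance", "finance", 5432),
}


def segment_talk_matrix(inventory, flows):
    """Summarise observed traffic at segment level: who talks to whom, on what port.
    Flows touching a device without context are counted under 'unknown'."""
    counts = Counter()
    for f in flows:
        src = inventory[f.src].segment if f.src in inventory else "unknown"
        dst = inventory[f.dst].segment if f.dst in inventory else "unknown"
        counts[(src, dst, f.port)] += 1
    return dict(counts)


def simulate(policy, inventory, flows):
    """Dry-run the policy against observed flows before enforcing it.
    Returns (allowed, blocked, unclassified): unclassified flows involve a
    device with no context, so the policy cannot be evaluated for them."""
    allowed, blocked, unclassified = [], [], []
    for f in flows:
        if f.src not in inventory or f.dst not in inventory:
            unclassified.append(f)
            continue
        key = (inventory[f.src].segment, inventory[f.dst].segment, f.port)
        (allowed if key in policy else blocked).append(f)
    return allowed, blocked, unclassified


def rules_to_review(policy, inventory, flows):
    """Blocked flows are not all attacks; some are legitimate traffic the policy
    omitted. Return them as candidate segment-level rules for a human to review,
    so the policy is refined iteratively instead of breaking something."""
    _, blocked, _ = simulate(policy, inventory, flows)
    return sorted({(inventory[f.src].segment, inventory[f.dst].segment, f.port)
                   for f in blocked})


if __name__ == "__main__":
    allowed, blocked, unclassified = simulate(POLICY, INVENTORY, OBSERVED_FLOWS)
    print(f"allowed={len(allowed)} blocked={len(blocked)} unclassified={len(unclassified)}")
    for f in blocked:
        print("  would block:", f)
    for f in unclassified:
        print("  no context :", f)
    print("candidate rules to review:", rules_to_review(POLICY, INVENTORY, OBSERVED_FLOWS))
```

Running it shows three flows allowed, three that the draft policy would cut off (two direct paths into the database and an SSH session from the OT segment into the user segment), and one flow the simulation cannot judge at all because the printer is not in the inventory. The first group is the conversation a security team needs to have before enforcement (is the laptop-to-database path legitimate or a gap in the policy?), and the last group is exactly the unmanaged-device blind spot the article calls out: without device context, no segmentation tool can decide.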