From the beginning of networking, segmentation has been a fundamental method of protection within a network. You put devices (& users) into various segments and then limit cross communication between the segments.
It started with VLANs on the wired network, then the SSID for wireless and evolved into security group tags in the campus and then to VmWare tags and VxLAN tags in the data center.
The most prevalent form of segmentation involves simply putting devices in the same segment, perhaps based on a business function such as physical security, facilities, medical, manufacturing line, and guest. So regardless of the device type everything in the segment receives the same protection and exposure to the same threats.
One of the main problems with this general form of segmentation is it exposes critical devices to vulnerable devices. It’s like putting sick kids in the classroom with healthy kids, eventually most will get sick from cross-infections.
Rapid IP Device Growth Further Complicates Security
Masses of operational devices such as X-rays, surveillance, PLCs, medical, elevator, HVAC, lighting, and even robotic control systems are quickly moving from their proprietary networks and onto IP-based networks.
These devices, often called IoT, are frequently insecure. Unlike laptops and servers, they have purpose-built functionality, no identifiable users, and cannot be protected by installing security agents (such as MDM, VPN, antimalware, and AV). Applying manufacturer-issued patches is a primary means to secure operational devices, but its only effective when expediently applied, which is difficult as the process involves finding and manually updating large numbers of devices. As a result, devices have limited immunity to cyberthreats just like kids in a classroom, as WannaCry and NotPetya proved with medical equipment.
The most obvious means to protect these devices is by putting them on a dedicated network, but that is cost prohibitive. The realistic option is to put them on smaller, more operationally personalized network segments, but engineering new network segments is complex and time consuming. Rolling-out a single new VLAN can take months to years in the worst cases.
In addition, these devices are very chatty and need to converse with lots of associate devices, which we called a conversation map. Since each device will likely have a unique conversation map the act of multiple microsegments is extremely complex which makes it ‘easy’ to accidently cut-off critical devices. . One thing you cannot do is hamper the communication flows as it can cause service disruption.
Identifying devices, understanding their conversation maps, translating it into policy, and provisioning the network to create ‘watertight’ security compartments is complicated enough for one device. How can you scale to segment the thousands of devices in your operation? This is not possible with conventional segmentation methods.
So, operational devices often end-up in relatively open network segments with wide-ranging mixes of devices. This exposes them to threats from addresses, ports, and non-relevant devices that should be closed-off to them.
New Thinking: Prescriptive, Personalized Microsegmentation
Microsegmentation is an uber-granular approach to protecting on-net devices when compared to the common group-oriented network segmentation. It uses the same network and security devices you have in place today. For microsegmentation to be the most effective, you must create unique policies for each device that is prescriptive and personalized.
Virtually all devices can be protected using microsegmentation, but it requires new thinking and new intelligence and policy management technologies that break-away from the perimeter security concept and applies a tailored policy to protect each device.
It’s like a doctor analyzing and diagnosing a patient for a malady based on identity, gender, age, heart rate, blood pressure, weight, symptoms, and additional testing such as glucose or x-rays. Once the malady is understood the doctor creates a prescription to protect the patient, which is applied through medicine or therapy.
Our ML/AI-powered IoT software works like a doctor diagnosing a patient by conducting a device-by-device analysis that includes manufacturer, type, model, modality, classification, OS version, SW version, serial number, location, IP/MAC fields and flow conversations. From this we create a prescribed microsegmentation policy for each device with surgical precision. We recommend what devices need to be in a personalized segment and provide each device within the same segment with a different level of protection. This policy includes a conversation map or ‘white list’ of devices it’s allowed to talk to. In addition, we identify, control and monitor the protocols and transactions between devices so we know when there’s an anomalous communication, so you can take immediate action.
We can provision the network devices (controllers, APs, switches, routers, and firewalls) to create thousands of microsegments automatically so our solution can scale to create microsegmentation policies for any network.
We’d be more than happy to prove how you can engineer and provision a security policy for every device on your network. Contact us today!