Organizations heavily invest in security solutions to keep their networks safe, but still struggle to close the security gaps. Micro-segmentation helps protect against the lateral movement of malware and minimizes the risk of insider threats. Micro-segmentation has received lots of attention as a possible solution, but many IT security professionals aren’t sure where to begin or what approach to take. In this practical webinar, Prof. Avishai Wool, AlgoSec’s CTO and co-founder will guide you through each stage of a micro-segmentation project – from developing the correct micro-segmentation strategy to effectively implementing it and continually maintaining your micro-segmented network. Register now for this live webinar and get a practical blueprint to creating your micro-segmentation policy: What is micro-segmentation. Common pitfalls in micro-segmentation projects and how to avoid them. The stages of a successful micro-segmentation project.  The role of policy change management and automation in micro-segmentation.

1. Micro-Segmentation:
from Strategy to Execution
Prof. Avishai Wool
CTO and Co-Founder

2. WELCOME
Comment through the Live Chat
Have a question?
This webinar will be available On-demand and as Podcast
Connect with AlgoSec online !
2
marketing@algosec.com
• https://www.algosec.com/resources
• https://www.algosec.com/webinars
• https://www.algosec.com/podcasts

3. AGENDA Motivation: lateral movement
Reducing the attack surface
Network segmentation
Managing micro-segmented networks
Use Cases

4. 4 | Confidential
MOTIVATING EXAMPLE:
LATERAL MOVEMENT / RANSOMWARE
ATTACKS

5. HOW?
1. Deliver exploits to 1st victim computer
2. Repeat per victim computer:
• Encrypt file system
• Encrypt accessible networked file shares
• Move laterally: explore the network
• Deliver exploits to next victim via network
3. Wait for victim to call
4. Collect ransom
5. Supply decryption key “Advanced Persistent Threat”, Wikipedia
5

6. STEPPINGSTONES
6
Financial
Database
HVAC
Control
Partner
Network
Procurement
Department
Internet
Step 0
6

7. STEPPINGSTONES
7
Financial
Database
HVAC
Control
Partner
Network
Procurement
Department
Internet
Step 0
Step 1
7

8. STEPPINGSTONES
8
Financial
Database
HVAC
Control
Partner
Network
Procurement
Department
Internet
Step 0
Step 1 Step 2 Step 3
8

9. STEPPINGSTONES
9
Financial
Database
HVAC
Control
Partner
Network
Procurement
Department
Internet
Step 0
Step 1 Step 2 Step 3
Pay $$$$ or lose data
9

10. 10 | Confidential
REDUCING THE ATTACK SURFACE

11. MICRO-SEGMENTATION: A BLUEPRINT
• Define network segments to control east-west traffic
• Activate traffic filters crossing segments
• Traffic fully inside a segment can flow freely
• Write restrictive policies for traffic crossing segment borders
11

12. CONTROL EAST-WEST TRAFFIC
Financial
Database
HVAC
Control
Partner
Network
Procurement
Department
Internet
Easy, right?
12

13. TRADITIONAL EXCUSES IN A TRADITIONAL DATA CENTER
Use standard or virtualized firewalls
Requires:
• Reassigning IP addresses
• Making routing changes
• Defining new VLANs
• Possibly connecting new cables
Hard Work!
13

14. SOFTWARE-DEFINED DATA CENTERS
• Comes with filtering capabilities inside the networking fabric
• Reassigning IP addresses
• Making routing changes
• Defining new VLANs
• Possibly connecting new cables
• On-premise data center:
• Cisco ACI
• VMware NSX
• Public cloud:
• Amazon AWS
• Microsoft Azure
Old excuses are gone!
Technology is just the 1st step.
You still need to configure it!
14

15. NEXT CHALLENGES
• Where to place the segment boundaries?
• What filtering policy should you write ?
• So all legitimate business traffic is allowed!
• To do this – you just need to know all the legitimate traffic in the
data center, so you can write policy allowing it.
Naturally, you have perfectly accurate records
of all the application flows running through
the data center, so it’s easy. right?
15

16. FOR EVERYONE ELSE: APPLICATION DISCOVERY
• Need to:
• Detect all the network flows
• Annotate them with application name (“intent”)
• Aggregate & optimize “thin” flows into “fat” flows
• Put them in the filtering policy
• How:
• Netflow → AlgoSec AutoDiscovery
(or → AutoDiscovery)
• Import into AlgoSec AppViz
• Results:
• Micro-segmentation knowhow
• Application name annotates current + future rules that support it
16

17. OTHER CONSIDERATIONS: SENSITIVE DATA ZONES
• Some types of data are more sensitive
• Credit card data (PCI regulation)
• Personally Identifiable Information (GLBA, privacy laws)
• Medical data (HIPAA)
• Financial data (SOX, etc.)
• Ransomware encryption of personal or PCI data: equivalent to theft
• Regulatory implications
• Keep servers with sensitive data in separate segments
17

18. 21 | Confidential
USE CASE 1: DISCOVERY

20. Netflow (e.g., from VMware / Router / … )

21. Automatically organize related flows into business applications

22. Aggregate into fat flows

24. 27 | Confidential
USE CASE 2: ONGOING MAINTENANCE
POLICY CHANGE AUTOMATION

38. • Micro-Segmentation is KEY to tight network security
• SDN enables micro-segmentation – but it does not mean all
your challenges are gone
• Discovery, segment definition, and initial policy definition
• Ongoing maintenance: east-west + north-south
44 | Confidential
SUMMARY

39. 45 | Confidential
QUESTIONS?
Request a Free Evaluation
marketing@algosec.com
youtube.com/user/AlgoSec
linkedin.com/company/AlgoSec
facebook.com/AlgoSec
twitter.com/AlgoSec
www.AlgoSec.com/blog

40. THANK YOU!
Prof. Avishai Wool
CTO and Co-Founder