SECURITY IS DEAD. LONG LIVE SECURITY. USING MICRO-SEGMENTATION TO MAKE CYBERSECURITY WORK.
A WHITE PAPER BY UNISYS GLOBAL SECURITY
NOVEMBER 2015
Introduction
Cybersecurity is dead. ...that is, the way it was originally designed and is currently deployed. Whether
measured by the billions of dollars wasted trying to implement it, or the almost-daily breach notifications
from organizations around the world, the core premise of old security models is failing society every day.
The old adage that the good guys have to be right 100% of the time while the bad guys only have to
be right once is both true and troublesome. This failed premise that assumes that protection requires
absolute perfection must be changed. Especially now.
Our reliance on computing and communications is critical to our way of life, and is increasing every
day. It’s not just our computers that are at risk; rather, increasingly attacks jeopardize careers, wallets,
companies, infrastructure, and even lives. Our adversaries are no longer anonymous or invisible as they
boldly wield the power to access personal and corporate data online as well as take control of systems
throughout our logical and physical worlds.
A fresh approach to security — one that understands that organizations aren’t perfect, that employees
sometimes work from home, that clouds and mobile are a necessary efficiency, that supply chains are
integrated, and that adversaries are both skilled and motivated to attack — will tip the balance of power
back to the good guys. This fresh approach is our future and is based on advanced technology coupled
with an approach that assumes that bad guys will get in somehow/somewhere/sometime, but that the
damage they do must be localized and limited so that it’s not front page news. This paper outlines the
power of Micro-segmentation to do just that.
Background
2015 was known as “The Year of Cybersecurity Incidents.” However, this isn’t much different from
what we saw in 2014, and 2013 and 2012. It’s just getting worse. Each time the public is exposed to a
“massive breach,” it is bigger and more destructive than the last.
Our favorite public brands are notoriously susceptible to attack. Millions are all too aware of breaches at
Target and Home Depot, which resulted in the release of 70 million users’ personal data and 56 million
payment card signatures, respectively.
The Sony hack remains the most memorable, as it first introduced the public to the full repercussions of
a security lapse. It was also the first time we could be sure a nation state targeted a major corporation.
Since then, the volume of private data available online has grown exponentially and, unfortunately, so has
its value.
In June 2015, the U.S. government’s Office of Personnel Management (OPM) reported that background
check data for millions of Americans had been compromised. Such occurrences aren’t slowing down,
despite billions of dollars invested in cybersecurity. Simply put, current strategies aren’t working. Without
taking drastically different measures, we will continue to be vulnerable.
Outdated Models Keep the Threat Alive
Breaches aren’t just devastating to the integrity of an organization, they also hold certain central figures
accountable for their actions, or inactions. It’s very difficult for anyone, be they an IT manager or a C-level
executive, to admit they have been breached and that they must now deal with the fallout. In essence,
it’s an indication of defeat.
It’s tempting to believe that doubling the security budget or increasing employee training programs will
somehow eliminate security vulnerabilities or make a major impact. Most organizations are taking steps
to mitigate security concerns, but many are stuck at the most elementary levels of password protection.
Consider something as simple as better passwords, where employees are required to create
ever-more elaborate passwords. Inevitably, they write them down or keep them in a file somewhere.
Changing password requirements removes yesterday’s rainbow table threat but introduces just as
many new vulnerabilities.
These efforts are well intentioned and shouldn’t go unappreciated, but with the old premise of the bad
guys just needing one slipup to get in, they are no longer practical in today’s connected environment.
The Cost of Chasing Bad Guys
A recent report from CyberSecurity Ventures estimates that approximately $77 billion will be spent
worldwide on information security products, including VPNs, firewalls, endpoint protection, and
consulting, by the end of this year. Over the next five years, that figure is projected to rise to $170
billion. At the same time, the study projects that the annual cost of cybercrime will continue to rise
as well, taking into account the combination of real losses, incident recoveries, and damage to
overall brand image.
Today enterprises are allocating their investments toward keeping malware out, while continuing
to monitor every security “event” that occurs. There is a growing consensus that new, extended
enterprises — a panoply of technologies combined with armies of supply chain partners — will not
be able to keep out every adversary or threat. Given today’s realities and tomorrow’s possibilities,
is this still a sustainable model?
Today’s Reality: The Bad Guys Are In
Across all of the recent attacks, there is one common thread: the bad guys always get in. How they do it varies
from attack to attack, and each one informs our understanding of the parameters of the threat landscape.
The attack vectors vary greatly, from social engineering to Advanced Persistent Threats to something as
simple as an unpatched server or a lost laptop. In each case, despite the existence of monumental security
safeguards, many of which were considered science fiction 10 years ago, the bad guys ultimately get in.
Traditional security processes actually do keep out most attacks, but they will never catch all. The script
kiddies going after Linux boxes; the code hackers who examine every piece of JavaScript looking for a clue as
to how to perform an SQL Injection. Although there are countless skilled people working tirelessly on the side
of the good guys, they can never keep everyone out.
Consider the fluidity of today’s threat landscape and that its shape can often be determined by the target of
the incursion. The larger or more complex the enterprise, the bigger the attack surface and higher the number
of entry points. Those entry points can differ in nature, be they digital assets or the end users themselves
who might succumb to social engineering, expose their passwords, or fail to destroy their hard drive before it
gets disposed of. With a big enough target on a long enough timeline, the odds of patching every portion of an
attack surface drop to zero. There will always be vulnerabilities, and pretending that there won’t be is a failed
mindset in today’s world.
Today’s attacks get in, then move around, and then start doing damage. Since yesterday’s security has failed
at stopping them from getting in, it’s now time to stop them from moving around.
Changing the Failed Premise
The U.S. Office of the Director of National Intelligence (ODNI) and many other global security experts have
said that a top key to security today is to segment the enterprise. That makes sense, in that a break-in
to one segment of an enterprise won’t affect the security of the other segments. For the last few years,
enterprises have begun attempts at segmenting their enterprise based on this vision.
The first attempt to segment came with “air gaps,” which physically separated networks into different
buildings, floors, or rooms — each with their own network backbones. This proved to be wildly expensive
and impossibly cumbersome to employees who needed to work in more than one segment on a regular
basis. It was also discovered that they are not as secure as first thought, because humans cross the
boundaries and side-channel attacks bridge them. In short, they were well intentioned but expensive failures.
The second attempt was to segment with firewalls. Firewalls were great in the early days when we had
just a few segments to protect, and a few operations that needed to traverse them. But now the firewalls
are expensive to buy, install, and maintain, and their rules (called ACLs) have gotten out of control, with
five- and even six-figure numbers of individual rules per firewall, average error rates in the 30 percent
range, and the time to make a simple change measured in weeks. Finally, in order to accommodate
today’s business environments, too many back doors are left open, rendering this security an expensive
failure. So firewalls were better, but still not a match for today’s agile enterprise.
The next approach was virtual LANs, or VLANs. These were designed to be much easier to deploy than
firewalls, and they are, but they are no less cumbersome and complex to manage, since they are still
based upon the physical topology of the enterprise. Finally, VLANs “fail open,” potentially exposing data on
connection errors, which further extends enterprise risk. Again, a good approach at the time, but still not
able to keep up with the operational requirements today.
So if everyone agrees that segmentation is good but the attempts are not working in today’s
environments, how does security evolve?
FRESH APPROACH: MICRO-SEGMENTATION
There is a better way to approach security, but it requires a fresh approach.
Micro-segmentation takes on the mission of the old-style segmentation, but
with an entirely new approach that makes it easier to implement and manage,
and much more secure and inclusive. It embraces new technologies like clouds
and new business models like integrated supply chains, and delivers real
results that are cost-effective in terms of both money and security resources.
Micro-segmentation is the future.
What Is Micro-Segmentation?
Micro-segmentation, often shortened to “µSeg,” allows enterprise managers to quickly and easily divide their
physical networks into hundreds or thousands of logical micro networks, or microsegments. As opposed to the
old way, which was analogous to putting your valuables in a bank vault and investing in strong walls and a fancy
door, Micro-segmentation is more like a safe deposit box room in the vault. Unlike the old way, which worked
fine until too many people needed keys to your vault, setting up microsegments to keep the different parts of
an organization logically separate dramatically lowers risk, since when someone does find a key to get in, they
can only see what’s in their one tiny little box (segment).
Outside of analogies, Micro-segmentation is based on software that you load onto your network devices, with
a single management console coupled with bits of code that run on IP devices in the enterprise. Together, they
allow the system manager to layer on controls that decide who gets to do what, and easily enforce those rules
at the network packet level.
Installed and running quickly, Micro-segmentation is a simple way to take back control of an enterprise network
without having to deal with firewall rules, outdated applications, remote users, cloud-based services, and third
parties that all have become attack vectors in today’s world. Micro-segmentation is the future.
Micro-Segmentation: Cryptographically Sealed Packets
Micro-segmentation works at the Internet packet level, cryptographically sealing each packet in such a way that
only packets that are within the approved microsegment will be processed. For every packet, not only is the
data portion (payload) completely encrypted, but the routing information (headers) is cryptographically sealed
to ensure only authorized delivery. That way users within your communities of interest — employees, partners,
suppliers, customers — can only send and receive packets for their group.
Micro-segmentation must negotiate early in the process (before IKE), which keeps endpoints dark and
significantly reduces the attack surface. The best Micro-segmentation employs a variety of proven cryptography
systems, including Suite B, AES-256, Perfect Forward Secrecy (PFS), and Elliptic Curve, thus ensuring global compliance.
By implementing Micro-segmentation at the packet level, organizations avoid the need for tinkering with
applications that are often either too old to modify, too rushed to secure, or supplied by third parties whose
code you simply cannot inspect. The packets still flow normally through your existing routers and equipment, but
each packet that flows through your extended enterprise is cryptographically sealed.
Micro-Segmentation: Identity-Driven Management
One of the key failures of trying to segment networks with firewalls and VLANs is the rules required to
secure the physical topology. These old devices are built to manage flow from point A to point B, and
those points must be hard coded. So when a new person needs to be given access to something
at point B, new rules must be created and propagated across the entire network. Often these rules
number in the tens of thousands, if not hundreds of thousands. This has introduced unacceptable
error rates due to missed or faulty rules, and has driven the time to make simple changes from
minutes to months.
Micro-segmentation can be identity driven, straight from existing Active Directory (AD) or LDAP
systems already in place. A single change in the AD and access can be granted or taken away. In
minutes, not months.
One of the largest security issues is that firewall rules are almost never removed. The fear of
breaking something has overwhelmed the network engineers. With identity-based µSeg, that fear
no longer exists. When a user is removed from AD or LDAP, their access to their µSegs is
automatically removed, with no additional work on the part of the network engineers. In fact, the well-
established processes for removing employees from your AD will also ensure that your µSeg rules
stay up to date. This is known as mandatory access control.
Micro-Segmentation: Leverage the Clouds
Clouds are cost-effective, agile, and here to stay. Yesterday’s security schemes were holding back
migration to public and private clouds, but software-based Micro-segmentation is topology and
network hardware independent, so enterprises can have one security model that works as easily in
local data centers as it does in the public cloud. Now with Micro-segmentation you can extend your
enterprise security model natively to the cloud while retaining control of your data in motion and
the keys that secure it, and while still leveraging all of the cost savings and flexibility that the cloud
provides. Micro-segmentation can be quickly and easily implemented within virtual machines
(VMs) to defend against side-channel attacks and other cloud-specific risks.
Micro-Segmentation: Integrated Supply Chains
Ask yourself if your suppliers have the same security standards as your company. Probably not. When
you consider that suppliers provide both physical inventory and services, the problem expands
exponentially. In the past the “Edge” of your network was well defined and well protected; however,
today the boundaries of where your network ends and where your suppliers’ networks start are often not well
defined. So no one is quite sure where their responsibilities end and where the outsiders’ begin. This
is exactly why a successful Micro-segmentation solution must be easily deployable
across disparate networks and different hardware and operating systems, while maintaining security
from endpoint to endpoint.
With suppliers now becoming fully integrated components of an enterprise, Micro-segmentation
is a much better approach to providing just the right amount of access (least privilege) they need
to do their job, while never allowing them to even see outside of their authorized µSeg. Unlike
suppliers of old who just dropped off packages at your loading dock, today’s suppliers are practically
indistinguishable from employees, yet pose a completely different risk. With µSeg you can rest
assured that whatever suppliers try to do outside of what you ask them to do will be stopped at the
network packet level by Micro-segmentation.
Micro-Segmentation: Role of the Coffee Shop
Employees love working from home, from their mobiles, and from coffee shops. Employers appreciate the
lower real-estate costs, but those savings have historically been offset by the cost of security. Micro-segmentation,
with its topology independent model, enables the same security system to work at the office or with a
cappuccino, thus winning over the employee and the CFO at the same time. With Micro-segmentation an
additional level of security can be deployed. Additional access rules can be deployed based on location.
If an employee is inside the “building” they can be granted higher levels of access than when they are in
the “coffee shop.” When inside the building they may have access to sensitive competitive information,
but when accessing information from the coffee shop they may only be granted access to lower levels of
“released” information.
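The identity-driven and location-based rules described in the two sections above, as an added toy policy engine that is not code from the paper or from any Unisys product. It assumes a constructed directory (standing in for AD/LDAP), constructed endpoint addresses and communities of interest (COIs), and two location tiers; the point is that group membership alone grants access to a COI, location can further restrict it, and a single directory change revokes access without touching any device rules.

```python
# Toy policy engine for the identity-driven, location-aware microsegmentation
# described above. Every user, group, address and endpoint here is constructed
# for illustration; none comes from the paper or from any real product.
from dataclasses import dataclass
from typing import Dict, Set

# Constructed stand-in for Active Directory / LDAP: user -> group names.
# Group membership is the only thing that grants access to a COI.
DIRECTORY: Dict[str, Set[str]] = {
    "alice": {"coi-finance", "coi-corp"},
    "bob": {"coi-supplier-acme"},
    "carol": {"coi-corp"},
}

# Constructed endpoint map: IP -> the community of interest (COI) whose keys
# seal its packets. The XP host sits in its own COI, off the business network.
ENDPOINT_COI: Dict[str, str] = {
    "10.0.1.10": "coi-finance",        # finance file server
    "10.0.2.20": "coi-corp",           # intranet portal ("released" info)
    "10.0.3.30": "coi-supplier-acme",  # supplier-facing ordering system
    "10.0.9.99": "coi-legacy-xp",      # unpatched XP host on the plant floor
}

# Location tiers: higher rank is more trusted. Each COI names its minimum tier.
LOCATION_RANK = {"coffee_shop": 0, "building": 1}
COI_MIN_LOCATION = {
    "coi-finance": "building",          # sensitive: on-site only
    "coi-corp": "coffee_shop",          # released information: remote is fine
    "coi-supplier-acme": "coffee_shop",
    "coi-legacy-xp": "building",
}

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str

def authorize(user: str, location: str, dst_ip: str,
              directory: Dict[str, Set[str]] = DIRECTORY) -> Decision:
    """Decide whether a packet from `user` at `location` to `dst_ip` is processed."""
    coi = ENDPOINT_COI.get(dst_ip)
    if coi is None:
        # Not in any microsegment: nothing will unseal the packet, so the
        # destination is effectively dark.
        return Decision(False, "destination is not in any microsegment")
    if coi not in directory.get(user, set()):
        # Identity check: no group, no key, and the endpoint stays invisible.
        return Decision(False, f"{user} is not a member of {coi}")
    min_loc = COI_MIN_LOCATION[coi]
    if LOCATION_RANK.get(location, -1) < LOCATION_RANK[min_loc]:
        return Decision(False, f"{coi} requires location {min_loc} or better")
    return Decision(True, f"{user} reaches {coi} from {location}")

def revoke_group(directory: Dict[str, Set[str]], user: str, group: str) -> None:
    """One directory change revokes access; there are no device rules to hunt down."""
    directory.get(user, set()).discard(group)

def demo() -> Dict[str, bool]:
    """Run the scenarios from the text against a private copy of the directory."""
    d = {u: set(g) for u, g in DIRECTORY.items()}
    out = {
        "alice_finance_office": authorize("alice", "building", "10.0.1.10", d).allowed,
        "alice_finance_cafe": authorize("alice", "coffee_shop", "10.0.1.10", d).allowed,
        "alice_corp_cafe": authorize("alice", "coffee_shop", "10.0.2.20", d).allowed,
        "bob_finance_office": authorize("bob", "building", "10.0.1.10", d).allowed,
        "carol_legacy_office": authorize("carol", "building", "10.0.9.99", d).allowed,
    }
    revoke_group(d, "alice", "coi-finance")  # offboarding happens in the directory
    out["alice_finance_after_revoke"] = authorize("alice", "building", "10.0.1.10", d).allowed
    return out
```

Running `demo()` shows the finance server reachable from the building but not from the coffee shop, the supplier and the legacy XP host invisible to anyone outside their COI, and Alice's access gone the moment her group membership is removed.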
Micro-Segmentation: Protecting Your Legacy (Systems)
The reality today is that most organizations don’t currently operate with the latest, most secure operating
systems. Although you probably haven’t touched a Windows XP machine in years, the fact remains that
there are still millions of them functioning out there, diligently sending commands that open valves, close
doors, and turn on lights. Called ICS, for Industrial Control Systems, these machines are still operational in
every industry, despite the fact that Microsoft stopped patching them years ago. They’re generally wide open
to hackers, meaning complex firewall rules must be created and maintained to keep them operational.
How do you protect legacy systems? The most secure strategy that will enable you to still use legacy
operating systems such as XP and Windows 2003 is to isolate them from the production network using their
own µSeg. This way you can still meet your policy of “no unpatched systems on the business network” and
keep the production floor still operating. This will keep the auditors happy and the product flowing.
Micro-Segmentation: Leveraging Global Standards
Information security professionals have seen creative, proprietary solutions to security threats all boil down
to one basic idea: “If only everyone in the world would buy and install this product, then there would be no
data breaches.” We have yet to see 100 percent adoption of any such solution. The only solutions that have
transformed security, and, in the process, enabled things like e-commerce, were open standards. These
non-standards-based security systems will fail.
Micro-segmentation today must, in the same way as SSL in the ’90s, use open, widely adopted standards
that don’t need any special hardware or software. It must use IP (Internet Protocol), IPsec (Internet Protocol
Security), and IKE (Internet Key Exchange), which are the mandatory building blocks of today.
The Internet Protocol (IP) is the most-followed global standard in history and is the obvious commonality to
leverage when looking to secure an extended enterprise that covers computers, communications, phones,
Internet of Things devices, SCADA devices, clouds, cars, and so much more. The one and only thing they
all have in common is the IP stack they use. Further, by leveraging the global IP security standards (IPsec)
and IKE that are now commonly built into these stacks by the device vendors, you minimize rollout costs and
maximize global adoption. Finally, full support of both IPv4 and IPv6 standards is mandatory in order to be
functional in today’s environment. Using IPsec at the packet level will help implement a micro-segmented
network that is both practical and economical.
Micro-Segmentation: Leveraging Experience and Support
No one likes to rely on version 1 of anything, let alone a security system. Too many oversights, too
many glitches, and too many problems. Luckily, Micro-segmentation has been a project here for 10
years, and in our case is now an award-winning product at version 3 and installed on large-scale critical
systems around the world. Tapping into existing and proven use cases, for doing things like data center
consolidation, cloud migration, PCI and HIPAA compliance, XP and device isolation, and critical asset
protection will dramatically lower your time, risk, and cost to deploy.
LONG LIVE SECURITY WITH MICRO-SEGMENTATION
Yesterday’s approach to security is dead. Micro-segmentation is that great security hope that helps us
live to fight another day. When it is implemented properly and deployed in an identity-based model, we
can cover owned assets as well as ecosystem assets. We can converge all logical and physical security
assets in an easily manageable environment to allow your organization to operate with confidence
knowing it’s better prepared the next time a security “event” erupts.
There are tremendous business benefits to implementing Micro-segmentation today:
• Easier to deploy
• Easier to manage
• Lower operating costs
• Lower equipment costs
• Less security personnel required
• More-secure data centers
• Supports data center consolidation
• Supports secure use of the clouds
• Supports integrated supply chains
• Supports mobile and home use
• Supports convergence
• Supports business agility
• Supports mergers and acquisitions
It’s now entirely possible to add robust, segmented, scalable security to virtually any enterprise
environment. It doesn’t take miracles or magic. What it takes is a brave leadership to drive this change in
attitude. It takes board members who express an active interest in the space and the grim realities that
have resulted. It takes CEOs to recognize that security is now a business issue and not just a technology
one. It takes a CSO to admit that prior safeguards and processes haven’t worked and won’t work — and
ultimately to muster the courage to speak up for what’s needed, even if it requires going beyond what’s
known and comfortable.
With this strong leadership, enterprises will begin to move forward securely and face tomorrow’s business
challenges head-on. Long live security.
Unisys’ award-winning Stealth™ products deliver Micro-segmentation at scale for some of the world’s largest
and most important enterprises. Stealth can be quickly and easily added to your enterprise today to lower
costs and risks. Unisys Stealth is software based and identity-driven, and has been in service defending
critical enterprises around the globe. Unisys Stealth is part of a full suite of trusted security offerings that
include both cyber and physical security, efficient managed delivery, and a global consulting force — all
provided by trusted and proven Unisys Corporation. For more information, please get technical and business
details at www.unisys.com/stealth, or contact our client support teams directly at [email protected] to set
up a demonstration in your environment.
About Unisys
Unisys is a global information technology company that works with many of the world’s largest companies and government organizations to solve their most pressing IT and business challenges. Unisys specializes in providing integrated, leading-edge solutions to clients in the government, financial services and commercial markets. With more than 20,000 employees serving clients around the world, Unisys offerings include cloud and infrastructure services, application services, security solutions, and high-end server technology.
For more information on Micro-segmentation, email us today at [email protected].
© 2015 Unisys Corporation. All rights reserved.
Unisys and other Unisys product and service names mentioned herein, as well as their respective logos, are trademarks or registered trademarks of Unisys Corporation. All other trademarks referenced herein are the property of their respective owners.
Printed in the United States of America 11/15
Talk to the Security experts today about Stealth™ for Micro-segmentation. Contact us today at Unisys.com/stealth