
The world seems upside down at the moment, and it is difficult not to be anxious and stressed. There were times in my past when during stressful moments, I would take a welcomed trip to the Bronx Zoo.  The escape from the hustle and noise of the city was a welcome reprieve. I quite enjoyed the simplicity of a walk to visit the animals and wildlife. My personal favorite was the rhinos, healthy and fit yet calm and proud.

Keeping the Animals Separate

When you enter the Bronx Zoo in New York City, you will notice that the animals are separate in particular areas. At the southern end of the park, there is the African Plains section with the giraffes and wild dogs, and it’s also where you can see the fierce lions basking in the sun. Over by the Himalayan highlands is where visitors can observe the snow leopard and the red panda.  So awesome those little red pandas. Between the mountains and the plains, you will find playful characters in the baboon reserve.

There is, of course, a separate world of reptiles, the birds of prey, and even Madagascar, where ring-tailed lemurs roam playfully. At the north end of the zoo, by the fountain circle, are the aquatic birdhouse, the sea bird aviary and the birds of prey. To the east of the main fountain, at the Fordham Road gate, is where you whisk away to the high plains and see the bison grazing. Everything in the animal kingdom in its place, everything in order.


Covering over 265 acres, the Bronx Zoo is one of the largest in the US and first opened its doors in 1899. Sections and regions are well organized, and every animal, reptile, bird, you name it, is grouped logically together: kingdom, phylum, class, order, family, genus, and species. The ordering makes sense, everything is in its natural habitat, and you won’t find an antelope sharing a snack with the penguins. The order of things is intuitive, and the segmentation implemented adds a layer of protection.

Segmentation Keeps Threats at Bay

Segmentation can also help mitigate risk. At the zoo there are external threats, bad actors coming from the outside and causing damage, and internal risks, where the havoc comes from the inside. In 2001, an otherwise normal man climbed a 20-foot wall, entered the gorilla enclosure, and stripped down to his boxer shorts, telling the NYPD later that he wanted to be “one with the gorillas.” In 2007, Javan langurs (an Old World monkey from the Colobinae subfamily) were placed together with Oriental small-clawed otters. The monkeys proceeded with, well, monkey business, and it didn’t end well for one of them: a tragic example of internal risk.

Likewise, there are external and internal risks that large enterprises deal with every day. From hospitals to banks to retail operations, information is valuable, and hackers will do anything to attack from the outside to get access to valuable information. An example of internal risk is when compromised employees or vendors go after sensitive information, or when an employee unknowingly grants access to an attacker by clicking on a phishing link in an email.

Similar to the order of things at the zoo, we help organizations segment their networks in a manner that makes sense. We can divide networks granularly down to the workload level and define specific security policies for these specific segments and workloads. So instead of just using gates and fences seen at some local animal farm, it’s a more secure process where movement can be monitored, communications can be traced, and all the animals can roam but stay in their respective regions.

If and when a deviation occurs (a crocodile gets out, or a device in the ER room talks to the finance department), our system can take remedial action right away. If a green peafowl escapes, there is no need to close the entire zoo. Our system is smart enough to contain the bird in the right area.

Segmentation Keeps Red Pandas and Networks Safe

With Ordr, we can help reduce the number of alerts and alarms and act fast when something unexpected happens. We proactively protect the enterprise network, and traffic is analyzed at multiple layers. Our SCE system creates a conversation map called the flow genome for every connected device. We can identify all communications between the various segments and VLANs, and we leverage AI to baseline normal communication behavior and then translate these behaviors into a device-specific security policy. The red panda will be proud.



Segmentation Done Right – Part 3 of 3

Segmentation is a good thing; we understand the benefits, and we also know that segmentation needs to be done right. Doing it right means segmenting in a non-rigid manner and having a clear goal in mind before VLANs are deployed randomly or like-minded devices are just lumped together. In this concluding part of the series, we discuss our take on flexible segmentation and how to generate policies using the observed behaviors of devices.

At Ordr we can granularly group devices by type, or even group the same type of devices across an enterprise. For example, if you want to see all your cameras across your entire enterprise, we can do that. Want to see only the cameras used by the surveillance security department? Or only the cameras on the manufacturing line? We can slice and dice it any way that fits your business requirements.

One popular starting point that we see with some customers is segmentation by vulnerabilities. This process entails segmenting by the most vulnerable devices in your network. For example, think about all the cameras that ship with a default password, which is oftentimes just “password”. We can help segment these vulnerable cameras from the rest of the network to reduce the exposure of everything else if they get hacked. Later on, we can help a hospital segment another group of precious devices, such as CT scanners and patient monitoring devices, which are often vulnerable since they run older operating systems. Older operating systems can be an issue since they can be susceptible to malware, oftentimes inadvertently introduced by a healthcare worker who worked remotely, visited a bad site, and then came back to the hospital.

With the Ordr system, you can work through the device population one group at a time, based on your specific business criticality requirements. This is a very granular, configurable method versus the traditional all-or-nothing approach of VLANs. Think of it rather as a personal VLAN per device. We can help security personnel maintain good network hygiene by segmenting rogue access points, preventing devices on guest networks from accessing clinical resources, and even helping identify and remove outlier devices from incorrect segments.

With our approach, there is no need to declare a zero-trust-day plan and then execute to that milestone, only to realize that the business requirements have changed, the device population has increased, or the network footprint has evolved. With Ordr, you can start the segmentation journey now with a logical, device-centric approach rather than big rigid boxes of categories. Our micro-segmentation approach is easier to execute, is flexible, and changes as your business requirements change, as equipment is moved around due to utilization adjustments, or whatever the case may be.

We add insights into understanding the behaviors of devices. Once Ordr has baselined all the traffic, the system can report any time a device attempts to communicate outside its defined network behavior. This deviation from a device’s normal behavior is alerted on the main dashboard as a device security incident. We can further show you the flows of traffic per device and how it interacts with every other device in your network. We can tell you what’s “normal” because we have intelligently mapped and baselined the traffic.
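The two passages above (the flow-genome baseline in Part 3's opening and the behavior-deviation alerting here) describe a pattern that is easy to show end to end: learn which peers, protocols and ports each device uses during a baseline window, turn that into a device-specific allow policy, then flag later flows that fall outside it. The block below is an added example written for this page, not Ordr's code or an account of how its SCE system works internally. All device names, VLAN ids and flow records are constructed, and the decision to share learned rules across devices of the same type is a design choice of the example rather than something the page states.

```python
"""Learn a per-device communication baseline and flag deviations.

Added example (not Ordr's code): constructed flow records are used to
learn what each device normally talks to, the learned rules are turned
into a device-specific allow policy, and later flows outside that policy
are reported, including flows between devices that share a VLAN.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Flow = Tuple[str, str, str, int]  # (src_device, dst_device, proto, dst_port)
Rule = Tuple[str, str, int]       # (peer_device, proto, dst_port)

# Constructed inventory: device name -> (device type, VLAN id). Hypothetical names.
INVENTORY: Dict[str, Tuple[str, int]] = {
    "infusion-pump-01": ("infusion_pump", 20),
    "infusion-pump-02": ("infusion_pump", 20),
    "pump-server": ("server", 30),
    "cam-lobby-01": ("camera", 40),
    "nvr-01": ("server", 30),
    "finance-fs-01": ("server", 50),
}

# Constructed learning window: flows observed while behaviour is baselined.
BASELINE_FLOWS: List[Flow] = [
    ("infusion-pump-01", "pump-server", "tcp", 443),
    ("infusion-pump-02", "pump-server", "tcp", 443),
    ("infusion-pump-01", "pump-server", "udp", 123),
    ("cam-lobby-01", "nvr-01", "tcp", 554),
]

# Constructed flows seen after the baseline was frozen.
NEW_FLOWS: List[Flow] = [
    ("infusion-pump-02", "pump-server", "udp", 123),       # NTP, learned from the sibling pump
    ("infusion-pump-01", "infusion-pump-02", "tcp", 445),  # peer-to-peer inside one VLAN
    ("infusion-pump-01", "finance-fs-01", "tcp", 445),     # clinical device reaching finance
    ("cam-lobby-01", "nvr-01", "tcp", 554),                # normal RTSP to the recorder
]


def learn_baseline(flows: Iterable[Flow]) -> Dict[str, Set[Rule]]:
    """Map each source device to the (peer, proto, port) triples it used."""
    baseline: Dict[str, Set[Rule]] = defaultdict(set)
    for src, dst, proto, port in flows:
        baseline[src].add((dst, proto, port))
    return dict(baseline)


def build_policy(baseline: Dict[str, Set[Rule]],
                 inventory: Dict[str, Tuple[str, int]]) -> Dict[str, Set[Rule]]:
    """Turn learned behaviour into a per-device allow policy.

    Design choice of this example (not stated on the page): rules learned
    by one device are shared with every device of the same type, so a
    pump that did not happen to sync NTP during learning is not alerted on
    the first time it does. Device types with no learned rules get an
    empty allow list, i.e. default deny.
    """
    by_type: Dict[str, Set[Rule]] = defaultdict(set)
    for device, rules in baseline.items():
        by_type[inventory[device][0]] |= rules
    return {dev: set(by_type.get(dtype, set())) for dev, (dtype, _) in inventory.items()}


def check_flows(flows: Iterable[Flow], policy: Dict[str, Set[Rule]],
                inventory: Dict[str, Tuple[str, int]]) -> List[str]:
    """Return one alert string per flow that falls outside the source device's policy."""
    alerts: List[str] = []
    for src, dst, proto, port in flows:
        if (dst, proto, port) in policy.get(src, set()):
            continue
        src_vlan = inventory.get(src, ("unknown", None))[1]
        dst_vlan = inventory.get(dst, ("unknown", None))[1]
        if dst_vlan is None:
            where = "external peer"
        elif src_vlan == dst_vlan:
            where = f"same VLAN {src_vlan}"   # VLAN membership alone would have let this through
        else:
            where = f"VLAN {src_vlan} -> VLAN {dst_vlan}"
        alerts.append(f"{src} -> {dst} {proto}/{port} outside baseline ({where})")
    return alerts


def run_example() -> List[str]:
    """Baseline, build policy, and check the post-baseline flows."""
    policy = build_policy(learn_baseline(BASELINE_FLOWS), INVENTORY)
    return check_flows(NEW_FLOWS, policy, INVENTORY)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Running it yields two alerts: the pump-to-pump flow inside VLAN 20, which a plain VLAN boundary would never have stopped, and the pump-to-finance flow across VLANs. The second pump's NTP flow is allowed only because the example generalizes across device type; without that step it would be a third alert, which is the trade-off to weigh between fewer false positives and a stricter per-device policy.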

At Ordr, you can group and segment however you prefer; the choice is yours. Create network segments for medical vs. facilities vs. contractors vs. the emergency room, and even sub-segment the pharmacy if you like. Within each segment, you can selectively allow access by various groups. With granular, flexible micro-segmentation from Ordr, you can contain any potential breaches and damage. Whitelist internal flows flexibly for your business needs. Blacklist with micro-segmentation? We do that too. We give you the tools to do segmentation right, and we give you the smarts to take control.

Read Segmentation Done Right – Part 1: Great Idea and Segmentation Done Right – Part 2: Seeking A Better Way



Segmentation Done Right – Part 2 of 3

Segmentation is a good thing, and there are many use cases for segmentation done the right way. What tools then do we implement to get started with segmentation, and are there some pitfalls to avoid? The idea is simple, but one doesn’t want to design cost and complexity into the equation from the start. A flexible yet granular segmentation system with ample room to grow is what you need.

The traditional way of doing segmentation was to use the perimeter firewall: one side was trusted and safe, and on the outside was the big bad world. With many intrusions, however, a small breach means the damage is difficult to contain. Take it a step further, and one can deploy multiple virtual networks, or VLANs, to further segment and create various “safety zones” inside the network, then leverage routers and Layer 3 switches to control access between the virtual segments.

Using VLANs is pretty intuitive: place all things of a particular type into the same virtual segment. But VLANs are manually intensive; each new device must be manually categorized and assigned the correct VLAN. Each new group needs its own VLAN and a painful call to the IT desk to allocate a new VLAN across the enterprise, each with its own unique IP address space. And don’t forget the VLAN boundaries. ACL policies need to be consistently deployed at each of the routers and L3 switches to control the flow between VLANs, or else what was the reason for creating new VLANs in the first place?
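The last point above is the one that most often goes wrong in practice: a VLAN only segments if every router or L3 switch that sits between two VLANs enforces the same ACL, and a rule forgotten on one path or an extra permit left on another silently defeats the design. The block below is an added example, not Ordr's code or a tool the page describes. It models a centrally written inter-VLAN policy and the rules actually present on each enforcement point, then reports intended permits that are missing and permits that were never granted. All VLAN names, rules and device names are constructed, and rules are held as abstract tuples rather than in any vendor's ACL syntax.

```python
"""Audit that inter-VLAN ACLs are consistently deployed at every L3 boundary.

Added example (not Ordr's code). Default deny is assumed at each boundary,
so the intended policy lists only the permits; anything else should be
blocked. Every name and rule below is constructed for illustration.
"""
from typing import Dict, List, Set, Tuple

# A rule: (src_vlan, dst_vlan, proto, dst_port). "any" stands for a wildcard.
Rule = Tuple[str, str, str, object]

# The intended inter-VLAN policy, written once, centrally (constructed).
INTENDED: Set[Rule] = {
    ("cameras", "nvr", "tcp", 554),        # RTSP from cameras to the video recorder
    ("pumps", "pump-server", "tcp", 443),  # infusion pumps to their management server
}

# Which VLAN pairs each L3 enforcement point routes between (constructed).
BOUNDARIES: Dict[str, List[Tuple[str, str]]] = {
    "core-sw-1": [("cameras", "nvr"), ("pumps", "pump-server")],
    "core-sw-2": [("cameras", "nvr"), ("pumps", "pump-server")],
    "dist-rtr-3": [("pumps", "pump-server")],
}

# What is actually configured on each enforcement point (constructed).
DEPLOYED: Dict[str, Set[Rule]] = {
    "core-sw-1": {("cameras", "nvr", "tcp", 554), ("pumps", "pump-server", "tcp", 443)},
    "core-sw-2": {("cameras", "nvr", "tcp", 554)},  # pump permit forgotten on this path
    "dist-rtr-3": {("pumps", "pump-server", "tcp", 443),
                   ("pumps", "pump-server", "any", "any")},  # wildcard nobody approved
}

Finding = Tuple[str, str, Rule]  # (enforcement_point, "missing" | "unintended", rule)


def audit(intended: Set[Rule],
          boundaries: Dict[str, List[Tuple[str, str]]],
          deployed: Dict[str, Set[Rule]]) -> List[Finding]:
    """Compare each boundary's deployed rules with the slice of policy that applies to it.

    "missing": an intended permit is absent on a device that routes that
    VLAN pair, so legitimate traffic breaks on this path (and operators are
    tempted to work around the control). "unintended": a permit exists that
    the central policy never granted, i.e. a hole in the segmentation.
    """
    findings: List[Finding] = []
    for point, pairs in boundaries.items():
        rules_here = deployed.get(point, set())
        # Only the policy lines for VLAN pairs this device actually routes are relevant.
        relevant = {r for r in intended if (r[0], r[1]) in pairs}
        for rule in sorted(relevant - rules_here, key=str):
            findings.append((point, "missing", rule))
        for rule in sorted(rules_here - relevant, key=str):
            findings.append((point, "unintended", rule))
    return findings


if __name__ == "__main__":
    for point, kind, rule in audit(INTENDED, BOUNDARIES, DEPLOYED):
        print(f"{point}: {kind} {rule}")
```

The check is deliberately per boundary rather than global: a rule that exists on one core switch but not the other is exactly the inconsistency the text warns about, and a global union of all deployed rules would hide it.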

Furthermore, the world of applications is dynamic, so boundaries can’t be so rigid. When one creates and deploys a new application using an Auto Scaling group, which contains a collection of Amazon EC2 instances, an IP address is dynamically assigned. Frequently this application will need to move around various network segments. If one applies a rigid approach to segmentation, there will be too many strict routing rules to navigate, since traffic is only allowed when it matches a pre-defined list. Moving around is hampered, and the permitted list has to be updated continuously by hand. In today’s environment, network ports are dynamic, DHCP is dynamic, applications are active, and we think segmentation should be flexible and smart.

Let us go back to the middle school example from last week. Students in their classrooms can further represent segmentation. Grades and different classrooms separate children, and each class has a teacher. Typically (or in some cases hopefully), the children are expected not to interact with each other during lessons and only interact with the teacher. Likewise, when you have a class of IoT devices, rarely do these devices need to communicate or talk to each other. If anything, one MRI machine talking to another, or sharing a snack, should not happen.

So if this orderly communication between a teacher and student makes sense in a classroom or “segment,” then why do we lump similar devices such as cameras, X-ray machines, or workstations together into their respective segment, VLAN or subnet with the notion that they are protected? These devices should talk to a central master and externally to get a patch once in a while, but not to each other. If one device is compromised, there goes the notion of protection via segmentation. If Junior in class catches the flu, other students in the same class are likely to get sick, too. Likewise, if a workstation is compromised and it’s in the same VLAN with other workstations, how does one contain the damage?

Traditional segmentation often places all sorts of devices of a general category into the same group/segment, and any infection of one will quickly spread to the rest. At Ordr, we segment smartly and take it further with micro-segmentation. We can group and segment things logically, and we can control the flow between the logical segments. Micro-segmentation divides networks down to the workload level and then defines specific security controls and policies for these specific segments and workloads. It’s a more granular and logical approach than physical segmentation via physical firewalls, making it easier for network and security administrators.

If a device becomes infected, we can contain the damage and not let it spill over, thus helping you regulate and protect precious assets and information. Next week we will discuss segmentation automation and how one can generate clear policies using observed behavior. Be smart, control the flow between segments, and do segmentation in an Ordr’ly way.

Read Segmentation Done Right – Part 2: Seeking a Better Way


Segmentation Done Right – Part 1 of 3

When I was in middle school standing in the cafeteria lunch line, there was always that feeling of nervousness before the spaghetti or tuna casserole (or aloo tikka masala if you are familiar with the Indian school lunch trays) hit my lunch tray with its unique thud. After the entrée, I would shuffle my feet to the left to receive my overcooked peas and carrots. Last but not least was a big scoop of extra syrupy canned peaches. Ah, the joys of being in 7th grade. The good thing about public school lunch was that at least the lunch tray was compartmentalized, and my noodles only caught a little bit of that extra sugary, extra sweet peach syrup. Segmentation, what a great idea.

Contain the Damage

Reminiscing about my school noodles made me think about the benefits of network segmentation, which is the division of a network into smaller, more manageable groups. These zones can be separated from each other with controls in between that keep each zone safe and secure. If, for example, there were a cyberattack and a device were compromised, the segmentation would keep the damage from spreading, as the damage is confined to a specific zone or segment. Think blast radius control. Unusual lateral, side-to-side movement is also kept in check when a network is properly segmented.

It’s Recommended


It sounds simple enough: separate the network into compartments to limit the spillover effect. Zones can readily consist of VLANs/subnets, groups or segments, hence the name. In terms of application, one can deploy network segmentation using existing network infrastructure or even by deploying new next-generation firewalls into specific zones. The National Institute of Standards and Technology (NIST), in its framework for zero trust architecture, recommends segmentation for enhanced identity governance.

Factors to Consider

Getting started with segmentation takes a little bit of thought. How big will the zones be? How many devices of similar types would be in each zone? What about the regulatory environment? The regulatory side can have a say in how things are portioned as well. For example, if your business deals with payments, the PCI-DSS standard states a clear demarcation between payment card authorization and point of sale. In hospitals, one would want to keep life-saving equipment separated from the IT devices.

So how does one begin, and are segments rigid in a “set it and forget it” way? How can segments evolve as network requirements change? How will they adapt to changing business policies? It helps to start a segmentation project off the right way by considering the various enterprise departments and the level of fine-grained control required. Furthermore, consider the zones of vulnerability, as plenty of exploits and attacks can occur from inside the network. Departmental segmentation can be done with firewalls, but if you want more granular control, it very quickly amounts to deploying a large number of small hardware firewalls everywhere on the campus, which is neither practical nor cost-effective.

Network segmentation by itself is a great methodology, but if your organization does not know how your applications communicate with your endpoints, then you risk having incoherent policies at your control points, which reduces the effectiveness and usefulness of segmenting. Also, segmentation applied without precision can impact the day-to-day operations of a company, so that is something to consider when it comes to implementation. The other factor to consider is the growth and expansion of your network, as you want a segmentation method that scales with your business requirements.

Slice and Dice Your Way to Segmentation

When you use a platform from Ordr, you can get as granular as you like. Beyond buildings, sites, departments, and floors, one can segment a network by business requirements and even perform grouping by device function, even within the same class of devices. For example, at a casino, we can separate all the cameras into various groups based on their function: physical surveillance cameras for regulatory compliance (watching the slot machines) vs. general-use security cameras observing foot traffic. High-risk assets vs. mission-critical assets is another way to consider the segmentation process.

Segmentation, like the lunch tray, can work great when it’s done right. There is no spillover or cross-contamination, and things are in a nice tidy order. Next week we will discuss the limitations and shortcomings of existing approaches and dive deeper into modern methods for segmenting the network the right way.

Read Segmentation Done Right – Part 2