"By deploying advanced security solutions, financial institutions can better protect their data centers from undetected breaches and sophisticated threats"
That hasn’t stopped the financial services industry from diving head-first into cloud-based technologies. More and more financial sector businesses are migrating workloads and application data to virtualized environments, whether through public cloud, private cloud SDDCs (Software Defined Data Centers) or a hybrid combination of both. While the appetite for increased network agility drives massive changes to infrastructure, the tools and techniques used to protect data centers also need to adapt and evolve.
Recent efforts to upgrade these massive security systems are still falling short. Since data centers by design house huge amounts of sensitive data, there shouldn’t be any shortcuts when implementing security to protect all that data. Yet, the focus predominantly remains on providing protections only at the perimeter to keep threats outside. However, implementing perimeter-centric security leaves the inside of the data center vulnerable, where the actual data resides.
Let’s take a look at a real world example where perimeter security wasn’t enough. In April 2015, one of the world’s biggest jewelry heists occurred at the Hatton Garden Safe Deposit Company in London. Posing as workmen, the criminals entered the building through a lift shaft and cut through a nearly 2-ft thick concrete wall with an industrial power drill. Once inside, the criminals had free and unlimited access to the company’s secure vault for over 48 hours during the Easter weekend, breaking into one safety deposit box after another to steal an estimated $100m worth of jewelry.
So why weren’t the criminals caught? How did they have free reign into all of the safety deposit boxes? It turns out that the security systems only monitored the perimeter, not inside the vault. Despite the burglars initially triggering an alarm to which the police responded, no physical signs of burglary were found outside the company’s vault. So the perpetrators were able to continue their robbery uninterrupted. In other words, the theft was made possible by simply breaching the vault’s perimeter – once the gang was inside, they could move around undetected and undisturbed.
Cybercriminals understand this all too well. They are constantly utilizing advanced threats and techniques to breach external protections and move further inside the data center. Without strong internal security protections, hackers have visibility to all traffic and the ability to steal data or disrupt business processes before they are even detected.
At the same time financial institutions face additional challenges as traffic behavior and patterns are shifting. There are greater numbers of applications within the data center, and these applications are all integrated with each other. The increasing number of applications has caused the amount of traffic going east-west traffic – or laterally among applications and virtual machines - within the data center to drastically grow as well.
As more data is contained with the data center and not crossing the north-south perimeter defenses, security controls are now blind to this traffic—making lateral threat movement possible. With the rising number of applications, hackers have a broader choice of targets. Compounding this challenge is the fact that traditional processes for managing security are manually intensive and very slow. Applications now are being rapidly created and evolving far more quickly than static security controls are able to keep pace with.
To address these challenges, a new security approach is needed—one that effectively brings security inside the data center to protect assets, data and workloads against advanced threats: Micro-segmentation.
Micro-segmentation works by grouping resources within the data center and applying specific security policies to the communication between those groups. The data center is essentially divided up into smaller, protected sections (segments) with logical boundaries which increase the ability to discover and contain intrusions. However, despite the separation, application data needs to cross micro-segments in order to communicate with other applications, hosts or storage devices. This makes lateral movement still possible, since perimeter security controls are not able to inspect the traffic contained within the data center for malicious payloads.
For example, a web-based application may utilize the SQL protocol for interacting with database servers and storage devices. The application web services are all logically grouped together in the same micro-segment and rules are applied to prevent these application services from having direct contact with other services. However SQL may be used across multiple applications, thus providing a handy exploit route for advanced malware that can be inserted into the web service for the purpose of laterally spreading itself throughout the data center.
Micro-segmentation with advanced threat prevention is emerging as the new way to improve data center security. This provides the ability to insert threat prevention security— firewall, Intrusion Prevention System (IPS), AntiVirus, Anti- Bot, sandboxing technology and more—for inspecting traffic moving into and out of any micro-segment and thus prevent the lateral spread of threats. However, this presents security challenges due to the dynamic nature of virtual networks, namely the ability to rapidly adapt the infrastructure to accommodate bursts and lulls in traffic patterns or the rapid provisioning of new applications.
In order to cope with rapid changes, security in a software-defined data center needs to learn about the role, scale, and location of each application. This allows the correct security policies to be enforced, eliminating the need for manual processes. What’s more, dynamic changes to the infrastructure can be automatically recognized and absorbed into security policies, keeping security tuned to the actual environment in real-time.
By sharing context between security and the software-defined infrastructure, the network then becomes better able to adapt to and mitigate risks. As an example, if an infected VM is identified by an advanced security solution protecting a micro-segment, the VM can automatically be re-classified as “infected.” Re-classifying the VM can allow the infrastructure to trigger a predefined remediation workflow to quarantine and clean the infected VM.
Once the threat has been eliminated, the infrastructure can then re-classify the VM back to its “cleaned” status and remove the quarantine, allowing the VM to return to service. Firewall rules can be automatically adjusted and the entire event logged—including what remediation steps were taken and when the issue was resolved—without having to invoke manual intervention or losing visibility and control.
Strong perimeter security is still an important element to an effective defense-in-depth strategy, but perimeter security alone offers minimal protections for virtualized assets within the data center. It is difficult to protect data and assets that aren’t known or seen. With micro-segmentation, advanced security and threat prevention services can be deployed wherever they are needed in the virtualized data center environment.
Implementing solutions like Check Point vSEC compliments micro-segmentation and provides comprehensive threat prevention security to protect east-west traffic within the data center, and can provide the foundation for automating the quarantine of infected machines for remediation. This puts required protections inside a financial service organization’s data center, securing their assets and valuable data from attacks. By deploying advanced security solutions, financial institutions can better protect their data centers from undetected breaches and sophisticated threats.