Security Through Visibility: Seeing Into Virtual and Cloud Networks
Ravid Circus, Skybox VP, Products
Imagine an IT security team as a navy crew at sea. A torpedo blasts the ship’s side below the water line. As the water floods in, they can’t even see the hole, let alone fix it. Instead, everyone turns to the pumps to keep the ship afloat.
This is the state of many security programs today. Despite a plethora of point solutions, security teams lack visibility into what they’re trying to protect, their most pressing risks and the security tools at their disposal. Thus security teams operate in constant reactionary mode, while a strategic, proactive security program remains elusive.
The growing popularity of virtual networks further complicates visibility issues. Virtual machines are spun up at a moment’s notice and security groups and tags are assigned but not necessarily in line with broader security policies. Network security teams may have no access to management consoles and limited insight as to how changing network architectures affect their attack surface.
But with comprehensive network modeling extending into virtual networks, network security engineers can gain the needed visibility to unify security and compliance processes across their hybrid hardware and virtual environments.
A major challenge to policy and access verification in hybrid environments is complexity. The mixture of physical, virtual and cloud networks with their various security groups and tags, as well as traditional ACLs, makes manual comparison and analysis almost impossible. But by normalizing this data and combining hybrid network policies, network access can be analyzed end to end and visualized within the model.
Historically, data centers have been protected by perimeter security technologies analyzing north-south traffic into and out of the data center. Traditional data center designs assume that all east-west traffic – traveling within the data center -occurs in trusted, well-protected zones. Recent data breaches, however, have shown that this assumption is no longer valid. Microsegmentation is capable of dividing east-west traffic within the data center into smaller, more protected zones; but without security visibility into how microsegmentation is implemented, it’s difficult to verify that policy is adhered to across the network.
By combining and modeling north-south and east-west policies network security teams can gain end-to-end access visibility throughout their hybrid network. Model-driven visibility also provides a more realistic view of applied policy at the host level rather than verifying access only at “chokepoints” or gateways to the virtual network.
Vulnerability Detection in Virtual Networks
One added benefit of modeling virtual and cloud environments is scan less vulnerability detection. Security analytics applied to the model can deduce vulnerabilities using product configuration and version information. This can significantly decrease reliance on active or third-party scans which are harder to operate on virtual and cloud networks. Incorporating vulnerability intelligence gives a fuller picture of how these networks impact overall risk.
By unifying hybrid IT environments in one model and normalizing their data, organizations can break down the barriers that traditionally existed between physical, virtual and cloud networks for comprehensive, streamlined security management. This information can be further distilled into a simple picture of the organization’s unique attack surface. Using attack surface visualizations, CISOs to “in-the-trenches” security practitioners to board members can quickly see the interconnectedness of their IT infrastructure and where their most critical security exposures lurk. Attack surface visibility gives an intuitive and deeply analytical tool to make fast, informed decisions regarding incident response, operations and security investments. It provides a common language and reference to stop reacting to symptoms and start treating root causes of security issues, creating a proactive, holistic security program.