Right-Sized Segmentation Testing

In a recent webinar, Edgewise CEO Peter Smith and MegaplanIT CISO Mark Butler discussed two big organizational “musts”: Network segmentation and penetration testing.

In today’s highly complex networking ecosystems, organizations must take proactive measures to protect the data, applications, and services communicating on their hybrid infrastructures. Doing so requires adaptive, automated controls and the continuous validation that those controls are functioning as intended while addressing ever-changing business needs.

The reality is that securing an organization’s digital landscape is extremely challenging. Networks, themselves, sprawl across on-premises data centers, various cloud models, containers, and virtual environments. Applications are added, changed, and removed as part of rapid deployment cycles. New technology and connections are deployed without security’s oversight. Business units amass data at an alarming rate. And vulnerabilities and exploits are discovered, published, and weaponized daily. All of this adds up to a whole lot of ground for cybersecurity professionals to cover while threat actors need to take advantage of just one vulnerability—a missed patch, a coding flaw, a busy executive—to compromise an organization’s systems.

It’s overwhelming.

However, a more offensive approach against the enemy is necessary, despite the challenges, because cybersecurity has become a topline business risk. A proactive security posture relies on organizations’ abilities to understand the depth and breadth of their digital landscapes, their asset inventories, and the extent of vulnerabilities that accumulate within their environments. It’s one thing to know the magnitude of the cyber threat in general and another thing entirely to correlate an actual threat against a particular network.

Develop a segmentation strategy

There are many elements to a holistic security program, but a leading cause of network compromise and data breach is network overexposure. Flat networks facilitate access to resources, which helps with business speed and efficiency, but that same ease of access creates an overabundance of network paths that attackers can exploit to reach sensitive and private databases and applications. While flat networks are advantageous from an ease-of-use standpoint, the security impact is negative. Today, “inside versus outside” is an extinct concept. Companies must assume threats can initiate inside the perimeter just as easily as they can on the internet. Therefore, any network lacking granular segmentation is practically inviting threat actors to use open and unmonitored network paths as attack paths.

While segmentation, or microsegmentation, is a foundational step to securing a company’s network, it is a major effort. A starting point for segmentation/microsegmentation is always inventorying assets and learning connectivity and data flows between hosts, applications, and services. Security and network teams can’t properly design policy if they don’t know what they need to protect. Shrinking the attack surface means constraining access between applications and services, but you can’t protect what you can’t see. In other words: know what you have before you design.

Needless to say, understanding connectivity and data flows is a massive project. Today’s networks are constantly changing, especially with cloud and containers. The more you understand about your data flows, your systems, and their patterns of communication, the better you will be able to design a set of segmentation policies that make sense and support the business. The key to gathering this network information, and then using it to implement and enforce controls, is automation. And this is where continuous security testing gives you a leg up.

Plan your pen testing

The reality is, for most organizations, penetration testing is less than continuous. Well-resourced and security-conscious companies are likely to conduct regular vulnerability scanning (which is not the same as testing) and layer semi-annual pen tests into the mix. Even for companies with the ability to test their networks (and their network segmentation) more frequently, pen testing is never 24x7. Therefore, the best way to be sure that recurring testing achieves its goal of finding vulnerabilities and validating that controls are working properly is to review the scope of every test (i.e., what you are testing and why you are testing it) and to assess changes in the environment. A good question to ask as you embark on your pen test planning is: What are the high-level risks we need to address from an exposure and configuration standpoint and/or a potential data loss standpoint?

As for changes to the environment, no network is static and so past testing requirements and scope likely do not accurately reflect today’s or tomorrow’s test. Some things to ask before you write a requirements guide for your test include: What configuration changes have been made between the last test and the upcoming test? Were any new patches applied, and have new patches been released that aren’t yet implemented (i.e., new known vulnerabilities)? Have any new services been deployed?

Using the results from your automated and continuous inventorying, mentioned above, include current dataflows and applied segmentation information in your scope, too. Establishing tighter integration between business and technology will help accomplish this step.

Use compliance guidance to improve requirements

The PCI requirement 11.3.4.1 says that segmentation testing should “validate the effectiveness of segmentation controls, every 6 months or after any changes to segmentation controls, to ensure segmentation controls continue to operate effectively.” Following this guidance, even if you’re not subject to PCI DSS, will align your company with industry-leading practices. Further, PCI mandates require “continual, complete isolation between cardholder data environments (CDE) and non-CDE systems.” This requirement is a good recommendation for any organization’s most-sensitive data, regardless of PCI applicability. Implementing strict segmentation around business-critical applications and data is always best practice for preventing unauthorized access to and leakage of data.

Segmentation testing should go well beyond port scanning and enumeration of available services. The point of segmentation testing is for testers to try to gain access into environments to which they shouldn’t have access. There are various ways to test segmentation controls—through network-based communication channels, app-based channels, identity and access management, credential stealing...the possibilities are endless! So, too, are attackers’ tricks; therefore your testing should reflect as many avenues as possible. Importantly, segmentation testing must look at what can access what within the environment. In other words: Which applications are connecting to which other applications? Should server A be talking to host B at all? Is this type of traffic (its user, direction, flow, frequency, etc.) expected? Is it authorized? The answers to these types of questions should be part of the audit report you receive from your testers.
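The three questions above (which applications talk to which, is a given cross-segment flow authorized, and what has changed since the last test) can be answered from an automated flow inventory. The following is an added example, not code from the original post or from Edgewise; the segment CIDRs, the allow-list policy, the last-test date, and the flow records are all constructed for illustration. It maps each observed flow to its source and destination segment, flags cross-segment flows that the policy does not sanction (the CDE versus non-CDE isolation check PCI asks for), lists flows first seen after the previous test so they can be added to the next test's scope, and summarizes which ports reach each segment from outside it.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network

# Hypothetical segment definitions; the CIDRs are constructed for this example.
SEGMENTS = {
    "cde": [ip_network("10.10.0.0/24")],        # cardholder data environment
    "corp": [ip_network("10.20.0.0/16")],       # general corporate hosts
    "dmz": [ip_network("192.168.100.0/24")],    # internet-facing tier
}

# Allow-list of sanctioned cross-segment flows: (source segment, destination segment, destination port).
# Any flow crossing a segment boundary that is not listed here is reported as a segmentation violation.
POLICY = {
    ("dmz", "cde", 443),
    ("corp", "dmz", 443),
}

# Date of the previous segmentation test (assumed); flows first seen after it widen the next test's scope.
LAST_TEST = date(2019, 6, 30)

# Constructed flow inventory (not real traffic): src,dst,dst_port,proto,first_seen
SAMPLE_FLOWS = """\
# src,dst,dst_port,proto,first_seen
192.168.100.5,10.10.0.12,443,tcp,2019-01-15
10.20.4.7,10.10.0.12,3306,tcp,2019-09-02
10.20.4.7,192.168.100.5,443,tcp,2019-02-10
10.10.0.12,10.10.0.13,5432,tcp,2019-01-15
172.16.0.9,10.10.0.12,22,tcp,2019-08-20
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    first_seen: date


def segment_of(ip: str) -> str:
    """Map an address to its segment name, or 'unknown' if it lies outside every defined segment."""
    addr = ip_address(ip)
    for name, nets in SEGMENTS.items():
        if any(addr in net for net in nets):
            return name
    return "unknown"


def parse_flows(text: str) -> list:
    """Parse the CSV-style inventory, skipping blank lines and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, proto, first_seen = line.split(",")
        flows.append(Flow(src, dst, int(dport), proto, date.fromisoformat(first_seen)))
    return flows


def is_allowed(flow: Flow) -> bool:
    """Intra-segment traffic is out of scope for this check; cross-segment traffic must match POLICY."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg == dst_seg:
        return True
    return (src_seg, dst_seg, flow.dport) in POLICY


def report(text: str = SAMPLE_FLOWS, last_test: date = LAST_TEST) -> dict:
    """Produce the three answers a segmentation test plan needs from the flow inventory."""
    flows = parse_flows(text)
    violations = [(f.src, f.dst, f.dport) for f in flows if not is_allowed(f)]
    new_since_last_test = [(f.src, f.dst, f.dport) for f in flows if f.first_seen > last_test]
    # Exposure: which (source segment, port) pairs reach each segment from outside it.
    exposure = {}
    for f in flows:
        src_seg, dst_seg = segment_of(f.src), segment_of(f.dst)
        if src_seg != dst_seg:
            exposure.setdefault(dst_seg, set()).add(f"{src_seg}:{f.dport}")
    return {
        "violations": violations,
        "new_since_last_test": new_since_last_test,
        "exposure": {seg: sorted(pairs) for seg, pairs in exposure.items()},
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

On the constructed data the report flags two violations, both of which are also new since the last test: a corporate host reaching a database port inside the CDE, and a source outside every defined segment reaching SSH inside the CDE. The "unknown" segment is deliberate: an address the inventory cannot place is itself a finding, since it means the asset inventory and the segmentation design have drifted apart.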

Optimally, the methods used for testing should include not just brute force against systems and applications, but also analytics (such as the aforementioned overexposure analysis) that are context aware. Only in this way will you start to understand your cybersecurity risk—where your biggest vulnerabilities against your specific environment lie in wait—and be able to determine your best strategy to mitigate those vulnerabilities.

In our next webinar recap post, we’ll address some methods you can use to mitigate risk and avoid data breach.

In conclusion

To close out this post, a good game plan that will help you get started on right-sizing your segmentation testing includes the following:

  • Incorporate automation to understand data flows
  • Integrate segmentation testing into your security strategy
  • Learn everywhere microsegmentation is in use, especially with containers, cloud, and other dynamic/ephemeral environments
  • Update upcoming pen test plans with recent changes and requirements; pen testing requirements are not static
  • Update risk and threat models to include new attack types and scenarios that were not previously known or enumerated

Written by Katherine Teitler, Director of Content

Katherine Teitler leads content strategy and development for Edgewise Networks. In her role as Director of Content she is a storyteller; a translator; and liaison between sales, marketing, and the customer. Prior to Edgewise, Katherine was the Director of Content for MISTI, a global training and events company, where she was in charge of digital content strategy and programming for the company's cybersecurity events, and the Director of Content at IANS, where she built, managed, and contributed to the company's research portal.