Securing the Enterprise Data Center: Why a Fundamentally New Approach is Needed
Over the last decade the modern data center has changed dramatically with the spread of virtualization, software-defined networks (SDNs) and public clouds, raising a host of new security challenges. Having evolved into dynamic, complex environments with exceptionally high traffic rates, the typical enterprise data center has become increasingly hard to protect against advanced external threats. And while the number of external threats measures in the millions, an attacker only needs to succeed once to cause significant damage and loss. Simply put, there is a significant disconnect between the prevention tools traditionally deployed at the perimeter and on endpoints to protect the data center and the growing sophistication of the threats we face. As such, a fundamentally new approach to securing the data center is required.
There are several reasons why current solutions are not providing adequate levels of security.
1. The complex, dynamic and virtualized nature of modern data center architectures. As data centers have become increasingly virtualized, complexity has grown, making it difficult for security teams to gain the visibility into network and application flows needed to define and deploy granular security policies for east-west (server-to-server) traffic.
2. The accelerating speed and scale of traffic, which has swollen to multi-terabit levels. At these rates, traditional security technologies such as intrusion detection and prevention systems (IDS/IPS) and next-generation firewalls, which rely on deep packet inspection (DPI) and signature-based detection, cannot keep pace with today's traffic volumes, particularly for east-west traffic that never crosses a perimeter choke point.
3. Hybrid infrastructures spanning private and public clouds. The same data center may have servers and workloads both on-premises and in a public cloud, which makes securing them consistently all the more challenging: few existing security controls can be replicated across both environments, which introduces technical hurdles and makes security management more cumbersome.
4. The sophistication and menace of advanced persistent threats (APTs). Attackers are no longer "script kiddies" or "lone wolves"; many are affiliated with organized crime groups that can make significant investments in technology and lure the best talent with the promise of large financial payouts. Hacking has become a professional, well-funded industry.
What’s Needed to Secure the Data Center?
It is a foregone conclusion that attacks will eventually get past traditional blocking and prevention mechanisms, which places a premium on the ability to rapidly detect and respond to a breach when it does occur. According to Mandiant, the average time to detect a breach is over 200 days, and in 67 percent of cases the breach is discovered by an external party rather than by the victim's own security team.
As sophisticated attacks become increasingly capable of invading and moving laterally within the data center, the perimeter is no longer a sufficient barrier.
As a result, real-time breach detection is essential, and it must have an extremely low false-positive rate, because typical security teams have very limited time and resources to investigate every potential incident. The detection function must cover all VM-to-VM traffic and scale to massive east-west traffic rates.
An effective security strategy must begin with the ability to quickly understand the full nature of the attack: how it spreads, its footprint, and where it has already spread. This includes automated analysis that helps security teams confirm and prioritize the incidents that require rapid response. Once incidents are prioritized, automated mitigation mechanisms, such as containing the threat by isolating compromised systems, let security teams respond faster and limit the damage. Response should include stopping the spread of the attack in real time and remediating infected hosts.
A comprehensive data center security platform must possess the agility and programmability of the cloud itself to detect and respond to attacks at an early stage, as lateral movement begins. It should treat policy violations and suspicious process-level communications as hints about which connections to investigate more deeply, and it should also look for tell-tale malicious behavior such as backdoor installation, brute-force login attempts, and log file tampering.
Based on our experience, we believe that next-generation data center security solutions should possess the following features and capabilities:
• Visibility into data center flows – automatic discovery and visualization of all network and application flows down to the process level, giving deep visibility into communications inside the data center.
• Micro-segmentation policy – allowing IT and security teams to define granular security policies between applications, down to the process level, and to monitor those policies for deviations and suspicious activity. Deviations from the defined policy should be presented both visually and as detailed security incidents, pre-prioritized for investigation.
• Distributed and dynamic threat deception – decoys that can engage, record, and monitor active attacker sessions, watching for malicious behavior and gaining insight into attacker methods and spread.
• Real-time forensics – enabling full visibility into and understanding of attacker behavior during an incident.
• Automated response – real-time isolation of compromised systems and remediation of infected files and servers, stopping an attack early, before it spreads and causes further damage.
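To make the micro-segmentation, prioritization and automated-response capabilities above concrete, the following is an added example written for this page; it is not code from the original article or from any vendor's product. It keeps a whitelist of allowed process-level flows between application tiers, reports every deviation as a pre-prioritized incident, escalates repeated refused connections as brute-force or scanning activity (the behavior the previous section calls out), and attaches a response decision to each incident. The tier names, policy rules, thresholds and flow records are all constructed assumptions.

```python
"""Micro-segmentation policy monitor (added example; constructed sample data).

A whitelist of allowed process-level flows between tiers; observed flows that
deviate become prioritised incidents, repeated refused connections are escalated
as brute-force/scan activity, and each incident carries a response decision.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src_app: str   # application tier that initiates the connection
    dst_app: str   # application tier that receives it
    dst_port: int
    process: str   # executable on the source side expected to open the socket


@dataclass(frozen=True)
class Flow:
    ts: int        # seconds since epoch (constructed)
    src_vm: str
    src_app: str
    dst_vm: str
    dst_app: str
    dst_port: int
    process: str
    outcome: str   # "established" or "refused"


@dataclass
class Incident:
    severity: int  # 3 = high, 2 = medium
    kind: str
    src_vm: str
    detail: str
    action: str = ""


# Constructed policy for a three-tier application (web -> app -> db) plus monitoring.
POLICY = {
    Rule("web", "app", 8080, "nginx"),
    Rule("app", "db", 5432, "java"),
    Rule("monitor", "web", 9100, "prometheus"),
    Rule("monitor", "app", 9100, "prometheus"),
    Rule("monitor", "db", 9100, "prometheus"),
}
SENSITIVE_TIERS = {"db"}    # deviations towards these tiers are always high severity
BRUTE_FORCE_THRESHOLD = 5   # refused attempts from one VM to one VM:port ...
WINDOW = 60                 # ... within this many seconds


def classify(flow, policy=POLICY):
    """Return None for a policy-conformant flow, else the kind of deviation."""
    if Rule(flow.src_app, flow.dst_app, flow.dst_port, flow.process) in policy:
        return None
    # Tier pair and port are allowed but a different process opened the socket:
    # typically an implant or interactive shell reusing a permitted path.
    if any(r.src_app == flow.src_app and r.dst_app == flow.dst_app
           and r.dst_port == flow.dst_port for r in policy):
        return "unexpected_process"
    return "unauthorised_flow"


def evaluate(flows, policy=POLICY):
    """Turn a batch of observed flows into incidents sorted by severity (high first)."""
    incidents = {}                # one incident per (kind, src_vm, dst_vm, dst_port)
    refused = defaultdict(list)   # (src_vm, dst_vm, dst_port) -> recent refused timestamps
    for f in sorted(flows, key=lambda x: x.ts):
        kind = classify(f, policy)
        if kind:
            sev = 3 if f.dst_app in SENSITIVE_TIERS else 2
            key = (kind, f.src_vm, f.dst_vm, f.dst_port)
            incidents.setdefault(key, Incident(
                sev, kind, f.src_vm,
                f"{f.src_app}/{f.process} -> {f.dst_app}:{f.dst_port} ({f.outcome})"))
        if f.outcome == "refused":
            k = (f.src_vm, f.dst_vm, f.dst_port)
            refused[k] = [t for t in refused[k] if f.ts - t < WINDOW] + [f.ts]
            if len(refused[k]) >= BRUTE_FORCE_THRESHOLD:
                incidents[("brute_force",) + k] = Incident(
                    3, "brute_force", f.src_vm,
                    f"{len(refused[k])} refused connections to {f.dst_vm}:{f.dst_port} "
                    f"within {WINDOW}s")
    ranked = sorted(incidents.values(), key=lambda i: -i.severity)
    for inc in ranked:
        # High-severity incidents quarantine the source VM automatically; the rest
        # are queued for an analyst.
        inc.action = "isolate_vm" if inc.severity == 3 else "ticket"
    return ranked


# Constructed observations: a normal baseline, then three deviations.
SAMPLE_FLOWS = [
    Flow(1000, "web-1", "web", "app-1", "app", 8080, "nginx", "established"),
    Flow(1001, "app-1", "app", "db-1", "db", 5432, "java", "established"),
    Flow(1002, "mon-1", "monitor", "db-1", "db", 9100, "prometheus", "established"),
    # web tier reaching the database directly from a shell: not in policy at all
    Flow(1003, "web-1", "web", "db-1", "db", 5432, "bash", "established"),
    # permitted app -> db path, but opened by bash instead of the java service
    Flow(1004, "app-1", "app", "db-1", "db", 5432, "bash", "established"),
] + [  # six refused SSH attempts from web-2 to app-1 inside one minute
    Flow(1010 + i, "web-2", "web", "app-1", "app", 22, "ssh", "refused") for i in range(6)
]

if __name__ == "__main__":
    for inc in evaluate(SAMPLE_FLOWS):
        print(f"sev={inc.severity} {inc.kind:18} {inc.src_vm:6} {inc.action:10} {inc.detail}")
```

Run as a script it prints four incidents: the two deviations towards the database tier and the SSH brute-force attempt rank high and are marked for isolation, while the unauthorized but non-sensitive web-2 to app-1 SSH flow is merely ticketed. The important design point is that an allowed tier pair and port is not enough; the process that opened the socket is part of the rule, which is what lets the monitor distinguish the service binary from a shell reusing its path.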
Attackers will get through, and security must move closer to the workloads it protects. A distributed strategy that offers continuous visibility and protection within the fabric of the data center is the best way to secure it. Detection is key to defense: finding the "needle in the haystack" amidst massive, dynamic traffic volumes. The right solutions provide security visibility, enable effective segmentation and micro-segmentation, and detect breaches once they have occurred but before they cause serious damage, identifying infected servers, isolating them, and rendering them harmless while the breach is mitigated and the loss of information is prevented.