A recent report from Rapid7 suggests that organizations aren’t doing enough to protect their networks. The report aggregates the results of 128 penetration tests performed for large and small enterprises in a variety of industries. In more than 80 percent of the tests, the penetration testers were able to break into the network. More than two-thirds of the breaches were never detected.
These sobering statistics point to an equally sobering reality: perimeter security is no longer enough. While it’s still important to try to prevent unauthorized network access, it’s equally critical to take steps to minimize the damage in the likely event that a hacker finds a way inside.
Consider the problem of advanced persistent threats (APTs), in which a hacker infiltrates an organization’s network and operates undetected for weeks or months. The hacker might gain access by obtaining a legitimate user’s credentials through social engineering or a phishing attack. Once inside, the hacker uses a sophisticated combination of techniques to evade detection.
Of course, a majority of attacks begin on the inside. According to the 2016 Cyber Security Intelligence Index by IBM X-Force Research, 60 percent of all cyberattacks were carried out by insiders, up from 55 percent in 2014. Two-thirds of insider attacks (44.5 percent of all attacks) were carried out by malicious actors, who have the opportunity to operate undetected for longer periods of time than external hackers.
What happens when a malicious actor gets past the network perimeter? Unless the network is segmented, an intruder will have ample opportunity to access virtually any applications and data. In the Target data breach, for example, hackers entered the network using credentials stolen from a subcontractor, working their way to point-of-sale (POS) devices where they stole credit and debit card data. Security experts have stated that a lack of network segmentation was a primary cause of that breach.
Network segmentation subdivides the network so that a malicious actor cannot move about freely. The most sensitive systems are placed in their own network segment with strict security controls. In the Target example, network segmentation would have isolated POS systems from the applications the subcontractor needed to access, preventing or at least deterring the breach. That’s why regulations such as the Payment Card Industry Data Security Standard include guidance on network segmentation.
As organizations continue to expand their networks to support the Internet of Things (IoT), mobile devices and cloud-based applications, network segmentation can significantly reduce the attack surface. It also enables organizations to isolate legacy systems that perform essential functions but pose security threats.
The problem is that network segmentation is difficult to implement and even more difficult to maintain. Organizations must identify the security requirements of various systems, group those that are related and determine who should and should not have access. Access policies must continually be updated, creating a significant burden for network administrators.
Cisco TrustSec software-defined segmentation addresses these challenges. With TrustSec, administrators assign users to security groups based upon access policies, which are applied consistently across the network through software. TrustSec makes security policy changes 98 percent faster than traditional methods, with an 80 percent reduction in operational efforts.
In today’s threat environment, organizations must take steps to contain attacks that successfully breach perimeter security defenses. Let us show you how Cisco TrustSec software-defined segmentation enables policy-based protection of your sensitive applications and data.