Attackers require only one success to gain entrance to the entire data center; a breach is typically “game over.” Due to the complex and dynamic nature of modern data centers, along with very high traffic rates, organizations face significant challenges in gaining visibility into application communications and putting proper controls in place to secure east-west (server-to-server) traffic. Such traffic now represents over 80 percent of all traffic inside the data center. This means that data center security architecture must be re-evaluated in order to meaningfully address security, shifting focus to application-layer visibility, granular micro-segmentation, real-time detection and automated response. An effective approach must secure a heterogeneous, dynamic environment with extremely heavy traffic rates.
Aligned with the Gartner model of Adaptive Security Architecture, the GuardiCore Centra™ Security Platform helps address this interior data center security challenge by providing a unique combination of process-level visibility, threat deception, semantic-based analysis and automated response. The Centra Security Platform detects, investigates and mitigates data center threats in real time, reducing exposure, risk, and cost. Its distributed architecture offers full coverage of all traffic inside data centers and scales to very large network sizes and traffic rates, with low impact on hypervisor server performance.
Hybrid cloud and multi-vendor environments
Organizations often locate their assets in hybrid private and public clouds, and in multiple network and compute environments. The same data center may have servers and workloads both on-premises and in a public cloud. On-premises locations may mix multiple infrastructure types, including legacy “bare metal” servers, VMware ESXi, VMware NSX, OpenStack, Cisco ACI switches, containers, and so on. Securing each of these assets is extremely challenging, and an effective and efficient security solution should cover all of them with a single platform. Legacy security tools don’t offer sufficient levels of agility, flexibility, and visibility for a highly diversified and active data center.
Attacker sophistication is growing
While security approaches are being challenged by rapid data center evolution, the sophistication and menace of advanced persistent threats (APTs) have taken a leap. The adversaries are no longer hacker “script kids.” Lured by huge financial payoffs, organized crime is making major investments in attack tools and teams. Hacking itself has become a professional, well-funded industry.
Ingredients of security inside data centers
The limitations of prevention
Since the early 1990s, most organizations have relied on preventive perimeter defenses, which are designed to keep threats out of the corporate network. These include, but are not limited to, next-generation firewalls, IDP, and sandboxing. While perimeter security remains relevant, it has been outpaced too often by hackers’ ingenuity and aggressiveness.
Internal data center segmentation tools, including VLAN separation and endpoint firewalls, can limit unapproved communication between servers. Micro-segmentation, a state-of-the-art technique involving advanced distributed firewalls, increases the ability to enforce policies on the communication inside data centers.
Separation needs to be dynamic and agile, and must work inside both VLANs and hypervisors. Implementing micro-segmentation within a data center is no simple task, especially in “brownfield” deployments (upgrades or additions to existing networks that use some legacy components). In these environments, the IT and security teams must first discover and analyze existing intra-application connections, and make sure that newly installed separation policies will not break existing applications.
Costly consequences: the epidemic of data breaches
The direction, cost, and frequency of cyber attacks are climbing to record levels. The Ponemon Institute reported in 2015 that the total average direct cost of a data breach is now $3.8 million, up from $3.5 million a year ago, with the cost of each lost or stolen record up 6 percent.² Direct costs include hiring experts to fix the breach, investigating the cause, setting up hotlines for customers, and offering credit monitoring to victims. Indirect costs can go even higher in terms of lost business and goodwill as current and potential customers depart following a breach.
Data Center Security Gap: Detection and Response
Due to the issues already discussed in this paper, some attacks will inevitably breach traditional blocking and prevention mechanisms, putting more emphasis on the ability to rapidly detect and respond to a breach when it does occur. According to Mandiant, the average time to detect a breach is over 200 days, and in 67 percent of these cases, attacks are actually discovered externally.
To properly secure data centers, it’s important to note that attackers operate differently once inside the data center than at the perimeter: a server does not infect another server by sending an email with a document to open or a link to follow. Rather, lateral movement between machines inside a data center is more likely to use a password harvested at an earlier stage of the attack. Use of zero-day vulnerabilities is also more common inside data centers than at the perimeter. A security solution within the data center must be designed to detect and respond to these attack vectors.
GuardiCore delivers process-level visibility, breach detection, and response that work inside today’s dynamic data centers
When an organization wishes to implement micro-segmentation, its team now confronts thousands of virtual machines running applications written by many people, some of whom have already left the company. So which applications should be allowed to talk to which others? If a rule blocks two machines from talking, will it take a toll on legitimate communications?
Internal breach detection identifies and informs
The GuardiCore Centra Security Platform leverages state-of-the-art cloud agility and programmability to detect and respond to attacks at an early stage, as they begin lateral movement. It reacts to such “hints” as policy violations and suspicious activity in process-level communications, so it knows which connections to investigate more deeply. The platform also seeks out malicious behavior such as backdoor installation, brute-force attempts, and log file manipulation. It confirms active breaches for fast prioritization and creates a footprint, which is then used to scope the impact by automatically identifying compromised systems across the data center.
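The two uses of a process-level allow-list described above, validating a proposed micro-segmentation policy against discovered connections before enforcing it in a brownfield network, and treating non-matching flows as policy-violation hints afterwards, come down to the same check. The following is an added illustration, not GuardiCore code or any Centra API; the tier labels, addresses, record format and flows are constructed for the example.

```python
"""Check observed east-west flows against a proposed allow-list policy.
Constructed example; tiers, addresses and flows are hypothetical."""
from dataclasses import dataclass

# Hypothetical asset inventory: IP -> application tier label.
LABELS = {
    "10.0.1.10": "web", "10.0.1.11": "web",
    "10.0.2.20": "app",
    "10.0.3.30": "db",
}

# Proposed allow-list: (src tier, dst tier, dst port, server process).
# Once enforced, every flow that matches no tuple here is dropped.
POLICY = {
    ("web", "app", 8080, "java"),
    ("app", "db", 5432, "postgres"),
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proc: str  # listening process observed on the destination host

def parse_flow(line):
    """Parse one constructed record: 'src=... dst=... dport=... proc=...'."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return Flow(kv["src"], kv["dst"], int(kv["dport"]), kv["proc"])

def tier(ip, labels=LABELS):
    return labels.get(ip, "unlabeled")

def evaluate(lines, policy=POLICY, labels=LABELS):
    """Return (allowed, blocked). Before enforcement in a brownfield network,
    'blocked' lists existing connections the policy would break; after
    enforcement it lists violations worth investigating."""
    allowed, blocked = [], []
    for f in map(parse_flow, lines):
        key = (tier(f.src, labels), tier(f.dst, labels), f.dport, f.proc)
        (allowed if key in policy else blocked).append(f)
    return allowed, blocked

# Constructed flow records, as a collector or host agent might report them.
SAMPLE = [
    "src=10.0.1.10 dst=10.0.2.20 dport=8080 proc=java",
    "src=10.0.2.20 dst=10.0.3.30 dport=5432 proc=postgres",
    "src=10.0.1.11 dst=10.0.3.30 dport=5432 proc=postgres",  # web -> db, bypasses app tier
    "src=10.0.9.99 dst=10.0.2.20 dport=22 proc=sshd",        # unlabeled host, SSH into app tier
]
```

Run `evaluate(SAMPLE)` before enforcement: the two blocked flows are either legitimate links the policy must be extended to cover or exactly the kind of lateral-movement hint the text describes.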