With the frequency and sophistication of cybersecurity attacks increasing, proactive network security is vital. Many enterprise IT teams are stuck in a reactive cycle due to a lack of time and resources.
Microsegmentation through a centralized network management solution hardens enterprise network security while minimizing the need for manual network configurations. This frees up IT teams to pursue other business-critical goals and provides peace of mind.
The Threat Landscape
Enterprises remain prime targets for cyber attackers in a variety of areas. According to the Cisco 2018 Annual Cybersecurity Report, cybercriminal activity is increasing on three primary fronts:
- Malware: Ransomware is on the rise, using sophisticated cryptoworms to spread across networks. Self-propagating wiper malware like Nyetya, which affected more than 2000 Ukrainian companies, leads to expensive downtime and loss of data and causes almost irreparable damage to an enterprise’s reputation.
- Improved evasive tactics: Bad actors are using encryption to evade detection, while concealing command-and-control (C2) activity by using legitimate internet services such as Dropbox and GitHub.
- Exploiting the expansion of IoT: The exploding number of IoT devices gives consumers unprecedented access to technology, but the flip side is that cybercriminals are taking advantage of unmonitored and unpatched IoT devices to infiltrate networks.
Using proactive enterprise network security solutions ensures threats are contained and isolated without increasing the workload of IT teams.
Proactive Network Security with Microsegmentation
Microsegmentation expands on industry-standard segmentation practices. Traditional network segmentation typically relies on hardware firewalls that allow or deny access based on IP addresses, whereas microsegmentation integrates security into a virtual network. When network security is tied to a physical environment, policies can break down whenever that environment changes. Every change requires manual involvement, which takes up valuable time and is vulnerable to human error.
Traditional network segmentation also focuses on traffic coming in and out of your firm. Microsegmentation allows you to better control the flow of traffic within your firm, isolating security breaches and minimizing damage.
With microsegmentation, you create policies that are inherited automatically. You may want to consider a zero-trust security model, which only allows network traffic when your security policies explicitly permit it. These policies are synchronized with a virtual network, and they can be applied to users, networks, applications, or devices. When your team makes changes to the network, the security policies persist, eliminating time-consuming manual configurations.
Implementing Microsegmentation with SD-Access
To implement microsegmentation at a granular level, you need an effective tool for network virtualization. Software-defined networking (SDN) provides you with a centralized view of your network, allowing your team to easily create and implement security policies without dealing with IP addresses, access lists, and VLANs.
SD-Access is Cisco’s software-defined network solution. It makes microsegmentation a more efficient process for your IT team. It provides automated, end-to-end segmentation down to the user, device, and application level.
SD-Access integrates your wired and wireless networks into a virtual fabric. It maps your network and allows you to easily separate user or device groups within a virtual network. Policy provisioning is a simple process, and it’s based on groups set up using the Cisco Identity Services Engine (ISE).
In SD-Access, applications, devices, and users are associated with groups. These groups can be created by static assignment or dynamically through 802.1X. Policy groups are not based on IP addresses: users can be in the same subnet or network and still have the group-based policy applied to them.
The next level of microsegmentation is at the network level. The virtualization created by SD-Access allows you to create multiple, self-contained virtual networks. You can drag and drop groups into a self-contained virtual network, which is contained within your overall network.
For example, your team may create a guest VN with a guest group that is isolated from your corporate group. The only way they could communicate is if you explicitly configure a connection between the groups. If needed, you can easily quarantine threats within your network and prevent groups from communicating with quarantined segments of your network.
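The group-based, default-deny model described in the last three paragraphs, as an added toy example (not Cisco's SD-Access or ISE code): endpoints carry a group and a virtual network (VN), flows are decided on those attributes rather than on addresses, and an endpoint keeps its policy when it is re-addressed or moved into a quarantine group. All addresses, group names and the `PERMITS` table are constructed for illustration.

```python
"""Toy model of group-based (not IP-based) segmentation policy.
Constructed example; not Cisco's implementation."""

from copy import deepcopy

# Constructed endpoint inventory. Policy is keyed on group and virtual network
# (VN), never on the address, so the address column is incidental.
ENDPOINTS = {
    "10.1.1.10": {"group": "Employees", "vn": "Corporate"},
    "10.1.1.20": {"group": "Guests",    "vn": "Guest"},      # same /24 as the employee
    "10.1.2.5":  {"group": "Printers",  "vn": "Corporate"},
}

# Explicit (source group, destination group) permits. Zero trust: any pair
# that is not listed here is denied.
PERMITS = {
    ("Employees", "Employees"),
    ("Employees", "Printers"),
}

QUARANTINE = "Quarantine"   # hypothetical group name used for isolation


def decide(endpoints, src_ip, dst_ip):
    """Return (action, reason) for a flow, evaluated on group/VN attributes."""
    src, dst = endpoints[src_ip], endpoints[dst_ip]
    if QUARANTINE in (src["group"], dst["group"]):
        return "deny", "quarantined endpoint"
    if src["vn"] != dst["vn"]:
        return "deny", "separate virtual networks"
    if (src["group"], dst["group"]) in PERMITS:
        return "permit", "explicit group permit"
    return "deny", "no explicit permit (default deny)"


def readdress(endpoints, old_ip, new_ip):
    """Re-address an endpoint; its group and VN travel with it, so policy persists."""
    updated = deepcopy(endpoints)
    updated[new_ip] = updated.pop(old_ip)
    return updated


def quarantine(endpoints, ip):
    """Move an endpoint into the quarantine group; its VN membership is unchanged."""
    updated = deepcopy(endpoints)
    updated[ip] = {**updated[ip], "group": QUARANTINE}
    return updated


if __name__ == "__main__":
    print(decide(ENDPOINTS, "10.1.1.10", "10.1.1.20"))   # same subnet, different VN -> deny
    print(decide(ENDPOINTS, "10.1.1.10", "10.1.2.5"))    # explicit permit -> permit
    moved = readdress(ENDPOINTS, "10.1.1.10", "10.9.9.9")
    print(decide(moved, "10.9.9.9", "10.1.2.5"))          # still permitted after re-addressing
    print(decide(quarantine(ENDPOINTS, "10.1.2.5"), "10.1.1.10", "10.1.2.5"))  # quarantined -> deny
```

Note that the reverse direction (Printers to Employees) is denied because only the listed pair is permitted; a real deployment would decide per direction in the same way.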
If you want to go deeper with network security and get a truly comprehensive view of your network, you may want to consider a centralized network solution such as DNA Center.
Enhancing Security with DNA Center
Cisco’s DNA Center builds on SD-Access and enhances it with additional tools that automate network management and security. DNA Center has an intuitive dashboard that allows you to easily control SD-Access. It has four sections:
- Design: The design section provides a quick visual reference for every level of your network, from global to local.
- Policy: In this section, you create policies based on your business needs, including access control policies, traffic copy policies, and virtual networks.
- Provision: This is where you drag and drop policies, provisioning them to various user groups that you decide. The process is completely automated, eliminating the human errors that lead to security gaps.
- Assurance: DNA Center Assurance uses predictive analytics to monitor your network and find issues before they impact your users. You can see the health of every device on the network easily and see network issues in a timeline view.
In addition to facilitating microsegmentation, DNA Center also includes Stealthwatch, which detects and mitigates threats using machine learning. Stealthwatch can detect malicious patterns in encrypted traffic and detect C2 activities, data exfiltration, and malware.
Integrating Microsegmentation Into Your Network
Microsegmenting your network may initially seem daunting. SD-Access simplifies that process, creating an integrated fabric that’s easy to change according to your business needs. DNA Center furthers that control, adding tools that improve your network performance and harden network security.
At Acadia Technology Group, we provide solutions based on the needs of your business. Our experienced Cisco engineers can help you implement microsegmentation in a way that makes sense for your firm, enhancing your security and giving you peace of mind. Contact us today to find out how we can assist you.