EXECUTIVE BRIEF: WHY YOU NEED NETWORK SECURITY SEGMENTATION TO STOP ADVANCED THREATS

Cyber-attacks require unrestricted access across your network to succeed

Abstract

Modern threats take advantage of all areas of your network to succeed. In order to stop advanced attacks, networks need to be divided into security segments to contain and mitigate threat propagation.

Advanced threats leverage every part of your network

Today’s advanced persistent threats (APTs) are sophisticated, targeted attacks that are evasive and dynamic, leveraging multiple areas of your network as attack vectors.

For example, an APT might leverage email servers for phishing attacks, then use directory servers to gain unauthorized access to exfiltrate data from finance servers, or trigger exploits in applications residing on servers or in the cloud. These attacks might enter your network via unauthorized websites and downloads from wireless laptops, tablets or mobile devices.

In order to succeed, once these attacks breach your security perimeter, they need to roam and propagate freely within your network, as well as transmit information into and out of your network.

Legacy perimeter firewalls alone are insufficient

Earlier firewall practice was to establish a single security perimeter, with everything outside of the perimeter considered to be untrusted and everything inside considered to be trusted. Unfortunately, however, this approach no longer works.

Limiting your security to just one perimeter presents a single point of failure. Breach of that single point enables cybercriminals to apply unauthorized access, malware propagation and sensitive data exfiltration throughout the network. In addition, a firewall that only monitors traffic at the gateway has no visibility or control over the movement and activities of attacks within the perimeter.

Moreover, the nature of the traditional perimeter itself has evolved, with legacy WAN borders extended to encompass mobile, wireless and distributed remote endpoints, as well as resources located in virtual and cloud environments.

Therefore, everything – both outside and inside of the traditional firewall perimeter – must now be considered to be untrusted, and the legacy single perimeter approach has become obsolete.

To protect networks effectively against advanced threats today, a solution must be able to control traffic flow policy based upon logical segments (e.g. WAN, DMZ, VPN, WLAN, etc.) correlated with user role and identity, as well as geographic location, time and other criteria, such as secure switching architecture. It should also tightly integrate with monitoring, visibility and security features such as sandboxing, intrusion detection and prevention, anti-malware and application control.

To address evolving threats, segment policies must be dynamically capable of automating decisions based upon real-time criteria. For example, a segment policy should be able to automatically drop a connection from a user logged into an endpoint in New York who then shows as being logged into an endpoint in San Jose five minutes later.
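The New York / San Jose rule above can be written as an "impossible travel" check over login events. This is an added example, not SonicWall code: the `Login` record, the `evaluate` function, the 1,000 km/h ceiling and the sample events are all assumptions made for illustration.

```python
import math
from dataclasses import dataclass
from datetime import datetime

MAX_KMH = 1000.0  # assumption: anything faster than an airliner is implausible

@dataclass(frozen=True)
class Login:
    user: str
    when: datetime
    site: str
    lat: float
    lon: float

def km_between(a, b):
    """Great-circle (haversine) distance between two logins, in km."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlon = math.radians(b.lon - a.lon)
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def evaluate(events, max_kmh=MAX_KMH):
    """Return (login, decision, reason) per event in time order."""
    last_ok, out = {}, []
    for ev in sorted(events, key=lambda e: e.when):
        prev, decision, reason = last_ok.get(ev.user), "allow", "plausible"
        if prev is not None and prev.site != ev.site:
            hours = (ev.when - prev.when).total_seconds() / 3600
            dist = km_between(prev, ev)
            # No elapsed time between two different sites counts as infinite speed.
            speed = dist / hours if hours > 0 else math.inf
            if speed > max_kmh:
                decision = "drop"
                reason = f"{prev.site} -> {ev.site}: {dist:.0f} km in {hours * 60:.0f} min"
        if decision == "allow":
            last_ok[ev.user] = ev  # a dropped login never becomes the reference point
        out.append((ev, decision, reason))
    return out

def t(hhmm):
    return datetime.fromisoformat(f"2017-03-01T{hhmm}:00")  # constructed date

# Constructed sample events (not from the brief); coordinates are city centres.
NY, SJ = ("New York", 40.7128, -74.0060), ("San Jose", 37.3382, -121.8863)
SAMPLE = [
    Login("alice", t("09:00"), *NY), Login("alice", t("09:05"), *SJ),
    Login("alice", t("09:10"), *NY), Login("bob", t("09:00"), *NY),
    Login("bob", t("17:00"), *SJ),
]
```

Locations derived from IP geolocation are approximate, and a user switching VPN egress points will appear to jump between cities, so the ceiling and the site comparison need tuning against real login data before the rule drops connections automatically.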

The business impact of unsegmented networks

The lack of effective network security segmentation has played a crucial role in a number of high-profile attacks. For instance, in headline-grabbing breaches at both Home Depot and Target, resulting in tens of millions of credit cards being compromised, more effective network security segmentation might have been instrumental in stopping unauthorized access to cardholder data from procurement portals. Likewise, in the breach of Community Health Systems, network security segments could have better inhibited the theft of millions of patients’ personal health information and personal identifier information (PHI/PII).

In addition, business and industry regulations, such as Payment Card Industry Data Security Standard (PCI-DSS), mandate that organizations apply proper network security segmentation in order to stay compliant. For instance, PCI-DSS requires that separate network security segments be established for point-of-sale (POS) systems, Wi-Fi networks (WLANs) and payment card data systems. In addition, policy should be defined and enforced to control access to these segments, as well as what data can be transmitted between them.

Organizations cannot afford to disregard segmentation as a fundamental cornerstone for their network security. And yet, up to 90 percent of IT professionals say their organizations fail to strategically establish segments around business drivers for the latest threats, and 6 percent have no network security segments at all.¹

Administrative considerations

Implementing comprehensive network security segments can be challenging — but nowhere as difficult as recovering from a catastrophic breach or denial-of-service (DoS) attack. Still, there are important administrative considerations to segmentation. For instance, traffic must maintain wire speed between segments to prevent performance and productivity bottlenecks. This can require especially high throughput in data center environments. Another concern is administrative overhead and total cost of ownership (TCO). To alleviate these issues, an appropriate segmentation solution must be easy to deploy in multiple configurations, and be able to be managed transparently over a uniform platform from a single-pane-of-glass console. It must also be highly scalable to rapidly grow and evolve with the business.

Conclusion

Cybercriminals love attacking an unsegmented network. Much as bulkheads compartmentalize sections to prevent the spread of flooding in a ship if its hull is breached, network security segments limit the spread of attacks throughout a network if the primary perimeter is breached. Network security segments are a core element of any effective network defense-in-depth strategy.

Learn more. Discover proven best practices for implementing network security segments as an effective defense against advanced threats. Read our solution brief, “How to stop advanced threats with network security segments.”

Up to 90 percent of IT professionals report their organization fails to strategically set segmentation around business drivers for the latest threats.

¹ “Segmenting for security: Five steps to protect your network” Network World, Nov. 24, 2014

© 2017 SonicWall Inc. ALL RIGHTS RESERVED.

SonicWall is a trademark or registered trademark of SonicWall Inc. and/or its affiliates in the U.S.A. and/or other countries. All other trademarks and registered trademarks are property of their respective owners.

The information in this document is provided in connection with SonicWall Inc. and/or its affiliates’ products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of SonicWall products. EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, SONICWALL AND/OR ITS AFFILIATES ASSUME NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL SONICWALL AND/OR ITS AFFILIATES BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF SONICWALL AND/OR ITS AFFILIATES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SonicWall and/or its affiliates make no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. SonicWall Inc. and/or its affiliates do not make any commitment to update the information contained in this document.

About Us

SonicWall has been fighting the cyber-criminal industry for over 25 years, defending small and medium-sized businesses and enterprises worldwide. Our combination of products and partners has enabled a real-time cyber defense solution tuned to the specific needs of the more than 500,000 businesses in over 150 countries, so you can do more business with less fear.

If you have any questions regarding your potential use of this material, contact:

SonicWall Inc. 5455 Great America Parkway Santa Clara, CA 95054

Refer to our website for additional information. www.sonicwall.com

ExecBrief-WhyYouNeedNetworkSecurity-US-VG-MKTG1150