by Hari Krishnan
The threat landscape is growing more sophisticated with the rise of ransomware, web-based malware, botnets and phishing emails, resulting in significant financial loss and data breaches. Recent malware like the WannaCry ransomware, which spread through lateral movement, shows the importance of proper segmentation at both the branch and the datacenter to contain lateral spread, and the need for a new analytics-based approach to detect and respond to such zero-day attacks. The recent massive data breach at Equifax is a reminder to organizations of the importance of patching and quickly closing security vulnerabilities to secure key data before an attacker can use those gaps to steal personal information. Organizations continue to get breached despite investments in security. Clearly there are gaps in organizations' current security model for these attacks to happen.
The current manual, perimeter-centric and reactive security model cannot effectively secure an organization's data from emerging security threats in the cloud era. Software-defined, workload-centric security using microsegmentation provides significant benefits by reducing the attack surface and limiting lateral movement of malware (such as WannaCry) inside the datacenter and cloud. Organizations nevertheless need a comprehensive security model that spans the enterprise, across hybrid cloud, datacenter and branch networks, and goes beyond segmentation inside the datacenter, because some attacks will invariably reach datacenter and cloud environments through infected branch devices. Gartner defined a new security approach called adaptive security architecture, one that goes beyond traditional prevention and detection and includes response based on continuous monitoring and analytics. This adaptive security model suggests that organizations move from an "incident response" mindset to "continuous response" to defend against the new wave of security threats.
So how can an organization move towards a holistic adaptive security model across its entire IT estate, securing assets and data whether they reside on-premise in the enterprise datacenter or in the public cloud, while defending against the new wave of malware trying to reach enterprise data from compromised branch user devices? This is where a software-defined security approach using a software-defined network (SDN) platform can play a pivotal role. An SDN security solution, based on a unified, intent-based security policy automation and visibility platform, can enable enterprise-wide software-defined segmentation, visibility, threat detection, and dynamic response for securing hybrid cloud and datacenter environments, including containers, VMs and bare-metal, as well as branch networks.
SDN is policy-driven, secure, automated and highly scalable, and thus well suited to the multifaceted security requirements of dynamic, heterogeneous environments. The SDN architecture shown below is based on a centralized policy and analytics engine that provides a high-level, intent-based security policy abstraction: policies are defined in a language tied to workloads rather than to lower-level networking constructs such as IP addresses or VLANs. The SDN policy engine takes the higher-level policy and programs the network through an SDN controller.
The policies themselves can be enforced at a wide range of policy enforcement points in hybrid cloud datacenter environments as well as branch networks. These policy enforcement points also act as flow data sources for real-time analytics. An SDN-based approach offers security without changes to the underlying physical network infrastructure or to the workloads, and can support a wide range of endpoints such as containers, VMs and bare-metal. An SDN-based security approach enables organizations to prevent, detect and respond to security threats in an automated manner and so move towards an adaptive security model.
Let's look at how the SDN-based software-defined security architecture above can address each of these key areas of security: prevention, detection and response.
Prevent: Segmentation and Policy Enforcement
SDN provides contextual flow visibility, policy enforcement, and automation to enable a whitelist security model in which only explicit connections are allowed, such as connections between different application tiers in hybrid environments or access by select corporate branch users to business applications. SDN-based virtual switches can act as distributed virtual firewalls that enforce security policies close to the workloads. Because they see all traffic between workloads, they can help discover valid flows and derive whitelist policies for controlling access between workloads in the hybrid cloud as well as user access to applications from the branch. These whitelist policy recommendations can be reviewed and enforced both in the SDN layer and in other existing security controls such as firewalls. This further secures the application environments and reduces the attack surface: should one application tier workload be compromised, attackers cannot easily traverse to other applications. The right SDN architecture can enable unified policy definition, security automation, and policy enforcement across heterogeneous workload types (VMs, containers, bare-metal) in datacenters and cloud, as well as branch networks.
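The whitelist (allowlist) model described above, as an added example that is not part of the original post or any vendor's product: flow records observed during a discovery period are collapsed into rules keyed on workload labels (the "intent" layer) rather than IP addresses, and every later flow is evaluated default-deny against those rules. The workload inventory, the tier names and the flow records are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed workload inventory: each workload is identified by a label
# (its application tier), which is what the policy is written against.
# Addresses and tier names are made up for this example.
WORKLOADS = {
    "10.0.1.10": {"tier": "web"},
    "10.0.1.11": {"tier": "web"},
    "10.0.2.10": {"tier": "app"},
    "10.0.3.10": {"tier": "db"},
    "192.168.5.20": {"tier": "branch-user"},
}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


# Constructed flow records as a virtual switch might export them during a
# discovery period, before any policy is enforced.
OBSERVED_FLOWS = [
    Flow("10.0.1.10", "10.0.2.10", 8080),
    Flow("10.0.1.11", "10.0.2.10", 8080),
    Flow("10.0.2.10", "10.0.3.10", 5432),
    Flow("192.168.5.20", "10.0.1.10", 443),
    Flow("192.168.5.20", "10.0.1.11", 443),
]


def register_workload(ip, tier):
    """Add a workload to the inventory, e.g. when a tier scales out."""
    WORKLOADS[ip] = {"tier": tier}


def label_of(ip):
    """Map an address to its workload tier; unknown endpoints get 'unknown',
    which no rule ever matches, so they are denied by default."""
    return WORKLOADS.get(ip, {}).get("tier", "unknown")


def recommend_policy(flows):
    """Collapse observed flows into label-based allow rules.

    Each rule is (src_tier, dst_tier, proto, dst_port). Two web VMs talking
    to the app tier on 8080 become a single rule, so the policy follows the
    workloads when they scale or move rather than their addresses.
    """
    rules = set()
    for f in flows:
        rules.add((label_of(f.src_ip), label_of(f.dst_ip), f.proto, f.dst_port))
    return sorted(rules)


def is_allowed(rules, flow):
    """Default-deny evaluation: a flow passes only if a rule explicitly matches."""
    key = (label_of(flow.src_ip), label_of(flow.dst_ip), flow.proto, flow.dst_port)
    return key in set(rules)


if __name__ == "__main__":
    recommended = recommend_policy(OBSERVED_FLOWS)
    for rule in recommended:
        print("allow", rule)
    print("web -> db direct:", is_allowed(recommended, Flow("10.0.1.10", "10.0.3.10", 5432)))
```

The recommended rules are what an operator would review before pushing them to the SDN layer or an existing firewall. Note that a new web VM registered with the same tier label is covered by the existing web-to-app rule without any policy change, while a web workload talking straight to the database, a path never observed, is denied.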
Detect: Contextual Flow Visibility and Near Real-Time Security Analytics
But enforcing granular, workload-centric policy and microsegmentation is only part of the solution. Once granular policies are defined, it is important to continuously monitor what is going on in the network to detect new threats. This is another area where SDN can help, by applying contextual flow analytics to traffic flows between workloads and from branch locations in near real time. In addition, the SDN layer can provide a rich set of analytics based on a wide range of traffic metrics as well as policy violations, which can be used to detect anomalies and generate near real-time alerts.
Respond: Automate Response based on Security Analytics
Analysts today are overwhelmed by the huge volume of events generated by security devices. Often, by the time they get to the one or two alerts that are the needle in the haystack, the damage is already done. An SDN-based software-defined security approach can combine rich network-flow SDN analytics, the logical context of the workload, and policy analytics (e.g., policy violations) to trigger automated security policy actions, such as service-chaining advanced security services or mirroring select traffic to intrusion detection systems (IDS) and security analytics tools for further analysis and detection of advanced malware. Once malware is detected on an endpoint, these systems can use the SDN policy APIs to quarantine the infected endpoint.
To summarize, organizations need to move towards a proactive, software-defined, adaptive security model to combat the new wave of security threats and protect their key assets and data. An SDN-based software-defined adaptive security approach addresses the entire IT environment, from datacenter and cloud workloads (including VMs, containers and bare-metal) to branch networks. Implementing this strategy not only provides isolation and microsegmentation to reduce the attack surface, but can also reduce the likelihood of data breaches and attacks through early detection and automation of incident response.
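The detect-and-respond loop of the two sections above, as an added example that is not from the original post or any particular SDN product: flow events are scanned for the lateral-spread signature that WannaCry-style worms leave in flow telemetry (one host reaching many distinct peers on the same port inside a short window), and each alert is turned into an intent-level quarantine policy that an orchestrator would hand to the SDN controller's policy API. The flow events, the threshold and window values, the remediation server address, the IDS sensor name and the policy document format are all constructed for the example; a real controller's API schema would differ.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowEvent:
    ts: float      # seconds since an arbitrary epoch
    src_ip: str
    dst_ip: str
    dst_port: int


# Constructed flow events from a branch segment. 10.9.0.7 reaches six peers on
# one port within a second; 10.9.0.20 shows ordinary traffic; 10.9.0.30 reaches
# six peers but spread over ten minutes, which a short window must not flag.
EVENTS = (
    [FlowEvent(100.0 + i * 0.2, "10.9.0.7", f"10.9.0.{10 + i}", 445) for i in range(6)]
    + [FlowEvent(105.0 + i, "10.9.0.20", f"10.9.0.{50 + i}", 443) for i in range(3)]
    + [FlowEvent(i * 100.0, "10.9.0.30", f"10.9.0.{60 + i}", 22) for i in range(6)]
)

FANOUT_THRESHOLD = 5      # distinct peers on one port (constructed tuning value)
WINDOW_SECONDS = 60.0     # sliding window length (constructed tuning value)
REMEDIATION_SERVER = "10.200.0.5"   # hypothetical host a quarantined endpoint may still reach
IDS_SENSOR = "ids-sensor-1"         # hypothetical mirror target


def detect_fanout(events, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Count distinct destinations per (source, port) inside a sliding window.

    One alert per offending (source, port) pair, raised at the first window
    that crosses the threshold.
    """
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_key[(e.src_ip, e.dst_port)].append(e)
    alerts = []
    for (src, port), evs in by_key.items():
        for i, start in enumerate(evs):
            peers = {e.dst_ip for e in evs[i:] if e.ts - start.ts <= window}
            if len(peers) >= threshold:
                alerts.append({"type": "lateral_fanout", "host": src,
                               "port": port, "peers": len(peers), "ts": start.ts})
                break
    return alerts


def quarantine_policy(host):
    """Build an intent-level quarantine for one endpoint (hypothetical schema).

    Rule order matters: the endpoint keeps a path to the remediation server,
    its remaining traffic is mirrored to the IDS for analysis, and everything
    else to or from it is denied.
    """
    return {
        "name": f"quarantine-{host}",
        "rules": [
            {"action": "allow", "src": host, "dst": REMEDIATION_SERVER, "port": 443},
            {"action": "mirror", "src": host, "dst": "any", "to": IDS_SENSOR},
            {"action": "deny", "src": host, "dst": "any"},
            {"action": "deny", "src": "any", "dst": host},
        ],
    }


def respond(alerts):
    """Map alerts to policy documents; in a deployment each document would be
    posted to the SDN controller's policy API. Unknown alert types are left
    for an analyst rather than acted on automatically."""
    return [quarantine_policy(a["host"]) for a in alerts if a["type"] == "lateral_fanout"]


if __name__ == "__main__":
    found = detect_fanout(EVENTS)
    for a in found:
        print("alert:", a)
    for policy in respond(found):
        print("push policy:", policy["name"], "with", len(policy["rules"]), "rules")
```

The threshold and window are the knobs an operator tunes against the environment's normal fan-out (a monitoring host legitimately reaches many peers, and would be excluded by an allowlist before this logic runs). The quarantine keeps a single outbound path so the endpoint can be remediated and mirrors its traffic to the IDS, which matches the response actions the text lists.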