Micro-Segmentation Deep Dive and Best Practices (1087)

Captions
This is good. That's quite loud, okay. All right, well, good morning everyone. You get the medal for showing up for the 8 a.m. session. I'm not sure if we have enough seats, so for those of you in the back, fill in. Good morning and welcome, and thank you for getting up early this morning to make this session. We're gonna make this interactive and fun, so there are points for participation, so you will be called upon; be ready.

I'm gonna start off the session with just a quick poll, asking where people are on their micro-segmentation journey. So a brief show of hands: how many of you have actually started an implementation around micro-segmentation? So we've got one, two, three, four, wow, okay, ten or so. Awesome. How many of you are interested in implementing micro-segmentation but you're really kind of just figuring it out, not really sure how to get started, want to learn more? Okay, so the majority of you. How many of you keep hearing about it, so you're here to learn more? Okay, a few more hands. How many of you were just wandering by and said, I need a place to crash? Okay, no one.

All right, so here's what we're gonna cover in the presentation today. We're gonna start off with a quick introduction on why micro-segmentation; this is probably a refresher for some of you, maybe you'll learn a couple of things here as well. Then we're gonna jump into approaches to micro-segmentation; Jamin's gonna cover that, as well as some best practices. We've got a couple of video demonstrations for you as well, and then a little bit of a fun analogy that Jamin's put together.

How many have seen this kind of slide or attack before? Anyone that was in the plenary session yesterday, the red team and the blue team: this is exactly what happens, right? Somehow, some way, an attacker finds their way in. If you remember yesterday, the red team was able to get in through a phishing email; here it's a vendor portal. Once the attackers have found a way inside of the environment, they're then able to move and spread laterally inside of the environment. So they can move from the vendor portal into maybe the servers, where they then find a juicy target, in this case the point-of-sale system (in the demonstration yesterday it was the code server), and then finally they exfiltrate the data. So this is a very common attack pattern that attackers like to use, and it depends on the lateral spread inside of the data center.

So networks are really good at doing... I told you there's gonna be participation: what are networks really good at doing? Sorry, it's hard to hear. What they're really good at is connecting things; they're really good at letting things talk to one another, right? So most data center networks are, from a security perspective, relatively flat. So machine A can talk to machine B even if machine A has no need to talk to machine B, right? They're on the same subnet, they're able to ping each other, but they can be part of two completely separate and different applications; but because they're connected to the same network, they're allowed to communicate, and this is exactly what hackers leverage: that ability to move laterally inside of the environment.

So how does micro-segmentation help? The goal of micro-segmentation is to both identify and prevent the spread of unknown threats inside of the data center. So it's about reasserting control over your environment; it's about taking those networks that are really good at connecting everything together and letting you decide, and have visibility and control over, what is allowed to talk to what. There are three goals for micro-segmentation. The first one is around reducing the attack surface; some of you might also hear it called the protect surface, there are different terms that are being thrown around out there in the industry, but it's really about creating these smaller and smaller segments within the network so that if any one of them ends up getting compromised, the attacker's not able to move laterally, or it's very difficult for them to move laterally inside of the data center. The second thing is being able to contain it, right? So once they're able to get in, and they will find a way in, how do you then prevent them from moving to other parts of the data center? How do you contain that compromise and limit that lateral movement? And then the last part is around restricting that outbound connection, and providing visibility into that outbound connection, to prevent the exfiltration of that sensitive data. All right, so micro-segmentation prevents the lateral spread of threats. If there's one thing you take away from this session, if you didn't know what micro-segmentation was before, hopefully you do now.

All right, so this sounds pretty basic, you know, all right, it makes sense, this is something that makes a lot of sense; but when you start looking at these environments that we're all trying to secure, it's actually very difficult to do in practice. So you've got your traditional data centers, you've got a migration into software-defined data centers, you've got this migration into the cloud. So you've got all of these different computing environments; your applications are spread across these different environments, your data is spread across these different environments. You've got a high volume of east-west traffic flows: estimated anywhere between 75 and 80 percent of your traffic ends up being internal and within the data center. So it becomes very challenging to secure these environments because of the hybrid nature, because of the fact that they're constantly changing through automation and orchestration; nothing is static, right? If you remember back, well, I'm older, some of you guys are about my age, if you remember back 20 years, right, it was four walls in a data center and you had a rack and you knew exactly where everything was. If someone said, oh, well, where's the ERP application hosted, you could walk them over and show them the exact server where it was. All of that has changed, right? You've got this virtual world, the VMs are moving all over the place, you've got cloud, you've got containers. It becomes much more challenging to create security policy that works across all of these different environments, and that's one of the things that here at Palo Alto Networks we're very committed to: figuring out how to have consistent security policy that works across all of these different environments. So the key here is that security has to be extended wherever your apps are, and enable that security to work wherever those apps and workloads move to.

So 75% of that traffic flows east-west on flat networks; hackers know this and they exploit it, right? They take advantage of this fact. You saw yesterday that the attacker was gleefully like, all right, I'm in, I'm just gonna be able to move laterally within the network. So being able to prevent that spread is absolutely essential. In addition to some of the trends I've already mentioned, you've also got other things that are happening, right? So I've talked about the data center, public cloud, Internet SaaS apps, but you've got all of these different locations, you've got mobile users, they're working from a variety of different locations, whether it's the home or on the road from the local coffee shop. You've got managed workloads, you've got unmanaged workloads, you've got this new thing, well, not new, it's been around forever, but IoT, right? So you've got all of these different embedded devices, whether they're IP phones or thermostats or controls or badge reader systems; these are all part of the network and they're all points of entry for a potential hacker to get into the environment. So you've got to take into consideration all of these things and make sure that your security is able to work even though your business isn't neatly contained inside those four walls of the data center somewhere, right? It's a highly heterogeneous, highly distributed environment. So again, hackers know and exploit this; these are complicated environments and they're very difficult and very challenging to secure. So how do you figure out where the attacker is going to come in, and how do you prevent them, if they are able to get in, from moving inside of the environment? How do you prevent that lateral spread?

So this is not lost, right, on the compliance bodies that are out there. So the EU, the NIS Directive, to be able to isolate systems; many of you may be familiar with this, particularly those of you that are involved in securing critical infrastructure. Each of the different Member States of the EU have implemented this in their own laws, so ANSSI within France, or the National Cyber Security Centre within the UK, or the Ministry of Information in Germany. So each country is taking that directive and translating it into their local laws; they all require some form of system isolation, that's part of the requirement for being able to secure that critical infrastructure within specific industries. There are other compliance schemes, so SWIFT: if any of you are in the banking industry, then you've got SWIFT infrastructure that needs to be secured. The SWIFT CSP program mandates and requires that the SWIFT system be separated from, isolated from, segmented from the rest of the infrastructure, and the reason for that is if an attacker is able to get in and attack some piece of the network or some piece of the infrastructure, they don't want the attacker to be able to spread and move inside of the SWIFT network. Okay, PCI DSS, so if you're involved in processing credit card transactions, same thing. And then finally Gartner; so Gartner in 2018, I believe it was number 5 on their list of projects to consider for enhancing your security, micro-segmentation. Okay, so you're seeing this from legislative bodies, you're seeing this from industry organisations, and you're seeing this from the analysts: everyone's saying that micro-segmentation is a good idea. Okay, again, great in concept, difficult to implement in practice, and Jamin's
going to walk us through some of the practical approaches that we can use to be able to implement micro-segmentation. So with that, I'm going to shift gears and invite Jamin up to the stage and have him talk through some of the approaches to micro-segmentation.

Thanks Brian. Thanks Brian for wonderfully explaining why micro-segmentation is more important than ever before, but I would like to shift gears a bit and let me have some fun. How many of you have watched Game of Thrones? Come on guys, forty percent of the room, that's it? All right, if you look at Game of Thrones, right, it's micro-segmentation in action, and by the end of this session I will prove to you that it is the same. My goal is to help you here to understand the deep micro-segmentation strategy; when you are in front of your CISO you should be in a position to convince him that the best way to implement micro-segmentation is this way. You may or may not implement all the pieces of it, but whatever bits and pieces you implement, you'll be able to understand that this is just a partial implementation and where the gaps are, right? So that is my goal.

But before we go into Game of Thrones things, because it's a technical breakout session and you guys have paid quite a bit of money to come here, let's talk a little bit more technical here. The cyber security industry and networking industry together have formed four approaches of doing micro-segmentation; these are also called enforcement points. The first one is network fabric. If you are implementing micro-segmentation through network fabric, you may think about this as Cisco ACI, for instance, or Arista CloudVision micro-segmentation; so those are the prime examples of network-fabric-based micro-segmentation. So here you are implementing micro-segmentation inside the network fabric itself. The second one is the hypervisor: VMware NSX, part of software-defined networking technology, and Nutanix Flow are some of the examples of hypervisor-based micro-segmentation implementation. The third one is endpoint agent; here you are not doing enforcement in the network or in the firewall, these are endpoint agents that go into your workload VMs, which is completely agnostic of how you have designed the network. The fourth one is next-gen firewall; obviously this is what we will talk about in this session, but I would like you to understand some pros and cons of each of those four approaches.

If you look at network-fabric-based micro-segmentation, in this scenario the networking and security are very much coupled together; you are using the same network fabric to do the security aspect as well, right? So you are enforcing security via the network, so networking and security are tightly coupled. The exact same thing when you are going with the hypervisor-based micro-segmentation implementation: here again, if you are enforcing micro-segmentation using VMware NSX, the networking is also provided by NSX, security is also provided by NSX, so here again network and security are coupled. If you look at the endpoint-agent-based approach, security and networking are completely decoupled, because these agents are completely agnostic of the network; they do not care how you have designed the network, because they are enforcing the security policies right inside the VMs or the workloads. Next-gen firewall, on the other end, depending on how you are implementing it and how many network functions you want the firewall to perform, networking and security could be coupled or it could be completely decoupled. For instance, if you are putting our firewall in virtual wire mode and not doing any routing, in that case the firewall is just doing a pure security function; it is not participating in anything in the network. So these are the four approaches. Every single vendor out there, they have different definitions of micro-segmentation: if you talk to VMware, if you talk to Cisco, if you talk to us, all the vendors out there, they have different definitions, but the goal is to identify and prevent the lateral movement of the threats; that is the goal that nobody in the industry is disputing. So let's keep that goal as the uber goal here, and let's evaluate these four approaches across two dimensions: the first one is the environment and the second one is the security value.

So if you are talking about the environment, wherever your applications are deployed: if you look at network in particular, let's say you are using Cisco ACI or Arista CloudVision or any other third-party switches; if you are doing enforcement via network fabric you can definitely do that implementation in a traditional data center as well as in a software-defined data center, but your Cisco and Arista switches are not necessarily coming with you into the public cloud, because there is no space for it, so you cannot do consistent micro-segmentation in the public cloud. If you are doing hypervisor-based micro-segmentation, because this hypervisor-based micro-segmentation is applicable only for software-defined data centers, only for virtualized workloads, if you have bare-metal workloads in your traditional data center, obviously the micro-segmentation cannot be performed. Again, hypervisor: for instance, if you are running the VMware hypervisor ESXi or KVM or etcetera, in the public cloud, when your applications move, those hypervisors are not accessible, so hypervisor-based micro-segmentation essentially fails there. The last two, agent-based and next-gen-firewall-based micro-segmentation, are universally extensible across all these three environments, right: be it traditional data center, software-defined, or public cloud.

Let's evaluate these four approaches again on a different dimension: the value of the security you can extract from each of them. So the network-fabric-based approach will definitely give you layer 2 to 4 visibility and enforcement, but none of the network fabric, hypervisor or agent-based approaches will give you the layer 7 based visibility and enforcement, and definitely if you look at the goal, which is to identify and prevent the lateral spread of the threat, that goal cannot be achieved by those three approaches; only next-gen firewall is in a position to give you the best security value from a micro-segmentation perspective. It's primarily because the goal is to identify and prevent the lateral threat; you are not doing micro-segmentation for fun, right? You have a goal, which is to prevent the lateral spread of the threat, and how can you do that, that's what I'm saying. I'm also not saying that you do everything inside the next-gen firewall, be it hardware or virtual firewall; that's not the goal, that's not what I'm saying. There is value-add in enforcing some pieces of micro-segmentation inside the network, be it in the hypervisor or even through the agents. For instance, if there is backup traffic, why do you want to waste the firewall's bandwidth in doing micro-segmentation for non-critical workloads or non-critical flows? You can definitely leverage the network or hypervisor or the agent to simply deny the traffic before it even hits the firewall. So sometimes you not only have to do micro-segmentation just through the firewall, but sometimes you have to leverage a combination of these four. But if you are leveraging multiple combinations of these approaches, don't worry at all that you will not be able to extract the maximum security value out of this; it is because Palo Alto Networks has partnered with each of these vendors, with VMware, Cisco ACI, Arista CloudVision, to give you the best security value that you can get from the micro-segmentation perspective. So you can leverage the Cisco ACI fabric or Arista CloudVision fabric to do layer 2 to 4 enforcement, but because of our integration you'll be able to get layer 7 visibility and enforcement in a very seamless manner; it's quite frictionless. There is an ACI session at about 11:30; if you are interested in it, do participate, so that you can understand how we can do micro-segmentation with ACI and Palo Alto Networks together. Hypervisor-based: we have a six-year-old integration with VMware NSX, so you can do layer 2 to 4 enforcement using VMware NSX's distributed firewall and you can leverage the layer 7 firewall from us. You can also leverage Palo Alto Networks Prisma Cloud Twistlock agents to do agent-based enforcement, if you are interested in it, right.

So let's shift gears a little here and talk about the five pillars of the best micro-segmentation strategy, and these are the five: complete visibility, zero trust architecture, workload tagging, automated security actions with adaptive security, and comprehensive policy. Again, let's keep the goal in mind. You will realize, when I walk you through each of these five steps, that it is not just about technology, but it is as much about the process as it is about technology; the process that you implement in your organization is equally important here.

Brian mentioned that seventy-five percent plus of the traffic nowadays, sometimes I talk to the customers and they say it's about ninety percent plus, of data center traffic flows east-west, but your firewalls are sitting on the perimeter and you do not necessarily have the visibility into your east-west traffic flows. So obviously you cannot protect what you cannot see, so visibility is all about inspecting those packets which are really important, every single packet flow that you need to inspect. You can gain that visibility in multiple ways: you can use our Panorama logs, you can use a Cortex app built by a third party or a partner, or you can build your own Cortex app to gain that visibility. A customer called Arizona Federal Credit Union, Arizona is one of the states in the United States, they came on stage and the customer mentioned that, hey, I didn't have to use any expensive application dependency mapping tools; he could leverage Panorama logs to simply identify how the traffic flows are happening and then exported it
into Excel and Visio to just visualize how the flows are working, and then implemented the entire micro-segmentation using VMware NSX and Palo Alto Networks VM-Series firewalls. It was as simple as that. So you can use something as cheap as Panorama logs, but if you have a lot of money then you can definitely buy the expensive application dependency mapping tools out there.

So once you map the transaction flows, it's time for you to consider implementing zero trust architecture. Now there are a couple of terms that I am throwing out here which are really important for you to understand: it is the difference between the attack surface and the protect surface. The attack surface is massive, while the protect surface is orders of magnitude smaller. The attack surface is huge: when you move from traditional data center to software-defined data center to public cloud, that attack surface is just exploding. But the protect surface is your crown jewels, the most important applications that you want to protect, and that is your protect surface. In your whole messy data center you may not know what that protect surface looks like today, but it is definitely knowable, and I'll talk to you about how you can know about this. So we identify the protect surface using this acronym called DAAS: data, applications, assets and services. So you can define this protect surface as one or multiple combinations of these four elements. Let's take the example of the healthcare industry. In that case, what is the data that is most important? Patient health information, PHI. What is the most important application that is containing that sensitive information and the data points? It would be Epic, Allscripts or Cerner. What are the assets that are really sensitive to some of these threats? Let's say the assets are medical equipment, such as a CT scanner. The services that can be easily compromised and that are really vulnerable to that attack, in this case let's say it's single sign-on or a DNS server or Active Directory server. So once you identify this, that is called the protect surface.

Now the next step for you would be to prioritize; you can prioritize based on the value of this protect surface, compliance requirements, and the relationship to the application owner. Organizations typically have found this quite troubling, where you have the perimeter-based firewalling approach and you do not have inspection at an east-west level, because if you have just a perimeter firewall, which is very far from your protect surface, the protect surface is sitting quite inside the data center. So it's time for you to consider moving those controls from the edge of the perimeter, from the edge of your data center, to a little bit downstream, way closer to where your protect surface is. Once you identify that protect surface, it's time for you to connect it to the segmentation gateways; a next-gen firewall is a classical example of a segmentation gateway, so that the traffic going in and coming out can be inspected by that segmentation gateway, and you can connect that segmentation gateway, or multiple such gateways, to the policy manager; in our case it's Panorama.

So let's talk about workload tagging, the third most fundamental piece in the puzzle. Like I mentioned, you must have the process for workload tagging. How many of you have all your workloads tagged today, other than by IP address? How many of you are tagging the workloads? Two people, so about 2% of it. So definitely have a strategy to tag your existing and the new workloads, because it will make your life super easy. When we talk to the customers, they tag their workloads across these four or six categories: it is about role, application, location, environment, classification and compliance. At most, for any VM workload that your application team is spinning out, do not have more than four to six tags per VM, but definitely mandate the tagging as part of your strategy. The role could be web, app, DB; and I have the example of your application, it could be your SCADA, Epic, HR, sales, etc. Classification: it could be level one, level two classification, or very secret. Compliance: if you are doing the segmentation because of some compliance reasons, then you can tag those workloads as PCI workload or HIPAA workload. You can also have the environment, such as my dev, test, production workload, right; those are the three environments, but you can have more. Location: which data center is this located in, right? Previously people used to tag those workloads using this data center, this aisle, but because of virtualization those workloads can move anywhere, so there is no point in you giving a very fine location; just identify where that workload is located.

So I have some demo for you, but before that here is the topology. I have some user segments here, the web admin and database admin trying to access the web VM and database VM. That web VM and database VM are protected by VM-Series, and obviously VM-Series has a connection to the Internet and it is also connected to Panorama. Panorama has the plug-in architecture now; you must know about this, if not then we can talk offline about it, I'm more than happy to tell you a little bit more about the plug-in architecture that we have implemented. Panorama has multiple plugins; I'll be demoing the vCenter plugin primarily, but this Panorama plug-in helps you build dynamic-address-group-based policies based on the tags. Those tags could be native to the vCenter environment if you are running VMware workloads; we have also implemented these plugins for AWS, Azure, Google Cloud, Cisco ACI and even Nutanix, right, and we are now in the middle of building some other container-based plugins.

So let's start the demo of how we will do the workload tagging. So this is the VMware vCenter environment; here you go to Tags and Custom Attributes, and create the categories. So let's create those four or six categories: role is the first one, then let's create the application category, then we will create those environment, classification, compliance and location-based categories, and this is all, this is everything that you can do from vCenter; you are not doing anything in Panorama, so your application teams, who are very familiar with vCenter, can create all these categories. Then it's time for you to create the tags. So for each category you can define the tags; in this case the role could be your web, app or DB, and similarly we just create a bunch of tags that you will be creating. Now it's time for you to apply those tags to a workload. So like I mentioned, every workload can have from four to six tags; here in this case we'll apply: this is my Amsterdam location, it's level one, PCI compliance, and it is my production workload running the HRM application, right? So four to six tags, and you will be tagging your existing workloads, and once you mandate this, for any new application that is being rolled out you also need to make sure that they are being tagged.

Now Panorama has the plug-in, so you go to the Panorama tab and then under the plugins architecture you will see VMware vCenter. Then you connect Panorama to vCenter by giving the credentials of vCenter; just validate those credentials, and then once you do OK, Panorama now has a connection to vCenter. You can manage up to 16 vCenters from a single Panorama, right, up to 16. Now it's time for you to create the monitoring definition, which is just a combination of the vCenter and the notify group; a notify group is a set of device groups where you want to populate the tags. Then do a commit into Panorama, so here is when all the configuration is stored. Now you can go back and do a refresh, you will see the status as success, and now you can start creating the dynamic address groups. You go under Objects, create the address groups, and then instead of static, select dynamic. Here you no longer have to write IP address and subnet-based policies, but you are just selecting a bunch of tags. Let's say you want to write a rule for web, so you're just selecting the tags that we just created in vCenter, where it is role web and whatever location you want to say. Similarly you create a bunch of dynamic address groups here based on application and role, right, and once you do a commit you will see that Panorama reached out to vCenter, polled vCenter, with all the associated IP addresses of each of those dynamic address groups. So now that IP-address-to-tag mapping is all done behind the scenes; you no longer have to write the policies on IP addresses. So tomorrow your application team rolls out any new workload and tags it with the right tags and categories, that IP address is automatically populated in the dynamic address group and you no longer have to write or update the policies, right? So it is as powerful as this.

All right, the fourth block: comprehensive policy. I tell this to my customers, that in the networking industry in general this policy keyword is very much abused. When I was working somewhere else, not here, the only definition I knew about the policy was A can or cannot talk to B; that was the definition of the policy, it's very simple, A can or cannot talk to B. So there's a whole industry out there, it's policy, policy, policy, but what it means is just A can or cannot talk to B. That's not the policy definition. When I came to Palo Alto Networks I realized the true definition of policy, and this is what we'll talk about. So micro-segmentation, just understand, it is more than a distributed way of enforcing access control lists; this allow/deny kind of policy is just an access control list, it is not true security. The other thing that most of the customers miss out on is having very strong security at the perimeter but having very weak security policies and approach when it comes to protecting the micro-perimeter. So what is your micro-perimeter? It is the same protect surface that we just defined using data, applications, assets and services; that is your micro-perimeter, and you must have very strong security to protect that
micro parameter a well-defined segmentation policies will include all these five elements right it is not about a can or cannot talk to B it is about who can talk to who what can they talk where can they talk when and how and that is the comprehensive policy that we are talking about so your policy when you define it it must have this five elements F ID user ID URL filtering threat prevention policies and the file based restrictions when you have all these five elements in your policy your policies really comprehensive and maybe we should develop a feature to give you a score in Panorama when you write a policy out of 100% how strong that policies we have not implemented this but maybe we can consider and just understand that you are our customers so you have a Ferrari you have bought a Ferrari so don't drive at 20 miles per hour right just utilize it fully it doesn't it doesn't take more time to write this comprehensive policy and it's not just because we have a product we are talking about writing this comprehensive policy it's because if you don't write it in your micro segmentation approach these are the use cases that will not be solved the first one is if you don't write that policy how will you prevent DNS tunneling for command and control operations how will you segment your HTTP to applications which are riding on the same port but there are different applications on the very same port if you just keep on writing layer 3 layer 4 based policies HTTP 2 it is the same port but you have multiple applications writing on it how will it inspect SSL encrypted traffic for most of issuers most of datas and traffic is the east-west where it is also encrypted and how will you prevent the credential theft and many more use cases like this so I have another demo for you but here we will talk about the user ID ID based segmentation and tag based segmentation so the same topology I have web admin and database ID main part of the Active Directory group called web admins 
and the database administrator in the database admin group, and here all other users can access the internet only for web browsing and no social media. So here we will allow only the web admin to access the web VM, because the database admin should not have any access. At the same time the web admin also should not have any access to the database VM, so we will also make sure of that vice versa. And if you look at tag-based segmentation, what we will do is we will be tagging all those workloads; we have already tagged them, so on the DB VM and the web server, a workload with the web server tag is assumed to be a web server. So we definitely need to make sure that your application teams are tagging the workloads in the right way; if they mistag, there will be a screw-up in the security policies. And here we will make sure that web servers can initiate only MySQL sessions towards the database server, and database servers cannot initiate any other sessions, right? And the web VM will have the access coming from outside, and all the users can access the web VM. So let's look at the demo. So you go to policy; we have already created the dynamic address groups, so now we will create a policy called "user to web servers". Here we'll just give a tag to the Panorama policy that we created. Here the users, because we are writing user-based policies, we will say the web server should be accessed only by web admins. The destination in this case would be the web dynamic address group, so here the zone is web and the dynamic address group we already created, called role web, if you remember, based on the tags that we selected. And the applications: we want to allow web admins to do web browsing, plus for troubleshooting reasons they may have to SSH into those web servers, so SSH is allowed, no more applications. Web browsing App-ID is way more secure than just opening port 80 and 443. So now let's have threat prevention policies. So here we are writing antivirus policies and then vulnerability
protection, and other policies will just inherit. So threat prevention policies, there are three or four segments to it; the WildFire policy also comes under threat prevention. So when you write this antivirus policy you are enhancing the same policy with threat prevention, App-ID and User-ID both. Now assume we are just doing a fast forward here. So now vulnerability protection is done, the anti-spyware policy is also done, and now it's time for you to write the URL filtering policies. So say social networking is not allowed, we need to block it. And the fifth component in the must-haves policy block was file-based restriction, so let's start writing file blocking policies. Here we'll create a custom policy for file blocking, so some high-risk file extensions that we want to prevent. Here let's just specify all the file types that we want to prevent, so PE being one, then we'll write 7z and a bunch of files that you don't want to allow. So we'll block all the other files being transported; if there is any data exfiltration that you want to prevent, you'll be able to achieve that here, and set some alert. And this is the policy that we talked about, but the policy had the component called who can talk to whom, what, where and when, so here we'll also specify the schedule: this policy should be effective only during that schedule, from start time to end time. And that is it. So, as you can see, the policy is not just about A can or cannot talk to B. It's not a simple allow/deny policy; it has all five fundamental blocks of a comprehensive policy, right? Okay, hope this helps.

The last but not the least block is adaptive security. Those days are gone when you had to write those subnet-based policies. So what we are doing with our adaptive security is you'll be writing your policies based on dynamic address groups, and you will take some automated security actions, and you can take those automated security actions by looking at the logs. So threat prevention logs, malware
and phishing logs, data filtering logs. Once you identify that this particular server is compromised you will be tagging it, and that tagging can be done natively within Panorama. Okay, here in this case we have identified this IP address as compromised. Once it is compromised, you would have pre-populated a policy with a dynamic address group called compromised; any IP that belongs to that dynamic address group using the compromised tag will now start enforcing multi-factor authentication, right? And that's the policy that we can do natively within Panorama; you can do that even today. And that policy is now posted; we have done an HTTPS post, we can do it on ServiceNow, we can post it into NSX and any other REST API. So, does this make sense, or is it too complex to digest? All right, if it is too complex to digest, let me try a different approach, going back to the Game of Thrones analogy. When we talk about complete visibility, it's not just about north-south security; it's all about having the visibility at east-west. So you don't want to just have the Night's Watch, which is just north-south security; for those who have watched this, you want to be Bran the Broken, the three-eyed raven who can literally see everything. So have east-west visibility. Who said a breach of the perimeter was not possible? What is the north wall of your data center? It is typically a firewall. This north wall was also broken, right? Comprehensive policy and planning: again, must ensure you have all five fundamental blocks in your policy. Make sure it is comprehensive, when you define who will do what, where and when. So zero trust, don't forget zero trust, or you'll be the cyber victim. This is the saddest episode of the entire season, Ned Stark, right? And the analogy here is King's Landing: if you have King's Landing or the Iron Throne that you have to protect, that is your micro-perimeter; you must have very strong security. We are not talking about more and more security; it is about very strong security that you need to have around
the micro-perimeter. Adaptive security: this is the episode where the Night King was lured to come to Bran and was sort of quarantined. So you can do quarantining actions by some techniques such as DNS sinkholing. Has anyone used a DNS sinkhole? All right, many of you. So that is the feature; there are adaptive security actions like that. All right, so if whatever I talked about was too difficult to digest, you can just remember these five things in this analogy, right? So be the three-eyed raven, have east-west visibility. Zero trust architecture you must implement. If you have an Iron Throne, which is your most important applications and assets or data and services that you want to protect, just tag them, so have the strategy for workload tagging; it will make your life very easy when it comes to implementing micro-segmentation. Comprehensive policy and planning, right? And like I said, you have our next-gen firewall as a product; that means you have dragonglass, it has the power to prevent the threats from coming in, so use that dragonglass fully. You have that Ferrari, drive it at full speed.

Some closing advice for success. One, you cannot protect what you cannot see, so always have that complete visibility in mind. Segment in phases, don't boil the ocean; when you start this micro-segmentation journey, do not start with the idea where you will be micro-segmenting all applications at once. Pick the ones where you can have a quick win, and be more strategic in terms of which applications you pick. There is absolutely no reason for you to have segmentation policies managed differently from threat policies. You must write segmentation policies and threat prevention policies from the very same UI; you need to have that single pane of glass where you are doing not only micro-segmentation but also threat prevention. If you start segmenting the policies where some teams are managing segmentation and some teams are managing security, you will
have fragmented and inconsistent security in the end. Imagine you are not just doing micro-segmentation for one environment; if you want to do micro-segmentation across traditional IT, software-defined, plus probably cloud, always keep this goal in mind that you want to write the policy, everything, in one place. Again, never settle for layer 3, layer 4 policies, like I mentioned with the Ferrari example. Use Policy Optimizer. How many of you are familiar with our Policy Optimizer? All right, some of you. If not, then do take a look at it; it will help you move automatically from layer 3, layer 4 policies to layer 7, right, just by looking at the App-ID logs. It will help you move to a more secure state. And what our customers tell us is micro-segmentation is the project where we could bring all our teams, application team, network team and security team, under one umbrella, right? It was the project that united these teams. So when you are embarking on this project, take that as an opportunity to unite the teams, right?

Next steps: these are some of the resources available. So the slides are going to be posted, so do take advantage of the slides and some of the resources; check them out. I just have this last quote for you guys: don't have micro-segmentation as your end goal. Once you start viewing it as a necessary approach to preventing successful cyber attacks, you will achieve much greater security in the end. So just see micro-segmentation as one of the ways to get there, one of the ways to achieve a bigger security, but keep that bigger security goal in mind; micro-segmentation alone is not full-fledged security, right? With that, your feedback really matters; both Brian and I value your feedback. This is how we grow both personally and professionally, so do take some minutes to give us the feedback so that next Ignite we can improve on our presentation, demos, what you liked, what you did not like. But with that, thank you so much, and
we are open for Q&A. I don't know how much time; I think we are almost out of time, but we'll make ourselves available right after the session here. Okay, so thank you so much, thanks. [Applause]
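The two mechanisms the talk walks through, tag-driven dynamic address groups and the adaptive "tag a compromised host from its logs" step, as an added example that is not from the talk or Palo Alto Networks: the workload inventory, DAG definitions and the threat-log line are all constructed here, and the key=value log shape is an assumption, not PAN-OS syslog format.

```python
"""Added example (not from the talk or Palo Alto Networks): a small model of
dynamic address groups (DAGs) resolved from workload tags, plus the adaptive
step where a threat-log hit tags a host 'compromised' so the compromised DAG,
and any rule bound to it, picks the host up without anyone editing an IP."""
import re
from typing import Dict, List, Optional, Set

# Constructed workload inventory: IP -> tags, as an orchestrator would report them.
WORKLOADS: Dict[str, Set[str]] = {
    "10.1.1.10": {"role-web", "app-crm", "location-dc1"},
    "10.1.1.11": {"role-web", "app-crm", "location-dc2"},
    "10.1.2.20": {"role-db", "app-crm", "location-dc1"},
}

# DAG definitions: name -> tags a workload must carry (AND match, like "role web in location X").
DAGS: Dict[str, Set[str]] = {
    "role-web": {"role-web"},
    "role-db": {"role-db"},
    "compromised": {"compromised"},
}

def resolve_dag(name: str) -> List[str]:
    """Return the sorted IPs whose tags include every tag the DAG requires."""
    required = DAGS[name]
    return sorted(ip for ip, tags in WORKLOADS.items() if required <= tags)

# Constructed, simplified key=value threat-log shape (hypothetical, not PAN-OS syslog).
THREAT_LOG_RE = re.compile(r"src=(?P<src>\S+) .*?severity=(?P<sev>\w+) .*?action=(?P<act>\w+)")

def tag_compromised_from_log(line: str) -> Optional[str]:
    """Adaptive step: a critical threat hit from a source host adds the
    'compromised' tag to it, so resolve_dag('compromised') returns it next time.
    Returns the tagged IP, or None when the line does not qualify."""
    m = THREAT_LOG_RE.search(line)
    if not m or m.group("sev") != "critical":
        return None
    src = m.group("src")
    WORKLOADS.setdefault(src, set()).add("compromised")
    return src

def policy_scope(ip: str) -> List[str]:
    """Which DAG-bound rules now apply to a host: the point of tag-driven policy
    is that membership, not the rulebase, changes when a host is (re)tagged."""
    return sorted(name for name in DAGS if ip in resolve_dag(name))
```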
Info
Channel: Palo Alto Networks Ignite
Views: 3,751
Rating: 4.8139534 out of 5
Keywords: Automation/Orchestration, Datacenter/Private Cloud, Hybrid Cloud, Network Security, NGFW, Segmentation/Zero Trust, VM-Series
Id: -Ell-hksJcc
Length: 48min 7sec (2887 seconds)
Published: Wed Dec 11 2019