easy-accordion-free domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/mother99/jacksonholdingcompany.com/wp-includes/functions.php on line 6114zoho-flow domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/mother99/jacksonholdingcompany.com/wp-includes/functions.php on line 6114wordpress-seo domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/mother99/jacksonholdingcompany.com/wp-includes/functions.php on line 6114You hear a lot about zero trust microsegmentation these days and rightly so. It has matured into a proven security best-practice to effectively prevent unauthorized lateral movement across network\u2026 Read more on Cisco Blogs<\/a><\/p>\n \u200b<\/p>\n You hear a lot about zero trust microsegmentation these days and rightly so. It has matured into a proven security best-practice to effectively prevent unauthorized lateral movement across network resources. It involves dividing your network into isolated segments, or \u201cmicrosegments,\u201d where each segment has its own set of security policies and controls. In this way, even if a breach occurs or a potential threat gains access to a resource, the blast radius is contained.<\/p>\n And like many security practices, there are different ways to achieve the objective, and typically much of it depends on the unique customer environment. For microsegmentation, the key is to have a trusted partner that not only provides a robust security solution but gives you the flexibility to adapt to your needs instead of forcing a \u201cone size fits all\u201d approach.<\/p>\n Now, there are broadly two different approaches you can take to achieve your microsegmentation objectives:<\/p>\n A host-based enforcement approach where the policies are enforced on the workload itself. This can be done by installing an agent on the workload or by leveraging APIs in public cloud. While a host-based enforcement approach is immensely powerful because it provides access to rich telemetry in terms of processes, packages, and CVEs running on the workloads, it may not always be a pragmatic approach for a myriad of reasons. These reasons can range from application team perceptions, network security team preferences, or simply the need for a different approach to achieve buy-in across the organization.<\/p>\n Long story short, to make microsegmentation practical and achievable, it\u2019s clear that a dynamic duo of host and network-based security is key to a robust and resilient zero trust cybersecurity strategy. Earlier this year, Cisco completed the native integration between Cisco Secure Workload and Cisco Secure Firewall delivering on this principle and providing customers with unmatched flexibility as well as defense in depth. Let\u2019s take a deeper look at what this integration enables our customers to achieve and some of the use cases.<\/p>\n The journey to microsegmentation starts with visibility. This is a perfect opportunity for me to insert the clich\u00e9 here \u2013 \u201cWhat you can\u2019t see, you can\u2019t protect.\u201d In the context of microsegmentation, flow visibility provides the foundation for building a blueprint of how applications communicate with each other, as well as users and devices \u2013 both within and outside the datacenter.<\/p>\n The integration between Secure Workload and Secure Firewall enables the ingestion of NSEL flow records to provide network flow visibility, as shown in Figure 1. You can further enrich this network flow data by bringing in context in the form of labels and tags from external systems like CMDB, IPAM, identity sources, etc. This contextually enriched data set allows you to quickly identify the communication patterns and any indicators of compromise across your application landscape, enabling you to immediately improve your security posture.<\/p>\n Figure 1: Secure Workload ingests NSEL flow records from Secure Firewall<\/strong><\/p>\n\n The integration of Secure Firewall and Secure Workload provides two powerful complimentary methods to discover, compile, and enforce zero trust microsegmentation policies. The ability to use a host-based, network-based, or mix of the two methods gives you the flexibility to deploy in the manner that best suits your business needs and team roles (Figure 2).<\/p>\n And regardless of the approach or mix, the integration enables you to seamlessly leverage the full capabilities of Secure Workload including:<\/p>\n Policy discovery and analysis:<\/strong> Automatically discover policies that are tailored to your environment by analyzing flow data ingested from the Secure Firewall protecting east-west workload communications. Figure 2: <\/strong>Host-based and network-based approach with Secure Workload<\/strong><\/p>\n\n This use case demonstrates how the integration delivers defense in depth and ultimately better security outcomes. In today\u2019s rapidly evolving digital landscape, applications play a vital role in every aspect of our lives. However, with the increased reliance on software, cyber threats have also become more sophisticated and pervasive. Traditional patching methods, although effective, may not always be feasible due to operational constraints and the risk of downtime. When a zero-day vulnerability is discovered, there are a few different scenarios that play out. Consider two common scenarios: 1) A newly discovered CVE poses an immediate risk and in this case the fix or the patch is not available and 2) The CVE is not highly critical so it\u2019s not worth patching it outside the usual patch window because of the production or business impact. In both cases, one must accept the interim risk and either wait for the patch to be available or for the patch window schedule.<\/p>\n Virtual patching, a form of compensating control, is a security practice that allows you to mitigate this risk by applying an interim protection or a \u201cvirtual\u201d fix to known vulnerabilities in the software until it has been patched or updated. Virtual patching is typically done by leveraging the Intrusion Prevention System (IPS) of Cisco Secure Firewall. The key capability, fostered by the seamless integration, is Secure Workload\u2019s ability to share CVE information with Secure Firewall, thereby activating the relevant IPS policies for those CVEs. Let\u2019s take a look at how (Figure 3):<\/p>\n The Secure Workload agents installed on the application workloads will gather telemetry about the software packages and CVEs present on the application workloads. Figure 3: Virtual patching with Secure Workload and Secure Firewall<\/strong><\/p>\n\n With Secure Workload and Secure Firewall, you can achieve a zero-trust security model by combining a host-based and network-based enforcement approach. In addition, with the virtual patching ability, you get another layer of defense that allows you to maintain the integrity and availability of your applications without sacrificing security. As the cyber threat landscape continues to evolve, harmony between different security solutions is undoubtedly the key to delivering more effective solutions that protect valuable digital assets.<\/p>\n Learn more about Cisco Secure Workload<\/a> and Cisco Secure Firewall<\/a><\/p>\n Sign up for a\u00a0Secure Workload workshop<\/a><\/p>\n We\u2019d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Security on social!<\/em><\/p>\n Cisco Security Social Channels<\/strong><\/p>\n Instagram<\/a><\/strong>Facebook<\/a><\/strong>Twitter<\/a><\/strong>LinkedIn<\/a><\/strong><\/p>\n \u00a0\u00a0Discover the flexibility of achieving zero-trust microsegmentation with Cisco Secure Workload and Secure Firewall, combining host-based and network-based enforcement, along with virtual patching for added defense.\u00a0\u00a0Read More<\/a>\u00a0Cisco Blogs\u00a0<\/p>","protected":false},"excerpt":{"rendered":" <\/p>\n You hear a lot about zero trust microsegmentation these days and rightly so. It has matured into a proven security best-practice to effectively prevent unauthorized lateral movement across network\u2026 Read more on Cisco Blogs<\/a><\/p>\n \u200b<\/p>\n You hear a lot about zero trust microsegmentation these days and rightly so. It has matured into a proven security best-practice to effectively prevent unauthorized lateral movement across network resources. It involves dividing your network into isolated segments, or \u201cmicrosegments,\u201d where each segment has its own set of security policies and controls. In this way, even if a breach occurs or a potential threat gains access to a resource, the blast radius is contained.<\/p>\n And like many security practices, there are different ways to achieve the objective, and typically much of it depends on the unique customer environment. For microsegmentation, the key is to have a trusted partner that not only provides a robust security solution but gives you the flexibility to adapt to your needs instead of forcing a \u201cone size fits all\u201d approach.<\/p>\n Now, there are broadly two different approaches you can take to achieve your microsegmentation objectives:<\/p>\n A host-based enforcement approach where the policies are enforced on the workload itself. This can be done by installing an agent on the workload or by leveraging APIs in public cloud. While a host-based enforcement approach is immensely powerful because it provides access to rich telemetry in terms of processes, packages, and CVEs running on the workloads, it may not always be a pragmatic approach for a myriad of reasons. These reasons can range from application team perceptions, network security team preferences, or simply the need for a different approach to achieve buy-in across the organization.<\/p>\n Long story short, to make microsegmentation practical and achievable, it\u2019s clear that a dynamic duo of host and network-based security is key to a robust and resilient zero trust cybersecurity strategy. Earlier this year, Cisco completed the native integration between Cisco Secure Workload and Cisco Secure Firewall delivering on this principle and providing customers with unmatched flexibility as well as defense in depth. Let\u2019s take a deeper look at what this integration enables our customers to achieve and some of the use cases.<\/p>\n The journey to microsegmentation starts with visibility. This is a perfect opportunity for me to insert the clich\u00e9 here \u2013 \u201cWhat you can\u2019t see, you can\u2019t protect.\u201d In the context of microsegmentation, flow visibility provides the foundation for building a blueprint of how applications communicate with each other, as well as users and devices \u2013 both within and outside the datacenter.<\/p>\n The integration between Secure Workload and Secure Firewall enables the ingestion of NSEL flow records to provide network flow visibility, as shown in Figure 1. You can further enrich this network flow data by bringing in context in the form of labels and tags from external systems like CMDB, IPAM, identity sources, etc. This contextually enriched data set allows you to quickly identify the communication patterns and any indicators of compromise across your application landscape, enabling you to immediately improve your security posture.<\/p>\n Figure 1: Secure Workload ingests NSEL flow records from Secure Firewall<\/strong><\/p>\n The integration of Secure Firewall and Secure Workload provides two powerful complimentary methods to discover, compile, and enforce zero trust microsegmentation policies. The ability to use a host-based, network-based, or mix of the two methods gives you the flexibility to deploy in the manner that best suits your business needs and team roles (Figure 2).<\/p>\n And regardless of the approach or mix, the integration enables you to seamlessly leverage the full capabilities of Secure Workload including:<\/p>\n Policy discovery and analysis:<\/strong> Automatically discover policies that are tailored to your environment by analyzing flow data ingested from the Secure Firewall protecting east-west workload communications. Figure 2: <\/strong>Host-based and network-based approach with Secure Workload<\/strong><\/p>\n This use case demonstrates how the integration delivers defense in depth and ultimately better security outcomes. In today\u2019s rapidly evolving digital landscape, applications play a vital role in every aspect of our lives. However, with the increased reliance on software, cyber threats have also become more sophisticated and pervasive. Traditional patching methods, although effective, may not always be feasible due to operational constraints and the risk of downtime. When a zero-day vulnerability is discovered, there are a few different scenarios that play out. Consider two common scenarios: 1) A newly discovered CVE poses an immediate risk and in this case the fix or the patch is not available and 2) The CVE is not highly critical so it\u2019s not worth patching it outside the usual patch window because of the production or business impact. In both cases, one must accept the interim risk and either wait for the patch to be available or for the patch window schedule.<\/p>\n Virtual patching, a form of compensating control, is a security practice that allows you to mitigate this risk by applying an interim protection or a \u201cvirtual\u201d fix to known vulnerabilities in the software until it has been patched or updated. Virtual patching is typically done by leveraging the Intrusion Prevention System (IPS) of Cisco Secure Firewall. The key capability, fostered by the seamless integration, is Secure Workload\u2019s ability to share CVE information with Secure Firewall, thereby activating the relevant IPS policies for those CVEs. Let\u2019s take a look at how (Figure 3):<\/p>\n The Secure Workload agents installed on the application workloads will gather telemetry about the software packages and CVEs present on the application workloads. Figure 3: Virtual patching with Secure Workload and Secure Firewall<\/strong><\/p>\n With Secure Workload and Secure Firewall, you can achieve a zero-trust security model by combining a host-based and network-based enforcement approach. In addition, with the virtual patching ability, you get another layer of defense that allows you to maintain the integrity and availability of your applications without sacrificing security. As the cyber threat landscape continues to evolve, harmony between different security solutions is undoubtedly the key to delivering more effective solutions that protect valuable digital assets.<\/p>\n Learn more about Cisco Secure Workload<\/a> and Cisco Secure Firewall<\/a><\/p>\n Sign up for a\u00a0Secure Workload workshop<\/a><\/p>\n We\u2019d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Security on social!<\/em><\/p>\n Cisco Security Social Channels<\/strong><\/p>\n Instagram<\/a><\/strong>Facebook<\/a><\/strong>Twitter<\/a><\/strong>LinkedIn<\/a><\/strong><\/p>\n
\nA network-based enforcement approach where the policies are enforced on a network device like an east-west network firewall or a switch.<\/p>\nUse case #1: Network visibility via an east-west network firewall<\/strong><\/h2>\n
Use case #2: Microsegmentation using the east-west network firewall<\/strong><\/h2>\n
\nPolicy enforcement:<\/strong> Onboard multiple east-west firewalls to automate and enforce microsegmentation policies on a specific firewall or set of firewalls through Secure Workload. (For more on this capability, Topology Awareness<\/em>, read my colleague\u2019s blog Topology Matters).<\/a>
\nPolicy compliance monitoring:<\/strong> The network flow information, when compared against a baseline policy, provides a deep view into how your applications are behaving and complying against policies over time.\u00a0<\/strong><\/p>\nUse case #3: Defense in depth with virtual patching via north-south network firewall<\/strong><\/h2>\n
\nA workload-CVE mapping data is then published to Secure Firewall Management Center. You can choose the exact set of CVEs you want to publish. For example, you can choose to only publish CVEs that are exploitable over network as an attack vector and has CVSS score of 10. This would allow you to control any potential performance impact on your IPS.
\nFinally, the Secure Firewall Management Center then runs the \u2018firepower recommendations\u2019 tool to fine tune and enable the exact set of signatures that are needed to provide protection against the CVEs that were found on your workloads. Once the new signature set is crafted, it can be deployed to the north-south perimeter Secure Firewall.<\/p>\nFlexibility and defense in depth is the key to a resilient zero trust microsegmentation strategy<\/strong><\/h2>\n
\nA network-based enforcement approach where the policies are enforced on a network device like an east-west network firewall or a switch.<\/p>\nUse case #1: Network visibility via an east-west network firewall<\/strong><\/h2>\n
Use case #2: Microsegmentation using the east-west network firewall<\/strong><\/h2>\n
\nPolicy enforcement:<\/strong> Onboard multiple east-west firewalls to automate and enforce microsegmentation policies on a specific firewall or set of firewalls through Secure Workload. (For more on this capability, Topology Awareness<\/em>, read my colleague\u2019s blog Topology Matters).<\/a>
\nPolicy compliance monitoring:<\/strong> The network flow information, when compared against a baseline policy, provides a deep view into how your applications are behaving and complying against policies over time.\u00a0<\/strong><\/p>\nUse case #3: Defense in depth with virtual patching via north-south network firewall<\/strong><\/h2>\n
\nA workload-CVE mapping data is then published to Secure Firewall Management Center. You can choose the exact set of CVEs you want to publish. For example, you can choose to only publish CVEs that are exploitable over network as an attack vector and has CVSS score of 10. This would allow you to control any potential performance impact on your IPS.
\nFinally, the Secure Firewall Management Center then runs the \u2018firepower recommendations\u2019 tool to fine tune and enable the exact set of signatures that are needed to provide protection against the CVEs that were found on your workloads. Once the new signature set is crafted, it can be deployed to the north-south perimeter Secure Firewall.<\/p>\nFlexibility and defense in depth is the key to a resilient zero trust microsegmentation strategy<\/strong><\/h2>\n