Poor East-West Visibility Gives Hackers a License to Steal

East-west traffic is communication that moves between servers and applications inside the same network segment without traversing any firewall or inspection layer of the network. Often, and by design, this internal traffic accounts for most of a data center’s workload, in order to reduce latency and improve user experience and overall performance. Security measures, however, are typically focused on monitoring the north-south traffic that is entering or exiting the data center perimeter or moving between internal network segments inside the data center.

Lack of visibility into east-west traffic is a problem for data-center operators in their ongoing battle to prevent a breach or theft of sensitive and confidential information. If organizations cannot monitor and log internal network segments, they cannot respond to active threats or prevent hackers from stealing confidential and sensitive information, which often includes customer and employee data. This gap puts core infrastructure at risk and keeps attacks from being detected until compromised traffic crosses the perimeter firewall. Unfortunately, by that time sensitive and confidential data has already been exfiltrated from your environment.

Most data center traffic is moving laterally and is unmonitored

Cybercriminals understand that east-west traffic is vulnerable. It is why they focus their attacks on breaching the network edge and establishing a foothold inside your infrastructure. To breach a network, hackers only have to phish a single person to begin a ransomware attack or find a vulnerable internet-facing device. Once embedded in the network, they can begin co-opting standard tools and moving their attack laterally across nodes, servers, or devices.


Lack of visibility often allows hackers who have stolen sensitive data (financials, customer records, source code, and more) to go undetected by the compromised organization until it is notified by a third party or by its own customers. Data breaches negatively affect customer confidence and stain an organization’s public reputation. They also subject an organization to significant fines under state, federal, and national laws, including the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act (SOX Act), the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR), and the Australian Privacy Principles (APP).

In 2017, Anthem Inc. paid $16 million for violating HIPAA after more than 78.8 million records were stolen from its data center.[1] Facebook is the subject of multiple, ongoing GDPR-related investigations in the European Union. In an action brought by the U.S. Federal Trade Commission, the company has already been fined $5 billion for violating consumer privacy.[2]

Microsegmentation isolates east-west traffic for monitoring, control, and auditing


Creating visibility into east-west traffic and enforcing fine-grained policies used to be difficult. Microsegmentation has simplified things by allowing an organization to divide its physical or virtual network into smaller subnetworks (or subnets) while keeping control and management centralized. 

Partitioning the network into these logical workloads makes it easier to monitor and log traffic as it moves between subnet segments and block suspicious activity before attacks spread laterally or data is exfiltrated beyond the perimeter.

Microsegmentation enables an organization to group similar workloads to mitigate risk. IT can decide to locate all its financial information on a PCI-compliant segment, for example. IT can classify customer data, restrict access, and then ensure that alarms are triggered whenever the data is queried or moved.

Microsegmentation allows IT to allocate high- and low-bandwidth workloads to segments optimized for each type of traffic, and it keeps production, quality assurance, and development workloads isolated from each other. It is equally valid for on-premises, cloud, and hybrid infrastructure.

These actions allow IT to implement granular monitoring by installing network visibility tools or container-security-type tools at the host or container layers. With these improvements, IT can log and monitor communications between each device or host and receive centralized reports and alerts. Agents installed within the perimeter also allow organizations to enforce policies, such as blocking certain types of problematic activity.

Creating east-west visibility enhances core network resources


East-west visibility is essential for warding off cyberattacks and protecting valuable assets. Designing and implementing a solution is a complex but manageable task. Most organizations benefit from a phased approach that migrates individual workloads over multiple, carefully planned steps.


Implementers may begin by establishing visibility into a segment and then monitoring its traffic for several weeks or months. This step establishes a baseline for understanding how the segment’s communications and behavior perform over time and under different conditions.

As the monitoring progresses, the implementers can talk to unit owners about the behaviors they are seeing, take corrective actions where appropriate, and look for opportunities to improve performance while mitigating risk. During this time, the implementers and other stakeholders can create the new policies and enforcement mechanisms for ensuring security on the device or application’s east-west traffic.

For example, an organization might decide a particular microsegment is so valuable it needs to be subject to a zero-trust policy, which assumes every user and communication is compromised until proven trustworthy. More organizations are implementing zero trust as a necessary defense for preventing cyberattacks.
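The baseline-then-enforce approach above (observe a segment’s east-west flows, then derive policies, with a zero-trust allow-list for the most valuable segment such as the PCI-compliant one) can be sketched in a few lines. This is an added example, not code from the post or from ePlus; the segment addresses, the allow-list and the flow records are all constructed for illustration.

```python
"""Baseline-then-enforce check for east-west flows between microsegments.

Constructed example: segments are CIDRs, flow records are (src, dst, port)
tuples as a flow collector might export them. Flows seen during the
observation window become the baseline; afterwards each flow is judged
against that baseline, except for the zero-trust segment, which only
accepts what its explicit allow-list permits.
"""
import ipaddress

# Constructed segment map (assumed addressing, not from any real network)
SEGMENTS = {
    "web": ipaddress.ip_network("10.1.0.0/24"),
    "app": ipaddress.ip_network("10.2.0.0/24"),
    "pci": ipaddress.ip_network("10.3.0.0/24"),  # financial data, zero-trust
    "dev": ipaddress.ip_network("10.9.0.0/24"),
}

# Zero-trust allow-list for "pci": (source segment, destination port).
# Anything else destined for "pci" is denied regardless of the baseline.
PCI_ALLOW = {("app", 5432)}

def segment_of(ip):
    """Map an address to its segment name, or 'unknown' if outside all segments."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"

def build_baseline(flows):
    """Learn which (src segment, dst segment, port) triples talk during observation."""
    return {(segment_of(s), segment_of(d), p) for s, d, p in flows}

def evaluate(flow, baseline):
    """Return 'allow', 'deny' (zero-trust violation) or 'alert' (new east-west path)."""
    src, dst, port = flow
    s, d = segment_of(src), segment_of(dst)
    if d == "pci":
        return "allow" if (s, port) in PCI_ALLOW else "deny"
    return "allow" if (s, d, port) in baseline else "alert"

# Constructed baseline flows: weeks of observation collapsed to two records
BASELINE = build_baseline([
    ("10.1.0.10", "10.2.0.20", 8080),
    ("10.2.0.20", "10.3.0.5", 5432),
])

if __name__ == "__main__":
    for f in [("10.1.0.10", "10.2.0.20", 8080), ("10.9.0.7", "10.3.0.5", 5432)]:
        print(f, evaluate(f, BASELINE))
```

In practice the "alert" verdicts are what the implementers review with unit owners before turning the baseline into enforced policy.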

Staying safe is about being a less attractive target

Securing east-west traffic requires some combination of endpoint agents, container agents, or network monitoring technology. Microsegmentation of network resources makes it possible to deploy these technologies in ways that facilitate control and enforcement.

As long as organizations fail to monitor east-west traffic, they will remain tempting targets for hackers and other cybercriminals. Microsegmenting, additional controls between nodes and servers, and more rigorous log-in requirements provide practical strategies for addressing this vulnerability and reducing each network’s attack surface.

But waiting until a breach occurs to address this risk is a mistake. The potential financial, brand, and marketplace penalties for losing sensitive information are just too severe. Building east-west visibility is no longer an optional investment. It must be a central strategy for your core environments. 

If you have a technical question, a suggestion for a future post, and would like to chat outside this public forum, please email me at Sam.Curcio@eplus.com.

[1] “HIPAA Violation Cases.” HIPAA Journal. 2017.

[2] Sam Schechner. “EU Nears Decisions in Facebook Privacy Cases.” The Wall Street Journal. August 12, 2019.