Guardicore - Shrink Your Attack Surface with Micro-Segmentation
1. Shrink Your Attack Surface with Micro-Segmentation
Avishag Daniely
Director, Product management
@avishugz
2. 2 // Guardicore Confidential
Segmentation: It was never easy. It’s only getting harder.
Many enterprise networks are too flat
Why? Because VLANs are painful and restrictive:
▪ No visibility
▪ Tied to infrastructure
▪ App changes & downtime required
▪ Slow to implement
▪ Multiple teams involved
But segmentation is more important than ever
▪ 85% of data center traffic is now east-west¹
▪ Average dwell time after a breach is 191 days²
¹ Source: Cisco Global Cloud Index
² Source: Ponemon Institute 2018 “Cost of a Data Breach” report
10. Software Defined Segmentation Simplifies Hybrid Cloud Security
Simple to Manage | Simple to Deploy | Highly Effective
▪ Centralized Management / Distributed Enforcement
▪ One policy approach for all on-premises and cloud environments
▪ Completely decoupled from underlying infrastructure
▪ Broad ecosystem and OS integration and support
▪ Intuitive, human readable visualization and policy creation
▪ Precise control down to the individual process level
11. Strive to Make Segmentation Simple
1. Rules for IT hygiene
   ▪ Block undesired ports, services like Telnet, internet access to databases, etc.
2. Rules for infrastructure services (e.g., Jumpboxes, IoT)
3. Separate environments (e.g., Dev/Lab/Prod)
4. Ring-fence sensitive and/or regulated apps (e.g., SWIFT, PCI, etc.)
5. Micro-segment applications
18. Real-World Example: Securing Access Based on User Identity
[Diagram: Production environment with the Accounting and DMS applications, users Andy and Doug, and a Jumpbox]
19. Use Case: Protect Your Digital Crown Jewels
Top 25 Global Bank
▪ Project target: 10 critical applications
▪ Project scope:
  1. Application ring-fencing
  2. 3rd party access control
  3. Cloud migration readiness
Legacy Segmentation
▪ No data center traffic visibility
▪ Complex IT infrastructure
▪ Heavy dependence on infra team
Time: 1.5 years with VLANs and FW
Software-Defined Segmentation
▪ Granular east-west traffic visibility
▪ 10 critical applications ring-fenced
▪ 3rd party access restricted
▪ Dependencies mapped for seamless migration
▪ Full process automation with DevOps
Time: 2 months
People: 1 Architect
20. Use Case: Simplify and Accelerate Compliance
Multinational Commercial Bank
▪ Need to ring-fence SWIFT application
▪ Complex environment with bare-metal, VMware and OpenStack servers
Legacy Segmentation
▪ Hard to define segments across complex infra
▪ No visibility into applications and dependencies
▪ Requires downtime
Time: ~8-12 months
People: at least 5
Software-Defined Segmentation
▪ Completed SWIFT application mapping in hours
▪ Segmentation policies automatically suggested and fine-tuned
▪ No need to purchase and deploy new HW and FWs
▪ No downtime
Time: 2 weeks
People: 1 architect
21. Use Case: Adopt Cloud and PaaS Securely
Global Online Retailer
▪ Project target: 30 PCI applications
▪ Project scope:
  1. Separate PCI and non-PCI apps
  2. Unify security controls
  3. Multi-cloud support
Legacy Segmentation
▪ Compliance blind spots
▪ Difficult to manage security controls across OpenStack, VMware, Azure, Oracle Cloud
Five Separate Policy Engines
Software-Defined Segmentation
▪ 30 PCI applications ring-fenced
▪ From 5 security policy engines to 1
▪ Contextual visibility into PCI related traffic
▪ Integration into DevOps cycles
▪ Breach Detection added value
Time: 3 months
People: 2 Architects
22. Use Case: Simplify and Accelerate Compliance
Top 25 Global Bank
▪ Project target: Dev/Prod/UAT separation
▪ Project scope:
  1. Restrict traffic between production and non-production environments
  2. App ring-fencing readiness
Legacy Segmentation
▪ Extremely slow progress
▪ Audit failures, fines and production errors
▪ Production outages due to application downtime
Time: 2 Years with VLANs
Software-Defined Segmentation
▪ 10,000 non-compliant assets segmented
▪ Zero application downtime
▪ 10x faster implementation saving compliance costs
▪ Reduced manual effort with DevOps
Time: 6 Months
People: 3 Architects
23. With Software-Defined Segmentation
• Gain as much visibility as possible (real-time, historical, detailed)
• Consume large amounts of visibility data simply and clearly
• Support any environment – on-premises or cloud
• Create flexible policies based on objectives instead of infrastructure
• Support multiple use cases simultaneously
• Make life simpler for both security teams and application owners
24. About Guardicore
Our Mission
Guardicore is a data center and cloud security company. We provide the simplest, most intuitive way to protect your organization’s critical assets through micro-segmentation.
▪ 250% growth 2018
▪ Customers in 5 Continents
▪ 160+ employees
▪ $110M in funding (Series C)
▪ Chosen to be an AWS Security Hub Partner
▪ Top 25 Promising Young Start-ups for 2017
▪ Gartner 2018 Cool Vendor
▪ 2018 InfoSec Awards winner for Cloud Security
▪ 5/5 Stars Rating - Best Buy Recommendation third year in a row
▪ 5/5 Stars rating on Glassdoor