A couple of weeks ago, P.F. Chang's confirmed a long-term breach (from September 2013 to June 2014) in which an estimated 800,000 cards per month may have been stolen. While details of how the attackers got into the restaurant chain's network are still emerging, it would not be surprising to learn that, as with Target, Michaels, Neiman Marcus, and Sally Beauty, the attackers reached the POS systems by first compromising another system and moving laterally from there.
While details of the P.F. Chang's breach are still sparse, I am willing to bet that it could have been limited in scope had there been a greater emphasis placed on network segmentation.
As many a security and networking practitioner knows, network segmentation is the practice of separating the networks that contain systems holding sensitive information (cardholder data, POS terminals, databases) from those that do not, and permitting only the specific traffic between them that the business actually needs. The idea is to limit the damage an attacker can do once a foothold has been gained: a compromised workstation or vendor system in one zone should not give direct network reach into the zone that processes payments.
While the principle behind network segmentation is simple, putting it into practice is another story. The typical enterprise network consists of hundreds of firewalls and routers, and each device can carry hundreds of rules enforcing complicated security policies. As a result, tens of thousands of rules must be taken into account when segmenting the network to ensure both security and policy compliance.
To further complicate matters, the enterprise network is a dynamic entity. IT organizations make dozens of network changes a week to support new business applications, and each of those changes can quietly open a path that the segmentation design never intended. This renders network segmentation efforts out of date almost immediately, and is particularly problematic if the IT organization makes the mistake of treating network segmentation as a "set it and forget it" effort. To be successful, network segmentation must be actively managed, and the segmentation policy must be continuously enforced against the rules that are actually deployed.
How to Approach Network Segmentation
As you map out the zones to segment your network into, consider business drivers such as regulatory compliance requirements, industry- or company-specific risks, third-party contractual requirements and company-specific business processes. The resulting map provides the visibility needed to decide how best to segment the network. Network segmentation must also account for the needs of business applications such as POS: which zones genuinely need to talk to each other, over which services. To get the best security, you must understand what the business is trying to achieve; otherwise the segmentation will either be bypassed with ad-hoc exceptions or will break the applications it is meant to protect.
These efforts establish proper network segmentation at a point in time, but organizations also need a way to detect when the deployed rules drift away from that design. Security administrators must be alerted to gaps between the desired and the actual segmentation, and changes made "out of band" must be remediated immediately. Furthermore, every network change across multi-vendor firewalls should be analyzed against the security and segmentation policy before it is deployed, so that governance and compliance are continuous rather than periodic.
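The zone map described above is, in practice, a matrix: which source zone may reach which destination zone, over which services, with everything not listed forbidden. Once the matrix exists, checking the deployed firewall rules (and any proposed change) against it is mechanical. The following is an added example written for this post, not Tufin code or any product's logic: the zone CIDRs, the desired matrix and the sample rule base are all constructed, and the rule format (source CIDR, destination CIDR, "proto/port" service, action) is a simplification of what real firewalls expose.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical zone definitions, constructed for this example.
ZONES = {
    "corp_users": ["10.10.0.0/16"],
    "pos":        ["10.50.0.0/16"],
    "pci_db":     ["10.60.1.0/24"],
    "mgmt":       ["10.99.0.0/24"],
}

# Desired segmentation matrix: (src_zone, dst_zone) -> services that may cross.
# Any zone pair or service not listed here is forbidden.
DESIRED = {
    ("pos", "pci_db"):  {"tcp/1433"},
    ("mgmt", "pos"):    {"tcp/22"},
    ("mgmt", "pci_db"): {"tcp/22"},
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # CIDR; "0.0.0.0/0" means "any"
    dst: str
    service: str  # "proto/port" or "any"
    action: str   # "permit" or "deny"


def zones_for(cidr, zones):
    """All zones whose address space overlaps the CIDR (so 0.0.0.0/0 hits every zone)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return sorted(
        name for name, cidrs in zones.items()
        if any(net.overlaps(ipaddress.ip_network(c)) for c in cidrs)
    )


def check_rule(rule, zones, desired):
    """Return (src_zone, dst_zone, service) triples this rule permits in violation of the matrix."""
    if rule.action != "permit":
        return []
    found = []
    for sz in zones_for(rule.src, zones):
        for dz in zones_for(rule.dst, zones):
            if sz == dz:
                continue  # intra-zone traffic is not a segmentation question
            allowed = desired.get((sz, dz), set())
            # A rule permitting "any" service is a violation even where some service is allowed.
            if rule.service == "any" or rule.service not in allowed:
                found.append((sz, dz, rule.service))
    return found


def audit(rules, zones, desired):
    """Map rule name -> violations for every non-compliant rule in a rule base."""
    report = {}
    for rule in rules:
        hits = check_rule(rule, zones, desired)
        if hits:
            report[rule.name] = hits
    return report


# Constructed sample rule base. The third rule is the kind of out-of-band change
# that silently exposes POS to the general user network.
SAMPLE_RULES = [
    Rule("allow-pos-db",     "10.50.0.0/16", "10.60.1.0/24", "tcp/1433", "permit"),
    Rule("mgmt-ssh-pos",     "10.99.0.0/24", "10.50.0.0/16", "tcp/22",   "permit"),
    Rule("temp-vendor-any",  "10.10.0.0/16", "10.50.0.0/16", "any",      "permit"),
    Rule("deny-all",         "0.0.0.0/0",    "0.0.0.0/0",    "any",      "deny"),
]

if __name__ == "__main__":
    for name, hits in audit(SAMPLE_RULES, ZONES, DESIRED).items():
        for sz, dz, svc in hits:
            print(f"VIOLATION {name}: {sz} -> {dz} ({svc})")
    # Pre-deployment check of a proposed change (constructed): reporting server
    # in the user network wanting direct access to the cardholder database.
    proposed = Rule("new-reporting", "10.10.20.0/24", "10.60.1.0/24", "tcp/1433", "permit")
    print("proposed change violations:", check_rule(proposed, ZONES, DESIRED))
```

Two design points matter here. First, a rule is resolved to zones by address overlap, not exact match, so a broad "any" source fans out to every zone and gets judged pair by pair; this is what catches the "temporary" wide-open rule. Second, the same `check_rule` serves both the periodic audit and the pre-deployment check of a proposed rule, which is the continuous-governance loop the text calls for.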
There is a fine balance between segmenting enough and over-segmenting, but automation helps ensure that, however complex your network, changes can be made more accurately, which improves risk management and business continuity while keeping the network compliant with regulations.
To help organizations address all of these challenges, and to reduce the manual time and labor currently spent (poorly) keeping up with network segmentation, we at Tufin added new functionality to the latest version of our Orchestration Suite. Having already simplified the network segmentation process by delivering visual zone-to-zone mapping, version R14-2 now automates network segmentation management within our SecureChange offering and provides central violation and exception management. This reduces the risk of policy violations going unnoticed, or simply unaddressed, because of resource constraints. Since the reality of business is that policy exceptions are often required, managing them centrally lets you track why each exception exists, who approved it, and the firewall rule and ticket ID that correspond to it. Moreover, when an exception expires, recertifying it is simple and never goes unnoticed, which minimizes unnecessary network exposure.
The result is comprehensive auditability and reduced network exposure, delivering much-needed automation for maintaining an organization's desired segmentation amid an increasingly complex and constant stream of network changes. We are enabling our customers to automate network segmentation-related policy changes in a controlled fashion, while maintaining the agility and confidence that have become synonymous with the Tufin Orchestration Suite.