Data centre hacking
In the last three years we have seen the focus of attackers shift wholesale from exploiting individual consumer devices to enterprise data centres. Whether on premises, in the cloud or, more likely, in a mixed hybrid-cloud environment, hackers are shifting to data centre based attacks for two reasons.
First, data centre hacking presents a bigger pot of money. Data centres are goldmines when it comes to revenue generating capabilities. Why attack a single browser of an individual to steal his/her account information when you can harvest perhaps tens of millions of accounts and personally identifiable information?
Furthermore, the resale of industrial and business secrets makes data centre information volumes additionally appealing. Also, data centres offer great computing power and Internet bandwidth. This offers attackers several additional revenue generating opportunities using hijacked enterprise resources.
The cybercriminal black market on the darknet offers the use of DDoS-as-a-service, and RAT-as-a-service giving attackers access to hijacked compute infrastructure, to inject malware or to achieve remote access for resale. These are also popular solutions for attackers looking to obfuscate or mis-attribute an attack’s origin by using the hijacked compute power.
Here at Guardicore, we’ve also seen attackers pursue additional revenue making opportunities by utilising Monero crypto coin mining or out and out ransomware.
Second, analysing attacks over the last three years, we’ve found the shift to attacking data centres is not just because targets offer dramatically better money making opportunities. It’s also because data centres tend to be surprisingly easy targets. In fact data centre security is often full of holes. Data centres repeatedly fall prey to attacks that could have been easily prevented.
Better protection — the need for segmentation
Basic security hygiene improvements such as better vulnerability/patch management are essential. Use of strong password enforcement married with two factor authentication, better account management and merely adding security checks into existing heavily utilised DevOps scripting would certainly do much to raise the security posture and make things much more difficult for attackers.
But the biggest problem is a lack of segmentation. Segmentation comes in many forms and is used to isolate assets, servers, network segments and applications for security purposes.
Many organisations fail to segment because their enterprise administrators simply lack access to the necessary tools. This is exposing data centres to a significant risk of attack. This risk is growing rapidly too. For example, IoT and virtual desktop infrastructure (VDI) initiatives have added devices and users into data centres creating additional risk when (as is often the case) they have not been segmented or isolated off. And data centres, by becoming increasingly open to including business partners, distributors, customers, contractors and vendors, are at the same time increasingly vulnerable to those third parties (the supply chain) introducing their own security risks.
One can look at several recent examples of “cross-contamination,” where attackers breached an enterprise by targeting a weaker, easier to exploit third party, by compromising a VDI user or by taking advantage of an IoT device.
Beyond the risk of attack, segmentation is also often required for industry regulatory compliance such as GDPR, SWIFT and PCI, so there’s really no excuse. Facing potential regulatory penalties, enterprises need to take appropriate measures to be compliant, isolating particular workloads, assets and applications. Finally, data centres have their fair share of legacy end-of-life operating systems and platforms that are essential to the success of the business and must be well protected.
Out with traditional segmentation
When deciding to segment, it’s important to realise that methods have evolved significantly in the last four years. Traditional methods don’t cope well with the dynamics of the modern cloud-based data centre. Take firewalls, VLANs and routing ACLs on the premises side and Security Groups in the cloud. These are network based, statically assigned and often platform specific. These techniques worked well in on-premises environments where changes weren’t frequent, and in early cloud environments when enterprise investment was still in the initial experimental phases.
But these traditional techniques are manual techniques. They require a great deal of effort to manage moves, adds, changes and deletes, and they fail because modern data centres are fluid, dynamic and autoscaling. They also fail because modern data centres lack the clear perimeters through which older techniques would ferry traffic to next generation firewalls.
The use of DevOps scripting and playbooks to spin up, provision and manage workloads dynamically and automatically provides businesses with tangible competitive advantages through accelerated delivery of business objectives. In a traditional segmentation environment, however, every such change would require multiple manual segmentation techniques to deploy and would introduce great latency. Making the VLAN and IP address changes alone would take months, even for an enterprise with only a thousand servers.
Firewalls are no longer as helpful because they are not in the middle of most of the data centre traffic. Even with virtualised data centres, any attempt to funnel traffic through firewalls leads to bottlenecks and latency. Furthermore, you still have the issues of manual moves, adds, changes and deletes. Finally, such traditional techniques only focus on the machine and port level; they do not provide protection at the application process level. This means any process, including a malicious one, can easily bypass port-based rules, thereby exposing applications to threats that have successfully breached the perimeter.
In with modern segmentation
Based on software defined segmentation that follows workflows, modern techniques work seamlessly across all platforms and are designed for today’s dynamic, automated and scripted DevOps world. Modern methods provide segmentation to easily secure the data centre, without moves, adds, changes and deletes having to be handled manually.
Addressing key portions of the People, Workloads and Network elements of the security model, modern segmentation is arguably the optimal choice. Of equal importance, with the right tools and a little thoughtful planning, modern segmentation can today be implemented quickly in ways that allow easy management and maintenance. In fact, recent testing has demonstrated that modern segmentation can be deployed 30 times or so faster than traditional firewall implementations. Those time savings and efficiencies translate to significantly lower costs over the deployment lifecycle.
Get it right
Modern segmentation overcomes the inherent inefficiencies of traditional segmentation techniques and, perhaps more importantly, results in stronger security for enterprise environments. Furthermore it takes the concept of network segmentation down to a very granular, process-to-process level. It entails the creation of security policies around individual or logically grouped applications, regardless of where they reside in the hybrid data centre. These policies dictate which applications can and cannot communicate with each other — true zero trust at the application level.
Modern segmentation methods also make it possible to apply policies in a dynamic fashion, so that as new workloads are spun up or down, or even moved, they are attributed to the correct policy automatically. This saves considerable resources by eliminating the need for manual moves, adds, changes and deletes.
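To make the process-level, label-driven policy model concrete, here is a small added illustration (not Guardicore code) of a default-deny policy engine: rules select workloads by label and by process name rather than by address, so a newly autoscaled workload with the same labels is covered without any rule change, while an unexpected process on an allowed port is still blocked. The application, tiers, labels and process names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


def labels(**kv: str) -> FrozenSet[Tuple[str, str]]:
    return frozenset(kv.items())


@dataclass(frozen=True)
class Workload:
    name: str
    labels: FrozenSet[Tuple[str, str]]


@dataclass(frozen=True)
class Rule:
    """Allow rule keyed on labels and process names, never on IP addresses."""
    src: Dict[str, str]                 # label selector for the source workload
    dst: Dict[str, str]                 # label selector for the destination
    port: int
    src_process: Optional[str] = None   # None matches any process
    dst_process: Optional[str] = None


def selects(selector: Dict[str, str], wl: Workload) -> bool:
    # A workload matches when it carries every label the selector asks for.
    return all((k, v) in wl.labels for k, v in selector.items())


def flow_allowed(rules: List[Rule], src: Workload, src_proc: str,
                 dst: Workload, dst_proc: str, port: int) -> bool:
    """Zero trust default deny: a flow passes only if one rule matches every attribute."""
    return any(
        r.port == port and selects(r.src, src) and selects(r.dst, dst)
        and r.src_process in (None, src_proc)
        and r.dst_process in (None, dst_proc)
        for r in rules)


# Constructed three-tier application running in production.
PROD = {"app": "shop", "env": "prod"}
RULES = [
    Rule({**PROD, "tier": "web"}, {**PROD, "tier": "app"}, 8080, "nginx", "java"),
    Rule({**PROD, "tier": "app"}, {**PROD, "tier": "db"}, 5432, "java", "postgres"),
]
WEB1 = Workload("web1", labels(app="shop", env="prod", tier="web"))
APP1 = Workload("app1", labels(app="shop", env="prod", tier="app"))
DB1 = Workload("db1", labels(app="shop", env="prod", tier="db"))
# Workload autoscaled later: same labels, so it inherits the policy unchanged.
APP2 = Workload("app2", labels(app="shop", env="prod", tier="app"))

if __name__ == "__main__":
    print(flow_allowed(RULES, WEB1, "nginx", APP1, "java", 8080))    # True
    print(flow_allowed(RULES, WEB1, "curl", APP1, "java", 8080))     # False: wrong process
    print(flow_allowed(RULES, APP2, "java", DB1, "postgres", 5432))  # True: new workload
```

A port-only rule would have passed the `curl` flow above; the process attribute is what closes that gap.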
The key to implementing modern segmentation is to begin the process with a graphical visualisation of all assets in the environment, whether bare metal, virtual machines or containers, and the dependencies between them. This deep visibility dramatically accelerates the process of identifying, grouping and creating security policies around the tiers of the applications.
By using modern segmentation enterprise administrators can provide security and enforcement at the application and process level, containing threats and alerting operators to their presence.
In this way, modern segmentation is the most effective solution for reducing a company’s attack surface and risk profile. Above all, using modern segmentation methods to build a stronger security posture means reduced risks and liabilities without sacrificing speed of innovation.