Segmentation eBook
Segment Your Network for Stronger Security
Protecting Critical Assets with Cisco Security
    © 2018 Cisco and/or its affiliates. All rights reserved.
The threat landscape continues to evolve

We know that perimeter defenses, however necessary, cannot do it all. Attackers will get into your network, and oftentimes, they will bypass the perimeter altogether.

ZK Research estimates that 80% of breaches originate inside the network, not through the perimeter. According to Cisco principal engineer TK Keanini, “Threat actors are not breaking in anymore. They are simply logging in.”

So what can we do about it?

One essential way to protect your network from intruders is through network segmentation. In fact, several of the most high-profile data breaches in recent years could have been prevented this way.
Network Segmentation can secure critical assets, but it has its shortcomings…

Segmentation involves the partitioning of your network into various zones. You restrict access for each zone to only those users, applications, and devices that require it to run the business. That way, if attackers slip into the network undetected, they will be able to access only a small portion of your data and assets, instead of gaining the keys to your entire kingdom.

“Network segmentation has been around for a long time, but many organizations have forgone implementing it because traditional methods have some key shortcomings,” said Keanini. “The main challenge of conventional network segmentation is that it is impractical to implement and maintain in large corporate environments.”

Due to such shortcomings, VeraQuest Research found that only one in four companies employ an end-to-end segmentation strategy.

Networks continue to modernize, digitize, and expand. How can we properly segment them to keep them secure without unnecessary cost and complexity? The answer lies in software-defined segmentation, an important element of an intent-based network.
Software-defined segmentation changes the game

Traditionally, network segmentation has been done through firewalls, virtual LANs (VLANs), and extensive access control lists (ACLs). But according to Keanini, “In networks with thousands of users and multiple environments, such as the cloud and specialized IoT networks, this quickly becomes nearly impossible to manage.”

Segmentation policies become outdated as users and assets are added to a network. To protect themselves effectively, organizations need to constantly adjust segmentation policies as the network evolves.

Software-defined segmentation enforces policies based on user, application, or device instead of IP address. You can centrally manage policies across the network, so segmentation is more effective and can more easily adapt to changes in network topology. You can implement and alter segmentation policies without reconfiguring network devices, amounting to massive operational improvements.
Our solutions deliver greater visibility and streamlined segmentation for better security

Cisco offers solutions that embrace your existing network infrastructure to deliver better, more streamlined segmentation and security. With Cisco Software-Defined Access (SD-Access) customers get a Network Visibility and Segmentation solution that simplifies the delivery of highly secure, identity-based policy for users and devices across wired and wireless networks. The Network Visibility and Segmentation solution consists of four main offerings: Cisco TrustSec® technology, Cisco IOS® NetFlow, Cisco® Stealthwatch, and the Cisco Identity Services Engine (ISE). It is complemented by Cisco Software-Defined Access.

Cisco TrustSec technology

Embedded in more than 40 Cisco product families and third-party offerings, Cisco TrustSec software-defined segmentation provides a role-based approach to policy enforcement. It does this by defining roles through security groups. Traffic from a set of network endpoints, users, or servers is assigned a security group tag (SGT) for enforcement. You don’t have to whitelist IP addresses manually across every switch.

A study by Forrester Consulting found that with Cisco TrustSec technology, customers can experience an 80 percent reduction in operational costs and a 98 percent reduction in time to implement policy changes.

Cisco IOS NetFlow

Cisco IOS NetFlow was created by Cisco to track network conversations. It delivers valuable details including the source, destination, timing, and protocol. It can tell who is talking to whom, with which device, from where, and for how long. It can also measure how much data is exchanged. NetFlow is embedded in Cisco routers, switches, and other networking devices. It simply has to be turned on to begin delivering network insight.

“With TrustSec, you have no bandwidth restrictions versus the firewall approach. So we have less investment risk with TrustSec. And from an operational cost point of view, TrustSec is quite inexpensive.”
Cisco customer interviewed by Forrester Consulting
76% of IT professionals say visibility is their biggest security challenge, according to the Ponemon Institute.

Cisco Stealthwatch

Once NetFlow is turned on, the data needs to be collected and analyzed so security teams can easily digest and understand it. The Cisco Stealthwatch solution collects and analyzes large amounts of NetFlow data to provide a comprehensive picture of network activity.

To create segmentation policies that do not impede security or hinder business productivity, you need to know exactly which users and devices are on your network, and what each of them is doing. The visibility provided by Stealthwatch is critical for building and testing segmentation policies, and monitoring their efficacy once in place.

“The guest network should never talk to internal services – like budgetary and personnel systems… Stealthwatch can tell us if this happens.”
Passaic County Technical Institute
Cisco Identity Services Engine (ISE)

Cisco ISE is a secure access control platform used by more than 17,000 organizations to help ensure that only authorized users and devices can access their network infrastructure. Providing secure access requires insight into user and device details. ISE gathers this information to deliver valuable context that can be shared with other network and security solutions. ISE also serves as the controller for defining and enforcing segmentation policies through technologies like Cisco TrustSec software-defined segmentation.

“The Cisco solution gives us a precise way, from the wireless access point or the switch, to identify who is trying to access what. It allows us to place users in the right category and have the right policy to match information security demands.”
Mondi Group International
Cisco Software-Defined Access

Cisco Software-Defined Access (SD-Access) complements the Cisco Network Visibility and Segmentation solution by allowing customers the ability to provide network access in minutes for any user or device to any application, without compromising security. SD-Access simplifies the delivery of consistent, highly secure, identity-based policy for users and devices across wired and wireless networks and segments IoT from user devices, providing additional security. The SD-Access solution is built on the Cisco Digital Network Architecture (DNA) Center, and integrates Cisco ISE, Cisco Catalyst switches, Cisco Aironet access points, and routers. It enables faster deployments of new business services and significantly improves issue resolution time.

“SD-Access is transformational in how our IT can securely and remotely provision cruise ships around the world.”
Royal Caribbean Cruises
How do these technologies work together?

Here’s how these technologies work together to provide effective network segmentation:

Organizations get in-depth network visibility from NetFlow and Stealthwatch, which is enhanced by user and device context from Cisco ISE. This combination is known as the Cisco Network as a Sensor solution. It plays a key role in helping organizations develop accurate segmentation policies.

Cisco ISE uses TrustSec technology to define and enforce network segmentation policy, allowing or denying access to specific users, devices, applications, or whole areas of the network.

Hosts are segmented according to Cisco TrustSec SGTs.

Cisco Stealthwatch continues to monitor network and user behaviors. It alerts administrators if segmentation policies are violated so that they can be quickly reconfigured. When Stealthwatch identifies a security event that requires investigation or remediation, it can also notify Cisco ISE to change the device or user policy to contain the threat.
Professional Services

If you wish to simplify segmentation even further, Cisco also offers a service that can automatically segment the network on your behalf. This service builds segments based on Stealthwatch flow traffic analysis. It gets additional context from Cisco ISE, customer IP address management systems, and/or customer domain controllers. The service can then develop segmentation enforcement policies or build Stealthwatch host groups to segment assets based on various criteria.

Contact Stealthwatch-CustomerSuccess@cisco.com for more information on this option.

A practical process for segmentation

Cisco’s Keanini recommends the following process for implementing network segmentation:

Model: Model your digital business. Try different segmentation policies and see the results without disrupting operations.

Implement and enforce: Use the power of Cisco ISE, TrustSec, and SD-Access technology to enact the segmentation models that fit your organization.

Monitor: Use Stealthwatch to detect any network behavior that violates your segmentation policies either by mistake or with malicious intent.
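The Model and Monitor steps, like the NetFlow-plus-SGT flow described earlier, both come down to checking observed conversations against a group-based policy. The following added example (mine, not Cisco's or the eBook's) does that offline in Python: it maps NetFlow-style records to hypothetical security group tags and reports which conversations a candidate policy would deny, which is the same check whether you are modelling a policy before enforcement or monitoring for violations after it. Group names, tag values, subnets, the policy matrix and the flow records are all constructed assumptions.

```python
"""Added example (not Cisco code): evaluate constructed NetFlow-style
records against an SGT-based segmentation policy and list violations.

All group names, tag numbers, subnets, policy entries and flow records
below are made-up assumptions for illustration only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Security groups: name -> (hypothetical SGT value, subnets mapped to it).
# "Internet" is the catch-all for anything outside the internal ranges.
SECURITY_GROUPS = {
    "Guest":    (10, [ip_network("10.10.0.0/16")]),
    "Employee": (20, [ip_network("10.20.0.0/16")]),
    "Finance":  (30, [ip_network("10.30.0.0/24")]),
    "HR":       (31, [ip_network("10.30.1.0/24")]),
    "Internet": (0,  []),
}

# Policy matrix keyed by (source SGT, destination SGT). Anything not
# listed is denied, so a guest host can never reach Finance or HR.
PERMIT = {
    (10, 0):  True,   # Guest -> Internet
    (20, 0):  True,   # Employee -> Internet
    (20, 30): True,   # Employee -> Finance
    (20, 31): True,   # Employee -> HR
    (30, 31): True,   # Finance -> HR
}

@dataclass(frozen=True)
class Flow:
    """One NetFlow-like record: who talked to whom, on what, how much."""
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int

def sgt_for(ip: str) -> int:
    """Map an address to its (hypothetical) SGT; unknown ranges are Internet."""
    addr = ip_address(ip)
    for name, (tag, nets) in SECURITY_GROUPS.items():
        if any(addr in net for net in nets):
            return tag
    return SECURITY_GROUPS["Internet"][0]

def find_violations(flows):
    """Return (flow, src_sgt, dst_sgt) for every flow the policy denies.
    Records are assumed to be in the initiating direction; NetFlow is
    unidirectional, so replies need pairing before this check in practice."""
    return [(f, sgt_for(f.src), sgt_for(f.dst)) for f in flows
            if not PERMIT.get((sgt_for(f.src), sgt_for(f.dst)), False)]

def summarize(violations):
    """Count denied flows per (src SGT, dst SGT) pair for policy review."""
    counts = {}
    for _, s, d in violations:
        counts[(s, d)] = counts.get((s, d), 0) + 1
    return counts

# Constructed sample records (not real traffic; 203.0.113.0/24 is TEST-NET-3).
SAMPLE_FLOWS = [
    Flow("10.10.5.7",   "203.0.113.5", 443,  "tcp", 12000),  # guest web browsing
    Flow("10.20.1.15",  "10.30.0.9",   445,  "tcp", 80000),  # employee -> finance share
    Flow("10.10.5.7",   "10.30.1.4",   22,   "tcp", 3400),   # guest -> HR server
    Flow("10.30.1.4",   "10.30.0.9",   3389, "tcp", 900),    # HR -> finance RDP
]

if __name__ == "__main__":
    for f, s, d in find_violations(SAMPLE_FLOWS):
        print(f"VIOLATION sgt {s}->{d}: {f.src} -> {f.dst}:{f.dport}/{f.proto}"
              f" ({f.nbytes} bytes)")
```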
Simplicity leads to improved security

Cisco’s network segmentation solutions bring many benefits to an enterprise. With these solutions, you can:

Restrict the lateral movement of attackers across the network, thwarting a wide range of attacks such as malware and insider threats.

Streamline network and security operations, resulting in a dramatic savings of time, cost, and resources.

Better comply with industry and government regulations by walling off sensitive parts of the network from the rest of your environment.

More easily digitize and expand your network infrastructure through cloud, personal device onboarding, and the Internet of Things (IoT).
Prestigious hospital, outdated network

A large national hospital system was lagging far behind on security. It had a flat network without segmentation. Doctors, staff, students, and medical equipment all shared the same network, multiplying the attack surface and exposing the hospital to threats. The hospital system transformed its environment with Cisco. Now, even if attackers get in, their access is limited to one network segment.

Children’s Hospital Los Angeles and Cisco DNA

See how Cisco DNA and SD-Access help Children’s Hospital Los Angeles securely connect and manage thousands of network devices and deliver excellent patient care.
Additional Resources
Software-Defined Segmentation (video - 3:04 min.)
Software-Defined Access Solution Overview
Software-Defined Access Getting Started Guide
Cisco TrustSec Technology for Network Segmentation (blog)
For more information, visit https://www.cisco.com/go/stealthwatch
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) 07/18