Secure Beyond Breach
Mapped Out: Application Dependency Maps and the Path to Security
In this chapter:
- Why you need a real-time map for successful micro-segmentation
- The stages of application dependency mapping
- Typical outcomes of successful application dependency mapping
Everybody wants a more secure enterprise, and enterprise customers want their suppliers to be secure too. The previous chapter walked us through all the steps of implementation and how to achieve early wins. The next two chapters will drill down on two fundamental parts of a successful micro-segmentation strategy: first, the benefits of developing a mature, visual map of your applications; second, the policy decision process.
Why is it so important to have a visual representation of your application map, and to be able to see it live and in real time? Imagine that you are in charge of securing a city during a prime minister’s visit from a foreign state. The first step in that process is to understand where the prime minister will stay and where he or she will visit. For this purpose you would need a map of the city, right? You cannot secure the city if you do not understand its layout.
Your applications are no different than this fictional city. You need to understand how applications and data interact across the enterprise. For most organizations, it is impossible to develop a consensus view on how applications and systems interact because they lack a comprehensive picture of the environment.
Without a map, teams see only their own neighborhood. The security team has its own understanding, the application team has a different view, and the network team works from a completely different data set. When everyone sees part of the terrain, no one has a comprehensive view of the landscape and the organization cannot make informed, timely decisions on how to secure assets. Organizations need an application dependency map to understand their environments and then must use that map to invest in security solutions to protect the crown jewels within the system and maintain command and control of the network at a segmented level.
Imagine a submarine without compartments and another one with compartments that prevent a hull breach from sinking the ship.
The image of the compartmented submarine is a map itself: without a map you cannot see the ship in any detail, and without granular insight or control you cannot close off parts of the hull in the event of a breach. Without a map or detailed control, your only choice is to take large-scale actions to protect significant portions of the data center; targeted assessments or tailored security changes are nearly impossible.
In short, the map will set you free.
From the Darkness to the Light
What does a world look like without an application dependency map? It’s like you’re wandering around in a dark and unknown land with a flickering light. This is what everyday life is like for most organizations as they face off against adversaries inside their networks.
There is a clear tension between what organizations want to achieve from a security standpoint and what they are able to achieve given their current information technology stack. To get out of the dark, organizations can make a modicum of investment to map their way into clarity and security.
What are some of the tangible problems organizations face?
Most organizations struggle to quickly identify traffic that crosses environments (such as a development workload talking to a production workload), tie it to a specific application, and present the information in a coherent fashion without weeks of manual work. Yet that information is critical to informed cybersecurity decision-making.
In the modern enterprise, systems are deployed in physical or cloud locations, and the traffic between locations is almost always handled by the network team and hardware firewalls, with coarse-grained rules that apply to hundreds or thousands of systems. Almost all locations are further divided into environments like production, staging, and development. These divisions create silos that degrade clear, scalable security operations, and in many cases they exist only as product-development concepts, with no clear network delineation between them.
The situation grows more complex when we look within an environment to identify traffic to and from a single application and show inter-application traffic. This is like being inside a cave without a map or a spelunking helmet. A security team would want to know even about traffic that never leaves a single server. Teams across the organization would like to know about the scope and reach of core services.
But even with core services, there are a range of unanswered questions. Does anyone know that some development systems connect to production systems? Do connections exist to Active Directory domain controllers or critical applications? Often dialtone services in the data center, including DNS, backup, and domain services, extend far beyond their believed borders and no one can see it all.
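To make these questions concrete, the following is an added example, not code from the book or from any product it describes. It builds a small application dependency map from constructed flow records: each workload carries hypothetical labels (application, environment, role), and each flow is a (source, destination, port) observation of the kind a flow log or firewall log provides. From that, it answers the three questions above: which flows cross environments (development talking to production), how far a dialtone service such as DNS actually reaches, and which flows into a crown-jewel database come from somewhere other than the application's own web tier. All hostnames, applications and ports are constructed for illustration.

```python
"""Build an application dependency map from flow records (constructed data)."""
from collections import defaultdict

# Hypothetical workload inventory: hostname -> labels. Not a real environment.
WORKLOADS = {
    "web-prod-1":  {"app": "OrderPortal",     "env": "production",  "role": "web"},
    "db-prod-1":   {"app": "OrderPortal",     "env": "production",  "role": "database"},
    "web-dev-1":   {"app": "OrderPortal",     "env": "development", "role": "web"},
    "db-dev-1":    {"app": "OrderPortal",     "env": "development", "role": "database"},
    "dns-1":       {"app": "CoreDNS",         "env": "production",  "role": "dns"},
    "dc-1":        {"app": "ActiveDirectory", "env": "production",  "role": "domain"},
    "cam-lobby-1": {"app": "IPCameras",       "env": "production",  "role": "camera"},
}

# Constructed flow observations: (source host, destination host, destination port).
FLOWS = [
    ("web-prod-1", "db-prod-1", 5432),
    ("web-dev-1", "db-dev-1", 5432),
    ("web-dev-1", "db-prod-1", 5432),    # a development workload talking to production
    ("web-prod-1", "dns-1", 53),
    ("web-dev-1", "dns-1", 53),
    ("cam-lobby-1", "dns-1", 53),
    ("web-prod-1", "dc-1", 389),
    ("cam-lobby-1", "db-prod-1", 5432),  # an IP camera reaching a core database
]


def build_dependency_map(flows, workloads):
    """Collapse host-level flows into application-level edges.
    Returns {(source_app, destination_app): set of destination ports}."""
    edges = defaultdict(set)
    for src, dst, port in flows:
        edges[(workloads[src]["app"], workloads[dst]["app"])].add(port)
    return dict(edges)


def cross_environment_flows(flows, workloads):
    """Flows whose source and destination carry different environment labels."""
    return [(src, dst, port) for src, dst, port in flows
            if workloads[src]["env"] != workloads[dst]["env"]]


def service_reach(flows, workloads, service_app):
    """Which (application, environment) pairs consume a shared service.
    Shows how far a dialtone service such as DNS really extends."""
    consumers = set()
    for src, dst, _port in flows:
        if workloads[dst]["app"] == service_app:
            consumers.add((workloads[src]["app"], workloads[src]["env"]))
    return sorted(consumers)


def unexpected_crown_jewel_access(flows, workloads, crown_jewel_hosts, allowed_source_roles):
    """Flows into crown-jewel hosts that do not come from the same application
    and environment, or come from a role that is not on the allow list."""
    findings = []
    for src, dst, port in flows:
        if dst not in crown_jewel_hosts:
            continue
        s, d = workloads[src], workloads[dst]
        same_app_and_env = s["app"] == d["app"] and s["env"] == d["env"]
        if not (same_app_and_env and s["role"] in allowed_source_roles):
            findings.append((src, dst, port))
    return findings


if __name__ == "__main__":
    for edge, ports in sorted(build_dependency_map(FLOWS, WORKLOADS).items()):
        print(f"{edge[0]} -> {edge[1]} on ports {sorted(ports)}")
    print("cross-environment:", cross_environment_flows(FLOWS, WORKLOADS))
    print("CoreDNS reach:", service_reach(FLOWS, WORKLOADS, "CoreDNS"))
    print("crown-jewel findings:",
          unexpected_crown_jewel_access(FLOWS, WORKLOADS, {"db-prod-1"}, {"web"}))
```

The point of the example is that the same flow records answer all three questions once workloads carry labels: the application-level map (which applications talk to which, on which ports) is the starting picture, the cross-environment list surfaces the development-to-production path, the service-reach list shows DNS serving the camera network as well as both OrderPortal environments, and the crown-jewel check flags both the camera and the development web server reaching the production database. Host-level flows without labels cannot produce any of these answers.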
Life without a map is dark indeed.
Without a map, the risk of breach increases because teams are unaware of the many paths to move between applications and often don’t realize where protection is needed. Consider that many organizations keep their primary systems in a data center that also houses transaction systems such as IP security cameras, point-of-sale terminals, and other customer-facing technology exposed to the open internet by virtue of its function. Some of the most infamous hacks of the last decade followed this exact pattern.
No one wants an IP camera to connect to a core database or another critical system, but often they are connected and no one knows because they live without a map.
Most (but not all) organizations have a sense of their crown jewels – those applications and workloads that define the business and without which they cannot operate. Generally, these applications and systems are inspected by audit and compliance teams, and those teams want to know that critical systems are segmented from the rest of the data center population (as discussed in chapter 4). As with a treasure map, the security teams know the crown jewels are there but often cannot see the path or understand the environment within or around them. Critical applications connect and send data to many other systems scattered throughout the enterprise – and a hundred workloads can have thousands of interactions between them.
It is impossible to secure the crown jewels without an effective micro-segmentation strategy, and the first step is to build an application dependency map. If no map exists for the most important data center services and applications, it will be impossible to tighten security across the data center in the event of a breach. But with a map and the controls that a map affords, security teams can understand their terrain and have a better chance of controlling and preventing adversaries from gaining access to an organization’s crown jewels once they have breached the perimeter.