Black Core Rising: Microsegmentation in the Software-Defined Perimeter, commissioned by Unisys® and produced by Aite Group, demystifies what the software-defined perimeter (SDP) is, how it’s implemented, and, specifically, how Unisys Stealth® applies software-defined microsegmentation and cloaking to prevent post-exploitation pivoting in a breach.
Key takeaways from the study include the following:
- With so many breaches over the past two decades, we aren’t short of empirical data regarding the importance of organizations moving away from flat networks. Organizations must implement segmentation and microsegmentation to limit the dwell time and pivoting potential of an adversary in a breach. SDP gives organizations a more efficient and effective way of implementing microsegmentation using software.
- Segmentation and microsegmentation are different concepts. Segmentation is taking a flat network where all hosts are reachable from the other hosts on the network and breaking it into smaller subnetworks (subnets). Traffic filtering is implemented using VLAN access control lists (VACLs) or firewall rules to prevent hosts in one subnet from reaching every port and protocol to hosts in other subnets. The VACLs or firewall rules determine which subnets can talk to which other subnets. Microsegmentation brings that traffic control down even further to hosts within the same subnet. VACLs and firewall rules can take action only on traffic between subnets, not on hosts within the same subnet.
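The following is an added illustration, not part of the report or of any Unisys product: a small Python policy model contrasting the two concepts just described. Subnet-level rules (the VACL or firewall model) only see traffic that crosses a subnet boundary, so a flow between two hosts in the same subnet passes unfiltered; a host-level microsegmentation allow-list evaluates every flow, including intra-subnet ones, with default deny. The subnets, addresses, ports and rules are constructed for the example.

```python
"""Toy policy evaluator contrasting subnet segmentation with host-level
microsegmentation. Constructed example: the addresses, subnets and rules
below are invented for illustration and do not come from the report."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology: a workstation subnet and a server subnet.
SUBNETS = {
    "workstations": ip_network("10.1.0.0/24"),
    "servers": ip_network("10.2.0.0/24"),
}


def subnet_of(ip: str):
    """Return the name of the subnet containing ip, or None if unknown."""
    addr = ip_address(ip)
    for name, net in SUBNETS.items():
        if addr in net:
            return name
    return None


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


# Segmentation policy: inter-subnet rules (src_subnet, dst_subnet, port),
# the shape a VACL or firewall rule set takes. Default deny between subnets.
SEGMENTATION_RULES = {("workstations", "servers", 443)}


def segmentation_allows(flow: Flow) -> bool:
    """Subnet-level filtering. Traffic that never crosses a subnet boundary
    is never evaluated by the inter-subnet rules, so it passes."""
    src_net, dst_net = subnet_of(flow.src), subnet_of(flow.dst)
    if src_net is None or dst_net is None:
        return False
    if src_net == dst_net:
        return True  # blind spot: intra-subnet traffic is unfiltered
    return (src_net, dst_net, flow.port) in SEGMENTATION_RULES


# Microsegmentation policy: per-host allow-list of (dst_host, port).
# Default deny, including between hosts that share a subnet.
MICROSEG_RULES = {
    "10.1.0.20": {("10.2.0.10", 443)},   # workstation -> app server (HTTPS)
    "10.2.0.10": {("10.2.0.11", 5432)},  # app server -> database
}


def microseg_allows(flow: Flow) -> bool:
    """Host-level filtering: every flow must match an explicit allow entry."""
    return (flow.dst, flow.port) in MICROSEG_RULES.get(flow.src, set())


# Constructed flows originating from a workstation (10.1.0.20) that an
# intrusion has reached, plus one legitimate server-to-server flow.
SAMPLE_FLOWS = [
    Flow("10.1.0.20", "10.2.0.10", 443),   # sanctioned app access
    Flow("10.1.0.20", "10.1.0.30", 445),   # SMB to a peer workstation
    Flow("10.1.0.20", "10.2.0.11", 5432),  # direct attempt on the database
    Flow("10.2.0.10", "10.2.0.11", 5432),  # app server's own DB access
]


def evaluate(flows=SAMPLE_FLOWS):
    """Return {flow: (segmentation_verdict, microsegmentation_verdict)}."""
    return {f: (segmentation_allows(f), microseg_allows(f)) for f in flows}


def pivot_paths(flows=SAMPLE_FLOWS):
    """Flows that subnet segmentation permits but microsegmentation denies:
    exactly the lateral-movement paths the finer policy closes."""
    return [f for f, (seg, micro) in evaluate(flows).items()
            if seg and not micro]


if __name__ == "__main__":
    for f, (seg, micro) in evaluate().items():
        print(f"{f.src} -> {f.dst}:{f.port}  "
              f"segmentation={'allow' if seg else 'deny'}  "
              f"microsegmentation={'allow' if micro else 'deny'}")
```

Running the block shows that the peer-to-peer SMB flow inside the workstation subnet is the only one the subnet rules allow and the host allow-list denies, which is the gap the report's point about dwell time and pivoting refers to. Changing `SEGMENTATION_RULES` does not affect that flow at all, because no inter-subnet rule is ever consulted for it.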
- An SDP is often conflated with the concept of software-defined networking (SDN); the two are different but not mutually exclusive. SDN decouples network management (the control plane) from the flow of traffic (the data plane) in switches and routers, enabling network administrators to build more intelligent, programmable networks from a central pane of glass. Before SDN, these functions were performed by a hardware controller that managed the network together with the routers and switches, combining hardware devices with software. By virtualizing the network, networks can be spun up and torn down and can grow and shrink dynamically as needed, and they can be purpose-built or optimized for the needs of specific protocols, such as H.323. SDN is now extending outside the data center: companies are using it to create SDNs in the wide-area network between physical locations (SD-WAN), aggregating the different types of network connections. Because the two are not mutually exclusive, they can coexist, and companies are even applying SDP to SDN, microsegmenting the different SD-WAN connections to prevent pivoting between them. In SDN, what were previously expensive hardware-based appliances are being replaced by software running on commodity hardware (network function virtualization). In this new hybrid and multicloud world, organizations are using SDN to connect physical locations to their cloud service providers, with microsegmentation applied to those connections. In essence, SDN brings the concept of virtualization to networking.
- Organizations looking to implement a zero-trust (ZT) architecture in their environment should implement SDP and consider Unisys Stealth® as the technology to apply it. A Stealth™-aware network would severely limit an attacker’s ability to pivot within the network, footprint the network, reach high-value targets, harvest credentials, and perform man-in-the-middle attacks. Stealth™ effectively constrains traffic onto a single system, limiting the ability to move laterally around the network in order to harvest data and compromise other accounts.