
Microsegmentation Solution
Unlike existing solutions that are based on virtualized and/or host-based firewalls, FireEye Cloudvisory leverages the Cloud Provider’s existing cloud-native security controls to enforce workload microsegmentation. By using cloud-native APIs for infrastructure and data flow discovery, Cloudvisory accelerates deployments, eliminates misconfigurations and minimizes the overhead associated with managing least-privilege policies at scale.
Microsegmentation Benefits
Cloudvisory provides intuitive and scalable microsegmentation solutions, empowering organizations of any size to achieve microsegmentation, for all cloud workloads, by default.

Leverage cloud-native security controls

Allowlist allowed traffic

Minimize the attack surface

Prevent (insider) threats from spreading

Automatically learn desired-state policies

Prevent configuration drift

Detect anomalous and/or malicious behavior

Respond to undesirable and/or unauthorized changes

Implement a “zero trust” model for users and applications
“Micro‑segment by default. As a best practice, all security policies should be applied based on tags and memberships.”
- Gartner
Microsegmentation Solutions
Contextual Microsegmentation
Cloudvisory enforces microsegmentation rules by comparing policy intent against workload context (e.g. tags, region, provider, provider account, group membership, etc.), dynamically orchestrating policy updates in response to environmental changes.
Golden-State Microsegmentation
Cloudvisory enforces microsegmentation rules based on static policies for IP addresses, providing recommendations for policy updates by leveraging Machine Learning correlations between actual network flows and current network policies.
Choose a single approach – or mix-and-match both solutions – to tailor the implementation of microsegmentation policies to meet the needs of distinct Business Units and/or Organizations.
Contextual Microsegmentation
Cloudvisory enables a Contextual approach to Microsegmentation to stop cyber-attacks in public- and private-cloud environments. Cloudvisory automatically discovers existing workloads and their data flows across multiple cloud providers to generate segmentation policies based on Workload Context. Granular allowlist (i.e. microsegmentation) policies only allow required network connections to/from a workload or application, blocking everything else. As the environment changes (e.g. as Workloads are added and/or removed), Cloudvisory immediately calculates and provisions the required microsegmentation policies based on Workload Context. This results in highly consistent and immutable security policies spanning complex hybrid- and multi-cloud environments.
Contextual Microsegmentation provides operational agility to Business, DevOps & Security Teams by removing the complexity of managing microsegmentation rules at scale. Unlike legacy solutions which have limited context, Cloudvisory’s unique architecture imposes no limits on logical groupings of cloud assets for purposes of Contextual Microsegmentation.
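The context-driven model described above can be sketched in a few lines. This is an added example, not Cloudvisory code: the `Workload` and `Intent` types, the tag names and the addresses are all constructed for illustration. It expands tag-based policy intent into per-workload allow rules and computes the rule changes needed when the fleet changes.

```python
# Added illustration: constructed names and data, not Cloudvisory's API.
from collections import namedtuple

Workload = namedtuple("Workload", "id ip tags")       # tags: dict of context labels
Intent = namedtuple("Intent", "src dst proto port")   # src/dst: tag selectors

def matches(selector, workload):
    """A workload matches when it carries every key/value in the selector."""
    return all(workload.tags.get(k) == v for k, v in selector.items())

def compile_rules(intents, workloads):
    """Expand intent into per-workload ingress allow rules; all else is denied."""
    rules = {w.id: set() for w in workloads}
    for it in intents:
        sources = [w for w in workloads if matches(it.src, w)]
        for dst in (w for w in workloads if matches(it.dst, w)):
            rules[dst.id] |= {(f"{s.ip}/32", it.proto, it.port)
                              for s in sources if s.id != dst.id}
    return rules

def plan_update(current, desired):
    """Diff provisioned rules against desired ones: what to authorize or revoke."""
    plan = {}
    for wid in current.keys() | desired.keys():
        add = desired.get(wid, set()) - current.get(wid, set())
        revoke = current.get(wid, set()) - desired.get(wid, set())
        if add or revoke:
            plan[wid] = {"authorize": sorted(add), "revoke": sorted(revoke)}
    return plan

INTENTS = [Intent({"app": "shop", "tier": "web"}, {"app": "shop", "tier": "db"}, "tcp", 5432)]
FLEET = [
    Workload("web-1", "10.0.1.10", {"app": "shop", "tier": "web"}),
    Workload("db-1", "10.0.2.20", {"app": "shop", "tier": "db"}),
    Workload("ci-1", "10.0.9.5", {"app": "build", "tier": "web"}),  # wrong app: no access
]

def demo():
    before = compile_rules(INTENTS, FLEET)
    # Environment change: web-1 is terminated and web-2 scales out in its place.
    fleet2 = FLEET[1:] + [Workload("web-2", "10.0.1.11", {"app": "shop", "tier": "web"})]
    return before, plan_update(before, compile_rules(INTENTS, fleet2))

if __name__ == "__main__":
    print(demo())
```

The revoke half of the plan matters as much as the authorize half: a stale /32 rule left behind after a workload is terminated grants access to whatever later receives that address.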
Golden-State Microsegmentation
Microsegmentation is not achieved in a vacuum. Organizations with mature cloud security practices may already implement "golden state" network policies aligned with existing operational processes and technology. In such cases, the Contextual Microsegmentation approach may not be appropriate. Yet, "golden state" is often far from perfect and – in any case – requires refinement over time.
Cloudvisory recognizes the need to work with existing processes and technologies while also providing a path forward for improving existing security controls in concert with environmental changes. Therefore, Cloudvisory enables microsegmentation based on "golden state" through:
- automatic discovery and enforcement of existing network security policies (i.e. Security Groups);
- learning desired-state behavior through agentless collection and analysis of actual network flows;
- recommendations for network security policy improvements based on Machine Learning;
- "dry-run" testing of the impact of such changes prior to implementation.
Cloudvisory learns existing policies and suggests intelligent improvements based on actual network flows. Mature cloud security teams may use Cloudvisory to learn and enforce existing "golden state" cloud security policies, automatically detecting changes and generating corresponding alerts and recommendations without interfering with existing business automation processes.
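The learn, recommend and dry-run steps listed above, as an added example that is not Cloudvisory code or output. The rule and flow tuples are constructed sample data, and plain set logic stands in for the Machine Learning correlation the page mentions.

```python
# Added illustration with constructed data; not Cloudvisory code or output.
import ipaddress

# Current "golden state" ingress rules for one security group: (cidr, proto, port)
RULES = [("10.0.0.0/8", "tcp", 5432), ("0.0.0.0/0", "tcp", 22),
         ("10.0.1.0/24", "tcp", 8443)]

# Flows accepted during the learning window: (src_ip, proto, dst_port)
FLOWS = [("10.0.1.10", "tcp", 5432), ("10.0.1.11", "tcp", 5432),
         ("10.0.1.10", "tcp", 5432), ("10.0.7.4", "tcp", 22)]

def permits(rule, flow):
    """True when the flow's protocol, port and source fall inside the rule."""
    cidr, proto, port = rule
    src, f_proto, f_port = flow
    return ((proto, port) == (f_proto, f_port)
            and ipaddress.ip_address(src) in ipaddress.ip_network(cidr))

def recommend(rules, flows):
    """Narrow each rule to the sources actually seen; flag rules no flow used."""
    proposed, notes = [], []
    for rule in rules:
        sources = sorted({f[0] for f in flows if permits(rule, f)},
                         key=ipaddress.ip_address)
        if not sources:
            notes.append(("remove-unused", rule))
            continue
        # Adjacent hosts collapse into the smallest covering networks.
        nets = ipaddress.collapse_addresses(ipaddress.ip_network(s) for s in sources)
        narrowed = [(str(n), rule[1], rule[2]) for n in nets]
        if narrowed != [rule]:
            notes.append(("narrow", rule))
        proposed.extend(narrowed)
    return proposed, notes

def dry_run(candidate, flows):
    """Replay observed flows against a candidate policy; return what it would block."""
    return sorted({f for f in flows if not any(permits(r, f) for r in candidate)})

if __name__ == "__main__":
    proposed, notes = recommend(RULES, FLOWS)
    print(proposed, notes, dry_run(proposed, FLOWS), sep="\n")
```

A dry run only replays what the learning window captured, so infrequent but legitimate traffic (a monthly batch job, a failover path) will not appear as blocked; the window has to cover those cycles before an unused rule is removed.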
“Use the cloud IaaS provider’s native security capabilities…to automate security controls throughout the application life cycle.”
- Gartner
Leverage Cloud-Native Security Controls
Public and Private Cloud environments have powerful security controls embedded in their infrastructure. When configured correctly, these native security controls provide the strongest support to protect dynamic applications and micro-services running in the cloud. Legacy security controls are static, difficult to scale, complex to configure, and were not designed for cloud environments. These legacy tools cannot be retro-fitted to work smoothly in cloud environments. Due to the allowlisting nature of cloud infrastructures, legacy segmentation’s own controls will not work if cloud security controls are not configured accurately. Cloudvisory automatically provisions, secures, and monitors multiple cloud environments using enforcement controls that are native to each cloud provider.

Public Cloud Environments
- Static controls with heavy admin overhead
- Zone-based firewalls at central points of ingress / egress
- One or more subnets / VLANs per zone
- Explicit trust between zones
- Implicit trust within zones (i.e. all traffic within a zone is allowed)
- Allowlist and blocklist rules
- Centrally controlled by security teams
- Designed for perimeter protection
- Minimal to no restriction of East-West traffic (i.e. lateral movement)
Private Cloud Environments
- Dynamic controls for easy self-service
- Per-asset firewalls
- Every Workload (or Port) is itself a segment / zone
- Explicit trust only, even within a subnet / VLAN
- No implicit trust
- Primarily focused on allowlisting authorized traffic only
- Controlled by Cloud Provider API calls
- Designed for per-Workload protection
- Prevents East-West traffic (i.e. lateral movement) unless explicitly allowed
“The perimeter is dead.”
- Anonymous
Prevent Attacks and Isolate Threats
Whether in modern cloud environments or legacy datacenter deployments, attackers know that most organizations:
- Focus on perimeter-based, preventive security controls.
- Lack the internal controls to restrict internal, east-west network traffic.
- Lack the visibility to detect long-lived, low-level attacks within enterprise environment(s).
Attackers do what works, and prevention eventually fails.
Since most organizations focus most of their defense efforts on perimeter-based, preventive controls, modern attackers still spend most of their time and resources attempting to breach perimeter defenses. Experience has taught them that getting "beyond the castle walls" is the hard part. Once inside, attackers expect to be able to navigate with relative impunity and, thus, can take their time poking and prodding their way through the enterprise – maintaining Command & Control while moving laterally toward their high-value target(s).
As enterprises move to multi-cloud deployments, the enterprise "perimeter" has gone from being centralized, static and physically defined – to distributed (think "multi-cloud"), dynamic (configurable through Cloud Provider APIs) and logically defined (think "floating / public IPs"). On top of this, self-service cloud (virtualization) technologies have improved efficiency and scalability at the expense of security and visibility. There are simply more security-relevant assets and controls, changing more often, than ever before.
Thus, a new approach is needed – one that allows organizations to continue to benefit from the efficiency and scalability made possible by the cloud while enhancing security operations through deep Visibility, continuous Compliance, and enforceable Governance.
Behavior WITHOUT Microsegmentation
- Attackers use advanced techniques to breach the enterprise perimeter (North-South).
- Minimal internal segmentation allows attackers to move laterally (East-West) within the enterprise.
- Lack of visibility compounds internal weaknesses, allowing attackers to persist their presence through Command & Control – undetected within the enterprise – for as long as necessary.
- Attackers eventually reach and extract high-value data assets from enterprises.
- Most attacks are never detected, and those that are go unnoticed for an average of 6 to 12 months.
Behavior WITH Microsegmentation
- Attack surface is minimized.
- Lateral movement (i.e. East-West traffic) is minimized as microsegmentation ensures that internal segmentation controls are as strong as external (perimeter) segmentation controls.
- Deep visibility into actual network behavior enables rapid detection of anomalous network activity, including detection of Command & Control communications and/or connections to known threats (i.e. actionable Threat Intelligence).
- Microsegmentation prevents attacks at the earliest possible stage.
“The journey of one-thousand miles begins with one step.”
- Lao Tzu
The Microsegmentation Journey
Microsegmentation represents a subset of the cloud-native Governance features found in Cloudvisory.
Good Governance relies on deep Visibility and continuous Compliance. To complete the microsegmentation journey, one must understand where to begin and must also have the tools (stepping stones) to move quickly down the right path.

VISIBILITY
Visibility into actual network behavior provides the first step in achieving microsegmentation.

COMPLIANCE
Visibility provides a foundation for Compliance Guardrails, which set sensible limits on allowed (self-service) policies while providing stepping stones on the road to microsegmentation-by-default.

GOVERNANCE
Governance goes beyond Compliance in order to set explicit policies for specific cloud workloads, enforcing consistent security policies across cloud providers, accounts & regions.
Cloudvisory Delivers
CSPM+CWPP
Only FireEye Cloudvisory merges CSPM and CWPP features into a single cloud security platform.
Microsegmentation
Cloudvisory leverages the cloud provider’s existing cloud-native security controls to enforce workload microsegmentation.
DevSecOps
Cloudvisory provides an array of integrations and solutions to enhance and empower DevSecOps practices.