Protecting your network only at the outer perimeter is no longer enough. Static network segmentation within a company, forming smaller groups of trust and introducing micro-perimeters, is a step towards better network security, but the additional protection it provides is limited. A better way to contain threats and block attacks is needed inside our networks. To assign or revoke permissions and to isolate threats effectively, the network must be segmented and policies applied in a dynamic, behavior-based way, rather than deriving rules at the perimeter firewall solely from a device's physical location within a layer 3 network segment. To meet this need for dynamic policies and effective segmentation in a transparent way, cognitix developed the concept of dynamic network objects within its threat intelligence and protection platform.
What are dynamic network objects?
At its core, a dynamic network object is a simple list of devices (identified by IPv4, IPv6 or MAC addresses) within the policy engine that can be edited by the policies themselves at runtime. A rule in cognitix's extended rule language is not limited to the classical actions ACCEPT/DROP/REJECT when a flow is matched; it can also add the source or the destination of the flow to a dynamic network object. Other rules and policies then match the source or destination of subsequent flows against these dynamic network objects, so the effective policy set for a device changes dynamically.
In combination with the threat intelligence and the behavior-based correlation, the policies in effect for a given device can be changed automatically based on the device's behavior or on changes in that behavior. For example, a device can be completely isolated once the malicious behavior of an infection is detected. Other detected behaviors can change network permissions as well: users or devices that access private applications like Facebook or Twitter can be placed into a dynamic network object for 'insecure operations' and thereby denied access to company-critical resources like production databases.
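The mechanism described above, as an added example that is not cognitix's own code: a small, hypothetical policy engine in which one rule's ADD_SRC_TO action changes the membership of a dynamic network object, so that a later flow from the same device matches a different rule. The rule fields, the 'isolated' and 'insecure_operations' object names, the default ACCEPT policy and all addresses are constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

def norm(addr: str) -> str:
    try:                              # canonical key: IPv6 spelling variants and MAC case
        return str(ip_address(addr))  # must not split one device into two members
    except ValueError:
        return addr.lower()           # anything non-IP is assumed to be a MAC address

@dataclass
class Flow:
    src: str
    dst: str
    dport: int

@dataclass
class Rule:
    action: str                       # "ACCEPT", "DROP" or "ADD_SRC_TO:<object>"
    src_obj: Optional[str] = None     # match only if src is a member of this object
    dst: Optional[str] = None         # literal destination address, None = any
    dport: Optional[int] = None       # destination port, None = any

class PolicyEngine:
    def __init__(self, rules):
        self.rules = rules
        self.objects = {}             # name -> set of members: the dynamic network objects

    def add_member(self, obj: str, addr: str) -> None:  # also the correlation engine's hook
        self.objects.setdefault(obj, set()).add(norm(addr))

    def evaluate(self, flow: Flow) -> str:
        # First matching terminal rule decides; ADD_SRC_TO rules only mutate an object.
        for r in self.rules:
            if r.src_obj and norm(flow.src) not in self.objects.get(r.src_obj, set()):
                continue
            if r.dst and norm(r.dst) != norm(flow.dst):
                continue
            if r.dport is not None and r.dport != flow.dport:
                continue
            if r.action.startswith("ADD_SRC_TO:"):
                self.add_member(r.action.split(":", 1)[1], flow.src)
                continue              # side effect only, keep walking the rule set
            return r.action
        return "ACCEPT"               # assumed default policy

# Constructed sample policy: quarantine first, then the 'insecure operations' rules.
RULES = [
    Rule("DROP", src_obj="isolated"),                                        # isolated: nothing
    Rule("DROP", src_obj="insecure_operations", dst="10.0.0.5", dport=5432), # production DB
    Rule("ADD_SRC_TO:insecure_operations", dst="203.0.113.10", dport=443),   # private web app
]
```

Walking the same device through the rules twice shows the point: its first flow to the database is accepted, a visit to the private application adds it to 'insecure_operations', and its next flow to the database is dropped without any rule having been edited.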
Dynamic network objects within the network
Because the cognitix threat intelligence and protection platform works transparently on layer 2 within the network, dynamic network segmentation combined with behavior-based correlation and dynamic network objects proves to be an effective way to:
isolate infected devices completely without disrupting the other parts of the network
form static and dynamic micro-perimeters based on the behavior of devices, without changing the network infrastructure
detect and prevent lateral movement of threats within the network
apply security policies based on user and device behavior instead of static attributes like physical placement in the network