Guest Column | October 3, 2016

Avoiding A Hatton Garden-Style Data Center Heist


Donald Meyer, Head of Product Marketing, Data Center at Check Point Software

In April 2015, one of the world’s biggest jewelry heists occurred at the Hatton Garden Safe Deposit Company in London. Posing as workmen, criminals entered the building through a lift shaft and cut through a 50-cm thick concrete wall with an industrial power drill. Once inside, the criminals had free and unlimited access to the company’s secure vault for over 48 hours during the Easter weekend, breaking into one safety deposit box after another to steal an estimated $100 million worth of jewelry.

So why weren’t the criminals caught? How did they have free rein over all the safety deposit boxes? It turns out the security systems only monitored the perimeter, not the inside of the vault. Although the burglars initially triggered an alarm to which the police responded, no physical signs of burglary were found outside the company’s vault, so the perpetrators were able to continue their robbery uninterrupted. In other words, the theft was made possible simply by breaching the vault’s perimeter: once the gang was inside, they could move around undetected and undisturbed.

Most businesses do not store gold, diamonds or jewelry. Instead, their most precious assets are data, and those are kept not in reinforced vaults but in data centers. Yet in many cases, vaults and data centers are secured against breaches in similar ways: organizations focus on reinforcing the perimeter and pay less attention to internal security.

If attackers are able to breach the external protection, they can often move inside the data center from one application to the next, stealing data and disrupting business processes for some time before they are detected — just like the criminal gang inside the Hatton Garden vault were able to move freely and undetected. In some recent data center breaches, the hackers had access to applications and data for months, due to lack of visibility and internal security measures.

Security Challenges In Virtualized Environments
This situation is made worse as enterprises move from physical data center networks to virtualized networks to speed up configuring and deploying applications, reduce hardware costs, and reduce management time. In this new data center environment, all of the infrastructure elements (networking, storage, compute, and security) are virtualized and delivered as a service. This fundamental change means the traditional approach of securing the network’s perimeter is no longer suitable for a dynamic virtualized environment.

The two main security challenges are:

  • Traffic behavior shifts: Historically, the majority of traffic was “north-south” traffic, which crosses the data center perimeter and is managed by traditional perimeter security controls. Now, intra-data center “east-west” traffic has drastically increased as the number of applications has multiplied and those applications need to interconnect and share data in order to function. With the number of applications growing, hackers have a wider choice of targets: they can focus on a single low-priority application and then use it to start moving laterally inside the data center, undetected. Perimeter security is no longer enough.
  • Manual configuration and policy changes: In these newly dynamic data centers, traditional, manual processes for managing security are too slow, taking too much of the IT team’s time — which means security can be a bottleneck, slowing the delivery of new applications. Manual processes are also prone to human errors which can introduce vulnerabilities. Therefore, automating security management is essential to enable automated application provisioning and to fully support data center agility.

Until recently, delivering advanced threat prevention and security technologies within the data center meant managing a large number of separate VLANs and keeping complicated network diagrams and configurations constantly up to date using manual processes. In short, an unrealistically difficult and expensive management task for most organizations.

Micro-Segmentation: Armed Guards Inside The Vault
But what if we could place the equivalent of a security guard on every safety deposit box in the vault so that even if an attacker breaches the perimeter, there is protection for every valuable asset inside? As data centers become increasingly software-defined with all functions managed virtually, this can be accomplished by using micro-segmentation in the software-defined data center (SDDC).

Micro-segmentation works by tagging (“coloring”) and grouping resources within the data center and applying specific, dynamic security policies to the communication between those groups. Traffic within the data center is then directed to virtual security gateways, where it is deeply inspected at the content level using advanced threat prevention techniques to stop attackers attempting to move laterally from one application to another using exploits and reconnaissance techniques.

Whenever a virtual machine or server is detected executing an attack using the above techniques, it can be tagged as infected and immediately quarantined automatically by the “security guard” in the data center: the security gateway. This way, a system breach does not compromise the entire infrastructure.

As applications are added and evolve over time, it is imperative for the security policy to apply instantly and adapt automatically to the changes. Through integration with cloud management and orchestration tools, the security layer in the software-defined data center learns the role of each application, how it scales and where it is located. As a result, the right policy is enforced, enabling applications inside the data center to communicate with each other securely. For example, when servers are added or an IP address changes, the object is already provisioned and inherits the relevant security policies, removing the need for a manual process.
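To make this policy model concrete, here is a small Python simulation (an added example, not Check Point’s or any vendor’s code) of the behaviour described in the preceding paragraphs: rules key on group tags rather than IP addresses, a newly provisioned server inherits its role’s rules, an IP change leaves the policy untouched, and a host tagged as infected is quarantined by a rule that takes precedence over all others. All host names, tags, addresses and ports are constructed for illustration.

```python
"""Tag-based micro-segmentation model (illustrative, not a vendor implementation)."""
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    ip: str
    tags: set = field(default_factory=set)


# Constructed inventory of workloads; the tags are the "colors" policy keys on.
INVENTORY = {
    "web-1": Host("web-1", "10.0.1.10", {"web"}),
    "app-1": Host("app-1", "10.0.2.10", {"app"}),
    "db-1":  Host("db-1",  "10.0.3.10", {"db"}),
}

# Group-to-group allow list: (source tag, destination tag, destination port).
# Anything not listed is denied, so east-west traffic between unrelated
# application tiers is blocked by default rather than by an explicit rule.
ALLOW = {
    ("web", "app", 8443),
    ("app", "db", 5432),
}


def is_allowed(src: Host, dst: Host, port: int) -> bool:
    """Decide a flow from tags alone; IP addresses never appear in the policy."""
    # Quarantine wins: an infected host may neither send nor receive anything.
    if "infected" in src.tags or "infected" in dst.tags:
        return False
    return any((s, d, port) in ALLOW for s in src.tags for d in dst.tags)


def provision(inventory: dict, name: str, ip: str, role: str) -> Host:
    """Add a server: it inherits its role's rules with no change to ALLOW."""
    inventory[name] = Host(name, ip, {role})
    return inventory[name]


def rehome(host: Host, new_ip: str) -> None:
    """Move a host to a new address; the policy outcome is unaffected."""
    host.ip = new_ip


def quarantine(host: Host) -> None:
    """The gateway tags a host seen attacking; the next flow is re-evaluated."""
    host.tags.add("infected")
```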

Just as virtualization has driven the development of scalable, flexible, easily managed data centers, it is also driving the next generation of data center security. Using SDDC micro-segmentation delivered via an integrated, virtualized security platform, advanced security and threat prevention services can be deployed dynamically wherever they are needed in the software-defined data center. This puts armed security guards inside the organization’s vault, protecting each safety deposit box and the valuable assets it holds, and helping to stop data centers from falling victim to a Hatton Garden-style breach.

Donald Meyer, Head of Product Marketing, Data Center at Check Point Software Technologies, has more than 14 years of networking and security industry experience. In his current role, Meyer is responsible for Check Point data center and cloud security solutions. Prior to Check Point, Meyer served as Sr. Manager, Product Marketing at Aruba Networks, where he was responsible for marketing the wireless security, network access control, and network operations product lines. Before that, Meyer held various marketing positions at Juniper Networks, Nokia, Inc., Mitel, AltiGen Communications and the Associated Press. Meyer holds a Bachelor of Science in Business Administration, marketing concentration, from San Jose State University.