The Guardicore webinar discusses software-defined segmentation, highlighting its necessity due to challenges with traditional segmentation methods, particularly in terms of visibility and management. It outlines rollout steps for software-defined segmentation and emphasizes its advantages over older techniques, including numerous use cases like compliance and protection of sensitive data. Key elements for successful implementation include broad platform support, policy granularity, and real-time visibility.

1. 1 // Guardicore – Security Boulevard Webinar
Dave Klein
Senior Director
Engineering & Architecture
Guardicore

2. 2 // Guardicore – Security Boulevard Webinar2 // Guardicore – Security Boulevard Webinar
Goals of Today’s Webinar
1. What are the
Challenges Driving
Software-Defined
Segmentation?
3. What are the
Software
Segmentation Rollout
Steps?
FINAL GOAL:
Software-Defined
Segmentation Done
Easily, Quickly & Right!
4. Why Traditional
Segmentation, Firewalls
& First Generation of
Software-Defined
Segmentation Failed?
2. Why Software-
Defined
Segmentation? What
are the Use Cases?
5. What are the Solution
Requirements for
Software
Segmentation?

3. 3 // Guardicore – Security Boulevard Webinar
The Challenges that Have Led to
Software-Defined Segmentation

4. 4 // Guardicore – Security Boulevard Webinar4 // Guardicore – Security Boulevard Webinar
The Era of Software-Defined Segmentation
Current Challenges
 Even in enterprises that haven’t moved to cloud.
 Even in traditional environments and use cases.

5. 5 // Guardicore – Security Boulevard Webinar5 // Guardicore – Security Boulevard Webinar
The Era of Software-Defined Segmentation
Current Challenges
For Both…

6. 6 // Guardicore – Security Boulevard Webinar6 // Guardicore – Security Boulevard Webinar
The Era of Software-Defined Segmentation
Current Challenges
For IT…
Visibility & Management

7. 7 // Guardicore – Security Boulevard Webinar7 // Guardicore – Security Boulevard Webinar
The Era of Software-Defined Segmentation
Software-Defined
Segmentation
The Solution

8. 8 // Guardicore – Security Boulevard Webinar8 // Guardicore – Security Boulevard Webinar
A Point on the Name
▪ Also known as Micro Segmentation
• But term is often misconstrued/misinterpreted as a single use case
where segmentation is used between the tiers of an application.
▪ Software-Defined Segmentation
• A better term for the solution.
• Hundreds of use cases where Software-Defined Segmentation can be
utilized.

9. 9 // Guardicore – Security Boulevard Webinar9 // Guardicore – Security Boulevard Webinar
Sample Software-Defined Segmentation Use Cases
Point of Sale Systems
Medical Devices
Dev/User Acceptance/Production Environment
Separation
Separation of IoT/Building Controls/Users/Data Centers
Protection of Legacy Apps/OS’
Micro-Segmentation Between Tiers of an Application.
Digital Crown
Jewels Protection
Compliance
Data Center
Transformation

10. 10 // Guardicore – Security Boulevard Webinar10 // Guardicore – Security Boulevard Webinar
Sample Software-Defined Segmentation Use Cases
PCI
SWIFT
HIPAA
GDPR
California Privacy
NY SHIELD
Digital Crown
Jewels Protection
Compliance
Data Center
Transformation

11. 11 // Guardicore – Security Boulevard Webinar11 // Guardicore – Security Boulevard Webinar
Sample Software-Defined Segmentation Use Cases
Digital Crown
Jewels Protection
Compliance
Data Center
Transformation
Mergers & Acquisitions
Cloud Migration
Hybrid Cloud Integration

12. 12 // Guardicore – Security Boulevard Webinar
Steps to Rollout Software-
Defined Segmentation

13. 13 // Guardicore – Security Boulevard Webinar13 // Guardicore – Security Boulevard Webinar
5 Steps To Software Defined Segmentation
Discover,
Visualize &
Map
Label &
Group
Define
Policies
Monitor &
Refine
Enforce

14. 14 // Guardicore – Security Boulevard Webinar
Learning from Traditional
Segmentation Fails

15. 15 // Guardicore – Security Boulevard Webinar15 // Guardicore – Security Boulevard Webinar
Traditional Segmentation
Platform Specific
VLANs for on-premises only
Security groups only for cloud
Security Groups per VPC per cloud
provider
Multiple Segmentation Techniques
Have to be Combined.
Management & Resource Intensive
Zero Visibility
Lack of Granularity
VLANs & ACLs Security Groups
Premises Clouds

16. 16 // Guardicore – Security Boulevard Webinar16 // Guardicore – Security Boulevard Webinar
Traditional Segmentation
Multiple Segmentation Techniques
Have to be Combined.
Management & Resource Intensive
Zero Visibility
Lack of Granularity
Multiple management platforms means
resource and cost intensive
“It takes me months to change VLANs”
“IP address changes are a nightmare”
Delays, stalled or failed projects
VLANs & ACLs Security Groups
Premises Clouds

17. 17 // Guardicore – Security Boulevard Webinar17 // Guardicore – Security Boulevard Webinar
Traditional Segmentation
Can’t easily identify traffic flows & app
dependencies
Leads to delays, false positive blocks.
Production downtime
VLANs & ACLs Security Groups
Premises Clouds
Multiple Segmentation Techniques
Have to be Combined.
Management & Resource Intensive
Zero Visibility
Lack of Granularity

18. 18 // Guardicore – Security Boulevard Webinar18 // Guardicore – Security Boulevard Webinar
Traditional Segmentation
VLANs & ACLs Security Groups
Premises Clouds
Web Server
tomcat
Policies are only IP address & port based!
Doesn’t segment enough!
Doesn’t reduce risk!
Doesn’t lead to compliance!
Multiple Segmentation Techniques
Have to be Combined.
Management & Resource Intensive
Zero Visibility
Lack of Granularity

19. 19 // Guardicore – Security Boulevard Webinar19 // Guardicore – Security Boulevard Webinar
Traditional Segmentation
VLANs & ACLs Security Groups
Premises Clouds
NO PROCESS LEVEL POLICIES
Web Server
tomcat
Desired Rule
Multiple Segmentation Techniques
Have to be Combined.
Management & Resource Intensive
Zero Visibility
Lack of Granularity
nginx
Proxy Server
Port 443
evil
Web Server
Tomcat

20. 20 // Guardicore – Security Boulevard Webinar20 // Guardicore – Security Boulevard Webinar
Process based policies? = NO
nginx
Proxy Server
Port 443
evil
Traditional Segmentation
VLANs & ACLs Security Groups
Premises Clouds
NO PROCESS LEVEL POLICIES
tomcat
Multiple Segmentation Techniques
Have to be Combined.
Management & Resource Intensive
Zero Visibility
Lack of Granularity
Actual with VLANs, ACLs & Security Groups
Web Server
Tomcat
Policies are only IP address & port based!

21. 21 // Guardicore – Security Boulevard Webinar21 // Guardicore – Security Boulevard Webinar
Traditional Segmentation
VLANs & ACLs Security Groups
Premises Clouds
Web Server
NO IDENTITY BASED RULES
accounting
databases
Alison
Diane
putty
putty
Accounting
Appsshd
sshd
diagnostics
accounting
Desired Rule
Multiple Segmentation Techniques
Have to be Combined.
Management & Resource Intensive
Zero Visibility
Lack of Granularity jumpbox

22. 22 // Guardicore – Security Boulevard Webinar22 // Guardicore – Security Boulevard Webinar
Traditional Segmentation
VLANs & ACLs Security Groups
Premises Clouds
Web Server
accounting
databases
Alison
Diane
putty
putty
Accounting
Appsshd
sshd
diagnostics
accounting
Actual with VLANs, ACLs & Security Groups
NO IDENTITY BASED RULES
Identity based policies? = NO
Multiple Segmentation Techniques
Have to be Combined.
Management & Resource Intensive
Zero Visibility
Lack of Granularity jumpbox
Policies are only IP address & port based!

23. 23 // Guardicore – Security Boulevard Webinar23 // Guardicore – Security Boulevard Webinar
Traditional Segmentation
VLANs & ACLs Security Groups
Premises Clouds
NO FQDN RULES
accounting
databases
Port 443
accounting
GitHub
Web Server
Internet
Ubuntu
DevOps
Web Servers
DevOps
Other Servers
Desired Rule
Multiple Segmentation Techniques
Have to be Combined.
Management & Resource Intensive
Zero Visibility
Lack of Granularity

24. 24 // Guardicore – Security Boulevard Webinar24 // Guardicore – Security Boulevard Webinar
Traditional Segmentation
VLANs & ACLs Security Groups
Premises Clouds
NO FQDN RULES
accounting
databases
FQDN based policies? = NO
Port 443
accounting
GitHub
Web Server
Internet
Ubuntu
DevOps
Web Servers
DevOps
Other Servers
Actual with VLANs, ACLs & Security Groups
Multiple Segmentation Techniques
Have to be Combined.
Management & Resource Intensive
Zero Visibility
Lack of Granularity
Policies are only IP address & port based!

25. 25 // Guardicore – Security Boulevard Webinar
Segmentation Fails
Firewalls

26. 26 // Guardicore – Security Boulevard Webinar26 // Guardicore – Security Boulevard Webinar
Traditional Segmentation
Firewalls
Perimeter
Perimeter Based
Not at the right location.
Doesn’t follow the workloads
Cost prohibitive

27. 27 // Guardicore – Security Boulevard Webinar27 // Guardicore – Security Boulevard Webinar
Traditional Segmentation
Firewalls
Perimeter
Not at the right location.
Doesn’t follow the workloads
Cost prohibitive
Perimeter Based
You need to be
every where

28. 28 // Guardicore – Security Boulevard Webinar
Segmentation Fails
First Generation Software-Defined
Segmentation

29. 29 // Guardicore – Security Boulevard Webinar29 // Guardicore – Security Boulevard Webinar
First Gen Software Defined Segmentation Vendors
Means L4 policies – same problems
as traditional segmentation
methods
Not platform agnostic. Have to
have the hypervisor firewall
proximity
Two the three vendors in this space
have moved on to non-hypervisor
methods using agents
Clouds
Vendors Who Offer Limited Visibility
Through a Secondary or Tertiary
Package
Vendors who Focus on Hypervisor(s)
Vendors who use agents with
enforcement done by native OS
firewalls

30. 30 // Guardicore – Security Boulevard Webinar30 // Guardicore – Security Boulevard Webinar
First Gen SDS Vendors
In Linux means IP Tables – this
means the same L4 IP and Port
only policies. Just like traditional
methods
In Windows while you have better
granularity you are missing
important other policy types
No Black Lists/Deny Lists
Means you are fighting local admins
for the policies on the box
More latency in native OS firewalls
Clouds
#1 ISSUE FOUND TODAY IN MOST
SOLUTIONS
Vendors Who Offer Limited Visibility
Through a Secondary or Tertiary
Package
Vendors who Focus on Hypervisor(s)
Vendors who use agents with
enforcement done by native OS
firewalls

31. 31 // Guardicore – Security Boulevard Webinar31 // Guardicore – Security Boulevard Webinar
First Gen SDS Vendors
Integrated visibility is essential in
order to create appropriate labels
and policies
It accelerates segmentation
projects
Visibility means you won’t make
mistakes
Clouds
Vendors Who Offer Limited Visibility
Through a Secondary or Tertiary
Package
Vendors who Focus on Hypervisor(s)
Vendors who use agents with
enforcement done by native OS
firewalls

32. 32 // Guardicore – Security Boulevard Webinar
Software-Defined Segmentation
Done Right

33. 33 // Guardicore – Security Boulevard Webinar33 // Guardicore – Security Boulevard Webinar
Software-Defined Segmentation – Key Elements
Segmentation
Done Fast
Segmentation
Done Right
Segmentation
Done Easily
We’ve covered the use
cases, the why, the steps,
now the how…

34. 34 // Guardicore – Security Boulevard Webinar34 // Guardicore – Security Boulevard Webinar
Software-Defined Segmentation – Key Elements
Widest Possible
platform Support
Platforms
Bare Metal Hypervisors Clouds Containers
Meta-data Integration
Broadest OS Support
Agent with Own
Firewall (not OS
Native)

35. 35 // Guardicore – Security Boulevard Webinar35 // Guardicore – Security Boulevard Webinar
Software-Defined Segmentation – Key Elements
Orchestration meta-data integration
Widest Possible
platform Support
Meta-data Integration
Broadest OS Support
Agent with Own
Firewall (not OS
Native)

36. 36 // Guardicore – Security Boulevard Webinar36 // Guardicore – Security Boulevard Webinar
Software-Defined Segmentation – Key Elements
Orchestration meta-data integration
Widest Possible
platform Support
Meta-data Integration
Broadest OS Support
Agent with Own
Firewall (not OS
Native)

37. 37 // Guardicore – Security Boulevard Webinar37 // Guardicore – Security Boulevard Webinar
Software-Defined Segmentation – Key Elements
Orchestration meta-data integration
Widest Possible
platform Support
Meta-data Integration
Broadest OS Support
Agent with Own
Firewall (not OS
Native)

38. 38 // Guardicore – Security Boulevard Webinar38 // Guardicore – Security Boulevard Webinar
Software-Defined Segmentation – Key Elements
Enterprises run a very wide array of OS’ imaginable
Automated way to ingest new OS kernels/releases quickly
Support end of life systems as well
Legacy/End of Life Modern
Widest Possible
platform Support
Meta-data Integration
Broadest OS Support
Agent with Own
Firewall (not OS
Native)

39. 39 // Guardicore – Security Boulevard Webinar39 // Guardicore – Security Boulevard Webinar
Software-Defined Segmentation – Key Elements
Policy Granularity
Alison
Diane
putty
putty
Accounting Appsshd
sshd
diagnostics
accounting
accountin
g
GitHub
Web Server
Intern
et
Ubuntu
DevOps
Web
Servers
DevOps
Other
Servers
By Process
By User
By FQDN
Widest Possible
platform Support
Meta-data Integration
Broadest OS Support
Agent with Own
Firewall (not OS
Native)
nginx
Proxy Server
evil
Web Server
Tomcat

40. 40 // Guardicore – Security Boulevard Webinar40 // Guardicore – Security Boulevard Webinar
Software-Defined Segmentation – Key Elements
Policy Black Lists
Widest Possible
platform Support
Meta-data Integration
Broadest OS Support
Agent with Own
Firewall (not OS
Native)
Production
ftpd
telnetd
tftpd
To=cat

41. 41 // Guardicore – Security Boulevard Webinar41 // Guardicore – Security Boulevard Webinar
Software-Defined Segmentation – Key Elements
No Contention with Admins for Control
Consistent Policies & Enforcement Across All Platforms & OS’
Less Latency
Server
tomcatOS Firewall
Agent FW
You have control
Admin/Root
SDS
System
You have less latency
Widest Possible
platform Support
Meta-data Integration
Broadest OS Support
Agent with Own
Firewall (not OS
Native)

42. 42 // Guardicore – Security Boulevard Webinar42 // Guardicore – Security Boulevard Webinar
Software-Defined Segmentation – Key Elements
Real time an historical visibility.
Easily allows you to create/apply labels
Easily understand application dependencies
Allows you to sort in a variety of ways that people
wish to see the enterprise
Visibility
Flexible Labeling
Schema
Policy Wizards
RESTAPI

43. 43 // Guardicore – Security Boulevard Webinar43 // Guardicore – Security Boulevard Webinar
Software-Defined Segmentation – Key Elements
By Platform
Visibility
Flexible Labeling
Schema
Policy Wizards
RESTAPI

44. 44 // Guardicore – Security Boulevard Webinar44 // Guardicore – Security Boulevard Webinar
Software-Defined Segmentation – Key Elements
By Environment
Visibility
Flexible Labeling
Schema
Policy Wizards
RESTAPI

45. 45 // Guardicore – Security Boulevard Webinar45 // Guardicore – Security Boulevard Webinar
Software-Defined Segmentation – Key Elements
By Compliance
Visibility
Flexible Labeling
Schema
Policy Wizards
RESTAPI

46. 46 // Guardicore – Security Boulevard Webinar46 // Guardicore – Security Boulevard Webinar
Software-Defined Segmentation – Key Elements
By Application
Dependencies
Visibility
Flexible Labeling
Schema
Policy Wizards
RESTAPI

47. 47 // Guardicore – Security Boulevard Webinar47 // Guardicore – Security Boulevard Webinar
Software-Defined Segmentation – Key Elements
Allows for flexible visibility (as shown prior)
Allows for dynamic workload automation
Thus removing the need for manual Move, Adds,
Changes & Deletes
Within UI & DevOps Scripting
Visibility
Flexible Labeling
Schema
Policy Wizards
RESTAPI

48. 48 // Guardicore – Security Boulevard Webinar48 // Guardicore – Security Boulevard Webinar
Software-Defined Segmentation – Key Elements
Easy policy creation based on your particular role
and need
Visibility
Flexible Labeling
Schema
Policy Wizards
RESTAPI

49. 49 // Guardicore – Security Boulevard Webinar49 // Guardicore – Security Boulevard Webinar
Software-Defined Segmentation – Key Elements
Ways to digest additional enterprise data like CMDB
Ways to to push and pull additional information
Automation
Visibility
Flexible Labeling
Schema
Policy Wizards
RESTAPI

50. 50 // Guardicore – Security Boulevard Webinar
Dave Klein
Senior Director
Engineering & Architecture
Guardicore
Q & A

51. 51 // Guardicore – Security Boulevard Webinar
Dave Klein
Senior Director
Engineering & Architecture
Guardicore
Web: https://www.guardicore.com
Email: Dave.Klein@guardicore.com
Thank You