(This is a stripped down version of a fantastic blog post on our site. For the full post, including media, please click here)

For most companies, cyber security has always been about keeping criminals out of their data centers with the best firewalls money could afford. Firewalls are great, they can keep most of the criminals out, but not all of them. It’s only a matter of time until a hacker is able to figure out how to get past the most recent firewall update. Then it turns into a game of cat-and-mouse, as the IT team struggles to update their firewalls, and the criminals find new ways to sneak through them.

The problem with this model is, once a criminal is able to get past those defenses, there usually aren’t many security measures blocking them from moving around the network completely undetected.

In order to remain undetected, hackers use “east-west” traffic, or server-to-server traffic within the data center. Hackers have learned not to leave the data center to access another network or anything outside the data center. Instead, they are able to stay within the system for months on end, simply by avoiding the main security measures. During that time, they can be gathering important information or creating millions of other problems.

These east-west paths were created to lower latency in the data center, and because it would be difficult to prevent threats with firewalls alone. So, most companies have not implemented many blocks for east-west traffic, instead, they have focused all their efforts on the “north-south” traffic, through the gateway.

Protecting data centers with firewalls, without trying to detect the criminals who sneak inside, means that most companies don’t even know their network has been hacked until the hackers are long gone and their data had already been comprised.

Why is Cyber Security So Important?

A recent report by CIO found that half of the professionals say that the loss of data is their top IT security risk. That’s because the average data breach in 2015 cost a company $3.79 million dollars, which translates to a loss of around $500 billion dollars around the world annually. By 2019, the cost is predicted quadruple to $2.1 trillion globally.

As businesses rely on their data centers to store more and more of their valuable information, there will be greater and greater threats to those data centers, and thus, a need for newer and smarter security methods to stop them. Here are three examples of new security measures that data centers are taking to detect attackers and prevent them from attacking in the first place.

Focus on the Threats with Cisco’s FIREPOWER

The Cisco Firepower won this year’s Interpop security award with their next generation firewall (NGFW), which claims to be the industry’s first ‘threat-focused’ NGFW.

The firewall is able to detect threats by understanding how normal users are connecting to applications, and comparing that information with threat intelligence. The threat detection allows businesses to identify and stop threats before they become any more serious.

David Goeckeler, senior vice president and general manager at Security Business Group, Cisco explains that the Firepower allows for “better protection, and faster detection and response to advanced threats. [It] will help our customers build a dynamic, resilient secure infrastructure to combat threats in real-time”

In addition, the NGFW is able to unify the management of all firewall functions, from application control to threat prevention and malware protection throughout a management console, making it a lot easier to manage your firewalls across the network.

Analyze your data center’s weaknesses with ASAP

This year, the Cyber Defense Magazine InfoSec awards named Illumio’s “Attack Surface Assessment Program,” (ASAP) the most innovative data center security solution of 2016. ASAP is an advanced algorithm that generates a map of all your data center activity and identifies all of the active and inactive pathways.

Nathaniel Gleicher, the former Director for cyber security policy at the White House, developed the program for Illumio. He says it allows users to analyze the traffic in their network, their applications, their environments, their servers, and how each of the separate parts communicate with each other.

In their two-step program, Illumio gives a business a simple script to run, which generates a roadmap of all the data center activity. Then, Illumio analyzes the data, and presents the business with a detailed report on all the weak points within the network, identifying the most likely areas an attacker could infiltrate. ASAP gives businesses the power to understand their network and the best places to defend against an upcoming attack.

Nathaniel Gleicher explains, “One of the challenges is that the attack surface can be so vast. If you try to secure everything equally, you often end up not securing everything enough,” Gleicher said. “You need to prioritize security around your most valuable information.”

In addition, ASAP can also detect where a malicious signal is coming from, and quickly allow the IT team to isolate and quarantine the server the connection is coming from. This would allow a business to stop a cyber-attack in progress, and provide the business with a lot more information about the paths that cybercriminals are utilizing, making it much easier to stop a future attack from the same paths.

Trust No One with VMware NSX & Micro-segmentation

Traditionally, businesses have segmented their networks with physical firewalls and routers, which were able to control traffic between web tiers, application tiers, database tiers, and the internet. But, all these firewalls made life difficult for IT teams. It was time-consuming and confusing to implement even small changes across a large network, and, in the end, they didn’t do a very good job of stopping breaches in the first place.

With the advent of software-defined data centers (SDDCs), companies were finally able to write software that catered to the needs of their business. Not only can micro-segmentation detect threats from anywhere within the data center, it can also create and change security policies automatically, all while matching the speed and complexity of the workloads they are protecting.

Micro-segmentation can give a zero-trust level to every individual workload, which means cyber criminals can no longer piggyback on legitimate users, or hide in the dark corners of your data center.

As it is described in the White Paper, Micro-Segmentation Builds Security into Your Data Center’s DNA, “physical security (with firewalls and routers) is like using gloves to guard against germs. It is external, limited protection (if someone sneezes in your face, you’re probably going to end up with a cold or flu). Micro-segmentation is like fortifying the immune system of the data center: germs (or malware) can’t get it.”

In addition to protecting the information on data centers, Micro‐segmentation also enables companies to use the security measures of the SDDC on their desktop computers and mobile environments alike.

Why the Future of Cyber Security is Holistic

Firewalls have their problems, but they are not going away anytime soon. However, future businesses are not going to rely solely on their walls to protect them from outside invaders. They can now keep a few guards inside of the walls to protect them in case an attacker ever gets inside.

@Reid-Cooper Yesssss. Do I get an award? Where is the VIP area? My water is too wet, I'd like a replacement. INTERN!

Glad to be here

@RojoLoco said in NTG Lab Update:

@Dashrender said in NTG Lab Update:

Any reason not to tell us what the missing part is/was?

Because it is a stolen flux capacitor that.... well, I've said too much.

Damn Libyans.

Each week, I surf around the Internet for my favorite time-wasting links and then I compile them all into one handy link roundup that we call the Friday Fun Blog.

Basically, it's a fancy time waster.

This week, we have a video of a humpback whale breach, a pretty compelling Bigfoot video, and why Hillary Clinton is talking to Tom DeLonge of Blink-182 about UFO's.

Check it out here or you can click this bitly to make my life easier here.

Lunch: tacos
Dinner: tacos
Tomorrow's lunch: tacos
Tomorrow's dinner: not tacos

@dafyre Aliens will respond back with "new phone, who dis?"

@Dashrender said in Are Security Careers Real?:

@scottalanmiller said in Are Security Careers Real?:

@Dashrender said in Are Security Careers Real?:

@scottalanmiller said in Are Security Careers Real?:

@Dashrender said in Are Security Careers Real?:

A co-worker stopped me this morning to tell me that her relative who works at local finance place is requiring their HR people to give their usernames/passwords to all of the other HR members so "things can get done" when they are not in the office. Total fail.

I wanna say she said it was Ameritrade, but I could be wrong.

Wow wow wow. That's SEC violations right here. And privacy violations if HR is being compromised.

To make matters worse, the employee got reprimanded because of stuff done under her logon while she was out on vacation/leave/maternity leave.

Which is an identify theft problem.

Yeah, I think if she was fired over something like that, she's have a great lawsuit on her hands.

I think the legal term you're looking for is "slam dunk". Also acceptable is, "cha ching".

@scottalanmiller said in MangoCon 2016 - Hotel is NOT Fully Booked Yet:

Everyone should get busy booking now before they have more issues.

Get busy booking, or get busy dying. MANGOCON!

@Dashrender said in What Are You Doing Right Now:

@ChrisL said in What Are You Doing Right Now:

Just a word of warning, don't feed or water Coly after midnight.

So I always wondered - when does it become safe to feed them? like 1 AM? or 6?

Sunrise seems okay with me.

@DustinB3403 said in Data centers and retrofitting:

I'd say take an old building and make it work to your needs.

AC, raised floors, power...

All seems pretty simple to install in an existing building.

Exactly. Especially abandoned buildings, you'd spend far less on upgrades than you would building a whole facility from the ground up.

Plus, I think the idea of browsing Amazon while connected to a server sitting in an old mall is pretty ironic.

@RojoLoco said in Community Guidelines:

@ChrisL said in Community Guidelines:

@dafyre said in Community Guidelines:

@Minion-Queen Also, please don't attack vendors.

Plus, I was the 12-13 year old Ohio Valley Karate Grand Champion. I WILL FIGHT BACK.

With big-ass not-jenga blocks!!!

My sensei taught me to use any weapons available to me to defend myself, even if that is Legally-Not-Allowed-to-Call-It-"Jenga" wooden blocks.

Who are these people?

"Debate prep"

And by that I mean finding a bottle of vodka and a bottle of my other medicine prescribed by a guy in a Hawaiian shirt.

http://www.datacenterdynamics.com/content-tracks/security-risk/university-suffers-ddos-attack-from-iot-vending-machines/97808.article

When you want a Snickers and your entire college network goes down.

Someone come play Our-Lawyer-Said-Stop-Jenga, and drown out Piano Pilot's incessant ivory tickling.

@JaredBusch said in What Are You Doing Right Now:

Sitting at Starbucks drinking a coffee and catching up on here while the guy next to me is on a seven person video conference call using appear.in

This is all I imagined...

@travisdh1 said in Considering Colocation - What to watch for:

@scottalanmiller said in Considering Colocation - What to watch for:

@jt1001001 said in Considering Colocation - What to watch for:

Having just completed our move a couple pointers:

1. Diagram your ideal layout, even if its a "stick Figure" drawing have some sort of guide
2. LENGTH OF POWERCABLES: Our power cables were WAY WAY WAY too long requiring us to do a lot of routing and rerouting, which in turn caused the back of the rack to be somewhat blocked which limits airflow. We are going to be purchasing short (2 and 3ft) lengths and redoing all the power.
3. LENGTH OF NETWORK CABLES: 6ft were too short in some cases, and 10FT were too long. We had to use more cable management which ends up wasting 2U of space. If you can, use some string and a tape measure on your existing racks to get an idea of how much length you'll need.

Doesn't the DC handle all this for you? We've never provided cables of any sort or had access to look at the gear. Never mattered to us what length cables they chose to use or what the racking order was.

It might depend on the setup inside the DC and/or how much space you're using. It doesn't make much sense for someone with 4u of space to go through all the security steps to get inside, where as a half or full rack could easily be secured separately making physical access less of a security risk for other clients.

A lot goes into it, especially with compliancy--HIPAA/PCI/etc--but typically, we issue keycards to those with half-rack and more (if they want them), but they do need to inform us 24 hours in advance if they plan on coming in.

@scottalanmiller said in Who plans on Attending MangoCon 2017?:

@wirestyle22 said in Who plans on Attending MangoCon 2017?:

@scottalanmiller said in Who plans on Attending MangoCon 2017?:

@RojoLoco said in Who plans on Attending MangoCon 2017?:

@Minion-Queen yes, and it should read "WELCOME TO THE JENGADOME!!!!"

Is Tina Turner available to MC?

MC Hammer does talks. I'm not kidding.

That would be awesome, can't touch that.

I've heard his speaking engagements haven't been going well, but he's too legit to quit.

@DustinB3403 said in Colocation America- Ask Me Anything:

Can you send us some wiring-porn?

Cause the wiring in there has to be amazing and I want to drool for a while.

Those are the only shots I have on hand. I'm going to the facility later this month and I'll take some good ones.