Network Segmentation is a Continuous Journey That Every Organization Should Take
The amount of time that threat actors have to wreak havoc on an organization is on the rise. The 2018 Cost of a Data Breach study by Ponemon Institute finds the current dwell time has increased to 197 days from 191 the year prior. With flat networks, once threat actors get in, they can go anywhere. They stay below the radar, moving laterally across networks with relative ease until they accomplish their mission.
Segmentation can prevent lateral movement and effectively improve security. But it can be challenging to implement, scale, and manage when the network perimeter is ever-evolving with new devices, business models, expectations for access, regulatory requirements and threats. Your strategy must be flexible to adapt to an environment that is continuously in flux, and comprehensive to cover the campus, data center, and cloud.
Despite these complexities, you can’t afford to wait to create and implement a segmentation program. Not when dwell time continues to increase and major breaches that remain undetected for months and years continue to make headline news.
In part one of this article, I outlined the first three steps to develop a segmentation strategy that matches your needs. Here, I’m going to pick-up with number four and discuss the final three steps which focus on implementation and ongoing operation of your segmentation program.
4. Technology Design and Policy Development. There are two aspects to a functioning segmentation solution: detailed technology designs and thoughtful segmentation policies.
– Technology designs should be driven by your priorities, technology capability, and operational impact. The goal is to develop a specific set of equipment, designs, and configurations that are required to deploy your segmentation strategy, and have it function as intended. These designs are used as a deployment blueprint and typically include detailed information about the router/switch infrastructure, network architecture, IP address ranges/subnets, policy enforcement solutions, switches with dynamic access control lists, and other segmentation technologies.
– Segmentation policies should align with your business objectives and be consistent across the organization. A good segmentation strategy balances simplicity with granularity, placing devices in segments by functional characteristics that are commonly understood, not likely to fluctuate, and generally make sense for your organization. For example, a hospital may start with general groups of systems such as hospital administration, labs, pharmacy, and bio-med. This higher-level approach improves security posture while minimizing complexity and operational impact. Later phases can provide more granular segmentation with less overall business impact. Grouping similar devices by function also helps. There is no need to create individual segments for each brand of MRI device. Instead, placing all MRI devices in one segment, along with other imaging devices, achieves the objective of increased security and less complexity.
5. Validating Design and Policy. With a detailed technology design and segmentation policies in place, you are now ready to review the final deployment model against the original business objectives developed in step one. All key stakeholders should be included in the review and sign-off as this is the final point in the segmentation planning process to make major adjustments before deployment begins. Bring together all critical business, IT, and security leads to confirm the design meets both functional and technical business objectives so that implementation can move forward.
6. Enforcement and Monitoring. The right approach to enforcement can ensure your policies are dynamic in nature and that your segmentation program is sustainable. A solution that provides enterprise-wide visibility into network traffic flow data across campus, data center, and cloud environments can assist in multiple ways. First, network traffic flow data can be used in combination with User and Entity Behavior Analytics (UEBA) and machine learning to create a baseline for the network and connected devices. By comparing observed network behavior derived from flow data to define policy, the solution can confirm if the deployed policies are in fact being enforced as expected. This accelerates the audit process and provides assurances that segmentation policies are effective at reducing the attack surface area and enterprise security risk. If policies are not operating as intended, or if new devices are discovered, the solution can also modify or create enforcement policy files and update enforcement platforms.
Segmentation is a continuous journey that every organization should take. Whether you have in-house staff who can drive your segmentation project or are considering third-party advisory services, these six steps can put you on the path to success.
What’s more, with a segmentation program in place you’ll soon realize additional benefits, beyond protecting critical assets by limiting lateral movement when threat actors get in. Visibility and segmentation technologies can help to strengthen your overall security operations. When integrated with your security operations center, your security teams will be able to use the data these tools produce to detect and respond to breaches faster and, ultimately, reduce dwell time.