Digital transformation has ushered in interconnected networks that enable information sharing and collaboration. That’s great for efficiency and productivity, but many networks are flat, leaving organizations susceptible to cyberthreats that can move laterally, even across distributed environments, enabling hackers to exploit openings and pivot into their most valuable data.
Why are such openings still commonplace? Certainly, the growing number and diversity of assets, many of them unmanaged IoT and OT devices, has increased risk. Oftentimes, unwanted communication links go unchecked and vulnerabilities hide in plain sight based on the assumption that assets and networks are separated when they are not. Meanwhile, network perimeters are disappearing due to mobile work and globalized operations. Together these forces increase the attack surface.
But there’s another pernicious obstacle: network segmentation and the challenges organizations face trying to implement it across their digital terrain.
Network segmentation is a core tenet of zero trust and least-privilege initiatives and a top priority across industries. The vast majority of cyber threats can be mitigated with segmentation that restricts traffic flows to only those assets that should be communicating with each other and isolates vulnerable devices until they can be remediated. Unfortunately, network segmentation projects experience a high failure rate, and many never progress beyond the planning stages. Without the right approach, segmentation projects can be overly complex, costly and potentially harmful to operations.
A sure-fire way to kill your network segmentation project – and larger zero trust strategy – is to cause business disruption. That doesn’t have to be the case. Here is a practical approach that will get you unstuck.
Why network segmentation projects fail
As with all cybersecurity projects, the foundation of network segmentation is complete visibility into what’s in your digital terrain. Many organizations spend months gathering asset data and still fail to identify all connected assets. Manual log analysis of traffic flows between devices adds to their pain. The process is extremely slow and prone to human error, leading to uncertainty about the validity of results. Built on such shaky ground, IT lacks confidence in how to design effective policies, which can be a delicate process even with a solid understanding of the environment.
Impact analysis can be even more intimidating. Like other implementations, network segmentation occurs in brownfield environments, among a mix of users and assets who may be serving customers, producing goods or processing payroll. Policies must be effective in restricting access to sensitive resources while still allowing critical operations to function.
Without adequate visibility into how assets are communicating and what might break when network segmentation policies are introduced, IT teams feel compelled to further slow deployment. Fearing costly outages and downtime, they end up aiming low, attempting to strike a balance between limiting security risk and negatively impacting critical business processes.
A five-step approach to streamlined network segmentation
So, let’s start with a clean slate. Here are five steps to make your network segmentation project successful:
- Achieving 100% visibility of all devices on the network
- Mapping communication and traffic flows
- Simulating segmentation policies to assess their impact before implementation
- Continuously monitoring segmentation policies for violations
- Orchestrating controls across different technologies to enforce policies when violations are detected
The first two steps – visibility and mapping – must be automated to accelerate the design and planning phases and to instill confidence in the approach. The third step, simulation, needs to support fast iteration so the planning phase can be closed quickly. Once deployed, you need a simplified way to continuously monitor adherence to segmentation policies and orchestrate controls across various security tools to enforce policy compliance.
Before even thinking about segmentation, you must first ask, what are all my assets and how are they communicating with each other? What is their business criticality, risk level and compliance status?
Leveraging automated, agentless discovery, you can achieve 100% device visibility, yielding the insights needed to understand asset classification in business context relevant to your organization. You can then apply this insight and context to group all connected devices into a logical business hierarchy, thereby accelerating the planning phase of your network segmentation project.
Network traffic mapping
Next you want to automatically map traffic flows to a logical taxonomy of users, applications, services, and assets across your environment. Again, visibility is foundational here. What if you could see all your endpoints in a matrix that identified traffic between them and enabled you to filter and group them as needed to facilitate policy design?
With such a matrix, you could clearly see how all connected assets are currently interacting and easily determine how they should be communicating, over what ports and protocols, based on what users or services need to do. Viewing traffic and assets (from managed endpoints and servers to unmanaged IoT, OT and specialized assets like medical devices) in this way, automatically collected and ready to be analyzed, is dramatically easier than going through logs.
Turning on policies in simulation mode lets you analyze their impact on traffic flows before rolling out new controls. Again, visualization is essential. A traffic matrix helps identify where you have policies in place, the level of compliance with those policies, and how they may overlap or conflict with one another. It can also flag where unwanted policy violations would occur based on new policies so you can fine-tune and validate them without causing actual harm before going live.
The NIST SP 800-207 guidance for Zero Trust Architecture calls for the logical separation of a single policy decision point (PDP) in the control plane from multiple policy enforcement points (PEPs) in the data plane. The PDP acts as a macro policy engine, writing all the necessary enforcement policies and enforcing them across disparate PEPs and network domains. Segmentation policy decisions and enforcement are one piece of this design.
Your PDP should never change; it reflects your security framework based on risk reduction principles and business context. PEPs, on the other hand, constantly change as companies expand, go through mergers and acquisitions, refresh hardware and so on. How do you ensure that what you have segmented by design remains segmented under such dynamic conditions? With continuous monitoring and alerting of any deviations from an intended policy.
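The traffic matrix, simulation mode and continuous monitoring described above share one mechanism: classify each endpoint into a logical group, aggregate observed flows between groups, and evaluate every flow against the intended group-to-group policy. The following is an added example, not Forescout code; the address ranges, zone names, flow records and policy are all constructed for illustration.

```python
"""Traffic matrix, policy simulation and continuous monitoring for a
segmentation project. Added example; the flow records, zone names and
policy below are constructed, not taken from any real environment."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed asset inventory: address range -> logical business group (zone).
ZONES = {
    "10.1.0.0/24": "corp-workstations",
    "10.2.0.0/24": "app-servers",
    "10.3.0.0/24": "medical-devices",
    "10.4.0.0/24": "payment-systems",
}

def zone_of(addr):
    """Map an address to its zone; anything not in the inventory is 'unclassified',
    which is itself a finding (an asset discovery never saw)."""
    ip = ip_address(addr)
    for net, zone in ZONES.items():
        if ip in ip_network(net):
            return zone
    return "unclassified"

# Constructed flow records (src, dst, proto, dst_port), as a flow collector would export them.
FLOWS = [
    ("10.1.0.5", "10.2.0.10", "tcp", 443),
    ("10.1.0.7", "10.2.0.10", "tcp", 443),
    ("10.2.0.10", "10.4.0.3", "tcp", 8443),
    ("10.1.0.9", "10.3.0.2", "tcp", 22),    # workstation SSH into a medical device
    ("10.3.0.2", "10.2.0.11", "tcp", 443),
    ("10.1.0.5", "10.4.0.3", "tcp", 445),   # workstation SMB to a payment system
]

def traffic_matrix(flows):
    """Aggregate flows into (src_zone, dst_zone) -> {(proto, port): count}.
    This is the zone-level view a segmentation designer reviews instead of raw logs."""
    matrix = defaultdict(lambda: defaultdict(int))
    for src, dst, proto, port in flows:
        matrix[(zone_of(src), zone_of(dst))][(proto, port)] += 1
    return {pair: dict(services) for pair, services in matrix.items()}

# Intended segmentation policy, the PDP's single source of truth:
# allowed (src_zone, dst_zone) -> set of (proto, port). Everything else is denied.
POLICY = {
    ("corp-workstations", "app-servers"): {("tcp", 443)},
    ("app-servers", "payment-systems"): {("tcp", 8443)},
    ("medical-devices", "app-servers"): {("tcp", 443)},
}

def evaluate(flow, policy=POLICY):
    """True if the flow is permitted by the zone policy."""
    src, dst, proto, port = flow
    allowed = policy.get((zone_of(src), zone_of(dst)), set())
    return (proto, port) in allowed

def simulate(flows, policy=POLICY):
    """Simulation mode: return the observed flows the policy would block,
    so they can be reviewed (and the policy tuned) before enforcement."""
    return [f for f in flows if not evaluate(f, policy)]

def monitor(new_flows, policy=POLICY):
    """Continuous monitoring: the same evaluator over fresh flows, emitting alerts
    with zone context so a deviation from intended segmentation is actionable."""
    return [
        {"flow": f, "src_zone": zone_of(f[0]), "dst_zone": zone_of(f[1])}
        for f in new_flows if not evaluate(f, policy)
    ]

if __name__ == "__main__":
    for (src_zone, dst_zone), services in sorted(traffic_matrix(FLOWS).items()):
        print(f"{src_zone:>18} -> {dst_zone:<18} {services}")
    print("would be blocked:", simulate(FLOWS))
    # A later batch: one permitted flow and one from an address discovery never saw.
    print("alerts:", monitor([("10.1.0.5", "10.2.0.10", "tcp", 443),
                              ("10.5.0.1", "10.4.0.3", "tcp", 3389)]))
```

Running the block prints the five zone pairs that actually exchange traffic, the two flows the policy would cut (workstation-to-medical-device SSH and workstation-to-payment SMB), and one monitoring alert whose source zone is "unclassified", which is the case a visibility gap produces.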
Once deployed, enforcing segmentation policies provides ongoing challenges, as administrators struggle to align them across multivendor enforcement technologies and ensure there are no gaps. Typically, network segmentation projects require a combination of firewalls, access control lists (ACLs), SDN controllers, virtual LANs and more, calling for different policies and controls. These are difficult to manage across disparate infrastructure technologies for campus, data center, cloud, remote and other networks and often lead to policy sprawl as business needs and threats evolve.
To maintain segmentation hygiene, you need a unified framework (that is, a single PDP) to orchestrate controls across the different security tools in your environment and enforce compliance with segmentation policies. The same tool used for visibility and continuous monitoring should be able to orchestrate segmentation controls across different technologies and network segments.
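The single-PDP idea in concrete terms: the zone-level policy is the only thing an administrator edits, and each enforcement technology receives a rendering of it, while a drift check compares what a PEP reports as deployed with what the PDP intends. The following is an added example, not Forescout code or any vendor's orchestration API; the zones, address ranges and the "deployed" rule list are constructed.

```python
"""One segmentation policy rendered for two enforcement points, plus a drift check.
Added example with constructed zones and rules; it emits rule text but does not
apply anything to a device."""

# Zone -> CIDR (constructed). In practice this is fed from the asset inventory.
ZONE_CIDR = {
    "corp-workstations": "10.1.0.0/24",
    "app-servers": "10.2.0.0/24",
    "payment-systems": "10.4.0.0/24",
}

# The PDP's policy: allowed (src_zone, dst_zone, proto, dst_port). Anything else is denied.
POLICY = [
    ("corp-workstations", "app-servers", "tcp", 443),
    ("app-servers", "payment-systems", "tcp", 8443),
]

def wildcard_mask(cidr):
    """Inverse (wildcard) mask from a prefix length, e.g. /24 -> 0.0.0.255."""
    prefix = int(cidr.split("/")[1])
    inv = (1 << (32 - prefix)) - 1
    return ".".join(str((inv >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def render_iptables(policy):
    """Render for a Linux gateway PEP: iptables FORWARD chain, default drop.
    Return traffic is admitted by connection tracking, so only NEW flows need allow rules."""
    rules = ["iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for src, dst, proto, port in policy:
        rules.append(
            f"iptables -A FORWARD -s {ZONE_CIDR[src]} -d {ZONE_CIDR[dst]} "
            f"-p {proto} --dport {port} -m conntrack --ctstate NEW -j ACCEPT"
        )
    rules.append("iptables -A FORWARD -j DROP")
    return rules

def render_cisco_acl(policy, name="SEGMENTATION"):
    """Render for a router/switch PEP as an extended ACL (explicit logged deny at the end)."""
    lines = [f"ip access-list extended {name}"]
    for src, dst, proto, port in policy:
        src_net = ZONE_CIDR[src].split("/")[0]
        dst_net = ZONE_CIDR[dst].split("/")[0]
        lines.append(
            f" permit {proto} {src_net} {wildcard_mask(ZONE_CIDR[src])} "
            f"{dst_net} {wildcard_mask(ZONE_CIDR[dst])} eq {port}"
        )
    lines.append(" deny ip any any log")
    return lines

def find_gaps(policy, deployed):
    """Compare the intended policy with the allow tuples a PEP reports as deployed.
    Returns (missing, extra): missing = intended but absent (a gap),
    extra = deployed but not intended (sprawl or a stale exception)."""
    intended, present = set(policy), set(deployed)
    return sorted(intended - present), sorted(present - intended)

if __name__ == "__main__":
    print("\n".join(render_iptables(POLICY)))
    print("\n".join(render_cisco_acl(POLICY)))
    # Constructed report from one PEP: one intended rule missing, one stale rule left behind.
    deployed_on_pep = [
        ("corp-workstations", "app-servers", "tcp", 443),
        ("corp-workstations", "payment-systems", "tcp", 445),
    ]
    missing, extra = find_gaps(POLICY, deployed_on_pep)
    print("missing on PEP:", missing)
    print("extra on PEP:", extra)
```

The point of the shape is that `POLICY` is edited once and every renderer and the drift check read from it; adding a third enforcement technology means adding a renderer, not a second copy of the policy.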
Automate to accelerate
Successful network segmentation limits the impact of any breach that may occur and helps keep your digital terrain aligned with your security framework. Getting there is difficult – if you rely on legacy, manual tools that fail to provide a complete understanding of all your assets and the context in which they communicate. By mapping assets and traffic using automated, interactive visualization, Forescout Continuum Platform accelerates segmentation policy design, simulation and deployment so you don’t get stuck.
Follow this five-step, automated approach to accelerate progress toward zero trust, reduce regulatory risk and minimize threat exposure.
About the Author
A.J. Dunham has deployed more than 150 Forescout installations and currently architects customer strategies to address growing IT, IoT, IoMT and OT/ICS challenges at enterprise scale. He holds a bachelor’s degree in computer networking and information security from NSA-accredited Champlain College and a master’s degree in information assurance from Northeastern University.