Ways to unstick stuck segmentation projects
Today, information has surpassed oil as the foremost economic driver in the world. Attempts to steal valuable data have risen dramatically in recent years and will only continue to increase. In response, network segmentation has become a valuable tool to protect data and limit the blast radius of any incidents that do occur. It is also a key component that underpins zero trust programs and organizations’ ability to maintain compliance with the many regulations being introduced by governments and industry bodies.
Yet, segmentation projects experience a high failure rate, and many never progress beyond the planning stages. When we speak to organizations about why their segmentation programs have stalled, we hear four common themes:
- “We’re not sure where to begin.”
- “We don’t have visibility into what is on our network.”
- “Digging through log data and data flows is taking too much time.”
- “Our security stack is diverse and requires multiple protocols.”
Sometimes, only one or two of the above themes apply to a single company, but often, they all do, and more. Once projects stall, they rarely restart, as smaller, less complex projects take precedence. The good news is that organizations that follow a proven approach to network segmentation succeed with it and take a valuable step toward protecting their most valuable asset – information.
Here are some tips to include in your network segmentation process to help keep projects on track and overcome the common challenges that organizations face.
Mike Tyson famously said, “Everyone has a plan until they get punched in the mouth.” The same can be said for organizations that take on too much in their initial network segmentation projects. To avoid taking an early hit, start by planning to solve for just one or two use cases, even if they are as simple as preventing printers from talking to the internet or forbidding contractor workstations from communicating with admin databases. Limiting project scope and size helps you ease into learning what works best while avoiding disruption to production environments.
Demonstrating quick wins rapidly builds confidence throughout the organization.
Know what is on your network and how it communicates
“You can’t protect what you can’t see” is the wise adage when it comes to cybersecurity and risk management. It holds especially true for network segmentation. With network segmentation, you need to gain certainty that you have visibility into everything connected to your network, including IoT and OT. Knowing what and who is on your network will allow you to segment with confidence.
Visualize your traffic flows
Traditional methods of determining traffic flows, such as using span collection tools and firewall data, consume too much time and require significant manual effort. They also make it difficult to perform current-state and desired-state analysis and reviews.
By using a visualization tool that provides context-aware mapping and visualization of traffic flows to business groups and segments, you can easily build, test, and monitor policies to determine their impact – prior to deployment. A traffic matrix will help identify where you have policies in place, the level of compliance with those policies, and how they may overlap or conflict with one another. Visualization can also help to quickly validate the blast radius of an incident and speed an organization’s mean time to detect (MTTD) and mean time to respond (MTTR) if an adverse event occurs.
Simulate to validate segment design and avoid disruption
Under- and over-segmenting can cause headaches for many teams. While under-segmenting leaves too much room for lateral movement, over-segmenting introduces resource and management challenges. Building on the ability to visualize traffic patterns by simulating how new or updated policies will affect business operations ensures proper segmentation and speeds implementation. Certainly, nobody wants the CEO to call support because a new policy blocked his or her file access.
Decouple policy enforcement points from policy decision points
NIST published an architecture for zero trust deployments, referring to a significant portion of that guiding architecture as ‘policy enforcement points’ and ‘policy decision points.’ Within enterprise network segmentation, the policy enforcement points (e.g., firewalls, SDN controllers, switches, etc.) constantly evolve and change as companies expand, go through mergers and acquisitions, refresh hardware, make network perimeter changes and more. However, policy decision points should never change, as they are based on risk reduction and business context.
Effective network segmentation calls for decoupling policy enforcement points from policy decision points. A solution like Forescout makes for the ideal policy decision point, because it can integrate with any policy enforcement point. It is the visibility tool and policy monitoring tool that can orchestrate the segmentation policy across any enforcement point that it encounters.
Leveraging visibility and policy monitoring, you can align with the zero trust architecture and the logical separation between decision points and enforcement points. The latter is like a filter that says either “Yes, you can proceed” or “No, you may not proceed.” The policy decision point, by contrast, contains all the logic that details why a specific policy is needed on a specific enforcement point. It reflects the same security framework or security logic that you already have in place and never changes, regardless of changes to your business, network or IT environment.
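The traffic matrix and pre-deployment simulation described under “Visualize your traffic flows” and “Simulate to validate segment design”, together with the decision-point/enforcement-point split described above, as one added example that is not Forescout’s code or the NIST reference model. The flow records, address ranges, group names and the two starting use cases from earlier in the post (printers to internet, contractor workstations to admin databases) are all constructed for illustration; the group-level POLICY is the decision-point logic and stays fixed while the inventory-derived enforcement rules are regenerated.

```python
import ipaddress
from collections import Counter
# Constructed sample flow records (src_ip, dst_ip, dst_port); not real network data.
FLOWS = [
    ("10.10.1.5", "93.184.216.34", 443),  # printer -> internet
    ("10.10.2.7", "10.10.9.2", 1433),     # contractor workstation -> admin database
    ("10.10.3.3", "10.10.8.4", 445),      # staff workstation -> file server
    ("10.10.3.3", "93.184.216.34", 443),  # staff workstation -> internet
    ("10.10.9.2", "10.10.8.4", 22),       # admin database -> file server
]
# Asset inventory mapped to business groups (the "know what is on your network" step).
GROUPS = {
    "printers": ["10.10.1.0/24"], "contractor_ws": ["10.10.2.0/24"],
    "staff_ws": ["10.10.3.0/24"], "file_servers": ["10.10.8.0/24"],
    "admin_db": ["10.10.9.0/24"],
}
# Decision-point logic in business terms, reason kept alongside; first match wins and
# anything unmatched stays allowed while the project scope is this narrow.
POLICY = [
    ("printers", "internet", "deny", "printers have no business need for internet egress"),
    ("contractor_ws", "admin_db", "deny", "contractors must not reach admin databases"),
]

def group_of(ip):
    """Resolve an address to its business group via the inventory."""
    addr = ipaddress.ip_address(ip)
    for name, nets in GROUPS.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return name
    return "internet" if addr.is_global else "unknown"

def traffic_matrix(flows):
    """Count observed flows between business groups (the traffic matrix)."""
    return Counter((group_of(s), group_of(d)) for s, d, _ in flows)

def decide(src_group, dst_group, policy=POLICY):
    """Policy decision for one group pair, returned as (action, reason)."""
    for s, d, action, reason in policy:
        if s == src_group and d == dst_group:
            return action, reason
    return "allow", "no matching rule"

def simulate(flows, policy=POLICY):
    """Observed flows the proposed policy would block, known before deployment."""
    return [f for f in flows if decide(group_of(f[0]), group_of(f[1]), policy)[0] == "deny"]

def enforcement_rules(policy=POLICY):
    """Expand group decisions into address-level tuples for an enforcement point;
    groups not in the inventory (the internet) become 0.0.0.0/0. POLICY is untouched."""
    return [(sn, dn, action) for s, d, action, _ in policy
            for sn in GROUPS.get(s, ["0.0.0.0/0"]) for dn in GROUPS.get(d, ["0.0.0.0/0"])]
```

Running `simulate(FLOWS)` before enforcement lists exactly the printer and contractor flows, while the staff-to-file-server flow (the CEO’s file access) is untouched; after a hardware refresh only GROUPS and `enforcement_rules()` change.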