
Trusting Network Segmentation in Times of Distress

Greg Liewer | June 2, 2021

Quickly and accurately ensure effective segmentation through traffic visualization

The recent Colonial Pipeline cybersecurity incident and subsequent pipeline shutdown highlight the need to limit the blast radius of incidents affecting critical infrastructure. Last year a similar but less-publicized incident occurred when an attacker gained access to a natural gas compression facility’s IT network and then pivoted to attack its operational technology (OT) network.

When OT systems are compromised or malfunction, they can cost organizations substantially in direct costs, inconvenience, and public or consumer trust. Corporate leaders are now rightly asking security and networking teams, “How do we know our IT and OT networks are properly segmented?”

Such incidents and questions are driving cybersecurity teams to look more carefully at the design of their segmentation program and its efficacy in preventing the lateral spread of breaches. A dependable segmentation program does two things: it readily demonstrates policy enforcement based on rules about which kinds of communication are allowed, and it models the downstream ramifications of a system compromise. Without such a program, the blast radius of an incident can spiral significantly, even impacting systems that are not under threat.

Traditional IT/OT Control Methods Take Too Much Time
For segmentation to work, however, visibility and control are key. As the saying goes, “If you can’t see it, you can’t protect it.” Historically, this has meant protection focused on which devices are connecting to the network and the data that needs protecting. Today’s most effective segmentation strategies expand the saying’s scope to include the IT and OT traffic flows between users, devices, applications and services.

But control based on traffic flows can be complex, and speed is critical when a breach or incident has occurred. Historically, organizations have had two primary options for determining whether improper communication was taking place across IT and OT networks: span collection tools and firewalls.

The first method uses existing flow or span collection tools to correlate traffic to specific IPs to determine whether or not an IP is an OT (e.g. PLC) or IoT (e.g. printer) source or destination. The problem is that this process is highly manual and time-consuming.

In the second method, with firewalls separating IT and OT domains, dealing with incidents means wading through firewall rules to determine what traffic is getting through that shouldn’t, as well as finding traffic that is being blocked but should be allowed. This can be done on-box, via logs or using flow tools. It requires nearly the same level of manual effort as the first method and can be similarly slow.

As Breaches Unfold, Domain Shutdown Looms
Analysis through these methods, or any other, requires knowledge of business context to determine whether particular communications should be taking place. Response to a breach depends on having quick answers to two questions: 1) “What IP addresses are communicating with each other and how?” and 2) “Is that communication violating policies?”

If you can’t identify what is communicating and how, a breach might leave you without any option but to shut down an entire domain.

However, if the network security team can quickly identify traffic anomalies, remediation actions can be targeted and cause less impact on critical operations. Here’s an example:

Traffic Visualization Can Accelerate Segmentation Control
Let’s assume a manufacturing organization with multiple domains has implemented a Zero Trust program through various policies. The matrix in Image 1 represents where traffic is currently taking place, with source groups along the vertical axis and destination groups on the horizontal. (Such groups can be created through the Forescout platform, organizing logical taxonomies of users, applications, services and devices.) The blue dots represent where communication is happening between groups.

Image 1: High-level matrix indicating network communication between users, devices and domains.

At this stage, the network or security administrator simply sees who and/or what devices and apps are talking to each other. But this doesn’t tell the whole story. The matrix lets that user drill down to identify if and where a policy violation is occurring.

In Image 2, the security user has clicked to see where traffic violations are occurring. This only takes a matter of seconds. The exclamation marks indicate that violations have been detected in three different areas.

Image 2: The red boxes indicate where ‘Deny All’ policy rules are in place. The exclamation marks indicate where violations are occurring.

Upon seeing violations taking place, security personnel can investigate further with another click to identify which policy is being violated, by whom or through what device. In this instance, we find that the violation is a contractor remotely accessing a programmable logic controller (PLC) at a Denver manufacturing plant.

Image 3: Easily identify the specifics of the offending users and technologies.

With this information, network security operators can quickly act to ensure proper segmentation is maintained by modifying or creating policies, isolating the offending technology, or more.
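
The logic behind the walk-through above, as an added example that is not Forescout’s code or part of the original post: flow records are mapped to groups by subnet, aggregated into a source-group by destination-group matrix (question 1), and checked against ‘Deny All’ pairs (question 2). All group names, subnets, rules and flow records are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed group taxonomy (assumption): subnet -> logical group.
GROUPS = {
    "10.10.0.0/16": "Corporate IT",
    "10.50.20.0/24": "Remote Contractors",
    "172.16.5.0/24": "Denver PLCs",
    "172.16.9.0/24": "OT Historians",
}
# Constructed 'Deny All' rules (assumption): (source group, destination group).
DENY_ALL = {("Remote Contractors", "Denver PLCs"), ("Corporate IT", "Denver PLCs")}
# Constructed flow records: (src_ip, dst_ip, protocol, dst_port).
FLOWS = [
    ("10.10.4.21", "172.16.9.10", "tcp", 443),
    ("10.50.20.7", "172.16.5.33", "tcp", 502),
    ("10.50.20.7", "10.10.8.2", "tcp", 443),
    ("192.0.2.99", "172.16.5.33", "tcp", 44818),
]

# Most specific subnet first, so overlapping ranges resolve to the narrowest group.
NETS = sorted(((ipaddress.ip_network(n), g) for n, g in GROUPS.items()),
              key=lambda p: p[0].prefixlen, reverse=True)

def group_of(ip):
    """Longest-prefix match of an IP to a group; unmapped hosts are surfaced, not dropped."""
    addr = ipaddress.ip_address(ip)
    return next((g for net, g in NETS if addr in net), "Unclassified")

def build_matrix(flows):
    """Question 1: who talks to whom, and how (source group x destination group)."""
    matrix = defaultdict(list)
    for src, dst, proto, port in flows:
        matrix[(group_of(src), group_of(dst))].append((src, dst, proto, port))
    return matrix

def violations(matrix, deny_all=DENY_ALL):
    """Question 2: which cells carry traffic despite a 'Deny All' rule."""
    return {cell: fl for cell, fl in matrix.items() if cell in deny_all}

def unclassified(matrix):
    """Cells where one end has no group, so policy cannot be evaluated there."""
    return {cell: fl for cell, fl in matrix.items() if "Unclassified" in cell}

if __name__ == "__main__":
    m = build_matrix(FLOWS)
    for label, cells in (("VIOLATION", violations(m)), ("UNCLASSIFIED", unclassified(m))):
        for (s, d), fl in cells.items():
            print(f"{label} {s} -> {d}: {fl}")
```

The unclassified cell matters as much as the violation: a source that maps to no group reaches a PLC without matching any rule, which is the visibility gap the two questions are meant to close.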

The Bottom Line
In today’s world of persistent threats and an eroding network perimeter, the ability to react rapidly to incidents is critical to limiting the lateral movement of attacks. Traffic visualization is a powerful tool for determining quickly and efficiently whether such movement is occurring, and for enabling effective, non-disruptive actions short of drastic, broad measures that interrupt business operations.

To learn more about traffic visualization and its network segmentation benefits, please review our eyeSegment material or schedule a demo.