When implemented effectively, network segmentation breaks a network into logical zones, limiting the ability of attackers to move laterally across a network and compartmentalizing access. It has long been one of the most tried-and-true methods of ensuring regulatory compliance, mitigating advanced threats, reducing risks to operational technology and reducing the attack surface of Internet of Things (IoT) devices. However, despite many organizations’ massive investments in segmentation products, fragmented technologies have prevented effective implementation of enterprise-wide segmentation.
Most organizations have implemented some form of network segmentation, albeit with disjointed technologies and policies. Typically, organizations end up over-segmenting or under-segmenting their networks, so they’re never truly sure if they’ve succeeded in filling the gaps. The industry answer to these challenges and gaps has been multiple types of segmentation and enforcement technologies, including infrastructure-native controls or overlay controls like next-generation firewalls and agent-based controls.
“The lack of standards for isolating or segmenting devices on multivendor campus networks makes deploying a strategic framework for all devices difficult.”
–Gartner, September 2019 [1]
Despite all these efforts, recent attacks have proven that current approaches are not working effectively. Take the case of WannaCry. Victims have learned the hard way that inadequately segmented networks fail to prevent this potent form of worm-like malware from propagating across their enterprise. Why is that?
- Most organizations lack complete device visibility and context into their traffic flows. They might see an IP address talking to another IP address, but don’t understand what that device is, or the broader user and business context surrounding it. This means that they don’t actually know what they’re segmenting and are unsure whether their actions could disrupt legitimate business processes.
- Most enterprises lack consistent segmentation policies because they need to leverage fragmented technologies from switches, firewalls, cloud and SDN.
- Creating segmentation policies on fragmented technologies expands their complexity over time, requiring more resources to reactively monitor and manually modify these policies to meet changing business and compliance requirements. This quickly increases policy management complexity, and without the appropriate skills and resources, results in ballooning operational costs.
“In a Gartner customer survey, 80% of IT organizations noted they had found Internet of Things devices on their networks that they did not install, secure or manage.”
–Gartner, September 2019 [1]
Without proper tools, it is very hard to measure the impact of controls until there is abnormal behavior in a network. And by then it could be too late. This further exacerbates operational complexity.
The net result is that organizations lack the confidence to move forward with segmentation as an enterprise-wide strategy.
Enterprise-wide segmentation requires a context-driven, multilayered architecture to address today’s broad diversity of device types—regardless of where they connect to the network. The Forescout platform, including Forescout eyeSegment, bridges disparate enforcement technologies to accelerate the design, planning and deployment of dynamic network segmentation across the extended enterprise.
Forescout recommends a three-layered architecture as a best practice for enterprise-wide network segmentation:
- Control orchestration layer – A vendor-agnostic control orchestration layer that orchestrates controls across the underlying enforcement technologies.
- Enforcement layer – An enforcement layer that coordinates multivendor enforcement points, enabling the execution of segmentation controls across physical and virtual networks.
As the new addition to the Forescout platform, eyeSegment enables the policy layer and accelerates the design, planning and deployment of dynamic network segmentation across the extended enterprise. It simplifies the process of creating context-aware segmentation policies and allows visualization and simulation of policies prior to enforcement for proactive fine-tuning and validation.
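The two problems described above, flows seen only as IP-to-IP pairs without device context, and policies that cannot be validated before enforcement, can be illustrated with a small dry-run simulator. The following is an added example written for this page; it is not Forescout or eyeSegment code and does not reflect how that product works internally. The device inventory, flow records, zone names and rules are all constructed for the example. It enriches each observed flow with the device type and zone of both endpoints, evaluates a proposed first-match policy with a default deny, and sorts flows into allowed, blocked and unknown, so that a legitimate flow the policy would break shows up before the rules go live, and a flow whose endpoint is missing from inventory is surfaced as a visibility gap rather than silently judged.

```python
"""Dry-run simulation of a context-aware segmentation policy (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Device:
    ip: str
    kind: str   # device type from inventory, e.g. "workstation", "camera"
    zone: str   # segmentation zone the device belongs to


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str


@dataclass(frozen=True)
class Rule:
    src_zone: str            # "*" matches any zone
    dst_zone: str            # "*" matches any zone
    dst_port: Optional[int]  # None matches any port
    action: str              # "allow" or "deny"


# Constructed device inventory (hypothetical IPs, types and zones).
INVENTORY: Dict[str, Device] = {
    "10.1.1.10": Device("10.1.1.10", "workstation", "corp-users"),
    "10.1.1.11": Device("10.1.1.11", "workstation", "corp-users"),
    "10.1.1.50": Device("10.1.1.50", "printer", "printers"),
    "10.2.0.7":  Device("10.2.0.7", "camera", "iot"),
    "10.9.0.5":  Device("10.9.0.5", "file-server", "datacenter"),
}

# Constructed flow records, as a flow collector might export them.
FLOWS: List[Flow] = [
    Flow("10.1.1.10", "10.9.0.5", 445, "tcp"),    # user -> file server, legitimate
    Flow("10.1.1.10", "10.1.1.11", 445, "tcp"),   # user -> user SMB, lateral-movement path
    Flow("10.1.1.10", "10.1.1.50", 9100, "tcp"),  # user -> printer, legitimate
    Flow("10.2.0.7", "10.9.0.5", 445, "tcp"),     # camera -> file server, unexpected
    Flow("10.1.1.50", "10.7.7.7", 443, "tcp"),    # printer -> device not in inventory
]

# Proposed policy: first matching rule wins; anything unmatched is denied.
POLICY: List[Rule] = [
    Rule("corp-users", "datacenter", 445, "allow"),
    Rule("corp-users", "printers", 9100, "allow"),
    Rule("corp-users", "corp-users", None, "deny"),
    Rule("iot", "*", None, "deny"),
]


def rule_matches(rule: Rule, src_zone: str, dst_zone: str, port: int) -> bool:
    """Zone wildcards ("*") and a None port match anything."""
    return (rule.src_zone in ("*", src_zone)
            and rule.dst_zone in ("*", dst_zone)
            and rule.dst_port in (None, port))


def evaluate(policy: List[Rule], src_zone: str, dst_zone: str, port: int) -> Tuple[str, str]:
    """Return (action, reason) for the first matching rule, or a default deny."""
    for rule in policy:
        if rule_matches(rule, src_zone, dst_zone, port):
            return rule.action, f"rule {rule.src_zone}->{rule.dst_zone}:{rule.dst_port}"
    return "deny", "default deny"


def simulate(policy: List[Rule], flows: List[Flow],
             inventory: Dict[str, Device]) -> Dict[str, List[Tuple[Flow, str]]]:
    """Evaluate the policy over observed flows without enforcing anything.

    A flow with an endpoint missing from inventory goes into "unknown":
    its zone is unknown, so neither an allow nor a deny verdict is trustworthy.
    """
    report: Dict[str, List[Tuple[Flow, str]]] = {"allowed": [], "blocked": [], "unknown": []}
    for flow in flows:
        src = inventory.get(flow.src_ip)
        dst = inventory.get(flow.dst_ip)
        if src is None or dst is None:
            missing = flow.src_ip if src is None else flow.dst_ip
            report["unknown"].append((flow, f"{missing} not in inventory"))
            continue
        action, reason = evaluate(policy, src.zone, dst.zone, flow.dst_port)
        label = f"{src.kind}({src.zone}) -> {dst.kind}({dst.zone}):{flow.dst_port} [{reason}]"
        report["allowed" if action == "allow" else "blocked"].append((flow, label))
    return report


if __name__ == "__main__":
    result = simulate(POLICY, FLOWS, INVENTORY)
    for bucket, entries in result.items():
        print(f"== {bucket} ({len(entries)})")
        for flow, label in entries:
            print(f"  {flow.src_ip} -> {flow.dst_ip}:{flow.dst_port}/{flow.proto}  {label}")
```

Reviewing the "blocked" bucket against known business processes is the validation step: if a flow that a team depends on lands there, the rule set needs adjusting before enforcement, not after a helpdesk ticket. The "unknown" bucket is the visibility gap the text describes, a device talking on the network that the inventory cannot classify, and it should be resolved before the policy is trusted.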
Accelerate Enterprise-Wide Network Segmentation with Forescout eyeSegment
Register for our upcoming webinar to learn more about the Forescout platform, tools and best practices to help you efficiently plan and implement your network segmentation projects so you can move forward with confidence.
[1] Gartner, “Segmentation or Isolation: Implementing Best Practices for Connecting ‘All’ Devices,” Tim Zimmerman, 26 September 2019