- Many legacy networks were built for full connectivity and overlooked potential security ramifications.
- Malware, ransomware, and bad actors are proliferating. It is not a matter of if you will be compromised but how can the damage be minimized.
- Cyber insurance is a detective control, not a preventative one. Prerequisite audits will look for appropriate segmentation.
Our Advice
Critical Insight
- Lateral movement amplifies damage. Contain movement within the network through segmentation.
- Good segmentation is a balance between security and manageability. If solutions are too complex, they won’t be updated or maintained.
- Network services and users change over time, so must your segmentation strategy. Networks are not static; your segmentation must keep pace.
Impact and Result
- Create a common understanding of what is to be built, for whom, and why.
- Define what services will be offered and how they will be governed.
- Understand which assets you already have that can jump-start the project.
Network Segmentation
Protect your network by controlling the conversations within it.
Executive Summary
Info-Tech Insight
Lateral movement amplifies damage
From a security perspective, bad actors often use the tactic of “land and expand.” Once a network is breached, if east/west or lateral movement is not restricted, an attacker can spread quickly within a network from a small compromise.
Good segmentation is a balance between security and manageability
The ease of management in a network is usually inversely proportional to the amount of segmentation in that network. Highly segmented networks have a lot of potential complications and management overhead. In practice, this often leads to administrators being confused or implementing shortcuts that circumvent the very security that was intended with the segmentation in the first place.
Network services and users change over time, so must your segmentation strategy
Network segmentation projects should not be viewed as singular or “one and done.” Services and users on a network are constantly evolving; the network segmentation strategy must adapt with these changes. Be sure to monitor and audit segmentation deployments and change or update them as required to maintain a proper risk posture.
Your Challenge
Networks are meant to facilitate communication, and when devices on a network cannot communicate, it is generally seen as an issue. The simplest answer to this is to design flat, permissive networks. With the proliferation of malware, ransomware, and advanced persistent threats (APTs), a flat or permissive network is an invitation for bad actors to deliver more damage at an increased pace. Cyber insurance may be viewed as a simpler mitigation than network reconfiguration or redesign, but this is not a preventative solution, and the audits done before policies are issued will flag flat networks as a concern.
Common Obstacles
Network segmentation is not a “bolt on” fix. To properly implement a minimum viable product for segmentation you must, at a minimum:
Implementing appropriate segmentation often involves elements of (if not a full) network redesign.
Info-Tech’s Approach
To ensure the best results in a timely fashion, Info-Tech recommends a methodology that consists of:
Info-Tech Insight
The aim of networking is communication, but unfettered communication can be a liability. Appropriate segmentation in networks, blocking communications where they are not required or desired, restricts lateral movement within the network, allowing for better risk mitigation and management.
Network segmentation
Compartmentalization of risk: Segmentation is the practice of compartmentalizing network traffic for the purposes of mitigating or reducing risk. Segmentation methodologies can generally be grouped into three broad categories:
1. Physical Segmentation: The most common implementation of physical segmentation is to build parallel networks with separate hardware for each network segment. This is sometimes referred to as “air gapping.”
2. Static Virtual Segmentation: Static virtual segmentation is the configuration practice of using technologies such as virtual LANs (VLANs) to assign ports or connections statically to a network segment.
3. Dynamic Virtual Segmentation: Dynamic virtual segmentation assigns a connection to a network segment based on the device or user of the connection. This can be done through such means as software defined networking (SDN), 802.1x, or traffic inspection and profiling.
Common triggers for network segmentation projects
1. Remediate Audit Findings: Many security audits (potentially required for or affecting premiums of cyber insurance) will highlight the potential issues of non-segmented networks.
2. Protect Vulnerable Technology Assets: Whether separating IT and OT or segmenting off IoT/IIoT devices, keeping vulnerable assets separated from potential attack vectors is good practice.
3. Minimize Potential for Lateral Movement: Any organization that has experienced a cyber attack will realize the value in segmenting the network to slow a bad actor’s movement through technology assets.
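To make the compartmentalization-of-risk argument and the audit trigger above concrete, here is an added Python illustration (not Info-Tech's code or tooling) that models a segment-to-segment reachability policy, measures the share of segments an intruder could reach by lateral movement from one compromised segment, flags segments that are effectively flat (the finding a cyber-insurance audit would raise), and lists required business flows the policy would break, which is the manageability side of the balance. The segment names, the two sample policies, and the required-flow list are constructed assumptions for illustration.

```python
from collections import deque

# Constructed sample: each segment maps to the segments it may initiate connections to.
# A VLAN/ACL design (static) or an 802.1x/SDN design (dynamic) can both be expressed this way.
FLAT_NETWORK = {
    "users":   {"users", "servers", "ot", "iot"},
    "servers": {"users", "servers", "ot", "iot"},
    "ot":      {"users", "servers", "ot", "iot"},
    "iot":     {"users", "servers", "ot", "iot"},
}
SEGMENTED_NETWORK = {
    "users":   {"users", "servers"},  # workstations reach application servers only
    "servers": {"servers"},           # servers never initiate towards users, OT or IoT
    "ot":      {"ot"},                # OT and IoT are isolated from everything else
    "iot":     {"iot"},
}
# Constructed list of flows the business needs; the second one is deliberately
# not permitted above so the check shows a policy that is too strict to survive.
REQUIRED_FLOWS = [("users", "servers"), ("servers", "ot")]


def reachable_segments(policy, start):
    """Segments an intruder who controls `start` could reach by lateral movement (BFS)."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in policy.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def blast_radius(policy, start):
    """Fraction of all segments exposed by a compromise that begins in `start`."""
    return len(reachable_segments(policy, start)) / len(policy)


def flat_segments(policy):
    """Segments that can reach every segment: the 'flat network' audit finding."""
    return sorted(s for s in policy if reachable_segments(policy, s) == set(policy))


def blocked_required_flows(policy, required):
    """Required flows the policy denies; left unresolved, these invite admin shortcuts."""
    return [(src, dst) for src, dst in required if dst not in policy.get(src, ())]


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_NETWORK), ("segmented", SEGMENTED_NETWORK)):
        print(name, {s: blast_radius(policy, s) for s in policy}, flat_segments(policy))
    print("blocked required flows:", blocked_required_flows(SEGMENTED_NETWORK, REQUIRED_FLOWS))
```

Re-running the same checks against the policy exported from the live switches or controller, rather than the design document, is what turns this into the periodic audit the strategy calls for.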