Network Segmentation: Your Last Line of Defense?

Network segmentation is a critical part of any organization’s security strategy. Insider threats, lateral movement and privilege escalation are becoming severe threats and network segmentation can often be the last line of defense against a malicious actor who has already penetrated your network. Read on to see how organizations are using network segmentation to improve security and learn how to avoid important pitfalls.

What Is Network Segmentation?

Network segmentation is an architecture you can use to isolate critical elements of your network. When segmenting a network, you divide your systems into individual subnets or segments with each acting as its own network. Traffic between these subnets is controlled by your network administrator, allowing you to restrict which services or users access which subnets.

Why Is Network Segmentation Important?

Traditional networks focus on protecting the network perimeter. These architectures use firewalls or intrusion prevention systems (IPS) to restrict traffic. Traditional networks assume that attacks come from the outside and that the assets and applications inside the network don’t need to be as well protected. 

This is effective as long as malicious traffic originates outside a network and is caught before entering. However, this offers little to no protection against malicious insiders or successful outside attackers. When a network is unsegmented, it has a flat internal architecture that enables users to easily move laterally across resources. This same structure can be abused by attackers.

When a network is segmented, however, it creates internal barriers in addition to external ones. These barriers help restrict the damage that can be caused by successful attacks no matter where an attack originates.

Network Segmentation Benefits

Segmenting your network can provide several benefits, including the following:

Improves monitoring – A segmented network requires the ability to control and filter traffic. By nature, this leads to better monitoring since you can see all traffic moving between segments or services. It also gives  you better insight as to how services and users are connecting to your various resources. 

Improves performance – In a segmented network topology, there are fewer hosts per subnet and thus less local traffic. Broadcast traffic can be isolated to the local subnet. This reduces network congestion and improves capacity with existing resources.

Increases data security – With network segmentation, you have a greater ability to customize system protections. You can use segmentation to layer assets based on priority. For example, placing critical assets behind greater protections while leaving less critical assets more accessible is one approach. When you stack protections and strategically focus your efforts, you are better able to protect your most valuable and most likely to be targeted data. Security benefits of segmentation include:

• Network traffic can be isolated or filtered to limit or prevent access between network segments.
• Access Control allows users to only access specific network resources.
• Containment – when a network issue occurs, its effect is limited to the local subnet.

Protection from adversary attacks – Being able to limit attacker movement is the primary benefit of network segmentation. With segmentation, if an attacker manages to breach your network, they only gain access to the specific segment they breached. 

To reach other assets, attackers must breach additional barriers. This takes time and creates additional opportunities for your detection systems to recognize, alert to and block attack activity. The longer it takes an attacker to reach your assets, the better your chances are to prevent or reduce damage. Network segmentation is not complete security, but it makes it much more difficult for adversaries to reach your most important assets.

Network Segmentation Use Cases

Network segmentation can help increase the security of any network but there are a few specific use cases for which it is often implemented. 

Guest wireless network – Frequently, organizations want to offer guest networks for clients or contractors, rather than allowing access to their main network. Network segmentation enables you to accomplish this while restricting access to wider resources. For example, guests may be given credentials that only provide access to Internet resources rather than internal. 

User group access – Within your network, you likely have data or services that are department-specific. Network segmentation lets you restrict access to these services and data to only those departments or users that need it. For example, developers need access to codebases and testing environments but not to HR resources or employee records. With segmentation, you can directly block access or trigger alerts for suspicious access. 

Public cloud security – If you are using public cloud services you should be familiar with the concept of shared responsibility for security. The shared responsibility model typically requires cloud users to manage their own security around applications, data and system access. However, cloud engineers and support still need at least some access to your resources and data. Network segmentation allows you to achieve this protection more consistently, by more finely controlling who specifically has access. 

Regulatory compliance – Network segmentation can help you ensure regulatory compliance by applying necessary controls to affected data. For example, if you need to collect credit card information, you can segregate where the data is stored and exactly who can access it. This lets you  meet PCI compliance without requiring the heavier necessary restrictions across your network.

Network Segmentation Challenges

Network segmentation can provide significant benefits but it can also be a challenge to implement correctly. Below are a few of the most common challenges.

Undertaking too much

Network segmentation enables organizations to gain greater control over their systems but can quickly lead to micromanagement. This can happen if you try to segment every aspect of your network or are unsure how or where to start. 

Highly granular segmentation, or nano-segmentation, creates more work for security and operations teams without producing significant additional benefits. It requires more network barriers and is more likely to create bottlenecks for users.

Additionally, trying to segment your entire network in one go requires more upfront planning and can create the need to redo work. It’s much easier to begin by creating just a few segments so that you can test and refine configurations as you go.

Failure to respond to alerts

Segmenting a network creates many more channels for alerts and audits but can also lead to information overload. If security teams are suddenly receiving even twice as many alerts as before, incidents are likely to be missed or ignored. This is problematic for obvious reasons; a segmented network is only useful if it increases security. 

For segmentation to work, you need to incorporate tooling and solutions that help you process and manage additional traffic data. This often means adopting systems with configurable automated responses. It also involves using solutions that centralize data, eliminating the need to individually monitor segments. 

How to further improve the security of network segmentation

After your network is segmented, it can be tempting to assume that your configuration is good and to move on. However, assets, users and access methods change. To adapt to these changes, you need to periodically audit your segmentation configurations. Auditing helps you confirm that your systems are operating efficiently and effectively. 

Additionally, you should adapt your segmentation measures to account for changing attack strategies. As segmentation methods and tooling become common, attackers find ways to work around these systems. To ensure that your assets remain secure, you need to adapt as well. 

Network Visibility: A Companion to Segmentation Strategies

Although network segmentation does bring in many benefits as listed above, enterprises should have full visibility to networks, data, users and devices. They should constantly monitor and adjust their security policies to comply with their own business and security requirements. Enterprises may also consider a zero trust network architecture to enforce network segmentation at every layer of the network. 

To further improve visibility into networks, users and devices, enterprises employ SIEM technology which assembles all the data from disparate sources to look for anomalies and are able to track lateral movements, distributed attacks, and changes in user behavior across various network zones. 

The Exabeam Security Management Platform is a next-generation SIEM that collects unlimited log data, detects advanced threats using user and entity behavior analytics (UEBA) and can automate and orchestrate incident response. This provides a scalable, easy-to-manage infrastructure for network visibility, an essential complement to a strong network segmentation strategy.