
Making the case for network segregation

The debate has re-emerged recently around the common finding in pentest reports: "you are recommended to implement network segregation". 

We’ve worked with a number of organizations who have implemented successful network segmentation projects. However, we recognise it’s no mean feat and far easier said than done. For CISOs seeking to secure their network through segmentation, gaining the necessary budget and buy-in can be a challenge. So what makes it worth doing, and how can you make the case for a network segmentation project?

Why network segregation is worth the effort

Many attacks will originate on user endpoints (for example through phishing) rather than on an externally facing server. Once in the network, attackers will attempt to elevate permissions and find the servers that allow them to achieve objectives (file shares, customer data warehouses, financial backend systems). Therefore, the focus of segmentation is on thwarting their attempts to move laterally and escalate privileges. This requires internal perimeters like a prison or castle, rather than the armadillo model (hard, impenetrable outer with a soft centre) that is common in organisations.

A segmented network doesn’t just frustrate attackers, it can drastically aid in detecting and removing them. Where we have responded to incidents on segmented networks it has been easier to identify anomalous traffic, and possible to isolate compromised subsidiaries or subnets to stop the bleeding and buy time for investigation. A very real problem for some companies is that when they reach the “ok, we need to cut that unit off from the world and sort this” moment, it can take hours or days to work out which cable to pull out, during which time more damage is happening.

Effective network segregation requires buy-in from the C-suite

We’ve only ever seen segmentation be successful where it is recognised as a major change or part of a wider IT transformation. It should ideally be a collaboration between security and IT/networks, rather than wholly security-owned. It’s a significant project which needs a project manager and budget assigned, not the kind of thing which can be palmed off on a junior ops member or treated as a side line project.

To get the budget, time and expertise needed, network segmentation needs buy-in at C-level. Gaining support and securing budget relies on strong arguments, data, and compliance. 

How to make the case for segmenting your network

  • Use the statistics: point to metrics on the number of pentest reports that recommend segmentation ("40% of our system tests recommend it as a remediation") 
  • Point to red team results: point to specific incidents where network segmentation would have limited lateral movement and actions on objectives 
  • Position the project as a value-add: a SOC / threat hunting team can be more effective with a well-structured network. For example, traffic that may be normal in the user segment could be malicious in the server segment. This would be very hard to detect in a flat, messy network. 
  • Build a foundation: network segmentation addresses technical debt and gives organisations a more securable and manageable environment. Non-technical staff often respond well to analogies about well-designed castles that are defensible with multiple walls, killing zones, and defenders having positional advantage. 
  • Promise results: network segmentation projects can be large and take a lot of effort, but they are likely to demonstrate measurable improvement. A project to implement "behavioural AI" to catch insiders may sound good, but has a very small chance of succeeding in a measurable way. A network segmentation project is made up of a huge number of small steps with few risky leaps, so its metrics can be seen moving steadily in the right direction, providing cover for riskier projects.
  • Name drop where necessary: use real-life examples of attacks which strike a chord with your board, for example the WannaCry / NotPetya network worm attacks. The reality is that preventing these specific attacks is a challenge, as they exploited Server Message Block (SMB), which often needs to be allowed between network segments. However, the principles and learnings should land with the board.
  • Call on compliance to justify spend. Frameworks that can be used include: 
    • The SWIFT Customer Security Programme mandates segmentation of payment systems. When responding to this, organisations can use the momentum to not just segment SWIFT systems, but also increase the effort to design a blueprint for all critical systems. 
    • PCI DSS requires segmentation of the cardholder data environment.
    • ISO 27002 control 13.1.3 requires segmentation of the internal network.
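The segment-aware detection point made above (traffic that is normal in one segment but suspicious in another, with SMB still having to cross some boundaries) as an added Python example; this is illustrative code written for this page, not code from the article or from MWR, and the three subnets, the rule table and the flow records are constructed assumptions.

```python
import ipaddress

# Constructed segment plan, assumed for this example (not from the article).
SEGMENTS = {
    "users": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
    "payments": ipaddress.ip_network("10.30.0.0/24"),
}

# Segment-aware rules, first match wins: (src_seg, dst_seg, dport, verdict).
# SMB (445) users -> servers is allowed because, as the article notes, SMB often
# has to cross segment boundaries; the same port between two workstations or two
# servers has no business reason and is the lateral-movement pattern to hunt for.
RULES = [
    ("users", "servers", 445, "allow"),
    ("users", "users", 445, "suspicious"),
    ("servers", "servers", 445, "suspicious"),
]

def segment_of(ip):
    """Map an address to its segment name, or 'unknown' if outside the plan."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in SEGMENTS.items() if addr in net), "unknown")

def classify(src, dst, dport):
    """Verdict for one flow: allow, suspicious, or alert."""
    s, d = segment_of(src), segment_of(dst)
    for rs, rd, rp, verdict in RULES:
        if (rs, rd, rp) == (s, d, dport):
            return verdict
    # Other traffic inside one known segment is not policed here; any
    # unlisted cross-segment flow breaks the plan and is alerted on.
    return "allow" if s == d and s != "unknown" else "alert"

def triage(flow_lines):
    """Parse 'src dst dport' records and return [(record, verdict), ...]."""
    out = []
    for line in flow_lines:
        src, dst, port = line.split()
        out.append((line, classify(src, dst, int(port))))
    return out

# Constructed sample flows (not real logs): a benign file-share access, two
# lateral-movement patterns, and a workstation reaching into the payment zone.
SAMPLE_FLOWS = [
    "10.10.4.21 10.20.1.5 445",
    "10.10.4.21 10.10.4.88 445",
    "10.20.1.5 10.20.1.9 445",
    "10.10.4.21 10.30.0.10 443",
]
```

On a flat network the second and third flows look identical to the first; the segment labels are what turn them into a huntable signal.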

Segregating a network is a thoroughly useful control and can be a security multiplier for a number of other controls. However, “segment your network” is one of those statements that sounds great on paper, but is desperately hard to implement. Pentest reports can seem flippant with such a statement, by not considering who will have to be involved for it to be successful (which the author of the blog must guiltily admit they have done in the past). However, if the right people are bought in (and brought in) these projects can provide real, measurable, uplifts to your security without putting limits on productivity.
