The debate has re-emerged recently around the common finding in pentest reports: "you are recommended to implement network segregation".
We’ve worked with a number of organizations who have implemented successful network segmentation projects. However, we recognise it’s no mean feat and far easier said than done. For CISOs seeking to secure their network through segmentation, gaining the necessary budget and buy-in can be a challenge. So what makes it worth doing, and how can you make the case for a network segmentation project?
Many attacks originate on user endpoints (for example through phishing) rather than on an externally facing server. Once in the network, attackers attempt to elevate permissions and find the servers that allow them to achieve their objectives (file shares, customer data warehouses, financial backend systems). The focus of segmentation is therefore on thwarting their attempts to move laterally and escalate privileges. This requires internal perimeters, like a prison or a castle, rather than the armadillo model (hard, impenetrable outer with a soft centre) that is common in organisations.
A segmented network doesn’t just frustrate attackers; it can drastically aid detecting and removing them. Where we have responded to incidents on segmented networks it has been easier to identify anomalous traffic, and possible to isolate compromised subsidiaries or subnets to stop the bleeding and buy time for investigation. A very real problem for some companies is that when they reach the “ok, we need to cut that unit off from the world and sort this” moment, it can take hours or days to work out which cable to pull, during which time more damage is being done.
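To illustrate how a defined segment policy makes anomalous traffic stand out, here is an added example (not from the original post) that checks constructed flow-log lines against a hypothetical set of allowed inter-segment flows; the segment ranges, ports and log format are all assumptions for illustration:

```python
import ipaddress

# Constructed segment definitions (hypothetical zones, not a real network)
SEGMENTS = {
    "user_endpoints": ipaddress.ip_network("10.10.0.0/16"),
    "file_shares": ipaddress.ip_network("10.20.0.0/24"),
    "finance_backend": ipaddress.ip_network("10.30.0.0/24"),
    "jump_hosts": ipaddress.ip_network("10.40.0.0/28"),
}

# Allowed inter-segment flows as (src_segment, dst_segment, dst_port);
# any cross-boundary flow not listed here is worth investigating.
ALLOWED = {
    ("user_endpoints", "file_shares", 445),
    ("user_endpoints", "jump_hosts", 22),
    ("jump_hosts", "finance_backend", 1433),
}

def segment_of(ip):
    """Map an address to the segment that contains it, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"

def parse_flow(line):
    # Constructed flow-log format: "<src_ip> <dst_ip> <dst_port> <action>"
    src, dst, port, action = line.split()
    return src, dst, int(port), action

def find_violations(lines):
    """Return flows that cross a segment boundary without a matching allow rule."""
    violations = []
    for line in lines:
        src, dst, port, action = parse_flow(line)
        s, d = segment_of(src), segment_of(dst)
        if s == d:
            continue  # intra-segment traffic is outside the boundary policy
        if (s, d, port) not in ALLOWED:
            # Flag accepted and dropped attempts alike: a DROP shows the
            # boundary held, but the attempt itself is the investigative lead.
            violations.append((src, dst, port, s, d, action))
    return violations

# Constructed sample flows (not real traffic)
SAMPLE_FLOWS = [
    "10.10.4.12 10.20.0.5 445 ACCEPT",     # endpoint -> file share: allowed
    "10.10.4.12 10.30.0.7 1433 ACCEPT",    # endpoint -> finance DB: violation
    "10.10.4.12 10.30.0.7 3389 DROP",      # blocked attempt: still flagged
    "10.40.0.3 10.30.0.7 1433 ACCEPT",     # jump host -> finance DB: allowed
    "10.10.4.12 10.10.9.9 445 ACCEPT",     # intra-segment: ignored
]
```

Running `find_violations(SAMPLE_FLOWS)` returns the two endpoint-to-finance flows; on a flat network the same flows would be indistinguishable from normal traffic.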
We’ve only ever seen segmentation succeed where it is recognised as a major change or as part of a wider IT transformation. It should ideally be a collaboration between security and IT/networks, rather than wholly security-owned. It’s a significant project which needs a project manager and a budget assigned, not something that can be palmed off on a junior ops member or treated as a sideline project.
To get the budget, time and expertise needed, network segmentation needs buy-in at C-level. Gaining support and securing budget relies on strong arguments, data, and compliance.
Segregating a network is a thoroughly useful control and can be a security multiplier for a number of other controls. However, “segment your network” is one of those statements that sounds great on paper but is desperately hard to implement. Pentest reports can seem flippant with such a statement, by not considering who will have to be involved for it to be successful (which the author of this blog must guiltily admit to having done in the past). However, if the right people are bought in (and brought in), these projects can provide real, measurable uplifts to your security without putting limits on productivity.