Cybersecurity is also a lifecycle and ideally one should build in continuous improvements and assessments. One of the best ways to ensure you are bolstered against the threat landscape is to take lessons learned from investigations and build a programme that can implement those recommendations. Constraints to budgets and time make it difficult to implement every single recommendation. However, 10% readiness is better than no readiness. It is not purely about monetary investment, but about making internal improvements to your processes and procedures. This brings us to the subject of network segregation and why it is worth the effort.
Many attacks will originate on user endpoints (for example through phishing) rather than on an externally facing server. Once in the network, attackers will attempt to elevate permissions and find the servers that allow them to achieve objectives – such as file shares, customer data warehouses and financial backend systems. Therefore, the focus of segmentation is on thwarting their attempts to move laterally and escalate privileges. This requires internal perimeters like a prison or castle, rather than the armadillo model – i.e. a hard, impenetrable outer with a soft centre that is common in organisations.
A segmented network doesn’t just frustrate attackers; it can drastically aid detecting and removing them. In responses to incidents on segmented networks it has been easier to identify anomalous traffic, and possible to isolate compromised subsidiaries or subnets to stop the bleeding and buy time for investigation. A very real problem for some companies is that when they reach the “ok, we need to cut that unit off from the world and sort this” moment, it can take hours or days to work out which cable to pull, during which time more damage is happening.

Effective network segregation also requires buy-in from the C-suite, i.e. the executive management in an organisation, including the CEO, CIO, COO etc. Segmentation is only successful where it is recognised as a major change or as part of a wider IT transformation. It should ideally be a collaboration between security and IT/networks, rather than wholly security-owned. It is a significant project which needs a project manager and budget assigned, not the kind of thing which can be palmed off on a junior ops member or treated as a sideline project. To get the budget, time and expertise needed, network segmentation needs buy-in at C-level, and gaining that support relies on strong arguments, data and compliance drivers.
Making the case to the C-suite for segmenting an organisation’s network can draw on several important inputs.

Use statistics to justify actions: point to metrics on the number of pentest reports that recommend segmentation, e.g. “40% of our system tests recommend it as a remediation”. Also point to red team results for specific incidents where network segmentation would have limited lateral movement and actions on objectives.

Position the project as a value-add. A security operations centre or threat hunting team can be more effective with a well-structured network. For example, traffic that may be normal in the user segment could be malicious in the server segment; this would be very hard to detect in a flat, messy network.

Build a foundation. Network segmentation addresses technical debt and gives organisations a more securable and manageable environment. Non-technical staff often respond well to analogies about well-designed castles that are defensible with multiple walls, killing zones, and defenders holding positional advantage.

Promise results. Network segmentation projects can be large and take a lot of effort. However, they are likely to be able to demonstrate measurable improvement. A project to implement ‘behavioural Artificial Intelligence’ to catch insiders may sound good, but has a very small chance of succeeding in a measurable way. A network segmentation is made up of a huge number of small steps but few risky leaps, so its metrics can be methodically going the right way, providing cover for more risky projects.

Name drop where necessary. Use real-life examples of attacks which strike a chord with the board, for example the WannaCry and NotPetya network worm attacks. The reality is that preventing these specific attacks can be a challenge, as they exploited Server Message Block (SMB), which often needs to be allowed between network segments. However, the principles and learnings should land with the board.

Finally, call on compliance to justify spend. Frameworks that can be used for this include the SWIFT Customer Security Programme, which mandates segmentation of payment systems; when responding to this, organisations can use the momentum to not just segment SWIFT systems but also increase the effort to design a blueprint for all critical systems. PCI also requires segmentation of the cardholder data environment, and ISO 27002 13.1.3 requires segmentation of the internal network.
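To make the value-add point above concrete, here is a small segment-aware review of flow records. It is an example added for this article, not code from the original post or from any product; the zone ranges, the zone-to-zone allow-list and the flow records are all constructed. What it shows is that the same destination port gets a different verdict depending on the segments involved: SMB (445) from a workstation to the file server is routine, SMB between two workstations is the pattern a network worm rides on, and a server opening connections into the user segment is the wrong direction altogether. None of those distinctions exist in a flat network, because there are no named segments to compare against.

```python
"""Segment-aware review of flow records.

Added example for this article, not the author's or any vendor's code.
Zone ranges, the allow-list and the flow records below are all constructed.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed zone plan: one named zone per network segment.
ZONES = {
    "users":   ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
    "data":    ipaddress.ip_network("10.30.0.0/16"),
}

# Constructed design rules: which (source zone, destination zone) pairs may
# talk, and on which destination ports. Anything not listed is unexpected.
ALLOWED = {
    ("users", "servers"):   {443, 445},  # web apps and file shares
    ("servers", "servers"): {443, 445},
    ("servers", "data"):    {1433},      # only the app tier reaches the database
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or 'unknown' if it is off-plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def classify(flow: Flow) -> str:
    """Return 'allowed', or a short reason the flow is anomalous in its context.

    The same port gets different verdicts in different segments: SMB from a
    workstation to the file server is routine, SMB between two workstations
    is the pattern self-propagating worms rely on.
    """
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if "unknown" in (src_zone, dst_zone):
        return "unmapped address"
    if src_zone == "users" and dst_zone == "users" and flow.dport == 445:
        return "workstation-to-workstation SMB"
    if src_zone in ("servers", "data") and dst_zone == "users":
        return "server initiating connection into user segment"
    if flow.dport in ALLOWED.get((src_zone, dst_zone), set()):
        return "allowed"
    return f"{src_zone}->{dst_zone}:{flow.dport} not in zone allow-list"


def review(flows):
    """Return the anomalous flows with their verdicts, in input order."""
    verdicts = [(f, classify(f)) for f in flows]
    return [(f, v) for f, v in verdicts if v != "allowed"]


def summarise(flows):
    """Count verdicts so a SOC can see which rule is firing most."""
    return Counter(classify(f) for f in flows)


# Constructed sample flows (source, destination, destination port).
SAMPLE_FLOWS = [
    Flow("10.10.1.15", "10.20.0.10", 445),   # workstation -> file server: normal
    Flow("10.10.1.15", "10.10.1.16", 445),   # workstation -> workstation: worm-like
    Flow("10.10.1.15", "10.10.1.17", 445),
    Flow("10.20.0.10", "10.30.0.5", 1433),   # app server -> database: normal
    Flow("10.10.1.15", "10.30.0.5", 1433),   # workstation -> database: bypasses app tier
    Flow("10.20.0.10", "10.10.1.15", 3389),  # server -> workstation: wrong direction
    Flow("10.20.0.10", "192.0.2.9", 443),    # address outside the zone plan
]

if __name__ == "__main__":
    for flow, verdict in review(SAMPLE_FLOWS):
        print(f"{flow.src:>12} -> {flow.dst:<12} {flow.dport:<5} {verdict}")
    print(summarise(SAMPLE_FLOWS))
```

The allow-list is the design blueprint in machine-readable form; once it exists, a SOC can diff observed flows against it and the "unmapped address" verdict doubles as a check that the zone plan itself is complete.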
Segregating a network is a thoroughly useful control and can be a security multiplier for a number of other controls. However, ‘segment your network’ is one of those statements that sounds great on paper, but is desperately hard to implement. Pentest reports can seem flippant with such a statement, by not considering who will have to be involved for it to be successful. However, if the right people are bought and brought in these projects can provide real, measurable, uplifts to your security without putting limits on productivity.
The bottom line is that every organisation, no matter what its size or the industry it is in, needs to invest time and effort, with some financial investment as well, in securing its IT resources against cyber-attacks, because the threat is unfortunately never going to go away completely. The sooner organisations start with these protective measures, the better their chances of surviving the outcome of a cyber-attack and defending themselves against future attacks.