Network segmentation is providing a critical network security defense against increasingly sophisticated cyber-threats
Years ago, many IT departments weren’t focusing network security efforts on the “inside” of the network. Rather than layering security solutions or leveraging security automation, the firewall was the singular line of defense against cyber-threats. Tempting intellectual property and data assets lay on the other side of the firewall once the network perimeter was breached. The attacks often originated from insiders, third parties or partners with valid credentials to access the network. Once inside the network, these malicious users could roam freely across the network. Companies needed to find a way to contain these threats.
Today, the payoff for hackers and malicious insiders has diminished as more controls are put in place. Organizations are increasingly aware that perimeter security alone isn’t enough to prevent ‘unpreventable’ cyber-attacks and cyber-threats. Furthermore, the insider threat to network security continues to grow. According to the IBM 2015 Cyber Security Intelligence Index, 55 percent of all attacks were carried out by either malicious insiders or inadvertent actors. When an internally or externally driven threat emerges, network segmentation provides the essential layer of security designed to protect valuable data assets from unauthorized users.
Key 1: Understand Network Segmentation
So what is network segmentation?
Simply put, network segmentation is the act of splitting a network into many “sub networks” known as segments. This approach allows organizations to group applications and like data together for access by a specific group (e.g., finance). It also limits the range of access provided to an insider, partner, or a third party.
With increasing numbers of high profile breaches, organizations have been forced to re-evaluate their network access approach. Some organizations implement network segmentation simply to comply with regulatory mandates such as HIPAA and PCI standards. Others are aware of larger potential security risks that loom with a flat network. Business questions arise including: how important is it to protect your brand, avoid lost sales, prevent stock losses, and avoid class action lawsuits?
Key 2: Don’t Let a Flat Network be an Invitation for a Breach
Is Network Segmentation the Silver Bullet to Prevent a Breach?
Network segmentation may have been the silver bullet that could have prevented a breach such as the one experienced by Target. We’ve all heard the story – a hacker gains access to a third-party HVAC vendor’s login credentials and subsequently gains access to Target’s Point of Sale (POS) devices. The hacker deploys malware and gains access to 40 million customers’ data, including debit and credit card information, during the 2013 holiday season.
What would have happened if Target’s HVAC vendor’s credentials didn’t even allow them near customer data on the network? What if the user had been contained to just the segment of the network containing the systems they needed to manage the HVAC systems? Could security automation in the form of security event triage, automated threat response and containment have prevented this attack? Perhaps the resignation by the CEO after the breach and a series of legal settlements (with estimates ranging from a total of nearly $300 million, according to Sophos’ Naked Security news report) could have been avoided. Online publications have gone a step further to state that Target’s breach happened “because of a basic network segmentation error” (Source: ComputerWorld report by Jaikumar Vijayan, Feb 6, 2014).
Other organizations that have suffered similar attacks on their networks include Sony, in late 2014. Large amounts of confidential information were accessed and leaked. In a 2015 BBC report, Rick Holland, a security and risk management analyst at Forrester Research, recommended that companies make more efforts to segment their networks. Mr. Holland suggests, “What you need is a bulkhead approach like in a ship: if the hull gets breached you can close the bulkhead and limit the damage.”
When a network is not segmented, hackers and malicious users are free to roam across the network and easily access intellectual property and data assets. With network segmentation, organizations can enhance network security by controlling access to sensitive data in the form of enabling or denying network access. In addition, standards such as PCI-DSS provide clear guidance on data separation.
Key 3: Leverage Network Segmentation to Simplify Maintenance
So why are Some Organizations Rolling the Dice with their Network Security?
Setting up a network segmentation approach requires first laying a solid foundation. Organizations need to classify and group related data items. From there, they have to understand who should and shouldn’t have access to those items or assets.
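The grouping and "who should have access" steps above can be written down as a default-deny segment policy and checked against observed traffic. This is an added example, not Bradford's or Network Sentry's code; the segment names, address ranges, ports and flow records are constructed assumptions.

```python
import ipaddress

# Grouping step: each segment is a named address range (constructed values).
SEGMENTS = {
    "hvac-vendor":   ipaddress.ip_network("10.10.0.0/24"),
    "pos":           ipaddress.ip_network("10.20.0.0/24"),
    "finance":       ipaddress.ip_network("10.30.0.0/24"),
    "building-mgmt": ipaddress.ip_network("10.40.0.0/24"),
}

# Access step: (source segment, destination segment) -> permitted TCP ports.
# Any pair or port not listed here is denied (default deny).
ALLOWED = {
    ("hvac-vendor", "building-mgmt"): {443},
    ("finance", "finance"): {443, 1433},
    ("pos", "pos"): {443},
}

def segment_of(ip):
    """Return the segment name that contains ip, or None if unclassified."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def is_allowed(src_ip, dst_ip, port):
    """Default deny: both ends must be classified and the port listed."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False
    return port in ALLOWED.get((src, dst), set())

def audit(flows):
    """Return (src_segment, dst_segment, src_ip, dst_ip, port) per violation."""
    return [(segment_of(s), segment_of(d), s, d, p)
            for s, d, p in flows if not is_allowed(s, d, p)]

# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.10.0.15", "10.40.0.8", 443),    # vendor -> building management: allowed
    ("10.10.0.15", "10.20.0.31", 445),   # vendor -> POS: crosses the boundary
    ("10.30.0.7", "10.30.0.20", 1433),   # finance -> finance: allowed
    ("192.168.5.9", "10.30.0.20", 1433), # unclassified source: denied
]

if __name__ == "__main__":
    for violation in audit(SAMPLE_FLOWS):
        print("DENY", violation)
```

Running the same audit over real flow logs on a schedule is one way to keep the policy from becoming "set it and forget it".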
Segmentation should never be a “set it and forget it” policy as network access policies change as a business changes. Historically, the maintenance of network segmentation was a big piece of the equation. Maintenance added a significant manual workload on the IT department to update access policies. Thankfully, that has changed for the better.
Simplified Network Segmentation
Bradford’s network access policy engine dynamically changes network access and enables segmentation based on the who, what, where and when of the network. IT professionals no longer have to manually change network access on multiple network devices. Instead, they simply make a policy change within Network Sentry, which adjusts network access based on user profile, device type, application usage and so on. Network Sentry also helps to secure a PCI-DSS network by granting access based on who should have access. We invite you to read our whitepaper on how to create a secure PCI-DSS network.
So there you have it. Three keys that will help keep malicious insiders, external adversaries or other unauthorized parties away from your data assets and intellectual property. There’s never been a better time to leverage network segmentation and automated threat response to safeguard your business and brand.