How to reduce your attack surface with network segmentation

The key to moving on from flat networks is network segmentation: putting blocks in between different sections of a network or infrastructure so that, if one area has a problem, it won’t spread instantaneously.

Segmentation limits open access between every device, and communication is only allowed after it’s been through an approval process.

Network segmentation requires change

Traditionally, networks are flat so that, inside an organisation, any server can talk to any other server without checks or barriers. This makes for easy management, but means that anything getting through the firewall immediately has unrestricted access across the network. The NotPetya attack on Maersk was a prime example of this – one server was infected, and it spread like wildfire. Yet many organisations are holding back from moving away from this flat set up, worried about the upheaval involved and about having to introduce more complex management systems to implement network segmentation.

The virtual equivalent of ‘flat network syndrome’ is organisations not properly activating the security controls that come with cloud environments. Cloud providers have built in tooling for network segmentation, but it needs to be set up correctly, and the problem is, these controls are incredibly complicated. They come with a million switches and dials to let an organisation customise them and it’s tempting to just mirror the flat network by making a single application security group and leaving things open. Often organisations intend to go back and tighten the security groups, but doing that brings more admin, more restrictions and more complications, so they put it off. Gartner is very clear about where responsibilities lie, saying “through 2025, 99% of cloud security failures will be the customer’s fault”.  Cloud providers give users ‘locks’ and ‘keys’, so it’s the user’s fault if they leave the door open for an attacker to walk through.

SolarWinds thrived on a lack of segmentation

The recent SolarWinds attack is a prime example of where organisations left the door of their networks open. On the face of it, breaching SolarWinds didn’t give attackers anything useful – just access to a network management device – when what they really wanted was some valuable data. But a lack of segmentation made it easy for the attackers to move around laterally inside networks, compromising one thing after another to see if they could end up at some sensitive data.

Think of your network as a river with servers and applications as stepping-stones. The SolarWinds attackers were able to jump from stone to stone because there were no barriers within the river, until they got to where the picnic was. They stole the best bits of the picnic (the valuable data) and then jumped back to the riverbank without leaving any wet footprints, so no one knew they’d been there. So, potentially, the organisation might not know if they’d been attacked or not.

3 stages to effective network segmentation

It’s clear that separation within your network is critical to stopping attacks like these and I have three straightforward steps to recommend:

Step 1. Understand how data and users interrelate

Map out what data is where and who or what needs access to it. Work out how important each data set and asset is, and what level of protection is appropriate. What levels of inconvenience are you willing to put people through?

Step 2. Plan your architectural layout

Understand what parts of your infrastructure you need to group together to make them accessible to different environments, putting in the thinking now, so you won’t trip yourself up later down the line. Then work out how you’re going to build your network or application security groups.

Step 3. Manage change

Recognise that your environment will change over time as your organisation evolves. New applications will come along, some apps will get more users, others will be used less, others will be used differently. Review your infrastructure environment continuously so you can modify your architecture and structure on an ongoing basis. Bring in experts to test your environment and to make sure you have your cloud tooling configurations set correctly, so you’re not vulnerable.

To find out more about how you can use network segmentation to reduce your attack surface and improve breach containment by restricting attacker lateral movement, visit our micro-segmentation page.

Or read our ‘Assume breach – Managing a dirty network’ paper to discover how network segmentation can play a key role in managing the risk of a breached network.