Network segmentation — the act of dividing a network into multiple smaller, isolated networks that are not visible from the outside — has long been used to reduce cyber risk. At its core, segmentation assumes a “zero trust” approach to protecting digital environments and minimizes access to digital assets for those who don’t need it, while enabling access for those who do. Should a breach occur, that threat is contained in the segmented network so it doesn’t propagate to other assets.
Let’s take a closer look at why network segmentation can be a useful tool, particularly in light of some new threats that have become public over the past few weeks.
New cyber threats and vulnerabilities highlight the need for segmentation
Network segmentation is particularly effective at mitigating the risk posed by vulnerabilities in connected devices that have yet to be patched, and aggressive strains of virus, malware, and botnets that, left unchecked, can run rampant across networks.
For example, segmentation was recently recommended as a best practice by the Food and Drug Administration (FDA), who just issued a notice to hospitals and healthcare providers informing them of cybersecurity vulnerabilities affecting GE Healthcare Clinical Information Central Stations and Telemetry Servers. Hackers could exploit this flaw and remotely interfere with the function of patient monitors, such as silencing the alarms that alert medical staff to vital health information. GE has advised hospitals to continue using the devices and is working on a patch to close the vulnerability, writes MedTech Dive. In the meantime, it recommended that hospitals isolate the devices from other networks.
In another recent case, America’s Cybersecurity and Infrastructure Security Agency (CISA) warned of an increase in the number of targeted cyber-attacks that utilize Emotet — a form of malware that proliferates within a network by brute force to obtain sensitive information. To stop the virus in its tracks, CISA recommended segmenting and segregating networks and functions.
The challenges of network segmentation
Network segmentation is an important part of reducing cyber risk across your digital ecosystem. However, it can be costly, complex, and cumbersome to achieve and manage over time — putting pressure on already stretched IT resources. Plus, if one mistake is made and access levels or other vital controls are misconfigured, entire networks can be exposed to cyber threats.
Furthermore, as organizations increasingly connect with third, fourth, and nth parties such as cloud providers, sub-contractors, and partners, they must find ways to limit the risk of doing business with vendors that may not have the best security postures. Network segmentation can help; but many organizations work with hundreds, if not thousands, of vendors — making proper separation hard to prioritize, manage, and monitor.
To segment, or not to segment
Network segmentation should be part of your security program, but it must be done at the right time, in the right way. Segmentation is particularly appropriate if you have assets that must be quarantined to reduce risk. These assets include machines that have known vulnerabilities, like Windows 7-based computers, the GE stations and servers mentioned above, or other systems that you know aren’t going to be patched anymore, but you can’t afford to take offline.
It’s also a best practice to keep an eye on notifications from government bodies about emerging vulnerabilities — such as the CISA warning mentioned above — so that you can take proactive steps to isolate those assets until a fix is put in place.
Given that segmentation can be quite an undertaking for many organizations, you need to make confident, informed decisions about when and where to implement it. As such, it’s critical that you have a good understanding of your organization’s overall cybersecurity risk posture. Start by identifying areas where known and unknown vulnerabilities exist in your network, as well as whether a system is missing a critical update, an access point is unsecured, or a botnet is lurking in your environment. And then continuously monitor for these potential vulnerabilities. Only with this level of insight can you make strategic, confident, and fast decisions about where to deploy isolation and other cybersecurity controls and resources.
Understand your third parties’ risk profiles
In today’s interconnected world, you also need this same level of visibility into the security posture and risk associated with the networks and security posture of your vendors.
Fortunately, security ratings can provide this insight and visibility. With the Bitsight Security Ratings platform, your organization can shine a spotlight on system vulnerabilities, unpatched and out-of-date systems, and other risk vectors — both internally and across nth parties on a continuous basis. Using these insights, IT teams can prioritize their network segmentation strategies, enforce isolation where it’s needed most, and allocate resources more effectively.
You can also use this increased visibility to work proactively with vendors and ensure they are implementing segmentation and/or other security recommendations based on their riskiest issues, the data and systems they have access to, and so on.
Make network visibility a priority
Used strategically, network segmentation is an effective way to strengthen your defenses and limit the reach of threat actors once they have a foothold in your network. However, to get true value out of segmentation, you must increase your security visibility across your entire infrastructure and your third-parties so that you can effectively identify changes in your security posture over time and prioritize which devices and vendors require segmentation — before you invest the necessary time and resources in this effort.