Network Segmentation For Security and Compliance

Networks Need Security—Now

Industrial IoT is poised to revolutionize manufacturing with intelligent operations and automated processes across devices and machines. But it also increases security risk on a scale we’ve never seen before. 

Is your security team prepared to address evolving threats – where defense through traditional segmentation of business and process controls systems is proving inadequate? Do you have the necessary protection to ensure compliance?

Your organization may have been compliant at one point in time or you may have a need to become compliant. But as you grow, so does your network. Your users now want – rather expect – to be mobile 24/7, in the cloud. With those expectations come increased security risk. Isolating your sensitive data and systems can help manage that risk by making it far more difficult for would-be attackers to move laterally within your network.

Network Segmentation: A Case Study

With the right design, network segmentation can reduce the probability of data exfiltration as well as lighten your organization’s overall compliance load. How? Network segmentation reduces attack surface making it more difficult for attackers to move laterally. These days, breaches are almost a certainty so limiting their impact is paramount. A discovery process helps us identify the best way to accomplish that.

An example of this is a clothing manufacturing company that had to attain a stricter form of PCI compliance. They had been PCI compliant in the past. However, a network assessment had revealed significant gaps.

Tackling Technical Debt

The first step was tackle the technical debt the company had accrued over nearly ten years. The number of security policies on their firewall had ballooned to over 1600 policies. Going into their environment, we couldn’t tell what was talking to what – it was a bunch of subnets talking to a bunch of other subnets, lacking any context.

We sat down with the application owners and business stakeholders and took time to go through a discovery process to understand what applications were being used. Our focused was limited to a port and protocol level, but as a business application, who and what needed to talk to what?

Why is the network discovery process so important?

We found out through the discovery process that the users who tapped into the PCI data, whether they were running reports, or were delivering customer service, were all on a flat network and were intermingled – not segmented. Some users straddled multiple roles within the organization, working with customer service systems, interacting with credit card data, and also performing other business functions that weren’t necessarily PCI-related.

A Strategy to Solve the Problem with Network Segmentation

The team had to come up with a strategy to segment the network based on applications, users, content, and business function. Not only did we pull those users apart, we identified user type, put them into groups, and then wrote specific security policies on a next generation firewall platform to talk to specific systems.

We also segmented the remaining flat networks from the environment. The company had a corporate wireless network, as well as a guest wireless network, which were on the same subnet and only separated by a VLAN. However, they could route to each other on the back-end. So we had to separate that out so that we really boiled down to create a specific set of network security policies for users that accessed PCI data, creating actual network segmentation.

What are the benefits of segmenting the network?

With network segmentation we put the business in a much better place to continue to expand and implement new security technologies as they become available. The company’s information security team was very pleased to go from 1600+ security rules down to 234. We limited their NAT down to 120. Now, instead of having a largely reactionary security posture, the company has improved their ability to be more proactive and grow in maturity from an infosec standpoint.

Network segmentation also helped the company reduce their compliance burden, generate effective insights from their reporting and analysis, improve their focus on threat hunting, and reduce their overall business risk.