Network Segmentation: IIoT Security and Compliance Benefits
Industrial IoT is poised to revolutionize manufacturing with intelligent operations and automated processes across devices and machines. But it also increases security risk on a scale we’ve never seen before.
Is your security team prepared to address evolving threats, now that the traditional separation of business systems from process control systems is proving inadequate as a defense? Do you have the protection needed to ensure compliance?
For instance, your organization may have been compliant at one point in time, or you may need to become compliant. But as you grow, so does your network. Your users now want, and in fact expect, to be mobile 24/7 and in the cloud. Those expectations bring increased security risk. Isolating your sensitive data and systems helps manage that risk by making it far more difficult for an attacker who has gained a foothold to move laterally within your network.
With the right design, network segmentation reduces the probability of data exfiltration and lightens your organization's overall compliance load. How? Segmentation shrinks the reachable attack surface from any one compromised host, so an attacker cannot simply pivot from a workstation to a cardholder data system. These days a breach is almost a certainty, so limiting its blast radius is paramount. A discovery process identifies the best way to accomplish that in a given environment.
An example of this is a clothing manufacturing company that had to attain a stricter form of PCI compliance. They had been PCI compliant in the past; however, an audit had revealed significant gaps.
What was the first step to obtain PCI compliance?
The first step was to tackle the technical debt the company had accrued over nearly ten years. The number of security policies on their firewall had ballooned to over 1,600. Going into their environment, we could not tell what was talking to what: it was a bunch of subnets talking to a bunch of other subnets, with no context for why any given rule existed.
We sat down with the application owners and business stakeholders and took the time to go through a discovery process to understand which applications were in use. The focus was not limited to the port and protocol level; for each business application, we asked who and what actually needed to talk to what.
Why is the network discovery process so important?
Through the discovery process we found that the users who touched PCI data, whether they were running reports or delivering customer service, were all on a flat network, intermingled with everyone else and not segmented. Some users straddled multiple roles within the organization: they worked with customer service systems, interacted with credit card data, and also performed other business functions that were not PCI-related. A single flat network meant every one of those functions, and every host on it, sat inside PCI scope.
How does network segmentation solve the problem?
The team had to come up with a plan to segment the network based on applications, users, content, and business function. Not only did we pull those users apart, we identified each user type, put users into groups, and then wrote specific security policies on a next-generation firewall platform so that each group could reach only the specific systems it needed.
We also segmented the remaining flat networks in the environment. The company had a corporate wireless network and a guest wireless network that were separated only at the VLAN level and could still route to each other on the back end, so a guest device could reach corporate systems. We separated those networks and boiled the policy down to a specific set of network security rules for the users who accessed PCI data, creating actual network segmentation rather than nominal separation.
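The following is an added illustration, not Burwood's tooling or the customer's configuration, of how the discovery output above turns into a group-based policy. It assumes a firewall that can resolve a user to directory groups (user-ID style enforcement), and every zone, user, group, address and flow in it is constructed for the example. Rules are derived only from what application owners confirmed; a discovery flow that no rule explains (a marketing user reaching the cardholder app, or guest Wi-Fi reaching the corporate segment) is surfaced for review instead of being grandfathered into the policy.

```python
"""Derive a group-based segmentation policy from application-owner discovery.

Added example with constructed data; not the customer's rule base.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src_group: str   # directory group the firewall resolves the user to
    dst_zone: str    # destination security zone
    proto: str
    port: int


# Constructed security zones (hypothetical address plan).
ZONES = {
    "pci_cardholder": ipaddress.ip_network("10.10.0.0/24"),
    "report_server":  ipaddress.ip_network("10.20.0.0/24"),
    "corp_wifi":      ipaddress.ip_network("10.30.0.0/24"),
    "guest_wifi":     ipaddress.ip_network("10.40.0.0/24"),
}

# Constructed user-to-group mapping; "bob" straddles two roles.
USER_GROUPS = {
    "alice": {"customer_service"},
    "bob":   {"customer_service", "reporting"},
    "carol": {"marketing"},
    "guest": {"guest"},
}

# What application owners confirmed during discovery:
# (dst_zone, proto, port) -> groups that genuinely need that access.
APP_ACCESS = {
    ("pci_cardholder", "tcp", 443):  {"customer_service"},
    ("report_server",  "tcp", 1433): {"reporting"},
    ("corp_wifi",      "tcp", 445):  {"marketing", "customer_service", "reporting"},
}


def zone_of(ip: str) -> str:
    """Map a destination address to its zone; unknown addresses match no rule."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def derive_rules(app_access) -> set:
    """One allow rule per (group, zone, proto, port); anything else is default-deny."""
    return {
        Rule(group, zone, proto, port)
        for (zone, proto, port), groups in app_access.items()
        for group in groups
    }


def is_allowed(rules, user, dst_ip, proto, port) -> bool:
    """Default-deny evaluation: allowed only if one of the user's groups has a rule."""
    zone = zone_of(dst_ip)
    return any(Rule(g, zone, proto, port) in rules for g in USER_GROUPS.get(user, set()))


def unexplained_flows(rules, flows) -> list:
    """Discovery flows no confirmed rule covers: review with the owner before cut-over."""
    return [f for f in flows if not is_allowed(rules, *f)]


# Constructed discovery flows (user, dst_ip, proto, port) seen on the old flat network.
DISCOVERED_FLOWS = [
    ("alice", "10.10.0.5", "tcp", 443),   # customer service -> cardholder app
    ("bob",   "10.20.0.9", "tcp", 1433),  # reporting role -> report database
    ("carol", "10.10.0.5", "tcp", 443),   # marketing touching PCI: not confirmed
    ("guest", "10.30.0.2", "tcp", 445),   # guest Wi-Fi reaching corporate: was routable
]

if __name__ == "__main__":
    policy = derive_rules(APP_ACCESS)
    print(f"{len(policy)} group-based rules replace per-subnet rules")
    for flow in unexplained_flows(policy, DISCOVERED_FLOWS):
        print("needs owner review:", flow)
```

Because rules key on group rather than source address, "bob" is allowed into the report database through his reporting membership and into the cardholder app through customer service, without a per-host exception for him, and moving a user between roles is a directory change rather than a firewall change. The flows the script flags are exactly the ones a flat network had been silently permitting.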
What are the benefits of segmenting the network?
With network segmentation in place, the business is in a much better position to continue to expand and to implement new security technologies as they become available. The company's information security team was very pleased to go from 1,600+ security rules down to 234, and from a sprawling NAT configuration down to 120 NAT rules. A smaller rule base is also easier to audit: every remaining rule maps to a named group and a confirmed application need. Instead of a largely reactive security posture, the company has improved its ability to be proactive and to grow in maturity from an infosec standpoint. Network segmentation also helped the company reduce its compliance burden, generate useful insights from its reporting and analysis, improve its focus on threat hunting, and reduce its overall business risk.
Full video transcript
Hi, my name is Eric Shearer. I am a senior network security consultant here at Burwood, and today we're going to talk about the fundamental pillar of network segmentation as it applies to compliance driven organizations.
Why Network Segmentation?
So why talk about network segmentation? Here's the thing: you may have been compliant at one point in time. You may have a need to become compliant -- but as you grow, so does your network. Your users now want to be mobile 24/7 and in the cloud, and that means increased security risk.
Isolating your sensitive data and systems can help you manage that risk by making it far more difficult for would-be attackers to move laterally within your network. With the right design, network segmentation can reduce your probability of data exfiltration as well as lighten your overall compliance load.
A good example of this is a clothing company that had to attain a stricter form of PCI compliance. They'd been PCI compliant in the past; however, an audit had revealed that they had a lot of holes and a lot of gaps. The first thing we needed to do was tackle the technical debt the company had accrued over ten years or so. The security policy on their firewall had ballooned up to over 1,600 policies, and we really couldn't tell what was talking to what -- it was just a bunch of subnets talking to a bunch of other subnets with really no context and no clue. We sat down with the application owners and the business itself, and we took the time to go through a discovery process to understand what applications were being used, and not just on a port and protocol level. As a business application, who and what needed to talk to what?
We discovered that the users that tapped into the PCI data, whether they were running reports or whether they were customer service, were all on a flat network, and they were all intermingled. And then some users straddled multiple different roles within the organization, so they may have worked with customer service systems, interacting with the credit card data, and yet done other business functions which weren't necessary for PCI. So we had to come up with a plan to segment those out. Not only did we pull those users apart, we identified those users, put them into groups, and then wrote some very specific security policy on a next-generation firewall platform to talk to the specific systems.
The other thing we did was separate the other flat networks out of the environment. They had a corporate wireless network as well as a guest wireless network, and those were on the same subnet and actually only separated by a VLAN, but they could route to each other on the back end. So we had to separate all of that out, so that we really boiled down a very specific set of policy for the customer service reps and all of the management that needed to run reports against the PCI systems, creating actual network segmentation.
So, great, we definitely did our network segmentation, and we put the business in a much better place going forward to continue to grow and expand and implement new security technologies as they become available. Their InfoSec team was super happy that we went from 1,600+ security rules down to 234. We limited their NAT down to about 120, and we left the company in a much better state to grow and expand, and especially to grow in maturity from an InfoSec standpoint.
Now, instead of being largely reactionary, the company has improved their ability to be more proactive. They've reduced their compliance burden, generated more effective insights from the reporting and analysis, improved focus on threat hunting, and reduced overall business risk.
If you want to learn more from Burwood’s experts about whether network segmentation might be a good fit for your environment please get in touch with us today to schedule a discovery assessment.