Networks exist to facilitate communication, and when devices on a network cannot talk to each other it is generally treated as a problem. The simplest answer is a flat, permissive network. With the proliferation of malware, ransomware, and advanced persistent threats (APTs), however, a flat or permissive network is an invitation for attackers to move laterally and do more damage at a faster pace.
Cyber insurance may look like a simpler mitigation than reconfiguring or redesigning the network, but it is not a preventative control, and the audits done before a policy is issued will flag a flat network as a concern.
Network segmentation is not a “bolt-on” fix. To implement even a minimum viable segmentation you must, at a minimum:
- Understand the endpoints and their appropriate traffic flows.
- Understand the technologies available to implement segmentation.
Implementing appropriate segmentation often involves elements of a network redesign, if not a full one.
To get the best results in a timely fashion, Info-Tech recommends a methodology consisting of three steps:
- Understand the network (or the subset of it in scope) and prioritize segments for segmentation based on risk.
- Align the appropriate segmentation method to each segment surfaced in the previous step.
- Monitor the segmented environment for policy compliance and design efficacy, adding to and modifying segments as required.
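The first and third steps above (understanding actual traffic flows, then monitoring the segmented environment for compliance) and the risk-based prioritization both come down to the same data: which endpoints talk to which, over what ports, and whether the design allows it. The script below is an added example and not part of the Info-Tech note. It assumes a hypothetical segment map (CIDR per segment plus a risk weight), a hypothetical allow-list policy of permitted cross-segment flows, and a constructed flow log in a simple `src dst dst_port proto` format; all three are invented for illustration. It produces an inventory of observed cross-segment flows, the flows that violate the policy, and a per-segment exposure score that ranks where to segment first.

```python
"""Flow audit for network segmentation: inventory, policy compliance, prioritization.

Added example; the segment map, policy and flow log are constructed, not real data.
"""
import ipaddress
from collections import Counter, defaultdict

# Hypothetical segment map: name -> (network, risk weight). Higher weight = more
# damaging if reached by an unpermitted flow. Constructed for illustration.
SEGMENTS = {
    "user_lan": (ipaddress.ip_network("10.10.0.0/16"), 1),
    "servers":  (ipaddress.ip_network("10.20.0.0/16"), 3),
    "ot":       (ipaddress.ip_network("10.30.0.0/16"), 5),
    "dmz":      (ipaddress.ip_network("10.40.0.0/16"), 2),
}

# Assumption: endpoints that map to no known segment are unaccounted for and
# therefore ranked high, since "understand the endpoints" has not been done for them.
UNKNOWN_WEIGHT = 4

# Hypothetical allow-list of permitted cross-segment flows: (src_seg, dst_seg, dst_port).
POLICY = {
    ("user_lan", "servers", 443),
    ("user_lan", "servers", 445),
    ("user_lan", "dmz", 443),
    ("dmz", "servers", 5432),
    ("servers", "ot", 502),
}

# Constructed flow log (e.g. exported from NetFlow/firewall logs): src dst dst_port proto
FLOW_LOG = """\
10.10.5.23 10.20.1.10 443 tcp
10.10.5.23 10.20.1.11 445 tcp
10.10.7.9 10.30.2.5 502 tcp
10.10.7.9 10.30.2.5 22 tcp
10.40.0.4 10.20.1.12 5432 tcp
10.40.0.4 10.20.1.12 22 tcp
10.20.1.10 10.30.2.5 502 tcp
10.10.5.23 10.10.5.24 445 tcp
"""


def segment_of(ip: str) -> str:
    """Map an address to its segment name, or 'unknown' if no CIDR matches."""
    addr = ipaddress.ip_address(ip)
    for name, (net, _) in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def risk_weight(segment: str) -> int:
    return SEGMENTS[segment][1] if segment in SEGMENTS else UNKNOWN_WEIGHT


def parse_flows(text: str):
    """Parse 'src dst dst_port proto' lines into tuples; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        src, dst, port, proto = parts
        flows.append((src, dst, int(port), proto))
    return flows


def cross_segment_flows(flows) -> Counter:
    """Step 1 (understand the network): count each observed (src_seg, dst_seg, port)
    that crosses a segment boundary. Intra-segment traffic is ignored here."""
    counts = Counter()
    for src, dst, port, _ in flows:
        s, d = segment_of(src), segment_of(dst)
        if s != d:
            counts[(s, d, port)] += 1
    return counts


def violations(flows):
    """Step 3 (monitor for compliance): cross-segment flows the policy does not permit."""
    return sorted(key for key in cross_segment_flows(flows) if key not in POLICY)


def exposure_scores(flows) -> dict:
    """Risk-based prioritization: for each destination segment, sum the unpermitted
    inbound flow count weighted by that segment's risk. Highest score goes first."""
    scores = defaultdict(int)
    for (s, d, port), n in cross_segment_flows(flows).items():
        if (s, d, port) not in POLICY:
            scores[d] += n * risk_weight(d)
    return dict(scores)


def prioritized_segments(flows):
    """Segments ordered by exposure score, descending."""
    return sorted(exposure_scores(flows).items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    print("Observed cross-segment flows:")
    for key, n in sorted(cross_segment_flows(flows).items()):
        print(f"  {key[0]} -> {key[1]}:{key[2]}  x{n}")
    print("Policy violations:")
    for s, d, port in violations(flows):
        print(f"  {s} -> {d}:{port}")
    print("Segmentation priority (segment, exposure score):")
    for seg, score in prioritized_segments(flows):
        print(f"  {seg}: {score}")
```

Run over a real flow export, the violation list is the compliance report for the third step, and the same list run before any controls exist is the inventory of flows the design must either permit or block. Note the asymmetry the policy encodes: `servers -> ot:502` is allowed while `user_lan -> ot:502` is not, so the script flags the workstation reaching the OT segment on the permitted port as well as on SSH; a port-only allow-list would have missed the first case.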