Microsegmentation Best Practices

Preventing ransomware with microsegmentation

Microsegmentation is an increasingly popular proactive network security approach that involves dividing an organization’s internal network into smaller, isolated segments to tightly control lateral communications between workloads.

Microsegmentation limits access to only what is explicitly required, dramatically reducing the attack surface and preventing threats from propagating across the network.

Implemented properly, microsegmentation provides organizations with granular access controls, focused monitoring of lateral traffic flows, and improved containment of threats.

However, designing and implementing effective microsegmentation requires careful planning and execution. This comprehensive guide provides best practices for strategically leveraging microsegmentation.

1. Define A Microsegmentation Strategy

The first critical step is defining a clear Microsegmentation strategy tailored to your organization’s specific assets, risks, regulatory requirements and business objectives. A strategic approach is required for success. 

Key elements include:

  • Asset Identification  –  Perform exhaustive asset discovery across on-premise data centers, private/public cloud environments, remote offices, and IoT to inventory all systems, applications, databases, virtual machines, containers, unmanaged devices, and data repositories. Identify, categorize and prioritize your crown jewels, regulated data, mission critical systems, and high value assets for immediate Microsegmentation based on value and risk exposure. Maintain a dynamic, up-to-date inventory.
  • Regulatory Requirements  –  Understand relevant laws, regulations, and compliance standards such as PCI DSS, HIPAA, SOX, GDPR, and CCPA that necessitate network security controls like Microsegmentation for compliance. Factor associated segmentation, audit logging, encryption, and access control requirements into your strategy.
  • Logical Zone Model  –  Develop a logical zone model that sensibly groups assets into network segments based on levels of trust, functionality, data criticality, and compliance requirements. Find the right balance between appropriately granular isolation and manageable complexity. Avoid overly fragmented environments. Define consistent naming conventions.
  • Risk Analysis  –  Conduct an in-depth lateral movement and data flow analysis to identify potential attack paths and vulnerabilities across your extended network. Review past incidents and penetration tests. Use this risk assessment to directly inform your optimal Microsegmentation architecture and priorities. Update regularly.
  • Phased Rollout  –  Given the complexity of micro segmenting production environments, plan a pragmatic phased, priority-based implementation approach over time. This allows you to incrementally achieve wins and learn in the process. Avoid trying to boil the ocean upfront.
  • Stakeholder Buy-In  –  Socialize the Microsegmentation strategy across business, application, and infrastructure owners to achieve buy-in. Clearly communicate expected benefits like reduced risk exposure, compliance enablement, cost optimization, and improved focus for monitoring and access controls. Emphasize alignment to business goals.

2. Start with Critical Assets

Once your strategy is defined, it is best practice to start micro segmenting the highest value assets and systems based on the priorities identified in your risk analysis.

This allows you to deliver some quick wins and ROI instead of trying to segment your entire environment at once.

Use a pragmatic risk-driven approach focusing first on assets requiring isolation due to compliance, risk exposure, or threat landscape.

  • Prioritize Rollout  –  Consider factors like known vulnerabilities, likely attack vectors, exploitable trust relationships, compliance drivers, asset value, and threat intelligence to intelligently prioritize your rollout schedule. Schedule quarterly or bi-annual phases focused on most critical areas first.
  • Deliver Quick Wins  –  The goal of your initial segments should be to generate visibility into lateral traffic flows and quickly reduce exposure, not attempt to build your ideal end-state architecture. Pragmatically start small.
  • Refine Over Time  –  Your Microsegmentation strategy will evolve and improve as you gain experience and risk profiles change. View it as an ongoing journey, not a one-time project. Maintain flexibility to adapt.

3. Align to Application Architectures

Leverage microsegmentation to significantly improve the security posture of business-critical applications.

Sensibly align segments to application tiers, domains, and environments which allows enforced logical isolation between presentation, middleware, business logic, and database layers.

This limits exploitable trust connections.

  • Granular Application Access Controls  –  Microsegmentation also facilitates granular least-privilege application-level access controls between users, accounts, groups, processes, applications, and environment types. Build zero trust models.
  • Isolate Sensitive Applications  –  Strategically isolate higher risk applications like ERP systems that access sensitive data into hardened segments with minimal ingress and egress access. Extra controls may be warranted for apps handling highly confidential data.
  • Align to SDLC  –  Use shifts like new application development to introduce Microsegmentation aligned with modern application architectures and DevOps environments using infrastructure-as-code automation.

4. Monitor Communications

Continuous monitoring of all lateral traffic flows between microsegments is required to quickly identify anomalous patterns that could indicate compromised credentials, malfunctioning applications, or active threat actor movement.

  • Focus on East-West Traffic  –  Specifically monitor internal east-west traffic between segments, hosts, and applications – not just north-south flows to the Internet. This lateral traffic is how attackers propagate.
  • Detect Policy Violations  –  Watch for any traffic attempting to connect between microsegments that violates defined firewall policies, which signals either a misconfiguration or breach attempt.
  • Threat Hunting  –  Actively hunt through traffic and logs for suspicious internal communications, unusual users, signs of reconnaissance, and other IOCs of potential compromise.
  • Granular Analytics  –  Leverage UEBA and advanced analytics capabilities to analyze inter-segment network flows and identify high-risk patterns warranting investigation.
  • Continuous Tuning  –  Use monitoring insights to continuously tighten allowed communications to align with principle of least privilege access between microsegments.

Simplify Recovery

With critical assets and data already logically isolated in hardened microsegments, relatively clean backups of these systems are readily available in the event of a ransomware incident. 

This makes restoration and recovery simpler for organizations vs. rebuilding from scratch.

  • Maintain recent valid backups: Schedule regular backups of critical systems and data within isolated zones. Test restoration periodically.
  • Physically isolate backups: Store backup media for isolated zones offline in physically secure locations to prevent corruption.
  • Focus protection efforts: More security resources can be dedicated to thoroughly protecting fewer critical systems and backups.
  • Reduce reliance on offline backups: With critical data access restricted via microsegmentation, less data may need to be archived offline.
  • Streamline restoration: Clearly documented segmentation architecture and data flows simplify restoring business functionality after outages.

Learn More: How To Implement Microsegmentation

Improve Cyber Resilience

By leveraging microsegmentation to protect crown jewel assets and data within hardened zones, organizations are far less likely to pay ransoms to attackers.

They can simply restore from intact backups of critical systems maintained in isolation.

  • Avoid paying ransoms: Isolated backups reduce the temptation to pay ransoms even if the main production environment is compromised.
  • Maintain business continuity: With critical functions isolated, aspects of business operations may continue even when certain segments are disrupted.
  • Meet compliance requirements: Standards like PCI DSS require segmentation controls for cardholder data environments. This provides inherent protection against ransomware threats.
  • Protect customer data: Microsegmentation makes customer data breaches resulting from ransomware less likely, helping preserve customer trust.
  • Reduce costs: Time and expenditure associated with widespread infrastructure rebuilds, data restoration, legal liabilities, and reputational damage are reduced through resilient segmentation strategies.

Reduce Blast Radius

By limiting lateral pathways, microsegmentation ensures ransomware compromises are far more contained.

Instead of infecting entire flat networks, ransomware will be restricted to the scopes of individual microsegments where it breaks in.

  • Limit the number of assets affected: If ransomware breaches a perimeter, fewer total endpoints, servers, services and data repositories will ultimately be impacted.
  • Reduce outage durations: Since fewer systems are disrupted, restoration and recovery timeframes are compressed.
  • Lower costs: Containment makes ransomware cheaper to remediate by reducing the number of assets and data that must be repaired or rebuilt.
  • Minimize business impact: With a smaller blast radius, fewer business functions will be impaired during outages. Revenue loss and customer impact will be minimized.
  • Constrain encryption: Encryption of files and data will be limited just to the compromised segment’s scope.

Conclusion

By taking a strategic approach to designing microsegmentation architectures aligned to critical assets, systems and workflows, organizations can effectively minimize the business impact of ransomware attacks.

Network segmentation dramatically reduces ransomware’s ability to propagate and exploit large portions of corporate environments.

It frustrates and contains such threats by erecting internal barriers to lateral movement.

Microsegmentation is a powerful capability for improving ransomware resilience.

Posted by Rich Selvidge

Rich Selvidge is the President, CEO, & Co founder of SecureTrust, providing singular accountability for all information security controls in the company.