How microsegmentation can limit the damage that hackers do

Despite a string of improvements over the past several years, enterprises can no longer rely on perimeter defenses alone to keep out network attackers. Microsegmentation directly addresses the challenge of unauthorized lateral movements by dividing IT environments into controllable compartments, enabling adopters to securely isolate workloads from each other while making network protection more granular. As cyber-attackers continue to try new ways to dodge security measures and roam across IT environments, microsegmentation is moving into the mainstream.

How microsegmentation works

Don’t let the name mislead you. Microsegmentation represents more than an incremental step forward from performance- and management-focused network segmentation. Microsegmentation is specifically designed to address critical network protection issues, thereby reducing risk and adapting security to the demands of increasingly dynamic IT environments.

Information security experts have discussed implementing various types of zero-trust technologies for the better part of two decades. “Microsegmentation is the ‘easy button’ implementation,” complete with automation and orchestration tools, as well as sophisticated user interfaces offering detailed reports and graphs, says Trevor Pott, technical security lead at Juniper Networks. “There’s no longer any excuse to not do what we all should have been doing 20 years ago,” he adds.

Microsegmentation distributes security enforcement to each individual system with a single, central policy. “This advancement allows for granular policy enforcement throughout an organization’s network, not just at the perimeter,” explains Tom Cross, CTO of network security provider OPAQ. “This [approach] is necessary both because perimeter security sometimes fails, and because cloud adoption is causing network perimeters to become more porous.”

Microsegmentation still relies on traditional cybersecurity techniques, such as access control networks. “What sets microsegmentation apart is that these security approaches are applied to individual workloads within the network,” says Brad Willman, IT director and network security expert at IT services provider Entrust Solutions.

Many organizations are attracted to microsegmentation by its compartmentalized structure. (See related story: Why 3 enterprises chose microsegmentation) “Microsegmentation is a strategy that can not only prevent data breaches, but also significantly reduce the damage if a breach occurs by limiting it to a very small segment of the network,” says Andrew Tyler, a senior consulting engineer at IT consulting firm Kelser.

Different microsegmentation approaches

Sophisticated attackers follow a multi-step process when attempting to compromise an organization’s resources, so infrastructure defenders should think about instituting controls at each step, Cross advises. “Internal lateralization between systems has played a key role in recent incidents, with tools like Mimikatz and Bloodhound providing rich capabilities for attackers,” he says. “Microsegmentation can enable defenders to disrupt these techniques by blocking off unnecessary paths for attacks to spread within internal networks.”

It’s important to remember that microsegmentation is not just a data center-oriented technology. “Many security incidents start on end-user workstations, because employees click on phishing links or their systems become compromised by other means,” Cross says. From that initial point of infection, attackers can spread throughout an organization’s network. “A microsegmentation platform should be able to enforce policies in the data center, on cloud workloads, and on end-user workstations from a single console,” he explains. “It should also be able to stop attacks from spreading in any of these environments.”

As with many emerging technologies, vendors are approaching microsegmentation from various directions. Three traditional microsegmentation types are host-agent segmentation, hypervisor segmentation and network segmentation.

• Host-agent segmentation. This microsegmentation type relies on agents positioned in the endpoints. All data flows are visible and relayed to a central manager, an approach that can help reduce the pain of discovering challenging protocols or encrypted traffic. Host-agent technology is generally viewed as a highly effective microsegmentation approach. “As infected devices are hosts, a good host strategy can stop problems from even entering the network,” says David Johnson, CTO at Mulytic Labs, a software development and IT services startup. However, it requires all hosts to install the software, “opening up concerns of legacy OS and older systems.”
• Hypervisor segmentation. With this type of microsegmentation, all traffic flows through a hypervisor. “The ability to monitor the traffic at the hypervisor means that one can use preexisting firewalls, and also move policies to new hypervisors as the instances move during daily operations,” Johnson explains. A drawback is that hypervisor segmentation doesn’t generally work in cloud environments, or with containers or bare metal. “It’s useful in a few cases, and in those cases where it can work, it’s highly advantageous,” he advises.
• Network segmentation. This approach is basically an extension of the status quo, with segmentation based on access control lists (ACLs) and other time-tested methods. “This is by far the easiest [route], as most network professionals are familiar with this approach,” Johnson says. “However, large network segments can defeat the purpose of microsegmentation, and can be complex and expensive to administer in large data centers.”

When shopping for a microsegmentation tool, it’s important to remember that not all offerings fit neatly into any of the three basic categories. Many vendors are exploring new and modified methods of providing resilient network microsegmentation, such as machine learning and AI monitoring. Before committing to any particular microsegmentation offering, be sure to closely question the vendor on its particular approach to the technology and whether there are any unique compatibility or operational requirements that should be considered.

There’s a downside, too

For all of its benefits, microsegmentation also presents several adoption and operational challenges. Initial deployments can be particularly troublesome. “Implementing microsegmentation can break things,” Tyler warns. “Depending on the applications in use, you may run into key business functions that don’t or can’t support microsegmentation.”

Another potential stumbling block is defining polices that address the needs of each internal system. This can be a complicated and time-consuming process for some adopters, since internal battles may arise as policies and their implications are weighed and defined. “There’s constant pushback in most organizations for exceptions to any internal control,” Cross observes.

When both high and low sensitivity assets exist within the same security boundary, it’s important to understand which ports and protocols will be required for proper network communication to occur, and in which direction. Improper implementation can lead to inadvertent network outages. “Also, keep in mind that implementing the changes needed may require downtime, so careful planning is important,” suggests Damon Small, a technical director at NCC Group North America, where he consults on critical infrastructure defense issues.

Environments that run popular operating systems such as Linux, Windows and MacOS are broadly supported by microsegmentation technology. The same isn’t true, however, for organizations that use mainframes or other legacy technologies. “[They] may find that microsegmentation software is not available for these platforms,” Cross warns.

Getting started with microsegmentation

To successfully deploy microsegmentation, it’s necessary to have a detailed understanding of network architecture and supported systems and applications. “Specifically, the organization should know how the systems communicate with one another in order to function properly,” Small explains. “This level of detail may require working closely with vendors or performing detailed analysis to determine where the microsegments should be placed and how to do so in a manner that will not cause production outages.”

The best way to start a microsegmentation initiative is with a detailed asset management plan. “You can’t make rational decisions about how you would segment your network until you know what’s on it and have devised some means to classify and categorize those systems,” Pott says.

Once asset discovery, classification and management automation issues have been addressed and resolved, the IT environment will be ready to accommodate microsegmentation. “At this point, it’s time to go vendor shopping and [to] ask a lot of pointed questions about total cost of ownership, integration capabilities, extensibility and scaling,” Pott advises.

A microsegmentation platform is only as good as the policies it enforces, Cross observes. “It’s important for users to think about the process that attackers are likely to follow in compromising their environment, and to make sure their policies close off the most valuable avenues,” he says. “A few simple rules that narrow the availability of Windows Networking, RDP services and SSH on an internal network to the specific users who need them can protect against popular attack techniques without interfering with business processes.”