Network access control (NAC) has been foundational to cybersecurity efforts since networks were first deployed, and it has largely remained the same for 20 years. Organisations found a binary system that worked by either allowing or denying devices access to the network. Corporate-level and guest access were the only two options and the demand for innovation didn’t exist.
This, however, all changed when the internet of things (IoT) revolution began. The mass expansion and increase in the volume of IoT devices meant that it quickly posed new questions to network security that hadn’t before been considered. Many of the new IoT and operational technology (OT) devices weren’t confined by the same guidelines that traditional devices connected to the network followed, rendering existing NAC redundant. The result of this was companies losing visibility and control over what was connected to the network.
The trouble with enterprise IoT and its identity management problem
As IT and OT devices moved away from the traditional Windows and Linux management structure, NAC had to adapt to become to maintain the high level of security. By becoming agentless, security protocol was able to be applied to all devices across any environment. With this, NAC reached the next level of network security.
Since this change, networks have continued to grow in complexity, revealing the limitations of current NAC models. The increased interconnectivity across the campus, data centre, cloud and OT environments has meant that the networks have outgrown the effectiveness of agentless protection and has therefore reached the threshold for innovation.
Threat actors are targeting large corporations and enterprises with complex networks, such as manufacturers, with increasing frequency – from 45% of businesses in 2018 to 61% in 2019 having experienced an attack according to Hiscox. The ease at which offenders pivot laterally across the network results in greater disruption of and damage to both property and reputation. During the Wannacry ransomware attack shipping company Maersk had to resort to halting its entire operations and reinstall 4,000 servers, 45,000 PCs and 2,500 applications to ensure the network was clear of the ransomware. This caused severe disruption across the business and could have been prevented had its network architecture limited movement once access was gained.
How ransomware continues to target businesses – and what to do about it
Ransomware is hitting firms of all sizes. How can it be avoided? Read here
Despite network segmentation not being a new concept, adoption across the enterprise has been slow and, when undertaken, often tedious. This is, in part, the result of the limitations of technologies being used in businesses such as difficulty to implement in environments outside of the data centre or blind spots such as IoT and IIoT connected devices.
To effectively combat this growing combination of threats and enable zero-trust policies – network segmentation must go through an evolution to become a truly impactful approach for CISOs and IT directors in 2020 and beyond.
The first stage of this is having the full context of connected devices and applications that can be segmented across the entire enterprise from campus to data centre to cloud and OT environments. Visibility is the basic fundamental requirement to be able to begin segmentation. Quite simply, if you can’t see what is there, you can’t protect or control it and the more granular the level of visibility is achieved, the more control you will be afforded.
CISOs currently face the challenge of segmenting the network with only partial context and visibility. A limited number of organisations have the ability to structure their network from scratch and are instead more likely to layer network segmentation on top of an existing network. The result of which is being unable to apply network segmentation effectively and across the entire enterprise.
CTO vs. CISO: Who should have ultimate responsibility for cyber security?
As well as device context, advanced network segmentation also requires traffic context. Having insight into what device are communicating between each other in the existing network and what counts as legitimate traffic is paramount for CISOs today. Without the knowledge of what should be talking to what, full segmentation is not possible, and you cannot have the assurance that sections of the network won’t break.
Make no mistake, without both levels of contextual information the policies are redundant. For network segmentation to be effective in today’s enterprise the enforcement of policies must be adaptable and automated, with considerations of device and traffic context that stay up-to-date with the ever-changing network. Forescout is transforming enterprise-wide network segmentation with eyeSegment. This will help organisations accelerate network segmentation projects, matching the demand from businesses to secure critical applications, mitigate increased exposure due to IoT devices and limit the lateral movement and blast radius of threads across flat networks.
CISOs do not have it easy when attempting to implement new security features across the entire network. They are faced with the challenges of a growing number of threats while meeting more and more compliance directives. The new era of network segmentation has been designed to allow businesses to automate the identification and isolation of threats, without impacting operations. For many, data breaches are thought of as a case of ‘It won’t happen to me’…until it inevitably does. By limiting risk, maximising control and enabling full visibility across a network, enterprises can more effectively prepare and manage the next wave of cyber threats.
