
Preventing Attack Escalation with Network Segmentation – A Conversation with Tim Bertino

Modern networks give businesses a real competitive advantage simply by enabling more connections: vast numbers of access points, endpoints and devices can pair up and share information with little or no human intervention.

Unfortunately, this has also exposed companies to a whole range of risks. At the Networking Field Day event, Tom Hollingsworth talked to Systems Architect and Field Day delegate Tim Bertino about how companies can create a safe online space for their data and users.

A Fast-Changing Online Environment

The pandemic accelerated sweeping digital transformations, and the number of connections exploded almost overnight. Users flocked online for work, recreation, shopping and socializing like never before.

For cybercriminals, this is a use-it-or-lose-it opportunity, and they are going for it. By some reports, cybercrime rose by a shocking 400% the following year, and it has kept trending upward since.

Conventional wisdom says that if assets in the network are at risk of being compromised, keeping them under lock and key is a smart way to avert a crisis. But as savvy attackers increasingly use advanced, covert tactics to breach perimeters and steal company data, enterprises are forced to revisit their security efforts.

One technique that has become increasingly popular and widely adopted over the past few years is microsegmentation, which isolates systems from one another so that each can talk only to what it needs to. Network segmentation does two key things: first, it reduces the attack surface exposed to any one part of the network, and second, it blocks unauthorized lateral movement within the network.

“Network segmentation has been very prevalent lately with things like ransomware attacks. If someone gets into the network and compromises the system, if all they’re able to do is to talk to one specific thing and not the entire network, that can be seen as a win,” says Bertino.

Microsegmentation, a Step Towards Zero Trust

But before digging in further, it must be noted that microsegmentation is an important component of the zero-trust model. The practice of sectioning networks into subnets or other logical groups to control access and insulate devices has been around for years. When an attacker does get in, segmentation ensures that assets and components outside the compromised segment stay out of reach.

Microsegmentation applies the same idea at a more granular level: think individual VMs, containers and workloads.

Bertino sees it as policy-based segmentation. “We talk about the network being an enforcement point. It needs to be taken a step further because it’s all well and good if the network can apply policy. But you also need to understand what that policy should be.”

In plain terms, microsegmentation turns each point along the path, from switch port to hypervisor to host, into a checkpoint where policy is enforced, which is what allows zero-trust access control to be applied at a granular level. The goal is to inspect and validate every access and flow inside the network, not just at the perimeter. Any machine or user that requests access to a component is scrutinized before access is granted.

This changes not only the way users access systems, but also the way systems exchange information among themselves. With more enforcement points in the path, every communication has to be authorized before it takes place.

“It is dynamic profiling of devices and users on the network, and then using the network to push things like dynamic ACLs and scalable group tags,” elaborates Bertino.

In practice, policy is expressed in terms of who or what is connecting, which group it belongs to, where it connects from and when: members of a given group, connecting from a verified location, get access to a defined set of resources, possibly only during certain hours. Verification does not stop at the initial login; accesses are continuously re-verified and monitored.
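The policy model described above (a default-deny matrix keyed on the profiled group of the source, the destination group, the port, the source's location and the time of day) is simple enough to sketch in code. The block below is an added illustration, not code from Tim Bertino, Gestalt IT or any vendor's segmentation product; the group names, ports, locations and time windows are constructed for the example. It also shows the ransomware point made earlier: a compromised member of the workstation group can still reach the web front end on 443, but cannot reach other workstations or the database at all.

```python
# Added illustration of policy-based (micro)segmentation as a default-deny group matrix.
# Not code from Tim Bertino, Gestalt IT or any vendor; the groups, ports, locations
# and hours below are constructed for the example (assumption, not a real policy).
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_group: str      # profiled group of the source (think dynamic ACL group or scalable group tag)
    dst_group: str      # profiled group of the destination
    dst_port: int
    src_location: str   # where the source was seen, e.g. "campus" or "vpn"
    hour: int           # local hour (0-23) at which the connection is attempted


@dataclass(frozen=True)
class Rule:
    src_group: str
    dst_group: str
    ports: FrozenSet[int]
    locations: FrozenSet[str] = frozenset()   # empty = any location
    hours: Optional[Tuple[int, int]] = None   # (start, end) inclusive; None = any time

    def matches(self, f: Flow) -> bool:
        """True only if every attribute of the flow fits this rule's context."""
        if (f.src_group, f.dst_group) != (self.src_group, self.dst_group):
            return False
        if f.dst_port not in self.ports:
            return False
        if self.locations and f.src_location not in self.locations:
            return False
        if self.hours and not (self.hours[0] <= f.hour <= self.hours[1]):
            return False
        return True


# Constructed policy matrix. Anything not explicitly listed here is denied,
# including traffic between two members of the same group.
POLICY: List[Rule] = [
    Rule("workstations", "web-frontend", frozenset({443}), frozenset({"campus", "vpn"})),
    Rule("workstations", "print-servers", frozenset({631}), frozenset({"campus"})),
    Rule("web-frontend", "db", frozenset({5432})),
    Rule("admins", "db", frozenset({5432, 22}), frozenset({"campus"}), (8, 18)),
]


def decide(flow: Flow, policy: List[Rule] = POLICY) -> str:
    """Default deny: 'allow' only when some rule explicitly permits the flow."""
    return "allow" if any(rule.matches(flow) for rule in policy) else "deny"


def check(src: str, dst: str, port: int, location: str = "campus",
          hour: int = 10, policy: List[Rule] = POLICY) -> str:
    """Convenience wrapper: evaluate one attempted connection against the policy."""
    return decide(Flow(src, dst, port, location, hour), policy)


def blast_radius(group: str, policy: List[Rule] = POLICY) -> List[str]:
    """Destination groups a compromised member of `group` can reach at all."""
    return sorted({rule.dst_group for rule in policy if rule.src_group == group})


if __name__ == "__main__":
    # A ransomware-infected workstation trying to spread over SMB and to hit the database directly.
    for dst, port in [("workstations", 445), ("db", 5432), ("web-frontend", 443)]:
        print(f"workstations -> {dst}:{port}: {check('workstations', dst, port)}")
    # A stolen admin credential used over VPN at 03:00: right group, wrong context.
    print("admins -> db:22 from vpn at 03:00:", check("admins", "db", 22, "vpn", 3))
    print("blast radius of workstations:", blast_radius("workstations"))
```

The point of the `blast_radius` helper is that it answers the question Bertino frames as the win: once a host is compromised, what else is it able to talk to? With the constructed policy the answer for a workstation is the web front end and the print servers, never another workstation and never the database.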

There are multiple benefits to this. “Policies can be created on the fly whether by engineers or by suggestion of a heuristic. It enables networking admins to create better outcomes for their users, for example, preventing the spread of ransomware and malware throughout the network, or to just make lives easier,” says Bertino.

Viewed from another angle, the benefit is not just stronger security: it also brings together the security and networking teams, who have historically been at odds. Microsegmentation lets the security team put the necessary controls in place without getting in the networking team's way.

“Device onboarding can be very difficult in zero trust or in closed authentication. You need a way to be able to profile devices and make sure that they are what you think they are and then get the proper policy,” he says.

In the Future

Bertino expects AI to make its way into network segmentation, reducing the scope for human error in building policy. “The network sees all that data. If you have some sort of technology that can analyze it and be able to create benchmarks and policies, I think that’s where the industry is going to have to go.”

Tooling that can sift through that traffic data and derive policy from it would make implementation far less labor-intensive. “At the end of the day it’s about minimizing and mitigating risks. You’re never going to take it to zero, but doing things like adopting zero trust network architectures and network segmentation will get a lot closer,” he says.

Be sure to watch the Tech Talk with Tim Bertino from the Networking Field Day event. For more such interesting conversations, check out the Gestalt IT Tech Talks that each focus on a different topic of interest from the enterprise IT world.

About the author

Sulagna Saha

Sulagna Saha is a writer at Gestalt IT where she covers all the latest in enterprise IT. She has written widely on miscellaneous topics. On gestaltit.com she writes about the hottest technologies in Cloud, AI, Security and sundry.

A writer by day and reader by night, Sulagna can be found busy with a book or browsing through a bookstore in her free time. She also likes cooking fancy things on leisurely weekends. Traveling and movies are other things high on her list of passions. Sulagna works out of the Gestalt IT office in Hudson, Ohio.
