The journey from Flat to Bumpy: Network Segmentation while business applications live their normal life
In a flat network architecture, any computer in the organization can communicate with any other node, regardless of geographic location or business purpose. A flat network drastically increases the organization's attack surface, because when an exposed endpoint such as a workstation is compromised, attackers can move laterally to other endpoints and business-critical systems. One of the fundamental protection and containment strategies against such scenarios is network segmentation, which involves splitting network assets into security groups and isolating them from each other.
Proper network segmentation can be very difficult to implement correctly, especially in the presence of old or legacy business applications on networks that have evolved without segmentation for years. It requires an in-depth understanding of the expected network communication among all endpoints; otherwise, segmentation may interrupt business-critical servers and normal day-to-day work functions.
Merely splitting network resources into network segments will not achieve the goals of a network segmentation effort: appropriately detailed security rules are needed to restrict the traffic, including applications and ports, between zones and assets. In this talk, we explore how to develop an understanding of current traffic requirements in order to isolate security zones while business application systems live their life, without interrupting business operations. We will discuss ways to analyze and bucketize traffic patterns.
Network segmentation may not be fully effective in containing a compromise and preventing lateral movement without a tiered policy for privileged accounts. We will discuss the challenges of implementing proper network segmentation with such nuances.
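One way to bucketize observed traffic into candidate inter-zone rules, as an added example that is not material from the talk. The zone map, the flow records and the `min_sources` threshold are constructed assumptions; real input would come from flow logs or firewall logs.

```python
import ipaddress
from collections import defaultdict

# Constructed zone map (assumption): CIDR -> security zone.
ZONES = {"10.10.0.0/16": "workstations", "10.20.0.0/24": "app-servers",
         "10.30.0.0/24": "databases"}
# Constructed flow records: (src_ip, dst_ip, protocol, dst_port).
FLOWS = [
    ("10.10.1.5", "10.20.0.10", "tcp", 443),
    ("10.10.1.6", "10.20.0.10", "tcp", 443),
    ("10.10.2.7", "10.20.0.11", "tcp", 443),
    ("10.20.0.10", "10.30.0.5", "tcp", 1433),
    ("10.20.0.11", "10.30.0.5", "tcp", 1433),
    ("10.10.1.5", "10.30.0.5", "tcp", 1433),  # workstation straight to a database
    ("10.10.1.5", "10.10.2.7", "tcp", 445),   # workstation to workstation
    ("10.10.1.6", "192.0.2.8", "tcp", 22),    # destination outside every zone
]
_NETS = [(ipaddress.ip_network(cidr), zone) for cidr, zone in ZONES.items()]

def zone_of(ip):
    """Return the zone of the most specific matching CIDR, or 'unmapped'."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, zone) for net, zone in _NETS if addr in net]
    return max(hits)[1] if hits else "unmapped"

def bucketize(flows):
    """Group flows by (src_zone, dst_zone, protocol, port); track distinct sources."""
    buckets = defaultdict(set)
    for src, dst, proto, port in flows:
        buckets[(zone_of(src), zone_of(dst), proto, port)].add(src)
    return dict(buckets)

def triage(buckets, min_sources=2):
    """Split buckets into candidate inter-zone allow rules and ones for human review."""
    candidates, review = [], []
    for key, sources in sorted(buckets.items()):
        src_zone, dst_zone = key[0], key[1]
        # Review: unknown endpoints, intra-zone traffic (not governed by a
        # zone-boundary rule), or a pattern seen from too few hosts to call normal.
        if ("unmapped" in (src_zone, dst_zone) or src_zone == dst_zone
                or len(sources) < min_sources):
            review.append(key)
        else:
            candidates.append(key)
    return candidates, review

if __name__ == "__main__":
    allow, review = triage(bucketize(FLOWS))
    for rule in allow:
        print("candidate allow:", rule)
    for rule in review:
        print("needs review:  ", rule)
```

Candidate buckets are a starting point for rule review with application owners, not rules to deploy as generated; anything not matched would fall to the zone's default-deny.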
Speaker Bio: Golnaz is an Information Security Officer at a financial firm in Vancouver. She was previously a cyber security consultant with a Big 4 consulting firm in Vancouver. Her expertise is in web app ethical hacking, security posture assessment, security policy and governance, and security operations and architecture.