The NSA does enterprises a disservice by positioning micro-segmentation as “Advanced”
In the realm of cybersecurity, guidance from authoritative bodies like the National Security Agency (NSA) often carries significant weight. However, recent articulations around zero-trust principles have sparked a crucial conversation. Specifically, the portrayal of micro-segmentation as an advanced and complex endeavor may inadvertently mislead organizations seeking to bolster their security posture.
Micro-segmentation, the practice of dividing a network into smaller, isolated zones to limit lateral movement by cyber adversaries, is undeniably a potent strategy in today's threat landscape. Yet, the perception that it is reserved for only the most mature organizations can discourage others from pursuing this vital security measure.
The reality is far different. With advancements in technology and innovative solutions available today, micro-segmentation has become more attainable than ever before. New entrants to this market are revolutionizing the approach, making micro-segmentation radically simple and accessible to organizations of all sizes, network complexities and security maturity levels.
It's crucial for organizations to recognize the importance of micro-segmentation in their security strategy. Rather than viewing it as a distant goal, they should understand that it's an achievable milestone that can significantly enhance their defenses against cyber threats. By segmenting their network with precision, organizations can effectively thwart unauthorized lateral movement, block ransomware, and mitigate the impact of advanced attacks.
There are other steps, as well, that any organization can take today to make their network more resilient – that we don’t see the NSA articulating.
Start With Clients
At first, this seems counter-intuitive. Shouldn’t one protect their most sensitive assets first? Yes, you should protect your most sensitive assets, but you should probably do it second. The reason being that attacks often start from clients who are vulnerable to phishing attacks, compromised attachments, or otherwise find themselves surfing the web in dodgy locations. Once inside, attackers normally need to move laterally to compromise privileged accounts, which they later use to propagate to the entire network.
Mitigating these initial stages of lateral movement can be done simply by using Group Policy Objects (GPOs) and the Windows built-in firewall. There are very few reasons client hosts should accept any inbound traffic from ANY device in the network. Simply blocking inbound traffic with a GPO that sets a default inbound block as the firewall rule already reduces your attack surface significantly. Client hosts are normally grouped conveniently into Organizational Units (OUs) in Active Directory, which means writing and deploying such a rule is not a hard task.
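As an added example (not part of the original article, and not Zero Networks' tooling), the following PowerShell builds the GPO described above with the NetSecurity and GroupPolicy modules: it sets the Windows firewall default inbound action to Block on every profile, blocks merging of local rules so a local administrator or installer cannot reopen inbound access, adds one explicit allow rule for remote management from an admin subnet, and links the GPO to the client OU. The domain name, GPO name, OU distinguished name and admin subnet are placeholders; run it from a domain-joined admin host with the RSAT Group Policy tools installed.

```powershell
# Added example: a GPO that applies a default inbound block to client hosts.
# All names and addresses below are placeholders for this example.
Import-Module GroupPolicy
Import-Module NetSecurity

$Domain      = 'corp.example.com'                          # placeholder domain
$GpoName     = 'Client-Firewall-Inbound-Block'             # placeholder GPO name
$ClientOU    = 'OU=Workstations,DC=corp,DC=example,DC=com' # placeholder client OU
$AdminSubnet = '10.10.0.0/24'                              # placeholder admin subnet

# 1. Create the GPO if it does not already exist (idempotent re-runs).
$gpo = Get-GPO -Name $GpoName -Domain $Domain -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Domain $Domain `
        -Comment 'Default inbound block for client hosts'
}

# 2. Open the GPO's firewall policy store in a session so all changes are
#    written together when saved.
$session = Open-NetGPO -PolicyStore "$Domain\$GpoName"

# 3. Enable the firewall on all profiles, block inbound by default, allow
#    outbound, and ignore locally defined rules so only GPO rules count.
Set-NetFirewallProfile -All -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -AllowLocalFirewallRules False `
    -GPOSession $session

# 4. The only inbound exception: remote management (WinRM) from the admin
#    subnet on the Domain profile. Anything else arriving at a client is dropped.
New-NetFirewallRule -GPOSession $session `
    -DisplayName 'Allow WinRM from admin subnet' `
    -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 5985, 5986 `
    -RemoteAddress $AdminSubnet -Profile Domain

# 5. Commit the firewall settings into the GPO and link it to the client OU.
Save-NetGPO -GPOSession $session
New-GPLink -Name $GpoName -Target $ClientOU -Domain $Domain -LinkEnabled Yes

# Verification on a client after 'gpupdate /force' (run on the client):
#   Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
# Every profile should report Enabled = True and DefaultInboundAction = Block.
```

Pilot this on a small test OU first: the default block will also stop any inbound tooling you rely on (remote support, software deployment agents, vulnerability scanners), and each of those needs an explicit allow rule scoped to the source subnet in the same GPO rather than a broad exception.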
Protect DCs and Other Sensitive Assets - the Smart Way
Numerous security “gurus” will claim that it is most important to protect your most sensitive data. This is obviously true. The question is, can you truly protect your most sensitive data if you can’t protect your privileged identities? If an attacker compromises a domain account, for example, they will have access to any resource in the network, including your most sensitive data.
Unfortunately, some of the most sensitive assets – domain controllers (DCs), for example – must be exposed to the entire network. Coupled with the complexity of managing identities and access, attackers often don’t struggle to compromise, for example, a service account that was configured as a domain admin.
Fortunately, there are several open-source tools which will help you dramatically reduce the attack surface on DCs and other privileged hosts and manage your privileged accounts at scale.
MFA All the Things
Finally, after making sure attackers cannot move in your network, or compromise privileged accounts, it’s time to strictly control access to your sensitive data. This may prove to be a more complicated task, but after taking care of the other network and identity issues, the remaining task should be much smaller.
Not every access can be subject to Multi-Factor Authentication (MFA), but MFA should be enforced wherever it can be. These are typically your PaaS and SaaS solutions. Also, if you are not such a big organization, think about limiting access to your cloud resources to the specific IP ranges that match where your employees are located.
In conclusion, there are steps today – not well articulated (if at all) by the NSA – that are quick/easy ways to move closer to their espoused zero-trust goal. Additionally, the misconceptions propagated by portraying micro-segmentation as a complex endeavor may lead organizations to delay crucial security investments. This delay leaves them vulnerable to evolving threats, jeopardizing their data, operations, and reputation. It's imperative for organizations to reassess their security priorities and recognize that micro-segmentation is not only feasible but essential in today's threat landscape.
Ultimately, the goal of cybersecurity should be to empower organizations to protect their digital assets efficiently and effectively. By dispelling myths surrounding micro-segmentation and emphasizing its accessibility and importance, we can ensure that organizations prioritize the security investments that align with their zero-trust frameworks and safeguard against emerging threats. Additionally, providing specific, real-world steps that any organization can take immediately is eminently more helpful in this effort.
Sagie Dulce is Vice President of Research at Zero Networks. He is an experienced leader of cybersecurity research teams and insider threat programs.