Every organization is at risk for cyberattacks, and it’s unsettling that the attackers are so good at maximizing the damage to their victims. Their tactics are increasingly sophisticated and often involve some type of email attack, bot attack, or even just old-school social engineering. Attackers who bypass company defenses will hide inside the network as long as possible, even if they’re planning to launch a ransomware attack. They use this time to explore the network, steal data and user credentials, destroy backups, and do anything else they can to set themselves up for future attacks.
The time an attacker spends inside a network is referred to as ‘dwell time,’ and it’s measured from the point of intrusion to the point of detection. Long dwell times increase the damage of an attack, often in ways that can’t be measured. The SolarWinds breach is the perfect example of this. The intruders entered the network in early 2019 and were not discovered until December 2020. The exact number of victims and costs associated with the attack remain unknown.
Network segmentation is one of the easiest and most effective ways to reduce dwell time. For those of you not familiar with this practice, it’s just like it sounds: You divide your network into different sections (segments) and you ‘lock the doors’ between them.
You’ve seen this concept at work in high-security buildings that restrict access to certain parts of the facility to people who have been granted permission to enter that restricted section. This keeps people from wandering around and exploring areas that are critical to operations or contain sensitive information. Segmentation does something similar for your network.
Benefits of network segmentation
There are immediate security benefits to separating your network into multiple contained segments:
- Segmentation creates a smaller attack surface within the network. An intruder will be limited to the segment that was breached. The attacker can go no further unless they successfully breach another segment. Isolating your mission-critical servers and data can prevent an intruder from gaining access to your resources through a neglected printer or rogue smart device.
- Segmentation makes it easier to detect and isolate security incidents. The division between the segments helps contain the spread of malware and viruses. It limits the areas where the intruder can hide, and it can improve the efficiency of security monitoring.
There are non-security benefits as well. For example, point-of-sale (POS) devices fall under strict compliance rules. Assigning POS devices their own segment helps companies by limiting the cardholder data environment (CDE) and reducing the scope of PCI DSS compliance.
Segmentation also improves network performance by separating traffic. A good example of improving both security and performance is the separation of a public network from private resources. A shopping center or school campus that offers free wireless access to guests would want that traffic separated from the line-of-business applications. This keeps the potential traffic congestion of public wireless access isolated to assigned segments.
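To make the ‘locked doors’ concrete, here is an added example (not code from the original post or from Barracuda) that models the segments discussed above, a default-deny policy between them, and an audit that flags flow-log entries crossing a segment boundary without a permitting rule. The segment addressing, the allowed flows, and the flow log are all constructed assumptions for illustration.

```python
import ipaddress

# Constructed example segments (assumed addressing, not from the original post).
SEGMENTS = {
    "guest_wifi": ipaddress.ip_network("10.10.0.0/16"),
    "corporate":  ipaddress.ip_network("10.20.0.0/16"),
    "servers":    ipaddress.ip_network("10.30.0.0/24"),
    "pos_cde":    ipaddress.ip_network("10.40.0.0/24"),
}

# The "locked doors": only these cross-segment flows (by destination port)
# are permitted. Everything else between segments is denied by default.
ALLOWED = {
    ("corporate", "servers"): {443, 445},
    ("pos_cde", "servers"):   {443},   # payment app to its backend only
}

def segment_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"  # anything outside the defined segments

def is_allowed(src_ip: str, dst_ip: str, dport: int) -> bool:
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src == dst:
        return True  # intra-segment traffic is not governed by this policy
    if dst == "internet":
        return src != "pos_cde"  # CDE gets no direct egress; guests may browse
    return dport in ALLOWED.get((src, dst), set())

def audit(flow_lines):
    """Return (src_seg, dst_seg, line) for every flow that crosses a segment
    boundary without a matching rule; these are the events worth alerting on."""
    findings = []
    for line in flow_lines:
        src, dst, port = line.split()
        if not is_allowed(src, dst, int(port)):
            findings.append((segment_of(src), segment_of(dst), line))
    return findings

# Constructed flow log, one "src dst dport" record per line.
SAMPLE_FLOWS = [
    "10.20.5.7 10.30.0.10 443",   # corporate -> servers HTTPS: allowed
    "10.10.3.9 203.0.113.10 443", # guest -> internet: allowed
    "10.10.3.9 10.40.0.5 445",    # guest -> POS segment: violation
    "10.40.0.5 203.0.113.10 443", # POS -> internet: violation
    "10.20.5.7 10.40.0.5 22",     # corporate -> POS over SSH: violation
]
```

Running `audit(SAMPLE_FLOWS)` returns the three violating flows, which is exactly the short list a monitoring team would want to review rather than the full log.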
Barracuda can help you secure your network while making it easier to manage. Visit our website for more information on Barracuda CloudGen Firewall, secure SD-WAN, and other network security solutions.
Christine Barry is Senior Chief Blogger and Social Media Manager at Barracuda. Prior to joining Barracuda, Christine was a field engineer and project manager for K12 and SMB clients for over 15 years. She holds several technology and project management credentials, a Bachelor of Arts, and a Master of Business Administration. She is a graduate of the University of Michigan.
Connect with Christine on LinkedIn here.