Network Segmentation: How Can You Find Vulnerabilities Before They’re Exploited?

Today’s enterprises recognize that perimeter security is not enough. With the attack surface under constant pressure, some part of the network will very likely be compromised. But the initial point of entry is rarely where the most sensitive data and services live. So, attackers try to move laterally within the corporate infrastructure, accessing increasingly valuable data until the intrusion becomes a breach.

Network segmentation defends against this pattern of attack by dividing the network into zones – like clusters or departments or machines handling financial data – with limited or no possible communication between specific zones. A fine-grained version of this idea, micro-segmentation, takes segmentation down to VMs or individual applications.

Segmentation is a key way that the network can help provide protection even if parts of the network are compromised. As one expert hacker has said: “If you really want to make my life hard, you segment.” That’s Rob Joyce – chief of Tailored Access Operations at the National Security Agency – speaking from the perspective of an attacker. (Check out his talk at the USENIX Enigma conference earlier this year.)

But achieving that segmentation in a bulletproof manner is difficult, because it requires understanding the network-wide reality of how multi-vendor devices like firewalls, switches, and routers are interconnected, how data can and should flow between them, and in many cases how hybrid cloud architectures and mobile computing change the attack surface. A segment might need to span multiple teams at multiple sites worldwide with controls implemented at multiple layers of the OSI model. And that’s just a single segment. Now, imagine undertaking this process across a global enterprise that is continuously undergoing hundreds or thousands of configuration changes every month, and the possibility of introducing a vulnerability in network segmentation becomes even more likely.

What makes segmentation vulnerabilities particularly worrisome is that they can be invisible – even if there is a significant vulnerability, the network keeps running. An enterprise might not find out about the vulnerability until well after it’s been exploited.

Finding segmentation vulnerabilities before they’re exploited

What if there were a way to know about a vulnerability when it first appears, instead of after it leads to a breach?

Finding design problems before they trigger an incident in the field is the goal of formal verification. In an earlier post, we wrote about how Veriflow is applying this concept to enterprise networks.

What that means for network segmentation is that an enterprise’s segmentation or micro-segmentation policy can be mathematically verified against the live, network-wide reality. If an error or misunderstanding has opened a path for communication between segments that the policy forbids, mathematical network verification can identify that vulnerability. It does this predictively, so there is no need to wait for traffic (whether accidental or malicious) to exploit the gap before the problem is identified and addressed. It also works continuously, constantly checking the network against policies. So if a change violates a policy, the problem is identified in real time instead of after it’s too late.
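To make the idea of checking a segmentation policy against device configuration (rather than against observed traffic) concrete, here is an added example, not Veriflow’s code or method. It assumes a single first-match ACL and uses constructed zones, rules and a forbidden-pair policy; it finds every permit rule that would let traffic cross a forbidden zone boundary and is not shadowed by an earlier deny.

```python
"""Predictive segmentation check: policy vs. a first-match ACL, no traffic needed."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Optional, Tuple

Ports = Tuple[int, int]          # inclusive destination-port range
ANY_PORT: Ports = (0, 65535)

@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    ports: Ports

def rule(action: str, src: str, dst: str, ports: Ports = ANY_PORT) -> Rule:
    return Rule(action, ip_network(src), ip_network(dst), ports)

def net_overlap(a: IPv4Network, b: IPv4Network) -> Optional[IPv4Network]:
    """Intersection of two prefixes is the more specific one, or None if disjoint."""
    if a.subnet_of(b): return a
    if b.subnet_of(a): return b
    return None

def covers(deny: Rule, src: IPv4Network, dst: IPv4Network, ports: Ports) -> bool:
    """True if this deny rule fully covers the (src, dst, ports) region."""
    return (src.subnet_of(deny.src) and dst.subnet_of(deny.dst)
            and deny.ports[0] <= ports[0] and ports[1] <= deny.ports[1])

def find_violations(acl, zones, forbidden):
    """For each forbidden (src_zone, dst_zone) pair, report permit rules whose
    overlap with the pair is not shadowed by a single earlier deny. Conservative:
    a region blocked only by the union of several denies is still reported."""
    violations = []
    for src_zone, dst_zone in forbidden:
        for i, r in enumerate(acl):
            if r.action != "permit": continue
            src = net_overlap(r.src, zones[src_zone])
            dst = net_overlap(r.dst, zones[dst_zone])
            if src is None or dst is None: continue
            if not any(d.action == "deny" and covers(d, src, dst, r.ports) for d in acl[:i]):
                violations.append((src_zone, dst_zone, i, str(src), str(dst), r.ports))
    return violations

# Constructed example data (hypothetical addresses, not from any real network).
ZONES = {"corp": ip_network("10.1.0.0/16"), "finance": ip_network("10.9.0.0/24"),
         "dmz": ip_network("192.0.2.0/24")}
FORBIDDEN = [("dmz", "finance"), ("corp", "finance")]
ACL = [rule("deny", "192.0.2.0/24", "10.9.0.0/24"),                # dmz -> finance blocked
       rule("permit", "10.1.0.0/16", "10.9.0.0/24", (443, 443)),   # corp -> finance: violation
       rule("permit", "0.0.0.0/0", "0.0.0.0/0", (53, 53)),         # any -> any DNS: leaks corp -> finance
       rule("deny", "0.0.0.0/0", "0.0.0.0/0")]
```

Running `find_violations(ACL, ZONES, FORBIDDEN)` flags rules 1 and 2 for the corp-to-finance pair, while the dmz-to-finance pair is clean because the broad DNS permit is shadowed by the earlier deny.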

The benefits of network segmentation verification are immediate and exciting. On the security side, there is a significant reduction in risk. And on the operational side, enterprise networks can now adapt on the fly, supporting the constantly changing business demands without the fear of changes that compromise security policy.

For more information: read our white paper.