Where Insider Threats Hide Out in a Segmented Network
When it comes to insider threats and cybersecurity in general, experts often discuss how to practice policies of containment, and use these to mitigate threats. One fundamental way to do this is through the process of network segmentation.
What is network segmentation?
Network segmentation means dividing a network into smaller subnetworks that are linked to each other in a controlled way, so the network has a clearer structure. This brings a few key benefits. First, it is easier to see and monitor network activity within these smaller systems. Second, it can improve performance across the network. Third, it supports a zero trust strategy.
Why Network Segmentation Helps
With segmented networks, engineers basically have smaller areas to police and maintain.
Think of an enormous nation-state that spans an entire continent. How hard is it to manage all of the people and resources in this gigantic landmass? Then think about much smaller countries with only a few hundred square miles. Smaller populations, smaller cities, and more of an ability for public planners to micromanage the development of populations and regional growth. These smaller nations, then, often constitute themselves into a federation that’s run at a more central level.
This is an inexact analogy to cybersecurity, because the goals and objectives are different. However, it does illustrate how network segmentation can make things easier for planners and managers, including cybersecurity professionals.
Here, we’ll talk about some of the major ways to isolate and contain threats with network segmentation and how to eliminate them from sensitive areas of the network where they may reside.
Insider Threats Contained Away from Enforceable Policies
Simply speaking, enforceable policies are a way to batten down or manage parts of the network.
Experts often talk about an access control policy that’s set up through specific types of hardware and software designs. We’ll go over several components of this kind of planning, starting with the idea of an access control list.
Access Control List
An access control list is fundamentally a list of permissions for a given resource. Using access control lists, network administrators can fine-tune their approach to isolating and spotting insider threats.
But at its core, access control is based on having an existing system of identity and access management.
In past pieces, we talked quite a bit about identity and access management or IAM. It’s a practice of creating specific user accounts according to job role and status, and giving these accounts individualized permissions based on their identities.
In other words, an access control list is only useful on top of an IAM system in which everyone is identified and their access needs are spelled out.
The virtual local area network or VLAN is another key tool in network segmentation.
You might say that insider threats get ‘stopped at the edge’ of a VLAN subnet.
Then they’re isolated where they can’t do damage to sensitive data sets. That’s the basic idea.
The key principle here is virtualization of the physical network. In earlier, more primitive designs, people relied on physical firewall hardware for a perimeter-based approach. VLANs make it possible to partition the same physical switching hardware into separate virtual subnets. That means traffic from specific machines can be isolated and analyzed routinely, according to much more granular plans.
Software Defined Networks
Software defined networks also add to this promise of virtualization with centralized controllers that can address virtualized traffic.
Here we can add a note about vendor services. For example, Microsoft Azure offers a virtual network service that can play the role of a VLAN or SDN in managing subnets.
Again, threats are isolated outside of sensitive areas. They can still be identified and eliminated, but they’ve gotten a lot of the teeth taken out of them, because they can’t access internal network areas.
Insider Threats in Stasis
Again, the basic idea is that you isolate these insider threats in certain parts of a network. They have to remain, to a greater extent, at rest – rather than running around in the system doing malicious things to different workflows and data sets.
This is one of the reasons why network segmentation is so important to cybersecurity professionals.
Other Related Ideas
Here are some other security principles that help people to harden networks and keep hackers from compromising systems.
Zero Trust Strategy
The idea of zero trust is fairly simple – instead of implicitly allowing outside traffic to do certain things, zero trust starts from the premise that access to resources is denied by default. Building on that, zero trust grants only the specific access that someone might legitimately need.
This principle on its own is enough to really improve things like endpoint security, edge computing, data warehouse protection and more. Zero trust is often about sealing out hacking potential through concrete policy changes, which can be a powerful component of designing safer systems.
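The access control list, VLAN and zero trust passages above describe one mechanism from three angles: identify the user through IAM, place the request's source in a segment, and deny anything the resource's ACL does not explicitly allow. The following is an added example written for this article, not code from it or from any vendor product; the accounts, roles, subnets, resource names and ACL contents are all constructed, and the IAM directory is a stand-in for a real identity provider.

```python
"""Default-deny access check combining IAM roles, VLAN segments and per-resource ACLs.

Added illustration; all identities, subnets and resources below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Tuple

# Assumed IAM directory: account name -> job role. In a real deployment this
# comes from the organisation's identity provider, not a hard-coded dict.
IAM_ROLES = {
    "alice": "finance-analyst",
    "bob": "helpdesk",
    "svc-backup": "backup-service",
}

# Constructed VLAN subnets. Each VLAN is a segment with its own address range.
SEGMENTS = {
    "vlan10-finance": ip_network("10.10.0.0/24"),
    "vlan20-users": ip_network("10.20.0.0/24"),
    "vlan30-backup": ip_network("10.30.0.0/24"),
}


@dataclass(frozen=True)
class AclEntry:
    """One permission line: which role, from which segment, may do which actions."""
    role: str
    from_segment: str
    actions: FrozenSet[str]


# Constructed ACLs keyed by resource. Anything not listed here is denied.
ACL = {
    "finance-db": [
        AclEntry("finance-analyst", "vlan10-finance", frozenset({"read"})),
        AclEntry("backup-service", "vlan30-backup", frozenset({"read"})),
    ],
    "ticket-system": [
        AclEntry("helpdesk", "vlan20-users", frozenset({"read", "write"})),
    ],
}


def segment_of(src_ip: str) -> Optional[str]:
    """Map a source address to the VLAN segment it belongs to, or None if unmanaged."""
    addr = ip_address(src_ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def authorize(user: str, src_ip: str, resource: str, action: str) -> Tuple[bool, str]:
    """Zero-trust style decision: deny unless identity, segment and ACL all agree.

    Returns (allowed, reason) so the reason can be logged for later analysis.
    """
    role = IAM_ROLES.get(user)
    if role is None:
        return False, "unknown identity"
    segment = segment_of(src_ip)
    if segment is None:
        return False, "source address outside every managed segment"
    for entry in ACL.get(resource, []):
        if entry.role == role and entry.from_segment == segment and action in entry.actions:
            return True, f"ACL entry for {role} from {segment}"
    return False, "no matching ACL entry (default deny)"


if __name__ == "__main__":
    checks = [
        ("alice", "10.10.0.5", "finance-db", "read"),    # expected path
        ("alice", "10.20.0.5", "finance-db", "read"),    # same identity, wrong VLAN
        ("bob", "10.20.0.9", "finance-db", "read"),      # wrong role
        ("mallory", "10.10.0.7", "finance-db", "read"),  # not in IAM
    ]
    for user, ip, res, act in checks:
        allowed, why = authorize(user, ip, res, act)
        print(f"{user:8} {ip:10} {res:13} {act:5} -> {'ALLOW' if allowed else 'DENY '} ({why})")
```

The second check is the "stopped at the edge" case from the VLAN discussion: the same valid identity is refused because the request does not originate from the segment the ACL expects. Returning a reason string alongside the decision is deliberate; those reasons are the raw material a monitoring layer works from.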
New firewall technologies are also very helpful in sealing up networks, including those with segmentation strategies, to protect sensitive data sets. To some who have not paid attention to the most modern advances, a “firewall” can sound outdated, but in reality, new types of firewall protection have new feature sets that do a lot more for business systems.
In the past, we talked quite a bit about the ‘stateful’ firewall – the idea that instead of a firewall that simply applies the same rules to each session in isolation, the firewall keeps track of connection state and holds that information for use in later sessions.
Looking at advances like Palo Alto’s lineup of next-gen firewalls, for example, and contemplating their presence in managed services, you can see how they also go beyond the traditional perimeter for more robust cybersecurity protection.
Identity and Access Management
This is also one type of network protection that comes up very often in the context of cybersecurity and insider threat management.
The idea with identity and access management is that each person gets a dedicated account. Then cybersecurity engineers (and others) use that account to direct the person’s access in granular ways. There is a profile of each user that people can use to monitor systems and scrutinize activity.
User Entity Behavior Analytics
UEBA or user entity behavior analytics is powerful in creating safer networks – and it works in tandem with IAM, too.
When each person has an account, UEBA will tag events and activity to that account, and then AI engines and other tools will work to identify what might be suspicious network behavior.
All of this is instrumental in hardening systems and improving the cybersecurity posture of a business architecture.
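To make the UEBA idea above concrete, here is an added example, not taken from the article or from any vendor tool, that builds a per-account baseline from a constructed log of allowed activity and then flags departures from it: resources or source segments the account has never touched, activity outside the account's usual hours, and bursts of denied requests. The event format, account names, segment names, hour-window model and deny threshold are all assumptions made for the illustration.

```python
"""Per-account behaviour baselines and anomaly flags, in the spirit of UEBA.

Added illustration with constructed events; not any product's logic.
Each event is (iso_timestamp, account, source_segment, resource, outcome).
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set, Tuple

Event = Tuple[str, str, str, str, str]

# Constructed "known good" window: what each account normally touches and when.
BASELINE_EVENTS: List[Event] = [
    ("2024-03-04T09:12:00", "alice", "vlan10-finance", "finance-db", "allow"),
    ("2024-03-04T10:40:00", "alice", "vlan10-finance", "finance-db", "allow"),
    ("2024-03-05T09:05:00", "alice", "vlan10-finance", "reports-share", "allow"),
    ("2024-03-05T14:30:00", "alice", "vlan10-finance", "finance-db", "allow"),
    ("2024-03-04T08:50:00", "bob", "vlan20-users", "ticket-system", "allow"),
    ("2024-03-05T16:10:00", "bob", "vlan20-users", "ticket-system", "allow"),
]

# Constructed observation window containing a few departures from the baseline.
NEW_EVENTS: List[Event] = [
    ("2024-03-11T09:30:00", "alice", "vlan10-finance", "finance-db", "allow"),
    ("2024-03-11T23:45:00", "alice", "vlan10-finance", "finance-db", "allow"),
    ("2024-03-12T10:02:00", "bob", "vlan20-users", "finance-db", "deny"),
    ("2024-03-12T10:03:00", "bob", "vlan20-users", "finance-db", "deny"),
    ("2024-03-12T10:04:00", "bob", "vlan20-users", "hr-share", "deny"),
    ("2024-03-12T10:05:00", "bob", "vlan30-backup", "ticket-system", "allow"),
]


@dataclass(frozen=True)
class Finding:
    account: str
    reason: str
    timestamp: str


def build_baselines(events: List[Event]) -> Dict[str, dict]:
    """Summarise allowed activity per account: resources, segments and working hours."""
    raw: Dict[str, dict] = defaultdict(
        lambda: {"resources": set(), "segments": set(), "hours": []}
    )
    for ts, account, segment, resource, outcome in events:
        if outcome != "allow":
            continue  # denied attempts do not define "normal"
        b = raw[account]
        b["resources"].add(resource)
        b["segments"].add(segment)
        b["hours"].append(datetime.fromisoformat(ts).hour)
    # Collapse observed hours into one contiguous window. This assumes day-shift
    # style work; rotating or overnight shifts would need a different model.
    return {
        acct: {
            "resources": b["resources"],
            "segments": b["segments"],
            "hour_window": (min(b["hours"]), max(b["hours"])),
        }
        for acct, b in raw.items()
    }


def score_events(events: List[Event], baselines: Dict[str, dict],
                 deny_threshold: int = 3) -> List[Finding]:
    """Flag activity that departs from an account's baseline."""
    findings: List[Finding] = []
    denies: Counter = Counter()
    already_reported: Set[Tuple[str, str]] = set()

    def report(account: str, reason: str, ts: str, once: bool = True) -> None:
        # Novelty findings are reported once per account so a burst of events
        # against the same new resource does not flood the analyst.
        if once:
            if (account, reason) in already_reported:
                return
            already_reported.add((account, reason))
        findings.append(Finding(account, reason, ts))

    for ts, account, segment, resource, outcome in events:
        base = baselines.get(account)
        if base is None:
            report(account, "no baseline for account", ts)
            continue
        hour = datetime.fromisoformat(ts).hour
        lo, hi = base["hour_window"]
        if resource not in base["resources"]:
            report(account, f"new resource {resource}", ts)
        if segment not in base["segments"]:
            report(account, f"new source segment {segment}", ts)
        if not lo <= hour <= hi:
            report(account, f"off-hours activity at {hour:02d}:00", ts)
        if outcome == "deny":
            denies[account] += 1
            if denies[account] == deny_threshold:
                report(account, f"{deny_threshold} denied requests", ts, once=False)
    return findings


def findings_by_account(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per account, a crude stand-in for a risk score."""
    return dict(Counter(f.account for f in findings))


if __name__ == "__main__":
    for f in score_events(NEW_EVENTS, build_baselines(BASELINE_EVENTS)):
        print(f"{f.timestamp}  {f.account:6}  {f.reason}")
```

The denied-request rule is where this ties back to segmentation: the denials in the constructed data are exactly the "stopped at the edge" decisions a default-deny ACL produces, so the segmentation layer both contains the activity and generates the evidence that the monitoring layer scores.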
The Overall Context
In the era of massive data breaches and other scary black hat operations, cybersecurity is front and center for nearly any business.
Companies are facing a high bar when it comes to keeping malicious actors from doing negative things to their systems and their data.
That in turn has led government agencies like CISA and NIST to deliver guidelines and guidance for executives and others, including the recommendation that businesses set up task forces or point people to deal with cybersecurity issues.
The robust nature of new UEBA tools is one of the prime movers of cybersecurity improvement and advances.
Insiders or others can’t carry out their nefarious plans if they are increasingly tracked and watched across the network architecture. Cybersecurity professionals can do more with automation and other solutions. For example, companies might explore the use of cloud native security tools to help optimize the pipeline for these types of analysis. They may think about unified controls and a central dashboard or command center in order to organize their efforts. Smart remote access can also be part of the equation. This, together with a “full stack” strategy for cybersecurity, can aid executives in getting peace of mind about the safety of business data.