7 Network Segmentation Best Practices That Stop Malware’s Lateral Spread

In the first nine months of 2023, there were 2116 US data compromises. Sadly, 2023 received the dubious distinction of being the worst year for data compromises on record while it still had a full quarter to go, according to the Identity Theft Resource Center (ITRC). With constantly evolving zero-day exploits, supply chain security breaches, and phishing attacks, you should be prepared for an attack to slip past your defenses. In good news, implementing network segmentation best practices can cost-effectively limit the lateral spread of malware and minimize the damage from a breach.

What is Network Segmentation?

Network segmentation is the process of dividing your network into individual network segments (also known as zones) to limit the flow of data between segments. This is often done using Virtual Local Area Networks (VLANs). These VLANs enable geographically distant systems to communicate with each other as if they are connected to the same local network segment. VLANs also allow administrators to groups systems by function (i.e., file servers) or by “security zones” that can be divided by the type or sensitivity of the information these zones will contain (such as Protected Health Information (PHI) or credit card data).

Network Segmentation Best Practices

Unfortunately, many organizations still have poor network segmentation. When conducting penetration tests, we frequently find that the segmentation and filtering do not meet the necessary standards to prevent the lateral spread of malware or stop criminal movements between systems as they attempt to escalate their privileges in your environment. Let’s fix that! Here’s our list of the top seven network segmentation best practices that will help you reduce the lateral spread of malware:

1. Inventory your environment and assign classification labels to each asset. Unless you know what you have and where it is, you can’t properly segment and protect your organization. This means taking an inventory of everything from your database to your IoT-enabled printer, refrigerator, and HVAC sensors. Identify your connected assets and classify them both by importance/sensitivity and level of security. For example, your database and payment card processing systems are likely crucial and probably contain sensitive data, and the software programs or apps you are using probably have stronger security. While your IoT-enabled toaster likely has poor security, it is also probably relatively unimportant (…well, unless your organization really loves toast!). You need to both inventory and classify all of your connected devices so you can use this information to design a strong network segmentation plan.
2. Group like systems and those that regularly interact together in the same segments. Once you inventory your assets and have a list of both the asset importance and level of security, you need to use this data to begin grouping your assets into low and high security segments. As you design your network segmentation plan, you also need to consider which systems communicate with each other regularly and try to simplify your network segmentation by ensuring that these assets are in the same network segment. This will simplify filtering and monitoring (we’ll talk about this more in a minute). If you’re not sure which assets to group together, bring in a cybersecurity specialist to help you create a plan. Contact us if you’d like more information.
3. Deny, Deny, Deny. Once you segment your network, these segments should be configured to deny/block all traffic by default. Then you should set allow rules for only the protocols or services that are required to support necessary business functions. By limiting the flow of data between the network segments and closing a majority of the ports, you will be able to more effectively monitor network traffic and spot unusual activity.
4. Isolate legacy and insecure systems in their own segment. In an ideal world, all assets would be retired if they lack adequate security (such as old systems or inexpensive, insecure IoT devices) or when the software is no longer supported, and the supplier stops providing updates that protect against the latest vulnerabilities. Sadly, this is not the case, and many organizations struggle with securing legacy solutions. From expensive medical equipment or custom software solutions that an organization can’t afford to replace, to legacy monitoring equipment that has no onboard security, continuing to use vulnerable systems is a reality for many organizations. These systems make protecting your network harder. However, with proper network segmentation you can isolate or severely reduce access between these systems and the rest of the network. Not only is this a network segmentation best practice, it is one of your best bets for protecting legacy solutions. Combined with careful segmentation and monitoring, this can reduce your risk of lateral spread if these legacy systems are compromised.
5. Limit and isolate partner/supplier access. In today’s digitally connected world, you likely have partners and vendors that have access to your software, cloud, or SaaS environments. Criminals are increasingly targeting connected partners/suppliers and then moving laterally from one infected organization to another. Limit partner and supplier access to the absolute minimum necessary and isolate these systems from your critical data and assets whenever possible. For more information on supply chain risks, read our blog on supply chain security.
6. Ensure your network segmentation practices enable filtering and monitoring. Many organizations implement network segmentation, as we discussed above, and consider the job done, thinking that by implementing zones that they are protected. For network segmentation to provide realistic security benefits, the traffic should be filtered between segments. This means that from the conference room network port, no one should be able to reach the Microsoft SQL service running on TCP port 1433 of your production database server. As we discussed earlier in this network segmentation best practices list, your traffic filtering default should be to “deny all”—no traffic should be permitted unless a specific rule allows that type of traffic. These rules should be predicated by a business need. We understand that network segmentation and the use of filtering add additional complexity to network administration, so it’s important to keep accurate and up-to-date documentation and require all changes be subject to formal change management practices and tracking. Inadequate documentation (including gaps in change management procedures) will cause headaches down the road and will inevitably lead to certain levels of reverse-engineering, which administrators rarely have time for when troubleshooting network issues.
7. Regularly evaluate your security. Once you have implemented these network segmentation best practices, it’s time to put your security to the test. You should have an annual penetration test to check your overall cybersecurity posture, verify that your network segmentation is stopping lateral spread as intended, and uncover any security gaps in new systems or devices that have recently been added to your environment. If you would like more information, read our blog on why pentesting was selected as one of our top cybersecurity controls.

We hope you found this information helpful! If you need help designing a network segmentation plan, contact us and one of our expert consultants will be happy to help!