Securing Smart (and Not So Smart) Devices With Microsegmentation
Published 04/14/2025
There is a reason that a compromise of one smartphone doesn’t lead to a breach of every smartphone’s security: microsegmentation. Telecom companies use this ‘network of one’ strategy to isolate devices and keep threats from spreading among them, and it was the inspiration that led to me cofounding Airgap in 2019.
Securing critical infrastructure, as well as the wider public and private sectors, is crucial for countries looking to protect themselves from hostile threat actors. Today I am convinced that zero trust segmentation of everything from the smallest connected sensor to large, complex devices can help businesses cut costs and significantly enhance security.
CISOs everywhere are familiar with these challenges. In my conversations, they tend to want to know three things:
How does microsegmentation make my organization more secure?
Minor breaches become major incursions when an attacker is able to move around in a network and gain access to other devices on a network, i.e. “lateral movement.” Hackers use this technique to discover high-value resources or otherwise maximize their leverage over their targets. Eliminating that possibility means minimizing the likelihood of a damaging breach, including ransomware.
Microsegmentation is especially useful for devices that were not designed with security in mind, such as IoT/OT devices, which increasingly supply critical infrastructure with essential services like control, monitoring and measurement, predictive maintenance notices, and safety alerts. These devices are often misconfigured out of the box, and rarely or never support security updates.
Oftentimes, devices run on operating systems that are no longer supported by the vendor or lack the necessary CPU to upgrade to newer versions of software. One of our healthcare customers purchased a $3 million MRI machine running Windows 2008; the device was out of compliance with industry regulations the day it was delivered. Further, administrators in manufacturing often tell me Windows XP remains the most common OS running on their equipment.
Zero trust architecture and segmentation reduce the risk of these devices being compromised and stop any compromises from spreading. It’s like a killswitch for ransomware.
How does microsegmentation cut costs?
First, microsegmentation makes several other pieces of network hardware redundant. East/west firewalls that inspect traffic within a network are no longer required because each device resides on its own subnet. Network access control appliances for applying policies are also rendered unnecessary because devices are authenticated through the client. Simplification of switching infrastructure is an especially critical source of savings due to the number of complex L2/L3 switches needed, and the fact that their cost tends to rise with complexity. For cash-strapped IT teams, eliminating expensive network switches can help balance budgets and free up staff to focus on more strategic initiatives.
It’s not just the cost of the hardware, it’s the maintenance and the inherent risk of compromise. Less network complexity means lower management overhead, which frees up staffing resources.
Microsegmentation also demonstrates risk reduction to insurers. The previously mentioned health care company was unable to land a cyber insurance policy because of the risk presented by the MRI scanner with an unsupported Windows OS; only after adopting our solution were they able to secure a policy by proving that the risk was managed.
How does microsegmentation work?
Microsegmentation solutions isolate each device from the rest of the network by placing it on its own dedicated /32 subnet. Many IoT/OT devices are deliberately designed not to allow for the installation of software agents, due to the potential for interference with the machinery’s core functionality. An agentless approach simplifies deployment, saving time and money.
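The effect of a /32 mask on reachability can be shown with a short model. This is an added example, not code from the article or from any vendor; the device names, addresses and the gateway allowlist are constructed assumptions.

```python
import ipaddress

# Constructed inventory (not from the article): device name -> address/prefix.
FLAT = {
    "mri-scanner": "10.20.0.11/24",
    "hvac-sensor": "10.20.0.12/24",
    "nurse-station": "10.20.0.13/24",
}
# Same devices, each placed on its own /32 as the article describes.
SEGMENTED = {name: addr.split("/")[0] + "/32" for name, addr in FLAT.items()}

# Hypothetical allowlist enforced at the gateway: (source, destination) pairs.
GATEWAY_ALLOW = {("nurse-station", "mri-scanner")}


def on_link_peers(inventory):
    """For each device, list the peers its IP stack treats as on-link,
    i.e. addressed directly instead of being sent to the gateway."""
    ifaces = {n: ipaddress.ip_interface(a) for n, a in inventory.items()}
    return {
        src: sorted(dst for dst, d in ifaces.items()
                    if dst != src and d.ip in s.network)
        for src, s in ifaces.items()
    }


def reachable(inventory, allow):
    """Peers each device can reach in this model: on-link peers are never
    seen by the gateway; off-link peers need an allowlist entry."""
    direct = on_link_peers(inventory)
    return {
        src: sorted(set(direct[src]) |
                    {dst for (s, dst) in allow if s == src and dst in inventory})
        for src in inventory
    }


if __name__ == "__main__":
    for label, inv in (("flat /24", FLAT), ("per-device /32", SEGMENTED)):
        print(label)
        for src, peers in reachable(inv, GATEWAY_ALLOW).items():
            print(f"  {src} -> {peers or 'nothing'}")
```

On the flat /24 every device treats the other two as on-link, so no policy point sees that traffic; with /32 masks every peer is off-link and only the allowlisted pair remains reachable.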
Where should I start with microsegmentation?
Most CISOs harbor memories of segmentation projects that went wrong, seemed to drag on without end, or lacked clear success metrics. With legacy architectures, these initiatives were complex, often involving a swelling lineup of firewalls with increasingly complex rulesets. Today, AI is an indispensable tool in launching and managing segmentation projects.