Essential building blocks

From Network Access Control (NAC) to Network Segmentation, addressing the need for a more secure network architecture is vital, states Myles Bray, VP EMEA at Forescout

Over the last 20 years, Network Access Control (NAC) has become a fundamental component for enterprises looking to build a resilient cyber strategy. The technique, which applies policy-based rules to grant or deny devices access to a network, provides a general and somewhat basic level of network security: in simple terms, a 'you're in or you're out' decision. Recently, however, the volume and diversity of internet of things (IoT) and operational technology (OT) devices has increased so much that NAC must now provide a deeper level of insight into the posture of each device in order to grant or deny access at varying levels. As devices continue to diversify, full visibility, classification and policy enforcement all become more difficult.

In brief, this increased diversity of emerging technologies, such as IoT and OT devices, has exposed the limitations of earlier NAC models. Many devices are now connected to networks that are ill-equipped to deal with the related risks, and a new approach is needed.

Segmentation is the necessary barrier to connection

For organisations with flat networks, the ease with which intruders can pivot laterally results in greater disruption of, and damage to, both property and reputation. For example, the NotPetya malware attack hit shipping company Maersk, forcing it to halt operations while it ensured the network was clear of the malware. This caused critical disruption across the business and could have been limited had its network architecture restricted lateral movement once initial access was gained.

Flat networks cannot provide the level of granularity that segmented networks achieve. When IoT and OT devices gain access to a flat network, they, and anyone who compromises them, are free to move laterally; the lack of segmentation also limits visibility and creates blind spots that can later be exploited. Network segmentation, however, can be dynamic. By applying a Zero Trust approach across all environments and to all devices, with different policies for the computer at the front desk and the CEO's laptop, for instance, the damage an attack can do is limited automatically.

CISOs are finding it difficult to provide this security. Maintaining close control of their networks and device ecosystem becomes harder as IoT and OT devices multiply. To achieve effective security, the full context of each connected device must be available, so that both visibility and control can be regained. From the data centre to cloud and OT environments, devices can then be given only the access they need, rather than access to the entire network.
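The policy model described above (a NAC decision that places a device in a segment based on its classification and posture, plus default-deny rules between segments) can be made concrete in a few lines. The following is an added example written for this article; it is not Forescout or eyeSegment code, and every device record, segment name, port and flow rule in it is an assumption constructed for illustration. It computes the "blast radius" of a compromised device on a flat network versus a segmented one, and shows the decision being re-run when a device's posture changes.

```python
"""Toy NAC-plus-segmentation policy engine.

Added example for this article; it is not Forescout or eyeSegment code. Every device,
segment name and flow rule here is constructed for illustration.
"""
from dataclasses import dataclass, replace
from typing import Set, Tuple


@dataclass(frozen=True)
class Device:
    mac: str
    kind: str      # classification from fingerprinting: "laptop", "ip_camera", "plc", "phone", ...
    managed: bool  # enrolled in corporate management (agent or MDM present)
    patched: bool  # posture check passed
    role: str      # role of the assigned user: "exec", "staff", "frontdesk", or "" if none


# Segments the policy can place a device in or route a flow to (constructed).
SEGMENTS: Set[str] = {
    "corp_user", "corp_exec", "corp_servers", "iot_cameras", "nvr",
    "ot", "ot_historian", "guest", "quarantine", "patch_server",
}

# Default-deny allow list of (source segment, destination segment, destination TCP port).
# Anything not listed is dropped: this is the Zero Trust part.
ALLOWED_FLOWS: Set[Tuple[str, str, int]] = {
    ("corp_user",   "corp_servers", 443),
    ("corp_exec",   "corp_servers", 443),
    ("corp_exec",   "corp_servers", 22),   # executives' laptops also get SSH (assumed policy)
    ("iot_cameras", "nvr",          554),  # cameras may only stream RTSP to the recorder
    ("ot",          "ot_historian", 502),  # PLCs may only talk Modbus/TCP to the historian
    ("quarantine",  "patch_server", 443),  # unpatched hosts get a remediation path only
}

# Ports an intruder would typically probe; used to measure reachability, not to allow anything.
PROBE_PORTS: Set[int] = {p for (_, _, p) in ALLOWED_FLOWS} | {445, 3389}


def assign_segment(d: Device) -> str:
    """NAC decision: not 'in or out' but which segment, from classification and posture."""
    if d.kind in ("plc", "hmi"):
        return "ot"
    if d.kind == "ip_camera":
        return "iot_cameras"
    if not d.managed:
        return "guest"
    if not d.patched:
        return "quarantine"
    if d.role == "exec":
        return "corp_exec"
    return "corp_user"


def reevaluate(d: Device, **changes) -> str:
    """Dynamic segmentation: re-run the decision when a device's posture changes."""
    return assign_segment(replace(d, **changes))


def flow_allowed(src_seg: str, dst_seg: str, port: int, flat: bool = False) -> bool:
    """Enforcement point: in a flat network nothing is filtered; otherwise default deny."""
    if flat:
        return True
    return (src_seg, dst_seg, port) in ALLOWED_FLOWS


def blast_radius(d: Device, flat: bool = False) -> Set[str]:
    """Other segments a compromised device could open a connection into."""
    src = assign_segment(d)
    return {
        dst for dst in SEGMENTS - {src}
        if any(flow_allowed(src, dst, p, flat) for p in PROBE_PORTS)
    }


# Constructed inventory (MACs are made up).
FRONT_DESK = Device("00:11:22:33:44:01", "laptop", managed=True, patched=True, role="frontdesk")
CEO_LAPTOP = Device("00:11:22:33:44:02", "laptop", managed=True, patched=True, role="exec")
LOBBY_CAM = Device("00:11:22:33:44:03", "ip_camera", managed=False, patched=False, role="")
LINE_PLC = Device("00:11:22:33:44:04", "plc", managed=False, patched=False, role="")
BYOD_PHONE = Device("00:11:22:33:44:05", "phone", managed=False, patched=True, role="staff")


if __name__ == "__main__":
    for dev in (FRONT_DESK, CEO_LAPTOP, LOBBY_CAM, LINE_PLC, BYOD_PHONE):
        seg = assign_segment(dev)
        print(f"{dev.mac} {dev.kind:10} -> {seg:12} "
              f"flat reach={len(blast_radius(dev, flat=True))} "
              f"segmented reach={sorted(blast_radius(dev))}")
    print("CEO laptop fails posture ->", reevaluate(CEO_LAPTOP, patched=False))
```

On the flat network every device, including the lobby camera, can reach all nine other segments; with the allow list in place the camera reaches only the recorder, the unmanaged phone reaches nothing internal, and the CEO's laptop differs from the front-desk machine only in the extra SSH rule. The `reevaluate` call is the part a real enforcement system has to get right: a segment assignment made at connection time is only as good as the posture data it was based on, so the decision has to be re-run when that data changes.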

Forescout's eyeSegment product, its answer to the enterprise-wide network segmentation riddle, enables exactly these measures. By tying together siloed segmentation policies, previously enforced by fragmented technologies, under a unified policy approach and enabling a Zero Trust model, granular security controls can be achieved.

Attempting to implement new security controls across the extended enterprise is no easy task. Grappling with a growing number of attack vectors while meeting ever more compliance directives, CISOs have their hands full. Recent advances in network segmentation are designed to let businesses automate threat detection and isolation without impacting operations. By limiting risk, maximising control and verifying that controls are effectively implemented across the network, enterprises can better prepare for and manage the inevitable next wave of cyber threats.