T-Systems-Claim-Logo
Search
Golden safety lock

What is micro-segmentation and how does it slow down attackers?

Through the story of Maersk, learn how a ransomware attack could have been prevented and understand how micro-segmentation works

08 June 2023Dheeraj Rawal

Traditional castle-and-moat network security

In centuries past, building walls around a castle was one of the commonest ways to defend it. These walls had other elements, like towers, moats and drawbridges. A conventional cyber security approach is very similar to this defence model, called the castle-and-moat model or perimeter-based security. 


But nowadays, businesses must put equal effort into building both external and internal defences. They can achieve this through micro-segmentation.

The danger within

IM-Graphic-1

A conventional security model has some fundamental flaws; it automatically trusts everything inside the perimeter and assumes that attackers will not emerge from inside. Moreover, if the walls are breached, there’s nothing inside the castle to defend or contain attacks. 

Malware and advanced persistent threats (APTs) linger to strike organisations. A traditional perimeter-focused security setup, therefore, is ineffective nowadays. Despite different security systems like firewalls, antivirus software and intrusion prevention systems, some cyber criminals may still be able to breach your perimeter. These threats can remain inside a company’s network in a sleep state for months before becoming active. Nowadays, coordinated cyber attacks are notorious for lying undetected for weeks and months before full-fledged attacks are started.  

These threats then leap in a lateral movement from server to server, enabling cyber criminals to exploit sensitive data as there are few security controls to contain the attack.

How does micro-segmentation work?

IM-Graphic-2

The main objective of micro-segmentation is to restrict an attackers’ movements inside a company’s systems, in order to contain the damage to a large extent. 

Network segmentation allows organisations to divide servers, systems, workloads and applications into smaller isolated segments. Different segments can have unique security controls.

IM-Graphic-3

The concept is often compared to a submarine design, where the segments or compartments are built so that if there’s a breakage or puncture in one of the compartments, the flooding is contained to that section only. The other areas remain watertight.  

Reducing the attack surface

The organisation can contain the attack if a hacker gains access to one of the segments. This restricts the malicious actor’s ability to move from one segment to another and allows organisations to minimise the attack surface. As the hacker remains locked inside one area, their ability to see into others is also limited, reducing the risk of unauthorised access. 

Enterprises can deploy different security control levels to reflect each segment’s criticality. Simply put, you can give your segments containing critical systems or sensitive data an extra layer of protection. Furthermore, these controls can trigger alarms in case of a breach related to that segment. Such features improve threat detection at early stages. 

What are the benefits of micro-segmentation?

As more enterprises adopt cloud platforms, perimeter-based security becomes less relevant, and concepts like micro-segmentation and zero-trust security are gaining ground. Micro-segmentation fits the bill for those with critical assets and infrastructures that need an extra layer of protection from ransomware and other cyber attacks. The benefits include: 

  • Enhanced security: isolating different segments improves an organisation’s security posture by making it difficult for attackers to cause further damage. 
  • Improved access control: granular access control allows an organisation to apply zero trust based policies, ensuring that only authorised people can access resources.  
  • Increased visibility and detection: monitoring traffic inside a segment makes it possible to detect anomalies and breaches in the early stages of an attack, enabling faster mitigation. 
  • Faster incident response: with speedier threat detection, an organisation can deploy the right triggers and remediation techniques to minimise the damage and downtime and bring experts in early.  
  • Meeting compliance requirements: better protection and security controls can help organisations meet some of their compliance requirements. For instance, the NIS2 directive requires companies with critical infrastructures in the European Region to have enhanced security. Micro-segmentation is one of the best solutions here. 
  • Flexibility and scalability: organisations can implement micro-segmentation in different network environments like on-premises, cloud or hybrid environments. They can modify security controls to meet their requirements for even more flexibility.   

Ransomware that attacked 49,000 computers in 7 minutes 

Maersk was one of the many companies severely impacted by the NotPetya ransomware attack.

The logistics giant was unknowingly using compromised accounting software, M.E.Doc. In June 2017, companies using the software received an update in a phishing email containing malware. The attack spread across networks like wildfire in under seven minutes, exploiting vulnerabilities. It also encrypted all the devices connected to those networks, rendering them unusable.

The attack struck Maersk like a bolt from the blue. As the world’s largest shipping company handling almost 1/5th of shipments, imagine the impact on world trade and logistics. The company was compelled to resort to manual operations during this time.

Interestingly, the company lost all domain controllers except one in Ghana. Due to a power cut, Ghana’s domain controller was off the network during the attack. This was a blessing in disguise; Maersk used that domain controller to restore its operations and recover data. 

It was reported that the attack cost Maersk about US$ 300 million. Cumulatively, the NotPetya attack cost affected companies around US$ 1.2 billion

Could Maersk have limited the attack? 

Could Maersk have contained and mitigated the attack? It’s very likely. 

  • It could have detected anomalous traffic with automation detection and response.   
  • Maersk’s data centres, backups and devices were attached to the network – could it have been possible to isolate them to prevent the attack from spreading? 
  • Had it applied privileged access management, zero trust-based policies and segmentation, Maersk could have contained the attack. It began when an administrator logged into the physical server – their access could have been denied. 

Of course, it seems easy with hindsight. Nevertheless, we must learn from others, especially in the cyber security domain. So, how should you approach micro-segmentation? 

Five tips before implementing a micro-segmentation solution

Before implementation, we recommend considering the following:  

  1. Assess your network: understand your current security and network architecture, and determine what assets and data are sensitive and need different layers of protection. 
  2. Define segments and security policies: segment your network based on departments, data sensitivity, business units, etc. Apply security policies that allow users access based on needs for zero-trust micro-segmentation.    
  3. Identify the right micro-segmentation solution: choose which micro-segmentation solution fits your organisation’s needs and current security architecture and maturity.  
  4. Plan and test implementation: create an implementation roadmap and define the scope for each phase. Run tests in a controlled environment to ensure business activities continue without interruption. Segmentation should not hamper business communications either.    
  5. Evaluate and update: review and maintain your micro-segmentation strategy as your business needs or the external environment changes, such as regulatory and compliance requirements. 

We can protect you with micro-segmentation 

T-Systems enables businesses to enforce process-level rules and policies to enhance their security posture. As a trusted partner of Akamai, T-Systems uses its Guardicore solution.  

Whether your cloud environment is private, public or hybrid, T-Systems can assist you in deploying micro-segmentation. We can help you identify business-critical applications and create granular policies that control the micro-segments’ traffic flow.  

You can even begin with our pre-defined templates and customise them to your needs.

About the author
Dheeraj Rawal

Dheeraj Rawal

Content Marketer, T-Systems International GmbH

Show profile and articles
Do you visit t-systems.com outside of Singapore? Visit the local website for more information and offers for your country.