Information security regulations are often vague and open to some interpretation, but one common theme across most is that you need to separate the systems with critical data from the rest of your network. The vast majority of employees in your organization should never have access to systems that:

  • process or store payment card data -- PCI DSS
  • qualify as Critical Cyber Assets (i.e. have a role in the operation of bulk power systems) -- NERC CIP
  • provide services not needed for internal business use -- FISMA
  • process or store protected health information (PHI) -- HIPAA

To summarize: whatever data you consider valuable to attackers should be kept in segments of your network that only a small, qualified group of individuals can access. This makes sense, but is it that easy?

The challenge of monitoring network zones

If network segmentation were simple, the past twelve months wouldn't have seen numerous breaches where a third-party vendor's credentials were used to access the network and begin moving from system to system until the valuable data was reached and the exfiltration process begun. Unless your organization has gone through the significant effort to

build an air-gapped network that is physically separated from the less secure portion of your network, restricted zones are connected to unrestricted zones with controls used to prevent unauthorized access, be they firewalls, access control, or a number of other options. This means that you don't have the benefit of an impenetrable wall between the critical servers and the computers on which your summer interns are watching John Oliver clips on Youtube.

Getting exactly what you need from an array of controls is very challenging because of the many exceptions that are made over the course of a year. More rules are created for firewalls between zones, more users are added to the privileged groups, and more software solutions in the protected network zones need access to the outside Internet for updates. Quickly, the benefits of segmenting your network begin to fade because it becomes a challenge to know exactly who can access it and how. This often means that the perfect-world impenetrable wall more closely resembles a beaver dam: it greatly reduces the flow to your protected zone, but it would be a challenge to predict exactly what will and will not get through.

UserInsight can help you detect network zone violations

Some of our customers explained this challenge to us and asked to simply be alerted when zone policies are violated. So, as is our way, we built a simple solution for this: just tell us the simple IP address ranges that makes up your zones to monitor and tell us which user groups can or cannot access it.

If one of your developers is accessing the production zone, we will immediately alert you.

If someone steals credentials belonging to a user outside the small group permitted to access the protected zone and tries them there, UserInsight will trigger one of our infrequent alerts like you see above.

Alternatively, if you want us to profile access to the critical assets in this zone and detect a change in behavior for the individuals that should be accessing them, you can tag these asset as critical. The first time your permitted users access the critical assets, you tell UserInsight that they are allowed to do so. We will continue to list any access made to the critical asset, but won't alert you again until they come from a different place.

In this alert, we are letting you know that, while Sara Hughes has legitimately used this administrator account before to access the critical asset, she has never done it from this shared asset or her user endpoint. Either access could represent an insider or intruder stealing her credentials and using them to authenticate to this asset used to process or store valuable data.

If you would like to hear more about detecting unwanted access to the protected areas of your network, you can register for a free, guided demo of UserInsight.