Maximizing the Potential of Network Macrosegmentation

Organizations with connected devices are under constant attack. Cybercriminals can access sensitive data and disrupt critical operations when security fails, jeopardizing business continuity and, in some cases, safety.

Network segmentation is one of the most effective strategies for mitigating cyber threats. Macrosegmentation is an approach to network security that works by segmenting and isolating connected devices—including Internet of Things (IoT), operational technology (OT), and Internet of Medical Things (IoMT) devices—on an organization’s network. However, traditional segmentation approaches often fail because they rely on static configurations that can’t keep pace with the dynamic nature of modern networks, where new devices, updated applications, and evolving communication patterns are constant.

The Role of Macrosegmentation 

Macrosegmentation, the form of network segmentation most people mean when they say "network segmentation", describes breaking a network into a small number of broad segments, such as medical devices, OT, corporate users, and guests. Traffic between segments is governed by a next-generation firewall, Access Control Lists (ACLs), and VLAN configurations, which act as a digital barrier. This confines an attacker who compromises one device to that device's segment, limiting lateral movement and the damage a single intrusion can do.

Macrosegmentation also isolates connected devices by segment. Devices communicate freely with other devices in the same segment and can cross a segment boundary only where policy explicitly allows it; no device can reach every other device directly. This isolation reduces the chances of a successful attack and, should an attack occur, limits the potential damage to the affected segment.

While macrosegmentation provides essential protection, its effectiveness depends on understanding how connected devices actually communicate. Without continuous visibility into device behavior, communication patterns, and dependencies, segmentation policies can inadvertently block critical business workflows—such as OT devices communicating with enterprise systems or IoMT devices accessing electronic records—or leave dangerous gaps that attackers can exploit.

Because macrosegmentation involves broad policies that can cause operational problems when they ignore device-level nuance, microsegmentation can be used to break segments down further so that each device or application has its own zone. Microsegmentation offers greater control and security, but it can also be significantly more expensive and labor-intensive to set up. The challenge with both macro- and microsegmentation is that manually configuring and maintaining these policies becomes operationally complex, especially as organizational environments continuously evolve.

Macrosegmentation in Action 

Organizations across industries, large and small, have implemented macrosegmentation to protect their networks. Below are a few healthcare examples of this security practice in action.

Martin Luther King Jr. Community Hospital in Los Angeles uses segmentation and communication pathway monitoring for its medical IoT devices, which are contained on a dedicated network.

The team at Riverside Health in Chicago uses segmentation and strict access control. Critical patient devices such as insulin pumps get shielded by microsegmentation.

Larger organizations use more robust measures based on the same principles. Thien Lam, Vice President and CISO at the 14-hospital BayCare Health System in Florida, has explained that: “In terms of network segmentation, we’ve created a separate network for the medical devices so that the medical devices don’t talk directly to the production network.”

Manufacturing facilities segment OT systems—such as industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems—from IT networks to prevent cyber threats from disrupting production lines. Energy and utility companies isolate critical infrastructure devices to maintain operational resilience and protect against attacks that could compromise power generation or distribution systems.

Segmentation is a first-line defense against cyber threats. When an incident does occur, the attacker's impact is lessened because it is confined to one segment. However, a review by security firm Forescout found that nearly half of all connected devices studied showed signs of "immature segmentation implementation." This immaturity often stems from the operational complexity of maintaining segmentation policies manually. Research shows that 80% of segmentation projects fail to operationalize, not because segmentation isn't important, but because traditional approaches can't adapt to dynamic enterprise environments.

Network Segmentation Best Practices 

Segmentation is a big undertaking and requires resources and commitment. But it can play a big part in reducing risk exposure and potential attacks. Before you get started, assess your current network and IT infrastructure. Segmentation methods should be customized to suit your unique ecosystem while still ensuring that IoT, OT, and IoMT devices on your network are grouped so that they are separated from every other group, and in particular from groups that are directly connected to the internet or otherwise deemed untrustworthy. Modern segmentation requires continuous intelligence about device identity, vulnerabilities, actual communication patterns, and risk levels, not just a one-time assessment.

Once you've determined a strategy, here are network segmentation best practices to help ensure your devices are properly grouped and isolated:

Follow the Principle of Least Privilege 

Limit which users and devices can reach which systems. Grant access based on what each user or device actually needs to do its job, and nothing more.

This practice follows the principle of least privilege. Effective least-privilege policies must be based on how your network actually operates—which devices communicate with which systems, what traffic patterns are legitimate, and where the real risks lie. Intelligence-driven segmentation uses continuous monitoring to generate policies aligned with real behavior rather than assumptions.
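The two failure modes described above, policies that silently break a legitimate workflow and policies that leave gaps, both come from writing rules by assumption instead of from observed traffic. The following is an added example, not Asimily's code or a description of any product feature, of the basic workflow: collapse device-level flow records into segment-level least-privilege rules, then diff a hand-written policy against them. The inventory, segment names, addresses, ports and flow counts are constructed for illustration, and the ACL rendering targets Cisco IOS extended ACL syntax as one possible enforcement point.

```python
"""Added example (not Asimily's code): derive segment-level least-privilege
allow rules from observed flows and compare a hand-written macrosegmentation
policy against them. All inventory data and flow records are constructed."""
import ipaddress
from collections import defaultdict

# Constructed inventory: CIDR -> segment name (hypothetical addressing).
INVENTORY = {
    "10.10.1.0/24": "iomt",           # patient monitors, infusion pumps
    "10.20.1.0/24": "ehr",            # EHR / PACS application servers
    "10.30.1.0/24": "corp_users",     # staff workstations
    "10.40.1.0/24": "ot",             # building automation PLCs and HMIs
    "10.50.1.0/24": "internet_edge",  # outbound proxy / update relay
}

# Constructed flow records: (src_ip, dst_ip, proto, dst_port, flow_count),
# in the shape a NetFlow/IPFIX collector would export them.
OBSERVED_FLOWS = [
    ("10.10.1.15", "10.20.1.5", "tcp", 2575, 1200),  # HL7 results to EHR
    ("10.10.1.22", "10.20.1.5", "tcp", 2575, 980),
    ("10.20.1.5", "10.10.1.15", "tcp", 104, 45),     # DICOM query back to device
    ("10.30.1.40", "10.20.1.5", "tcp", 443, 5000),   # staff using EHR web UI
    ("10.30.1.41", "10.10.1.15", "tcp", 22, 3),      # workstation SSH to a pump
    ("10.40.1.7", "10.40.1.8", "tcp", 502, 20000),   # Modbus PLC <-> HMI, same segment
    ("10.50.1.2", "10.40.1.7", "tcp", 502, 2),       # edge relay -> PLC Modbus
    ("10.10.1.15", "10.50.1.2", "tcp", 443, 60),     # device firmware check via proxy
    ("10.60.1.9", "10.20.1.5", "tcp", 443, 15),      # device no segment claims yet
]

# A hand-written proposal drafted from assumptions rather than observed data.
PROPOSED_POLICY = {
    ("iomt", "ehr", "tcp", 2575),
    ("corp_users", "ehr", "tcp", 443),
    ("corp_users", "ot", "tcp", 3389),  # RDP to the HMI "just in case"
}


def segment_of(ip):
    """Map an IP to its segment, or 'unknown' for devices not yet inventoried."""
    addr = ipaddress.ip_address(ip)
    for cidr, seg in INVENTORY.items():
        if addr in ipaddress.ip_network(cidr):
            return seg
    return "unknown"


def derive_allow_rules(flows, min_count=10):
    """Collapse device-level flows into (src_seg, dst_seg, proto, port) rules.

    Returns (accepted, review, unclassified): rules backed by at least
    min_count flows, rare cross-segment flows that need a human decision
    rather than automatic whitelisting, and flows touching a device that
    no segment claims (a new device the inventory has not caught up with).
    """
    totals = defaultdict(int)
    unclassified = set()
    for src, dst, proto, port, count in flows:
        s, d = segment_of(src), segment_of(dst)
        if "unknown" in (s, d):
            unclassified.add((src, dst, proto, port))
            continue
        if s == d:
            continue  # intra-segment traffic is not governed by macro policy
        totals[(s, d, proto, port)] += count
    accepted = {r for r, c in totals.items() if c >= min_count}
    review = {r for r, c in totals.items() if c < min_count}
    return accepted, review, unclassified


def evaluate_policy(policy, flows):
    """Apply a default-deny-between-segments policy to observed flows.

    Returns (blocked, permitted) lists of (src_seg, dst_seg, proto, port, count).
    """
    blocked, permitted = [], []
    for src, dst, proto, port, count in flows:
        s, d = segment_of(src), segment_of(dst)
        allowed = s == d or (s, d, proto, port) in policy
        (permitted if allowed else blocked).append((s, d, proto, port, count))
    return blocked, permitted


def policy_gaps(policy, accepted):
    """Rules observed traffic needs but the policy lacks (workflows it would
    break), and rules the policy grants that no traffic ever used."""
    return accepted - policy, policy - accepted


def render_ios_acl(rules, name="SEGMENT-POLICY"):
    """Render rules as a Cisco IOS extended ACL ending in an explicit deny."""
    cidr_of = {seg: cidr for cidr, seg in INVENTORY.items()}
    lines = [f"ip access-list extended {name}"]
    for s, d, proto, port in sorted(rules):
        src, dst = ipaddress.ip_network(cidr_of[s]), ipaddress.ip_network(cidr_of[d])
        lines.append(f" permit {proto} {src.network_address} {src.hostmask} "
                     f"{dst.network_address} {dst.hostmask} eq {port}")
    lines.append(" deny ip any any log")
    return lines


if __name__ == "__main__":
    accepted, review, unclassified = derive_allow_rules(OBSERVED_FLOWS)
    missing, unused = policy_gaps(PROPOSED_POLICY, accepted)
    print("proposal would break:", sorted(missing))
    print("proposal grants but nothing uses:", sorted(unused))
    print("rare flows to review before allowing:", sorted(review))
    print("devices missing from inventory:", sorted(unclassified))
    print("\n".join(render_ios_acl(accepted)))
```

Run against the constructed data, the hand-written proposal would cut off the DICOM query path from the EHR back to the devices and the devices' firmware check through the proxy, both legitimate dependencies, while the RDP rule to the OT segment has never carried a flow and should be removed. The rare SSH session from a workstation to a pump and the Modbus attempt from the edge relay are kept out of the allow list and surfaced for review instead, and the device on 10.60.1.9 is flagged as unclassified rather than silently allowed or denied.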

Isolate Critical Data and Assets

Data critical to the organization’s functioning should be isolated from less sensitive data. This includes sensitive business information, financial and confidential data, devices connected to critical operations, and other essential assets—whether in healthcare, manufacturing, energy, or other sectors. Risk-based prioritization helps identify which devices and connections meaningfully contribute to your exposure, allowing you to focus segmentation efforts on protecting what matters most.

Limit third-party access 

Third parties should have minimal access to your core network, and only where a service genuinely requires it and you have reviewed and accepted the vendor's security controls. If you do grant access, the principle of least privilege applies again: scope it to the specific systems, ports, and time windows the service needs.

Regularly Monitor Network Activity 

Regular monitoring helps you detect suspicious activity close to real time, such as a device attempting a connection across a segment boundary that policy denies, and audit logs let you investigate anomalies and potential breaches after the fact.

Monitoring also shows whether your policies still match reality: rules that are never hit, flows that are repeatedly denied, and devices that no segment claims all become visible. Your network segments may need to shift as threats evolve. Segmentation should be a living security control, not a static configuration. Continuous monitoring enables segmentation policies to adapt as new connected devices are added, applications are updated, and communication patterns change, so that policies remain effective without constant manual intervention.

Use Asimily as the Intelligence Layer in Segmentation

Asimily’s features enable organizations to monitor their environments for threats and identify macro-level connected device risks. Asimily functions as an intelligence and orchestration layer for segmentation, continuously building a living model of your organizational environment by analyzing device behavior, communication patterns, vulnerabilities, and risk levels. This enables Asimily to automatically generate least-privilege segmentation policies aligned with how your IT, IoT, OT, and IoMT devices actually operate, then orchestrate enforcement through your existing network security tools—transforming segmentation from a manual, fragile process into an automated, adaptive security capability.

How Network Segmentation Compares to Other Risk Mitigation Activities 

Network segmentation is an essential security measure, but it’s not the only one that should be used in protecting connected devices. It should join other measures such as firewalls, patching, antivirus software, encryption, and authentication.

Firewalls, for example, are the usual enforcement point for segmentation: they block traffic between segments that policy does not explicitly allow. Antivirus software detects malware on hosts that can run an agent; patching removes known vulnerabilities from devices; encryption protects data in transit and at rest; and authentication ensures that only authorized users and devices can access networks and systems.

These measures are complementary and should be used together to create an effective security strategy. Network segmentation is the foundation of any good security plan and should be one of the first measures implemented. When segmentation is driven by continuous intelligence about device risk, vulnerabilities, and actual communication dependencies, it becomes significantly more effective—allowing organizations to target their security efforts where they’ll have the greatest impact on reducing exploitable attack paths.

A Holistic Approach to Connected Device Security 

To ensure the ultimate security of your network, consider taking a holistic approach to your connected device security. Network segmentation is just one part of ensuring a secure enterprise ecosystem.

Organizations must look at all measures that minimize the risk of a data breach. The main steps to strong connected device security management are listed below. You may only need to adopt some of these measures, so start with the first step and see if you need additional security before moving on.

Step #1: Patching, as mentioned, helps keep data secure by addressing vulnerabilities in the device. 

Step #2: Macrosegmentation refers to splitting the network into smaller segments.

Step #3: Use microsegmentation to restrict access further.

Step #4: Targeted segmentation creates segments based on device and application vulnerabilities. This risk-driven approach prioritizes segmentation efforts on the devices and connections that contribute most to your attack surface, using attack path analysis to determine where segmentation will have the greatest security impact.

Step #5: Configuration changes (device hardening) mean changing settings on the device itself, such as disabling unused services and ports and replacing default credentials, which may require hands-on access to the device.

Step #6: Upgrade or replace assets that cannot be segmented, patched, or mitigated.

Step #7: Build a holistic connected device security program for your organization. A truly holistic program integrates continuous intelligence across all risk mitigation activities, ensuring that patching decisions, segmentation strategies, and risk acceptance are all based on a unified, real-time understanding of your connected device environment.

Mitigate Connected Device Cyber Risk with Asimily 

Asimily provides a holistic connected device risk remediation platform that helps organizations across industries—including healthcare, manufacturing, energy, and utilities—secure devices and defend against cyber threats. Our platform is designed to help organizations identify, mitigate, and prevent threats.

Advanced inventory management allows for real-time visibility into your connected device fleet across IT, IoT, OT, and IoMT environments. Features like anomaly identification help detect suspicious activity, while granular classification allows you to apply more specific controls to limit potential exposure and reduce risk, such as segregating all devices of a certain type into their own segment. By continuously analyzing device behavior, communication patterns, vulnerabilities, and risk levels, Asimily automatically generates least-privilege segmentation policies that reflect how your connected devices actually operate—then orchestrates enforcement through your existing network security tools via APIs. This transforms segmentation from a static, manual project into a dynamic, intelligence-driven security control that adapts as your organizational environment evolves.

With Asimily, the entire security process is streamlined and automated. Organizations can confidently protect their data and devices. Segmentation becomes an operational security capability rather than a one-time implementation project – continuously protecting critical systems without disrupting essential workflows.

To learn more about Asimily’s Segmentation capabilities, schedule a demo with one of our product experts.
