When Network Segmentation is Too Slow to Mitigate Risk

Network segmentation can be a lengthy effort that can take a few weeks to months, depending on the project scope. Many organizations, especially those with a large fleet of connected devices, need more immediate solutions to risk mitigation. For example, industries that provide critical services, such as healthcare, manufacturing, energy, and utilities, have a low threshold for downtime, making it challenging to implement network segmentation.
The good news is organizations don’t have to choose between a lengthy outage and leaving their connected devices at risk. When organizations address risk at the device level, they can limit their attack surface, reduce their risk, and improve their security posture—without a lengthy time commitment.

Why is Network Segmentation Sometimes Too Slow to Mitigate IoT Risk?

Network segmentation is a go-to but often misunderstood cybersecurity tool. Segmentation is part of a risk mitigation strategy, not a panacea to address all cyber risks, especially fast-moving risks like vulnerabilities.

Network segmentation divides the network, restricting the organization’s attack surface and lowering the risk of attacks such as lateral movement. For organizations with a large attack surface of mixed IT and Internet of Things (IoT) devices, network segmentation is a large, slow-moving project that can lead to errors.

A hospital implementing network segmentation must balance security and efficiency to ensure critical medical devices remain functional. The hospital may isolate patient-monitoring IoT devices (e.g., infusion pumps, sensors, heart rate monitors) from general IT infrastructure such as administrative workstations and internet-facing systems. While this approach limits the risk of cyber threats, overly restrictive segmentation could inadvertently block essential communication between those IoT devices and network systems they depend on, such as electronic medical records (EMR) systems, causing disruptions in patient care.

Organizations need a deep understanding of all devices and the network to successfully implement network segmentation. According to data from Forrester, the network security team receives 5,000 network access change requests each year. A successful, balanced network segmentation rollout would need to be prioritized against the network security team’s existing workload, adding time to the project and allowing risks to go unchecked.

The results can be mixed even for organizations that roll out network segmentation. A study of 1,000 IT security decision-makers across seven countries found that even though 96% of organizations claimed to implement network segmentation, only 2% were segmenting mission-critical assets.

How Can Organizations Quickly Mitigate Device Risk?

Network segmentation takes time and only partially responds to overall IoT security challenges. One of the biggest roadblocks to a successful network segmentation rollout is obtaining deep context into the network and every device connected to it. An IoT security platform can help organizations address risk at the device level, reducing the burden on resource-thin internal teams.

Addressing risk at the device level includes applying security patches in a timely manner. Yet many companies find it hard to apply patches to all their IoT devices when they have broad network segments. Even when an organization has thousands of connected devices, only a small number may actually be at risk. For example, an organization with 3,500 IoT devices may only need to defend against 45 attack vectors, often related to unpatched vulnerabilities.

Lack of Insight Into New Patches

Organizations may not be aware of available updates or may lack the resources to deploy them. Research shows that IoT vendors often update firmware without changing the version number, with 44.3% of patches being implemented that way. As a result, teams cannot rely on the software version number to tell which IoT devices have a security update available, because a device reporting the "current" version may still be running an older, unpatched build.
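One defensive answer to the "same version string, different firmware" problem is to track the identity of the installed firmware image (its SHA-256 digest) alongside the advertised version string, and compare both against what the vendor currently publishes. The script below is an added example written for this article, not Asimily's code or any vendor's API; the device models, version strings, firmware image contents and the inventory are all constructed placeholders.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Device:
    device_id: str
    model: str
    reported_version: str   # version string the device advertises (e.g. via SNMP or its web UI)
    firmware_sha256: str    # SHA-256 of the firmware image actually installed on the device


def image_digest(image: bytes) -> str:
    """SHA-256 of a firmware image: the identity of a build, independent of its version string."""
    return hashlib.sha256(image).hexdigest()


# Constructed vendor baseline (hypothetical models, constructed image bytes): for each model,
# the version string and image hash of the current release as the vendor publishes it.
# Assumption: the baseline is the newest release, so any other image is older.
VENDOR_BASELINE: Dict[str, Dict[str, str]] = {
    "InfusionPump-X": {
        "version": "2.1",
        "sha256": image_digest(b"InfusionPump-X 2.1 build 2 (constructed)"),
    },
    "BedsideMonitor-Y": {
        "version": "5.0",
        "sha256": image_digest(b"BedsideMonitor-Y 5.0 (constructed)"),
    },
}

# Constructed inventory. pump-02 reports the current version but runs an older build:
# the silent-update case the text describes.
INVENTORY: List[Device] = [
    Device("pump-01", "InfusionPump-X", "2.1", image_digest(b"InfusionPump-X 2.1 build 2 (constructed)")),
    Device("pump-02", "InfusionPump-X", "2.1", image_digest(b"InfusionPump-X 2.1 build 1 (constructed)")),
    Device("pump-03", "InfusionPump-X", "2.0", image_digest(b"InfusionPump-X 2.0 (constructed)")),
    Device("mon-07", "BedsideMonitor-Y", "5.0", image_digest(b"BedsideMonitor-Y 5.0 (constructed)")),
    Device("cam-11", "LobbyCamera-Z", "1.4", image_digest(b"LobbyCamera-Z 1.4 (constructed)")),
]


def classify(device: Device, baseline: Dict[str, Dict[str, str]] = VENDOR_BASELINE) -> str:
    """Compare image hash first, version string second.

    Returns one of: "current", "silent_update_available", "version_outdated", "unknown_model".
    """
    ref = baseline.get(device.model)
    if ref is None:
        return "unknown_model"                 # no vendor baseline: cannot judge, needs triage
    if device.firmware_sha256 == ref["sha256"]:
        return "current"                       # exact image the vendor currently ships
    if device.reported_version == ref["version"]:
        return "silent_update_available"       # same version string, different image underneath
    return "version_outdated"                  # ordinary out-of-date version


def audit(inventory: List[Device] = INVENTORY,
          baseline: Dict[str, Dict[str, str]] = VENDOR_BASELINE) -> Dict[str, str]:
    """Status per device id."""
    return {d.device_id: classify(d, baseline) for d in inventory}


def needs_update(inventory: List[Device] = INVENTORY,
                 baseline: Dict[str, Dict[str, str]] = VENDOR_BASELINE) -> List[str]:
    """Device ids that should be queued for a firmware update, sorted for stable output."""
    return sorted(d.device_id for d in inventory
                  if classify(d, baseline) in ("silent_update_available", "version_outdated"))


if __name__ == "__main__":
    for dev_id, status in audit().items():
        print(f"{dev_id}: {status}")
    print("queue for update:", needs_update())
```

The point of comparing the hash before the version string is that a version-only check would mark pump-02 as current and leave it unpatched; the hash comparison catches it. Devices whose model has no vendor baseline are reported separately rather than silently treated as current.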

Potential Service Disruptions from Applying Patches

Many organizations delay applying patches and firmware updates to IoT devices because the process typically means taking IoT devices offline, leaving them nonfunctional. To add more complexity to the process, some devices may have special requirements to maintain cluster failover or other special states. 

Difficulty Managing Patches Across Multiple Teams

An additional complication comes from the lack of clarity surrounding which team is responsible for patching and updating. Data from Gartner shows that 52% of respondents cited conflicting priorities between IT and infosec as a major challenge for patching. This creates an inconsistent patch handoff process and directly impacts teams’ willingness to apply patches. Between not knowing if a patch or update is available and not knowing who should apply it, securing IoT devices is an ongoing struggle for many organizations— but it doesn’t have to be.

Automating Patch Management To Rapidly Mitigate Risks

IoT devices are integrated into nearly every facet of modern business. Organizations need complete visibility into their entire device fleet, including which devices have patches and updates available. An IoT security platform can simplify patching and firmware installations, allowing organizations to reduce their exposure and minimize their exploitable attack surface. 

Unified Patch Management Process

Every IoT vendor’s method for deploying patches and firmware updates is different, and an IoT security platform can continuously monitor manufacturer websites and other relevant sources for the latest firmware releases applicable to the supported IoT devices within your environment.

Scheduled Patching

Typically, patches and updates require planned downtime. An IoT security platform can automate the deployment process, supporting on-demand updates for individual devices or scheduling bulk updates to minimize disruptions in devices that are part of critical workflows or processes.

Bulk and Automated Patching

With an IoT security platform like Asimily, organizations can patch devices in bulk or use new firmware releases to trigger automated updates. A dedicated IoT security platform allows organizations to treat these difficult-to-manage devices the same way they treat traditional endpoints.
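The scheduling described under "Scheduled Patching" and "Bulk and Automated Patching" above, together with the cluster failover concern raised earlier, can be captured in a small planner: group the devices that need an update by their approved maintenance window, then split each window into waves so that no wave takes every member of a failover cluster offline at once. This is an added illustration written for this article, not Asimily's scheduler; the window labels, cluster names and device list are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PatchJob:
    device_id: str
    window: str               # maintenance window the device may go offline in, e.g. "sun-01:00"
    cluster: Optional[str]    # failover cluster the device belongs to, or None if standalone
    update_available: bool    # result of an update-availability check (see earlier example)


# Constructed sample fleet: one standalone pump, a three-node EMR gateway cluster, one HVAC controller.
JOBS: List[PatchJob] = [
    PatchJob("pump-01", "sat-02:00", None, True),
    PatchJob("pump-02", "sat-02:00", None, False),
    PatchJob("emr-gw-a", "sun-01:00", "emr-gateway", True),
    PatchJob("emr-gw-b", "sun-01:00", "emr-gateway", True),
    PatchJob("emr-gw-c", "sun-01:00", "emr-gateway", True),
    PatchJob("hvac-ctl-1", "sun-01:00", None, True),
]


def build_plan(jobs: List[PatchJob] = JOBS) -> Dict[str, List[List[str]]]:
    """Map each maintenance window to an ordered list of waves (lists of device ids).

    Cluster members are dealt round-robin into successive waves, so each wave contains at most
    one member of any cluster and the remaining members keep serving while it is updated.
    Standalone devices all go into the first wave of their window.
    """
    by_window: Dict[str, List[PatchJob]] = defaultdict(list)
    for job in jobs:
        if job.update_available:
            by_window[job.window].append(job)

    plan: Dict[str, List[List[str]]] = {}
    for window, members in sorted(by_window.items()):
        waves: Dict[int, List[str]] = defaultdict(list)
        placed_per_cluster: Dict[str, int] = defaultdict(int)
        for job in sorted(members, key=lambda j: j.device_id):
            if job.cluster is None:
                waves[0].append(job.device_id)
            else:
                wave_idx = placed_per_cluster[job.cluster]
                placed_per_cluster[job.cluster] += 1
                waves[wave_idx].append(job.device_id)
        plan[window] = [waves[i] for i in sorted(waves)]
    return plan


def plan_is_safe(plan: Dict[str, List[List[str]]], jobs: List[PatchJob] = JOBS) -> bool:
    """Independent check: no single wave may contain every member of a multi-node cluster."""
    cluster_size: Dict[str, int] = defaultdict(int)
    cluster_of: Dict[str, str] = {}
    for job in jobs:
        if job.cluster is not None:
            cluster_size[job.cluster] += 1
            cluster_of[job.device_id] = job.cluster
    for waves in plan.values():
        for wave in waves:
            taken: Dict[str, int] = defaultdict(int)
            for device_id in wave:
                if device_id in cluster_of:
                    taken[cluster_of[device_id]] += 1
            if any(taken[c] >= cluster_size[c] for c in taken):
                return False
    return True


if __name__ == "__main__":
    plan = build_plan()
    for window, waves in plan.items():
        for n, wave in enumerate(waves, 1):
            print(f"{window} wave {n}: {', '.join(wave)}")
    print("safe:", plan_is_safe(plan))
```

Keeping `plan_is_safe` separate from `build_plan` is deliberate: the check can be run against any plan, including a hand-edited or vendor-generated one, before the bulk job is released, which is where a naive "patch everything in the window" plan would be rejected.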

The result? Fewer tickets for the network security team, a better overall security posture for the organization, and a decreased risk of IoT-related security breaches.

Asimily: Complete Risk Management for Your Entire Network

For many organizations, downtime is simply not an option. However, the complexity of patching IoT devices doesn’t have to be a barrier to risk reduction and mitigation. Organizations with a large, diverse fleet of IT and IoT devices can use an IoT security platform to manage risk end-to-end, with one-click patching and updates for IoT to address risk at the device level.

The Asimily platform has long been purpose-built for connected device security. With Asimily, organizations are no longer in the dark about the state of their IoT device fleet. Asimily builds and maintains a comprehensive inventory of devices, monitors device behavior for anomalies, and simplifies the process of applying patches and updates, all within one unified platform.

With over 40,000 vulnerabilities discovered last year, your team deserves every advantage over fast-moving cyber threats. Let Asimily give your team the information they need to make proactive risk mitigation and management decisions that ensure uptime and create a stronger security posture.

To learn more about Asimily and the IoT patch management functionality, reach out now to book a demo.

Reduce Vulnerabilities 10x Faster with Half the Resources

Find out how our innovative risk remediation platform can help keep your organization’s resources safe, users protected, and IoT and IoMT assets secure.