Network Segmentation: Limiting Blast Radius Cost-Effectively
Network segmentation — dividing a network into isolated zones with controlled access between them — is one of the most effective controls for limiting the damage of a successful cyber attack. In a flat, unsegmented network, an attacker who compromises any single device can potentially reach every other device. Segmentation ensures that compromising one zone does not automatically grant access to the rest of the environment.
Why Segmentation Matters
The majority of significant cyber incidents involve lateral movement — an attacker gaining initial access through a phishing email or vulnerable endpoint, then moving through the network to reach high-value targets like database servers, domain controllers, or financial systems. Segmentation directly interrupts this attack pattern.
IBM's breach cost data consistently shows that organisations with effective network segmentation experience lower breach costs. Contained breaches — where the attacker is limited to a single segment — cost significantly less than breaches where the attacker achieves broad access across the environment. The cost reduction from effective segmentation can exceed 30% of total breach costs.
Segmentation Approaches
VLAN-based segmentation: The traditional approach, using VLANs and access control lists (ACLs) to create network zones. Effective but operationally complex to manage at scale and limited in granularity.
Firewall-based segmentation: Internal firewalls between network zones provide deeper traffic inspection and more granular policy control than VLANs alone. This adds cost but enables application-level segmentation policies.
Software-defined segmentation: Modern approaches use software-defined networking (SDN) or microsegmentation platforms to create dynamic, workload-level boundaries. These scale more effectively in cloud and hybrid environments and can enforce policies based on identity and context rather than network location alone.
Zero Trust segmentation: The most granular approach, treating every workload as its own segment and requiring authentication and authorisation for every connection. This provides the strongest containment but requires significant implementation effort.
Practical Implementation
- Identify crown jewels: Start by segmenting your most critical assets — databases containing sensitive data, domain controllers, financial systems, and industrial control systems.
- Map traffic flows: Before implementing segmentation, understand how applications and users communicate. Blocking a legitimate traffic flow can cause outages.
- Start with macro-segmentation: Create broad zones (user workstations, servers, OT systems, guest networks) before pursuing microsegmentation. This delivers the majority of the risk reduction with lower complexity.
- Monitor inter-zone traffic: Log and alert on unexpected traffic between segments. This provides detection capability on top of the containment benefit.
- Test and validate: Regularly test that segmentation policies are enforced as intended. Configuration drift and exceptions can gradually weaken segmentation over time.
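The "map traffic flows", "monitor inter-zone traffic" and "test and validate" steps above can be turned into a small, repeatable check. The script below is an added example, not part of the original article: it maps addresses to macro-segments, flags any inter-zone flow that is not on an allow-list derived from the traffic-mapping exercise, and keeps the segmentation intent ("guest never reaches OT", "users never reach databases directly") as regression cases so that an exception added later shows up as policy drift. The zone CIDRs, the allow-list, the CSV flow-log format and the sample records are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable

# Constructed macro-segment map (hypothetical addressing, not from any real network).
ZONES = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
    "databases": ipaddress.ip_network("10.30.0.0/24"),
    "ot": ipaddress.ip_network("10.40.0.0/16"),
    "guest": ipaddress.ip_network("192.168.100.0/24"),
}

# Constructed inter-zone allow-list, the output of a (hypothetical) traffic-flow
# mapping exercise: (source zone, destination zone, destination port).
ALLOWED = frozenset({
    ("workstations", "servers", 443),  # users to the web/app tier
    ("servers", "databases", 5432),    # app tier to PostgreSQL
})


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    proto: str = "tcp"


def zone_of(ip: str) -> str:
    """Map an address to its macro-segment; anything unmapped is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def is_allowed(flow: Flow, allowed: frozenset = ALLOWED) -> bool:
    """Policy decision for one flow. Intra-zone traffic is out of scope for a
    macro-segmentation policy; every inter-zone flow (and any flow involving an
    unmapped address) must match an allow-list entry."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone and src_zone != "unknown":
        return True
    return (src_zone, dst_zone, flow.dst_port) in allowed


def parse_flow_log(text: str) -> list[Flow]:
    """Parse the constructed CSV flow format: timestamp,src,dst,dst_port,proto."""
    flows = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        _ts, src, dst, port, proto = [f.strip() for f in line.split(",")]
        flows.append(Flow(src, dst, int(port), proto))
    return flows


def audit(flows: Iterable[Flow], allowed: frozenset = ALLOWED) -> list[str]:
    """Return one alert per inter-zone flow the allow-list does not cover."""
    alerts = []
    for flow in flows:
        if not is_allowed(flow, allowed):
            alerts.append(
                f"unexpected inter-zone flow {zone_of(flow.src)}->{zone_of(flow.dst)} "
                f"{flow.src}->{flow.dst}:{flow.dst_port}/{flow.proto}"
            )
    return alerts


def validate_policy(cases: list[tuple[Flow, bool]], allowed: frozenset = ALLOWED) -> list[str]:
    """Regression check: each (flow, expected_allowed) pair must match the policy.
    An empty result means the allow-list still enforces the recorded intent."""
    failures = []
    for flow, expected in cases:
        actual = is_allowed(flow, allowed)
        if actual != expected:
            failures.append(f"{flow.src}->{flow.dst}:{flow.dst_port} expected allowed={expected}, got {actual}")
    return failures


# Constructed sample flow records (not real telemetry).
SAMPLE_LOG = """
# timestamp,src,dst,dst_port,proto
2024-01-01T10:00:00Z,10.10.5.12,10.20.1.4,443,tcp
2024-01-01T10:00:01Z,10.20.1.4,10.30.0.10,5432,tcp
2024-01-01T10:00:02Z,10.10.5.12,10.30.0.10,5432,tcp
2024-01-01T10:00:03Z,192.168.100.7,10.40.2.9,502,tcp
2024-01-01T10:00:04Z,10.10.5.12,10.10.5.40,445,tcp
"""

# The segmentation design's invariants, kept as test cases (constructed).
POLICY_CASES = [
    (Flow("10.10.5.12", "10.20.1.4", 443), True),        # users -> app tier
    (Flow("10.10.5.12", "10.30.0.10", 5432), False),     # users never reach databases directly
    (Flow("192.168.100.7", "10.30.0.10", 5432), False),  # guest never reaches databases
    (Flow("192.168.100.7", "10.40.2.9", 502), False),    # guest never reaches OT
]

if __name__ == "__main__":
    for alert in audit(parse_flow_log(SAMPLE_LOG)):
        print(alert)
    # Simulate configuration drift: a "temporary" exception for guest -> databases.
    drifted = ALLOWED | {("guest", "databases", 5432)}
    for failure in validate_policy(POLICY_CASES, drifted):
        print("policy drift:", failure)
```

Run against the sample log, the audit flags the workstation-to-database and guest-to-OT flows and ignores the intra-zone SMB connection, which is the "monitor inter-zone traffic" step; the second half shows the "test and validate" step catching an allow-list exception that silently violates a recorded invariant. In practice the allow-list would be exported from the firewall or SDN controller rather than hand-written, and the audit would run over real flow logs on a schedule.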
ROI Considerations
Network segmentation costs vary widely based on approach — from $50,000 for VLAN-based segmentation using existing infrastructure to $200,000 or more for microsegmentation platforms. The ROI is strongest for organisations with high-value assets that would cause significant damage if compromised, and for environments where lateral movement is the primary risk amplifier.