How segmented is my network?
This paper provides a statistically principled metric that network security practitioners can use to measure segmentation, addressing the lack of existing tools for doing so.
The paper tackles the problem of quantifying network segmentation by defining segmentedness as the fraction of potential node-pair communications disallowed by policy, and shows that a minimum of 97 sampled node pairs is sufficient for a 95% confidence interval with a margin-of-error of ±0.1, independent of network size.
Network segmentation is a popular security practice for limiting lateral movement, yet practitioners lack a metric to measure how segmented a network actually is. We define segmentedness as the fraction of potential node-pair communications disallowed by policy -- equivalently, the complement of graph edge density -- and show it to be the first statistically principled scalar metric for this purpose. Then, we derive a normalized estimator for segmentedness and evaluate its uncertainty using confidence intervals. For a 95% confidence interval with a margin-of-error of $\pm 0.1$, we show that a minimum of $M=97$ sampled node pairs is sufficient. This result is independent of the total number of nodes in the network, provided that node pairs are sampled uniformly at random. We evaluate the estimator through Monte Carlo simulations on Erdős--Rényi, stochastic block models, and real-world enterprise network datasets, demonstrating accurate estimation. Finally, we discuss applications of the estimator, such as baseline tracking, zero trust assessment, and merger integration.
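The sampling argument above, as an added example that is not the paper's code: it derives the M=97 figure from the worst-case (p=0.5) normal-approximation sample-size formula, then estimates segmentedness of a constructed Erdős--Rényi policy graph from uniformly sampled node pairs and checks confidence-interval coverage by Monte Carlo. It assumes a plain proportion estimate with a Wald interval, which is a simplification of the paper's normalized estimator.

```python
import math
import random
from itertools import combinations

Z_95 = 1.959964  # two-sided 95% standard-normal quantile

def min_sample_size(margin: float = 0.1, z: float = Z_95, p: float = 0.5) -> int:
    """Smallest M with z*sqrt(p(1-p)/M) <= margin; p=0.5 is the worst case,
    so the result holds whatever the true segmentedness is (gives 97)."""
    return math.ceil(z * z * p * (1 - p) / (margin * margin))

def erdos_renyi_allowed(n: int, edge_prob: float, rng: random.Random) -> set:
    """Constructed policy: each unordered node pair is *allowed* to talk with
    probability edge_prob (Erdős-Rényi G(n, p)); everything else is disallowed."""
    return {(u, v) for u, v in combinations(range(n), 2) if rng.random() < edge_prob}

def true_segmentedness(n: int, allowed: set) -> float:
    """Exact value: fraction of the C(n,2) potential pairs that policy disallows,
    i.e. the complement of edge density."""
    return 1.0 - len(allowed) / math.comb(n, 2)

def estimate_segmentedness(n: int, allowed: set, m: int, rng: random.Random,
                           z: float = Z_95) -> tuple:
    """Sample m node pairs uniformly at random (with replacement), classify each
    against policy, return (estimate, ci_low, ci_high). Wald interval (assumption);
    it degenerates to zero width when every sample agrees, so treat p_hat in {0,1}
    with care on tiny samples."""
    disallowed = 0
    for _ in range(m):
        u, v = rng.sample(range(n), 2)            # uniform over distinct pairs
        if (min(u, v), max(u, v)) not in allowed:  # policy lookup is the only network-specific step
            disallowed += 1
    p_hat = disallowed / m
    half = z * math.sqrt(p_hat * (1 - p_hat) / m)
    return p_hat, max(0.0, p_hat - half), min(1.0, p_hat + half)

def coverage(n: int, edge_prob: float, m: int, trials: int, seed: int = 0) -> tuple:
    """Monte Carlo check: how often does the m-sample CI contain the true value?
    Returns (true_segmentedness, empirical_coverage); expect roughly 0.95."""
    rng = random.Random(seed)
    allowed = erdos_renyi_allowed(n, edge_prob, rng)
    truth = true_segmentedness(n, allowed)
    hits = 0
    for _ in range(trials):
        _, lo, hi = estimate_segmentedness(n, allowed, m, rng)
        hits += lo <= truth <= hi
    return truth, hits / trials

if __name__ == "__main__":
    m = min_sample_size()
    print("pairs needed:", m, "coverage on G(300, 0.3):", coverage(300, 0.3, m, 500))
```

Coverage stays near 0.95 whether n is 300 or 30,000, which is the size-independence the abstract claims; only the policy lookup needs to touch the real network.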