
TL;DR
This paper introduces a statistically principled scalar metric called segmentedness to quantify network segmentation, along with an estimator and confidence intervals, validated through simulations and real-world data.
Contribution
It defines segmentedness as a new metric for network segmentation, derives a normalized estimator, and evaluates its accuracy and confidence intervals using simulations and datasets.
Findings
A minimum of 97 node pairs sampled is sufficient for 95% confidence with ±0.1 margin of error.
The estimator accurately measures segmentedness in Erdős–Rényi, stochastic block models, and real enterprise networks.
The metric enables applications like baseline tracking, zero trust assessment, and merger integration.
Abstract
Network segmentation is a popular security practice for limiting lateral movement, yet practitioners lack a metric to measure how segmented a network actually is. We define segmentedness as the fraction of potential node-pair communications disallowed by policy -- equivalently, the complement of graph edge density -- and show it to be the first statistically principled scalar metric for this purpose. Then, we derive a normalized estimator for segmentedness and evaluate its uncertainty using confidence intervals. For a 95% confidence interval with a margin-of-error of ±0.1, we show that a minimum of 97 sampled node pairs is sufficient. This result is independent of the total number of nodes in the network, provided that node pairs are sampled uniformly at random. We evaluate the estimator through Monte Carlo simulations on Erdős–Rényi, stochastic block models, and…
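The sampling idea in the abstract, as an added example that is not the paper's code: it estimates segmentedness by checking uniformly sampled node pairs against a policy and compares the result with the exact value. The plain sample proportion, the normal-approximation (Wald) interval, the worst-case sample-size formula, the symmetric policy and the four-VLAN network are all assumptions made here; the formula reproduces the 97-pair figure.

```python
import math
import random
from itertools import combinations
from statistics import NormalDist

def min_pairs(margin, confidence=0.95):
    """Worst-case (p = 0.5) sample size for a proportion (assumed formula)."""
    z = NormalDist().inv_cdf(0.5 + confidence / 2)
    return math.ceil(z * z * 0.25 / margin ** 2)

def exact_segmentedness(nodes, allowed):
    """Fraction of all unordered node pairs the policy disallows (1 - edge density)."""
    pairs = list(combinations(nodes, 2))
    return sum(not allowed(a, b) for a, b in pairs) / len(pairs)

def estimate_segmentedness(nodes, allowed, m, confidence=0.95, rng=None):
    """Sample m node pairs uniformly at random; return (estimate, low, high)."""
    rng = rng or random.Random()
    z = NormalDist().inv_cdf(0.5 + confidence / 2)
    blocked = 0
    for _ in range(m):
        a, b = rng.sample(nodes, 2)      # two distinct nodes, every pair equally likely
        blocked += not allowed(a, b)
    s = blocked / m
    half = z * math.sqrt(s * (1 - s) / m)  # Wald half-width (assumption)
    return s, max(0.0, s - half), min(1.0, s + half)

# Constructed network: 200 hosts in 4 VLANs of 50; policy allows intra-VLAN traffic only.
NODES = list(range(200))

def same_vlan(a, b):
    return a // 50 == b // 50

if __name__ == "__main__":
    m = min_pairs(0.1)
    s, lo, hi = estimate_segmentedness(NODES, same_vlan, m, rng=random.Random(7))
    print(f"pairs sampled: {m}")
    print(f"estimate: {s:.3f}  95% CI: [{lo:.3f}, {hi:.3f}]")
    print(f"exact:    {exact_segmentedness(NODES, same_vlan):.3f}")
```

The sample size depends only on the margin and confidence level, not on `len(NODES)`, which is the independence property the abstract describes.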
