Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Breach security and lateral movement: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11631
Topic starter  

TL;DR: Attackers can move laterally in as little as 27 minutes after initial compromise, while average breach identification and containment still takes 258 days, according to ReliaQuest and IBM. In healthcare, pharmaceutical, and manufacturing environments, identity-based microsegmentation becomes the practical control that shrinks blast radius when perimeter defenses and flat networks fail.

NHIMG editorial — based on content published by Elisity: Breach Security: The CISO's Guide to Prevention and Containment in Healthcare, Pharmaceutical, and Manufacturing Organizations

By the numbers:

  • Attackers can achieve lateral movement across networks in as little as 27 minutes after initial compromise.
  • The average time to identify and contain a breach still hovers around 258 days.
  • Healthcare organizations experienced ransomware attacks at a rate of 67% in 2024.

Questions worth separating out

Q: How should security teams reduce breach spread after an initial compromise?

A: They should design containment around internal trust boundaries, not just perimeter detection.

Q: Why do flat networks make breaches harder to contain?

A: Flat networks let an attacker reuse one foothold to reach many systems with little resistance.

Q: What breaks when organizations rely on detection without containment?

A: Detection alone does not stop a compromised identity from moving to higher-value systems.

Practitioner guidance

  • Map internal east-west trust paths Inventory which users, workloads, medical devices, and OT assets can reach critical systems today, then remove paths that are not operationally required.
  • Tie segmentation to business-critical zones Define containment zones around claims systems, research repositories, production controllers, and other high-impact assets.
  • Validate MFA and credential strength on external entry points Review portals, remote access paths, and help-desk reset processes that can become the first step in breach chains.

What's in the full article

Elisity's full blog covers the operational detail this post intentionally leaves for the source:

  • Step-by-step identity-based microsegmentation deployment patterns for healthcare, pharma, and manufacturing networks
  • Operational examples of how segmentation reduced lateral movement across mixed IT and OT environments
  • Detailed breach cost and disruption figures from the incidents discussed in the source article
  • Implementation commentary on enforcing least-privilege traffic paths without introducing new hardware

👉 Read Elisity's breach security guide for healthcare, pharma, and manufacturing →

Breach security and lateral movement: are your controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11186
 

Identity blast radius is the real breach metric: Once an attacker lands, the controlling question is not whether an endpoint was compromised but how much of the environment that identity can still reach. Flat trust models turn one credential or device into a pathway across clinical, research, or production domains. Practitioners should treat blast radius as the primary containment metric, not an after-the-fact reporting metric.

A few things that frame the scale:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which shows how limited many teams' control over machine identities remains.

A question worth separating out:

Q: Which frameworks are most relevant to breach containment in hybrid environments?

A: NIST Cybersecurity Framework, NIST SP 800-53, and MITRE ATT&CK are all relevant when the goal is to reduce lateral movement and improve containment. They help teams map access control, monitoring, and attack tactics to the internal paths an adversary can use after entry.

👉 Read our full editorial: Breach security in critical industries needs identity-based containment



   
ReplyQuote
Share: