How segmented is my network?
Rohit Dube
TL;DR
This work introduces segmentedness as a scalar, policy-permissiveness metric for networks by modeling the network as a graph and using edge density $F(G)$ with segmentedness $S(G)=1-F(G)$. It develops a practical estimator $\hat{F}$ based on randomized sampling of node pairs and a robust connectivity test suite, accompanied by Wald confidence intervals and a sample-size bound that is independent of network size. Through simulations on Erdős–Rényi and stochastic block models, the method is shown to be unbiased and to have well-behaved coverage across diverse topologies, enabling reliable tracking of segmentation over time. The proposed metric supports actionable applications in zero-trust programs, merger integration, baseline tracking, and benchmarking, providing practitioners with a lightweight, interpretable tool for quantitative segmentation assessment.
Abstract
Network segmentation is a popular security practice for limiting lateral movement, yet practitioners lack a metric to measure how segmented a network actually is. We model a network as a graph and study segmentedness as a property captured by the global edge density, which can be estimated from sampled node pairs. We then derive an estimator and evaluate its uncertainty using confidence intervals. For a 95% confidence interval with a margin of error of $\pm 0.1$, we show that a minimum of $M=97$ sampled node pairs is sufficient. This result is independent of the total number of nodes in the network, provided that node pairs are sampled uniformly at random. We validate the estimator through Monte Carlo simulations on Erdős–Rényi and stochastic block models, demonstrating accurate estimation and well-behaved coverage. Finally, we discuss applications of the estimator, such as baseline tracking, zero trust assessment, and merger integration.
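The estimation procedure the abstract describes can be checked end to end on a small synthetic network. The following Python block is an added example, not code from the paper: it computes the Wald sample-size bound (which gives $M=97$ for a $\pm 0.1$ margin at 95%), builds a constructed stochastic block model whose blocks stand in for segments, samples unordered node pairs uniformly at random, computes $\hat{F}$, $\hat{S}=1-\hat{F}$ and the Wald interval, and measures empirical coverage over repeated draws. The connectivity test is simplified to a membership check in the allow-graph's edge set; the block sizes, edge probabilities, seed and function names are assumptions made for the example.

```python
import math
import random

Z_95 = 1.959964  # two-sided 95% normal quantile


def sample_size(margin, z=Z_95, p=0.5):
    """Wald sample-size bound M >= z^2 p(1-p) / margin^2. It depends only on
    the margin and confidence level, not on the number of nodes. p = 0.5
    maximises p(1-p), so it is the worst case over all edge densities."""
    return math.ceil(z * z * p * (1 - p) / (margin * margin))


def make_sbm(block_sizes, p_in, p_out, rng):
    """Constructed undirected stochastic block model (assumption for this
    example): blocks play the role of segments, p_in is the intra-segment
    allow probability and p_out the inter-segment one.
    Returns (n, set of edges (i, j) with i < j)."""
    block_of = [b for b, size in enumerate(block_sizes) for _ in range(size)]
    n = len(block_of)
    edges = set()
    for i in range(n):
        for j in range(i + 1, n):
            p = p_in if block_of[i] == block_of[j] else p_out
            if rng.random() < p:
                edges.add((i, j))
    return n, edges


def edge_density(n, edges):
    """Exact F(G): allowed pairs over all n(n-1)/2 unordered pairs."""
    return len(edges) / (n * (n - 1) / 2)


def estimate_density(n, allowed, m, rng):
    """F_hat from m unordered node pairs drawn uniformly at random (with
    replacement). allowed(i, j) stands in for the connectivity test."""
    hits = sum(1 for _ in range(m) if allowed(*rng.sample(range(n), 2)))
    return hits / m


def wald_ci(f_hat, m, z=Z_95):
    """Wald interval F_hat +/- z*sqrt(F_hat(1-F_hat)/m), clipped to [0, 1]."""
    half = z * math.sqrt(f_hat * (1 - f_hat) / m)
    return max(0.0, f_hat - half), min(1.0, f_hat + half)


def segmentedness(f):
    """S(G) = 1 - F(G); applies to the estimate as well."""
    return 1.0 - f


def coverage(n, allowed, true_f, m, reps, rng):
    """Fraction of replications whose Wald CI contains the true density."""
    covered = 0
    for _ in range(reps):
        lo, hi = wald_ci(estimate_density(n, allowed, m, rng), m)
        covered += lo <= true_f <= hi
    return covered / reps


def run_demo(seed=1):
    rng = random.Random(seed)
    # Three 40-node segments, dense inside and sparse across (assumed values).
    n, edges = make_sbm([40, 40, 40], p_in=0.6, p_out=0.05, rng=rng)
    allowed = lambda i, j: (min(i, j), max(i, j)) in edges
    m = sample_size(0.1)              # 97 pairs for +/-0.1 at 95%
    f_true = edge_density(n, edges)
    f_hat = estimate_density(n, allowed, m, rng)
    lo, hi = wald_ci(f_hat, m)
    return {
        "m": m,
        "F": f_true,
        "F_hat": f_hat,
        "S_hat": segmentedness(f_hat),
        "ci": (lo, hi),
        "coverage": coverage(n, allowed, f_true, m, 2000, rng),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Two points worth noting when adapting this to a real network: the pair sampler must be uniform over all unordered pairs (drawing a node and then one of its neighbours, or only pairs across subnets you already know about, biases $\hat{F}$), and the Wald interval is only well behaved when $m\hat{F}$ and $m(1-\hat{F})$ are both comfortably above a handful, so a nearly fully segmented network ($\hat{F}$ close to 0) calls for either more samples or a different interval.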
