
Ask the Expert: A Field CTO’s Guide to Cyber Resilience, Zero Trust Segmentation, and Business Continuity

Published April 23, 2026

According to Gartner, half of CISOs will formally rebrand their “cybersecurity” programs as “cyber resilience” programs by 2028 amid rising pressure to provably safeguard business continuity. But when downtime can cost enterprises as much as $5 million per hour, granular network security controls that could break critical connections are almost as risky as disruptive attacks. How can security leaders close the gap between resilience aspiration and reality – without introducing operational friction?   

Chris Boehm, Field CTO at Zero Networks, answered some of the most common questions organizations face as they aim to strengthen resilience without impacting legitimate traffic – get his perspective on blocking lateral movement (without breaking anything), isolating threats while maintaining operations, and making the Zero Trust journey practical. 

How can enterprises block lateral movement inside their network without disrupting operations?  

Chris Boehm: Lateral movement containment is done in multiple vectors and that's usually the problem for every business – when they start enabling protection, they start creating friction. So, the challenge you start running into is: how do you make that not cause disruption? And there are great ways to do it. Zero Networks is doing that today. We block primary ports – and when I say block, we disallow someone that's unauthorized to communicate. But if I, as a domain admin, log in and try to gain access to this machine, and I verify I am who I say I am, then I gain access.  

So, allowing a frictionless approach while friction's in place is how you continue business operations. The other part is understanding your full business operations. That’s another reason why Zero Networks is doing very well – they’re mapping out everything, they’re learning over a period of time. That’s why we’re not an instant click button and run; we have to learn your business, we harden it, and we provide visibility.  

[Blocking lateral movement] could totally hurt your business, and that’s why microsegmentation and lateral movement containment have been a challenge. Usually, it’s just block it all preventatively or react and respond (with EDR, for example). If you haven’t isolated to prevent breach spread, it’s an operational nightmare. That’s why companies like Zero Networks are popping up to solve that problem.

How can security teams quickly isolate infected systems without shutting down the whole network?  

Chris Boehm: When it comes to impacted machines or infected machines, the typical approach is: when [a breach is] detected, quarantine and isolate so it doesn't spread across your environment. The question is, what happens if it has already spread? CrowdStrike just released a data analysis that said the quickest spread they saw last year was 27 seconds – to jump on your machine, access what's going on, and then move laterally to a different machine. That’s pretty quick. Could an EDR respond in real time? I would hope so – that’s what it’s designed for, and that’s what it’s supposed to be doing, but assume it looks like me, smells like me, acts like me. EDR is going to say it should communicate and it’s not going to block that. That’s the real challenge here.  

So, how do you determine what is infected? It may be hard to know because most attacks nowadays are through a login; it looks like me and acts like me. It's not going to download a malicious payload right away. That’s where you get flagged. So, you act like a real user, then you cause the destruction after you’ve disabled everything. It’s not a simple approach, even though there are multiple tools out there on the market that help to [isolate infected systems].  

The main goal is learning, assessing what is going on in your environment, and then containing based on what is really necessary. That’s where microsegmentation comes in – let’s say I, as a domain admin, am communicating to this database server, and I never do that. If I verify I am who I say I am, it opens up privileged access just-in-time for me, and then it allows that communication, which could prevent a hacker from going in and bypassing my security measures. So, [microsegmentation] isolates, it prevents the spread.

What strategies help avoid user friction when introducing stricter access controls?  

Chris Boehm: The most common way to avoid friction in a business is understanding the flow of your operations. Typically, I’ll say, as an admin, you’re developing this code or working on this operation; what does it need to communicate to? Hopefully they have an answer – they’re the ones writing the code. Now, AI might be changing that conversation slightly; it might be an AI prompt saying ‘here’s what we need to do.’ Ideally, you open up the flow of communication and it just starts working based on what you told me.  

The problem you run into is over-privileged access or too much control. You could say, ‘I want to communicate to everything in this network,’ and now everything can connect, and that's where you have spread, unfortunately. Attackers can gain access to everything in that network. 

How you avoid that friction is by learning and assessing everything that's happening in your environment, knowing what is actually communicating from port, from application layer – the whole stack from endpoint to identity level, and then narrowing that down to the focus of what really matters. When it’s necessary to communicate to a device or application you don’t normally talk to, you should open it up and allow just-in-time access. That can be done through your identity provider, through conditional access, and then it gives me privilege to do what I need to do during that moment while isolating what’s in my environment.

How can zero trust reduce the blast radius of a successful endpoint compromise?  

Chris Boehm: When I see an endpoint compromise, most of the time I assume there's ransomware, a malicious payload, a Trojan, something has happened on that device, and I'm already assuming the EDR or antivirus in place, unfortunately, didn't catch it – or it's been compromised itself, so now it’s been exposed. In the ideal scenario, it would have been isolated and fixed right away, but again, we’re saying it has been compromised.  

The most useful thing to utilize in this space is the Zero Trust mindset. That means when someone’s on this machine, you never trust, but always verify. That’s where microsegmentation comes in, network isolation, containment – there needs to be a layer put in place to harden the exposure from spreading in your environment. If not, that compromise allows the communication to other devices.  

So, we’re assuming that they're in, they're on that machine, and it's bypassed everything. How do they move along? That’s why red teaming is so important. Give someone your domain credentials and a domain admin on that local machine connected to your network and see how far they can go. If they can keep spreading across your environment, you failed already. That means an attacker could do the exact same thing. If they have friction right off the bat and can't do anything, you’re winning. Especially if you can prove that if someone did compromise and bypass all those millions of dollars of spending on security, this is how I can successfully prevent a spread in my environment from taking down my business.

What are best practices for segmenting high-value business applications from the rest of the network?  

Chris Boehm: High-value applications or services are usually, in my opinion, what my customers are consuming and utilizing, or my backend engine that I'm writing my whole company off of. Then of course, authentication and elevated privileges, so your domain controllers, for example. So, how do you define and isolate that? Typically, you harden it; you might put in a DMZ if that’s necessary, but if customers are utilizing it then I can’t – I can’t have it too hard if I need to have external access.

Now we’re running into the common problem everyone has: everything is exposed. And it’s not just in an interconnected web, it’s all hosted on cloud platforms, intercommunicated; we’re assuming I put the right security postures in place, but I have the unfortunate possibility that something can access my environment that I’m unaware of. So, I want to prevent the spread of that information being abused.  

If I had a web application or I had consumer databases, and it's communicating and doing everything in the framework itself, what if something – or someone – did have access to this? How am I preventing it from going across my whole network? I have to learn, assess it, understand its patterns, harden it, and then allow access to it whenever I need to have access to it by opening it up temporarily with just-in-time access. That’s the best practice, and that’s where microsegmentation and the Zero Trust mindset come in for everyone looking at this kind of solution.
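The learn-then-harden-then-JIT model described in this answer and in the earlier answer on avoiding user friction can be sketched as a small policy engine. This is an added illustration, not Zero Networks' code: hostnames, ports and flow records are constructed, the MFA result and the clock are passed in explicitly, and the 15-minute grant lifetime is an assumed value.

```python
from dataclasses import dataclass, field

# Constructed flow records (src, dst, port) observed during the learning window.
# These stand in for what a learning phase would collect from real traffic.
LEARNED_FLOWS = [
    ("app-01", "db-01", 5432),
    ("app-01", "db-01", 5432),
    ("admin-ws", "app-01", 22),
    ("web-01", "app-01", 8443),
]


@dataclass
class Grant:
    """A just-in-time exception: one flow, allowed only until `expires` (epoch seconds)."""
    src: str
    dst: str
    port: int
    expires: int


@dataclass
class SegmentationPolicy:
    baseline: set = field(default_factory=set)   # flows learned as normal business traffic
    grants: list = field(default_factory=list)   # active JIT exceptions

    def learn(self, flows):
        """Learning phase: every observed flow becomes part of the allowed baseline."""
        for flow in flows:
            self.baseline.add(tuple(flow))

    def request_jit(self, src, dst, port, mfa_verified, now, ttl=900):
        """Open a flow outside the baseline only after identity verification succeeds.
        `mfa_verified` is the outcome of the identity provider / conditional access check
        (assumed to be performed elsewhere); the grant expires after `ttl` seconds."""
        if not mfa_verified:
            return False
        self.grants.append(Grant(src, dst, port, now + ttl))
        return True

    def decide(self, src, dst, port, now):
        """Enforcement: allow learned flows, allow unexpired JIT grants, deny everything else."""
        self.grants = [g for g in self.grants if now < g.expires]  # drop expired grants
        if (src, dst, port) in self.baseline:
            return "allow:baseline"
        for g in self.grants:
            if (g.src, g.dst, g.port) == (src, dst, port):
                return "allow:jit"
        return "deny"
```

The default-deny branch is what stops a stolen domain-admin session from reaching the database server it has never talked to before; the same admin still gets through after verifying, and only for the grant window.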

What’s the best way to roll out zero trust without disrupting business continuity? 

Chris Boehm: Zero Trust is a journey. It’s not a single solution or platform at all. When you walk through that journey, there are multiple frameworks – NIST has one, CISA has its own variation, there are open source frameworks – but the main thing is that it always starts with assessing what you have, how you're doing business, and then where are you creating friction along the way to never trust, but always verify.

You can start small; you can start with just the improvement of your identity posture, a slight hardening of your endpoint security – you can start doing what you need to do [incrementally], or you can look at solutions like Zero Networks. We’re assessing everything for you automatically; we’re hardening based on your business, and this is all done with a frictionless, agentless approach. So, you don't actually have to redesign and buy new hardware, or work on a completely new infrastructure. You add a segment server (which is what we do); we do line of sight, gain access into the information for each asset – application, identity, user – and build out a whole map for you, for your whole company. It takes 30 days, and then boom, you’re segmented. You can be 100% segmented, pushing toward that Zero Trust journey all within 30 days, and that’s pretty powerful.  

Strengthen Network Resilience to Protect Business Continuity with Zero Networks 

Zero enables security teams to build self-defending networks designed to protect operational continuity, automatically contain breaches, and strengthen cyber resilience – no multi-year implementation, no added complexity, and no disruptive rollout.  

By automatically discovering assets, learning traffic behavior, and enforcing granular, least-privilege policies across every network asset and identity, Zero Networks delivers comprehensive, identity-based microsegmentation that proactively limits blast radius with controls tied to explicit business need.  

Just-in-time MFA governs privileged access at the network layer, eliminating always-on pathways, and enforcement adapts based on real-time network visibility, so protection scales as the environment evolves. As a result, unauthorized lateral movement is blocked proactively, breaches are automatically contained, and Zero Trust initiatives make meaningful progress – all while operations continue to run normally.  

Learn how Zero Networks can help your organization build a cyber resilient architecture – request a demo.