Industry News – Advancing Network Threat Intelligence

When FireMon re-positioned itself around the concept of Proactive Security Intelligence at the beginning of 2014, the effort was undertaken with the notion of highlighting the critical role that data produced by our solutions plays in managing enterprise security and IT risk.

Sure, if you want to start at the most foundational element of the processes we support, as many of our customers do, it can be stated as simply as firewall management – getting a clear understanding of what network security device infrastructure is doing, then improving the performance and efficiency of those defenses, continuously.

However, the truth is, “firewall management” is far too narrow a way of communicating the overall value of what the FireMon Security Manager Platform and its supporting modules offer in terms of strategic information, thus the new messaging.


With all the intelligence that we produce regarding policy workflow, compliance validation and risk management, along with enablement of related process automation, we felt it was far more appropriate, if not completely defensible, to adopt this broader PSI mantra.

Intelligence, of course, has evolved into a very broad and encompassing industry buzzword, popular among security vendors of all breeds who feel that they provide critical data to inform strategic decision making – which admittedly could be almost any company on the landscape today.

Of all the various uses of intelligence, clearly, the most widely recognized arena (perhaps beyond long-standing ties to the SIEM market) these days is that of “threat intelligence”, or the real-time aggregation and distribution of information regarding emerging attacks to help both products and practitioners respond more adeptly as threat-scape conditions evolve.

So, it’s with keen interest that we at FireMon saw the news this week that industry heavyweights Fortinet, McAfee and Palo Alto Networks, all of whom are close partners of ours, announced a new high-profile effort (along with endpoint experts Symantec) to drive threat intelligence even deeper into the domain of network protection.

Some may roll their eyeballs at the introduction of yet another pan-industry coalition, but this is a pretty influential group in our world, and as such the launch of the involved “Cyber Threat Alliance” is certainly intriguing.

The reason is simple. Of all the uses that a product maker or practitioner could find for the latest and most comprehensive information regarding emerging threats, using that intelligence to assure that network defenses are in place and assets are effectively segmented is certainly one of them – a case echoed in the accompanying research white paper launched by the new coalition.

As highlighted by McAfee EMEA and Canada President Gert-Jan Schenk in the related announcement, the unprecedented rate and severity of recent breach incidents has come at the hands of “complex and multidimensional attacks” that dictate attention far beyond installation of more effective anti-malware systems at the network gateway or on endpoint devices.

Given that we’ve long stumped for the need to use current, in-depth visibility into the real-world alignment of network defenses, in relation to underlying assets and known vulnerabilities, to address risk exposure and mitigate available attack paths, this effort on the part of our partners, industry leaders all, is definitely something FireMon would support, heartily.

As our self-appointed corner of the market – Network Security Intelligence – continues to evolve and we move to help organizations better align their defenses to account for emerging attacks, it will be fascinating to see how threat intelligence continues to shape methodologies.

We’ll continue striving to be at the forefront, working with these types of thought leaders to enable more effective defense.

Black Hat 2014: RSA in the Desert?

So, I’ve been going to the Black Hat USA conference in Las Vegas for almost a solid decade now, and if there’s one thing that’s for sure, it’s that the conference continues to evolve.

Granted, when I first started attending Black Hat those many years ago, it was not as a marketing rep for a security solutions provider, but as a reporter attempting to get my head around the emerging threat/exploit landscape.

However, even if my time is no longer spent attending sessions, and trying (with varying degrees of success) to understand what is being presented, even just a walk across this year’s show floor evidences the continued shift towards a more business-centric audience.


This is nothing new, of course, as hardcore Black Hat attendees have been decrying the show’s evolution into more of an “RSA in the desert” for years, but it’s clear that with each passing summer this change becomes ever more the reality.

Even when I was working my first marketing gig for pen testing specialists Core Security six years ago, it was clear that ethical hackers, primarily researchers, still made up a huge swath of the Black Hat audience.

Certainly it has a lot to do with spending more of my time in the vendor exhibition space, but with each year I see more corporate names and government agencies listed on attendees’ badges, and fewer humorous attempts to dodge identification (though we do have several “ninjas” and at least one “director of rainbows and unicorns” listed among our 2014 lead gen candidates).

As I was discussing this topic with longtime industry guru Alan Shimel (currently of the CISO Group and Security Bloggers Network) we were debating the upsides and downsides of this phenomenon.

Firstly, neither of us would debate that there is still a treasure trove of extremely valuable research on the Black Hat schedule, and again, I can’t even make the claim in recent years of attending many of these sessions.

Another key component to consider is that there are the sister Def Con and parallel B-Sides Las Vegas shows, which cater directly and almost exclusively to ethical hackers – focused solely on research, which has allowed Black Hat to grow more… corporate.

You also, of course, have the phenomenon of people who started out as Black Hat researchers who now focus more on the security solutions side of things, having built vital businesses around the “thought leadership” (yup, it’s a loathsome term but one that works here) they used to share as conference presenters (the guys from White Hat Security are a perfect and high-profile example).

As noted above one of the other significant changes in Black Hat attendance is the ever-increasing number of people coming to the show representing various elements of the government. In years past there may have been a lot of Red Team/Blue Team types, sure – and there likely still are – but today there’s an overwhelming number of state and federal security operations and management officials that attend – with their names and titles displayed openly on their badges, another notable shift.

My impression is that many of the people who first came to Black Hat – and now may spend more time at Def Con or B-Sides – likely disparage the show’s change in interests, thinking that the event is now too focused on the business side of things.

For companies like FireMon, however, this change has made the event even more valuable, providing us with another fantastic opportunity to connect with existing customers and new prospects to tell them more about what our solutions can do.

Is the change good? Is it bad? That’s for each individual to decide on their own, but as Alan and I eventually agreed, it’s really just a natural evolution, as hacking and ethical research continue to mature and become an even bigger element of enterprise security.

No matter how you slice it, Black Hat continues to serve as an ideal venue for numerous elements of the security community to connect, and no matter what changes come it’s always a pleasure to be there.

The First Step in Firewall Review: Automated, Intelligent Identification

How many firewall rules exist in your Enterprise? 1,000? 10,000? 100,000+? Odds are, there are many, sometimes too many to count. So, when organizations face requirements like PCI DSS 1.1.7 (requirement to review firewall and router rule sets at least every six months), many know the review is a good idea but they are overcome by the magnitude of the problem. So, they do a sampling of the access rules in good faith or get through as many rules as they can by hand, and hope the auditor doesn’t dig too deep.

Policy Optimizer solves this problem. Because it is intelligently firewall aware, routing rules in for review is as simple as a Google search. Identifying every rule with a source or destination in the PCI zone with a powerful query allows all PCI rules to be quickly and easily routed into a workflow for review.

But that example barely scratches the surface of the intelligent identification capabilities in Policy Optimizer. Every rule that has a non-encrypted protocol and hasn’t been used in the last 60 days? No problem. Every access that was requested by the web hosting team and uses a high port? Easy. Every application access that now has a brand-new zero-day? Done.

Using these powerful controls Policy Optimizer overcomes the first hurdle in reviewing access: finding a needle in a haystack. Once you can identify what needs to be reviewed, the workflow takes over. I’ll talk about that in my next post.
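The kinds of rule-base questions listed above (rules touching the PCI zone, cleartext services unused for 60 days, high-port access requested by a given team) can be expressed as composable predicates over a rule set. The following is an added example written for this post, not Policy Optimizer’s code or query language; the rule fields, the cleartext service list and the sample rule base are all constructed assumptions.

```python
# Added example (not FireMon's code): composable queries over a constructed
# firewall rule base, mirroring the review questions listed in the post.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Rule:
    rule_id: str
    src_zone: str
    dst_zone: str
    service: str               # "proto/port", e.g. "tcp/443"; "any" allowed
    requester: str             # team that originally asked for the access
    last_hit: Optional[date]   # None = never matched since logging began


# Services the review policy treats as cleartext (assumption for this example).
CLEARTEXT_SERVICES = {"tcp/21", "tcp/23", "tcp/80", "udp/69", "tcp/110", "tcp/143"}


def _port(service: str) -> Optional[int]:
    """Return the numeric port of 'proto/port', or None for 'any' or a range."""
    try:
        return int(service.split("/", 1)[1])
    except (IndexError, ValueError):
        return None


def touches_zone(zone: str) -> Callable[[Rule], bool]:
    """Rules with the given zone as source or destination (e.g. the PCI zone)."""
    return lambda r: zone in (r.src_zone, r.dst_zone)


def stale_cleartext(days: int, today: date) -> Callable[[Rule], bool]:
    """Cleartext services with no hits in the last `days` days (or never hit)."""
    cutoff = today - timedelta(days=days)
    return lambda r: (r.service in CLEARTEXT_SERVICES
                      and (r.last_hit is None or r.last_hit < cutoff))


def high_port_from(team: str, threshold: int = 1024) -> Callable[[Rule], bool]:
    """Access requested by `team` whose destination port is >= threshold."""
    def pred(r: Rule) -> bool:
        p = _port(r.service)
        return r.requester == team and p is not None and p >= threshold
    return pred


def query(rules: List[Rule], *preds: Callable[[Rule], bool]) -> List[str]:
    """Rule ids matching every predicate; this is the set routed into review."""
    return [r.rule_id for r in rules if all(p(r) for p in preds)]


# Constructed sample rule base (not real customer data).
RULES = [
    Rule("r1", "dmz", "pci", "tcp/443", "payments", date(2014, 8, 1)),
    Rule("r2", "corp", "pci", "tcp/23", "netops", date(2014, 3, 2)),
    Rule("r3", "corp", "dmz", "tcp/80", "webhosting", None),
    Rule("r4", "web", "db", "tcp/8443", "webhosting", date(2014, 7, 30)),
    Rule("r5", "pci", "corp", "tcp/80", "payments", date(2014, 8, 5)),
    Rule("r6", "corp", "dmz", "any", "webhosting", date(2014, 8, 5)),
]
TODAY = date(2014, 8, 10)  # review date assumed for the example

if __name__ == "__main__":
    print("PCI zone rules:", query(RULES, touches_zone("pci")))
    print("Stale cleartext:", query(RULES, stale_cleartext(60, TODAY)))
    print("Webhosting high ports:", query(RULES, high_port_from("webhosting")))
    print("Stale cleartext into PCI:",
          query(RULES, touches_zone("pci"), stale_cleartext(60, TODAY)))
```

Predicates combine with AND, so the same building blocks answer both the broad PCI-scope question and narrower ones such as stale cleartext rules that also touch the PCI zone.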

For Security to Succeed We Need More Silo-Busting

In my role as editor-in-chief of I hear, read and write a lot about the need for all the various constituents of IT to work more closely together.

As such, I’m always happy to hear about new efforts aimed at breaking down existing barriers to that end, or what I like to call “silo-busting”. So when I saw FireMon’s recent launch of its new Policy Optimizer module, and its ability to bust down silos, I’ll admit it brought a smile to my face.


Policy Optimizer specifically breaks down existing silos across different sectors of IT in determining what firewall rules are either out of date, no longer necessary or even security risks. Much of this silo-busting is accomplished via automation – which is added music to a DevOps advocate’s ears.

Why is all of this silo busting and automation so important? The short, real-world answer is that today’s speed of business will accept nothing less.

A more detailed answer is that in today’s world:

  • Changes – including changes to code – happen multiple times a day
  • “Web-scale IT” measures servers and instances in the tens of thousands
  • Security must keep up or be left behind, always playing catch-up
  • Automation and cooperation among Devs, Ops and QA is a necessity

And of course, breaking down silos is a key ingredient in successfully addressing these realities.

I’ve been hearing that we need security to be “built in, not bolted on” almost since I first got involved in the security industry over 15 years ago; that security needs a seat at the IT table.

Policy Optimizer is just the kind of solution that fulfills this specific need. It provides the means for security to work with the rest of the IT team in a way that makes sense and allows business to move forward with the velocity it needs.

Now before we declare “mission accomplished”, let’s not get ahead of ourselves. We still have a long way to go to better integrate security into IT and truly bust down the involved silos. We need developers to have a greater sense of ownership when developing secure applications.

Just thinking firewalls for a second, it would be great if developers gave some thought as to who, when and what types of access users will require when building an application. Giving developers a say in setting firewall rules, for instance, makes sense.

Beyond the development team, how about working closer with the Ops folks too? Who knows the network better? Far too often the Ops team resides in a different silo than security teams and they thereby seem to work at loggerheads.

Again, this is why I like tools like FireMon’s Policy Optimizer and Risk Analyzer solutions. They give Ops insight into security decisions and policies. Ops shouldn’t feel that security and risk strategies are devised using black magic. Shining a light on why security decisions are made, giving Ops input into the process is how you get buy in, how you really break down silos; most importantly, this demonstrates how we can tangibly change our security posture for the better.

For some organizations this is still a very alien concept. Security teams are almost thought of as audit teams and are purposely set apart from the rest of IT. To me, this perpetuates a culture of failure around security. All you have to do is glance at the headlines on a regular basis to see that the old way of separate security teams is not working.

We need new, more effective solutions and these solutions must take into account new ways of business. Megatrends like Big Data, the cloud and mobility have fundamentally changed the equation for many businesses. If security is to be relevant, it must adapt and evolve.

For me, breaking down the silos around the security team sounds the death knell of standalone security teams. I look forward to the day when instead of having a standalone security team, everyone in the IT department is part of the security team. I don’t know if that will happen in my lifetime, but every step along the way, such as Policy Optimizer, is a step in the right direction.

Now, what can we automate next?

As Editor-in-chief of, a regular contributor to Network World, manager of the Security Bloggers Network and Chief Executive Officer at The CISO Group, Alan Shimel is attuned to the world of technology, particularly cloud, security and open source. Prior to his current positions, Alan was the co-founder and Chief Strategy Officer at StillSecure. Shimel is an often-cited personality in the security and technology community and is a sought-after speaker at industry and government conferences and events.

Gartner Security & Risk Summit: No Farewell to Firewalls

Every so often someone suggests that network firewalls are no longer necessary – typically based on the emergence of shiny new, “gotta have it” technology or the notion that this 20+ year old first line of defense – introduced at DEC in 1992 by Marcus Ranum – no longer matters.

However, if you listen to the experts – in this case leading industry analyst firm Gartner and their 14,000-plus clients – such claims are clearly misguided.


At the firm’s annual Gartner Security & Risk Management Summit nearly every session reinforced that firewalls, and more effective management of these inherently complex devices, are just as critical, if not more so, than ever.

From the summit’s opening keynote, stressing the need for CSOs to tie their efforts directly to business initiatives (and bridge IT silos with offerings like FireMon’s recently launched Policy Optimizer) – to breakouts dedicated specifically to corralling firewall policy and rule bases, the importance of stout firewall defenses was emphasized… repeatedly.

Sure, there was the point-counterpoint “Farewell to Firewalls” presentation in which Gartner’s forward-looking thought leader Dr. Joseph Feiman focused on the need for new applications-centric mechanisms, specifically embedded runtime application self-protection [RASP] capabilities.

But, as artfully advanced by Gartner network security guru Greg Young during the debate, and ultimately conceded by Feiman himself, the continued development and adoption of such emerging technologies will require continued reliance on firewalls.

Longtime Gartner risk expert Neil MacDonald’s session on “Continuous Advanced Threat Protection” hammered home the need for more proactive and context-aware management of network security infrastructure; MacDonald’s “Adaptive Security Architecture” emphasized that strategy must shift from traditional “detection” and “response” methodologies to more “predictive” and “preventative” tactics.

These observations validate FireMon’s vision that adding network security intelligence to existing cyber defenses can significantly automate manual processes and free security teams for other critical projects.

For further evidence, one needed to look no further than network security analyst Adam Hils’ overview of inquiry calls made by Gartner clients during the first half of 2014.

His hard numbers: a whopping 51 percent of the over 1,500 calls taken related directly to firewalls, and were divided between “my rule base is a mess, how can I clean-up and better manage?” and “next gen firewalls – should I migrate and how?”

The second place topic – IPS issues – only accounted for 22 percent of all calls.

So, there’s hard evidence that any predictions that firewalls are either yesterday’s news or increasingly less strategic are… highly overstated; the Gartner numbers simply don’t lie.

We update Gartner analysts regularly on our customer wins, real world ROI data and technology roadmap – and listen closely to the “pain points” they hear about from clients. These analysts understand precisely how valuable FireMon solutions can be in advancing your organization’s own network security posture.

So why take our word for it? Give them a call and find out for yourself.

More Than Just Change Management

If you are like most organizations, network security has one process that is the cornerstone of its business execution: the change management process. And the change process is necessary. It ensures that we can adapt our network security posture to the needs of an evolving business, and if we can’t do that, our businesses go out of business.

If you are like a lot of people, you have a love / hate relationship with the change management process. It is good at tracking things and ensuring tasks get completed, but it adds overhead and feels restrictive at times.

However, if you are a security-minded professional, you probably have another major concern with the change management process. Because it is driven by users, 99% of the time it is used to open up access. And if gone unchecked, with no other process to counterbalance it, the change management process causes access to grow indefinitely and complexity to skyrocket.

So, what is the yin to the change management yang? Conceptually, it is most certainly tied to the review and ongoing vigilance that security experts recommend. Access that is deemed appropriate today may be risky tomorrow based on an ever-changing threat landscape. Access that has gone dormant needs to be detected and removed. Compliance regulations mandate review activities, but manual review is difficult and time-consuming, and is often just given a cursory effort.

That is where Policy Optimizer fits in. Organizations need an intelligent way to identify what access needs review and to automate the process of reviewing it. Over the coming weeks, I’ll talk a little more here about our new module and how it can help organizations with large networks better accomplish their network security goals.

Newsworthy: Spotlight on FireMon

It’s always nice when industry watchers not only notice, but dedicate some digital ink, to your company’s latest public announcements.

That was just the case this week when Network World contributor Alan Shimel wrote up a piece on FireMon’s latest news – both the launch of our Policy Optimizer product module, as well as our recent equity investment by Insight Venture Partners.


As noted in his post, Alan does some consulting work with FireMon from time-to-time, listening to our ideas as we get close to bringing new features or solutions to market, and offering sage advice on matters of positioning, messaging and other related matters.

At the same time, we notice a distinct and even more discerning tone to Alan’s voice whenever he’s wearing his columnist/blogger hat, as kindly (though pointedly strategic) observations morph into objective, outsider’s view questioning.

So, while Alan is a trusted advisor, it’s gratifying that he felt both news items were matters of significant note. I’d encourage you to click through and read his entire piece, but to summarize:

On Policy Optimizer: “Policy Optimizer is really an automation tool for the rat’s nest that is firewall compliance rules… This is part of a broader theme I have advocated for some time. In order for security to be more successful, we need to get more people involved in security. Security – and yes, even compliance – is part of everyone’s job responsibility.”

On the Insight investment: “Terms of the sale were not announced. But with Firemon consistently posting strong quarter-over-quarter revenue growth, you have to assume the sale was at a healthy multiple of revenues… Congrats.”

So there you have it, kudos from a trusted industry expert who already knows our company well – yet who was still moved to write about it on the record.

For all the details on our recent announcements, click here to read the official releases.

FireMon Policy Optimizer: It’s All in a Name

Whenever you set out to develop a new product, one of the trickiest aspects is selecting its name, as typically any solution offers numerous benefits; the newly introduced FireMon Policy Optimizer module is no different.

So what does Policy Optimizer do exactly? For starters, Policy Optimizer is designed for use alongside the base FireMon Security Manager solution, and greatly complements, though operates independently of, its sister modules – Policy Planner and Risk Analyzer.


While FireMon Security Manager addresses security device rules and policy management, and the existing Policy Planner and Risk Analyzer modules address intelligent policy workflow and change, and the combination of vulnerability data with network access intelligence, respectively, Policy Optimizer was born of the need to rapidly adapt firewall settings in response to changing conditions.

For example, whenever network security must respond to an emerging threat, changes in a business partner’s risk posture, or discovery of a troublesome firewall setting, Policy Optimizer allows those teams to research the impact on any affected device policies then connect with other officials to understand how to adapt enforcement.

Like all the best solutions, the genesis of Policy Optimizer lies directly in customer need, born of countless requests from large enterprises with a wide variety of related use cases.

The value of Policy Optimizer is clearly outlined by its moniker – to allow organizations to optimize (definition: to enhance or improve) alignment of firewall and network security device infrastructure. However, as anyone who has attempted to carry out or manage this process can attest, it’s a massive task with a huge range of related factors.

However, back to the notion of multiple benefits and use cases, Policy Optimizer was also created in response to enterprises that must review firewall policy compliance frequently to remain in scope with industry standards, notably PCI DSS.

Another key motivator was the continued growth of FireMon’s managed services provider (MSP) business. These providers are constantly seeking to transfer intelligence across accounts, and Policy Optimizer allows MSPs to query against established best practices to identify policies for improvement.

This may sound like a straightforward set of drivers, but the process encompassed is complex, remaining highly manual and fragmented at many enterprises today. Traditionally, operational security management, compliance teams and MSPs have been asked to improve device policies without any direct line of communication with key stakeholders – most importantly those officials that initially requested network access.

This lack of efficient workflow results in one of the most significant gaps in enterprise security management. Access requests are typically granted to support business needs then left in place for years, without ongoing review, based on the reluctance to make changes that may interrupt critical services.

For their part, compliance/audit teams are asked to review policies every six months under PCI, and this process is so laborious that one FireMon customer had assigned 15 staffers to the process, full-time. That’s a massive investment to address a single compliance mandate, pulling resources away from other efforts.

Throughout Policy Optimizer’s development, FireMon management considered a number of potential names, including those related to policy assessment, rules review and rules recertification, among others.

The decision to adopt “Policy Optimizer” came from the conclusion that this product serves so many customer needs and has such a huge range of inherent benefits that this bold, encompassing name was appropriate.

Anyone who manages network security, compliance audit prep, or related IT risk management would agree that optimization of firewall policies has a tremendous impact on improvement of network defenses.

Click here to read all about FireMon Policy Optimizer module – if you’re just such an individual or any element of network security is your job, you’ll be happy that you did.

We’d stake our name on it.