Author Archive
Risk is the key
As those of you who have followed this blog over the past couple of months know, we have been slowly revealing bits and pieces about our new Risk Analyzer product here at Firemon. Over the next week and in the coming months, you will see and hear a huge push around risk from all areas of Firemon. The official release of Risk Analyzer is imminent, as our CEO noted in his Twitter feed this morning. We have also highlighted our partnership with Juniper Networks around Risk Analyzer and Junos Space. You can get even more insight into what we are doing together on Juniper’s YouTube channel.
Why are we suddenly so focused on risk, and why should you care? At the end of the day, all of the security controls organizations have put in place, the firewalls, IDS/IPS, proxies, ACLs, desktop firewalls and so on, are there to reduce or eliminate the risk to your IT infrastructure. Risk is what we are trying to control and limit. However, as we have previously highlighted, analyzing risk in today’s networks is a huge challenge. We tend to rely on a single tool to determine risk, and in the complex network environments we live in today these tools can present thousands of items that an organization needs to address. Attempting to manually review that list and prioritize the remediation results in organizations spending too little or too much time reducing their risk. Furthermore, those tools lack the full contextual awareness of your entire network topology and of how data flows through the environment, which is the real key to accurately identifying the areas of your infrastructure that are most at risk.
Risk Analyzer provides that full context of network topology awareness that is so critical to accurate risk analysis. It automatically shows you which actions reduce the greatest amount of risk with the least amount of effort, ensuring your valuable resources spend exactly the time needed to effectively reduce risk to your infrastructure. Its patented analysis engine, proven over the past four years in the largest DoD and Intelligence networks, produces results in seconds rather than the hours or even days other solutions require. It graphically shows you where you are at risk from any part of your infrastructure. Risk Analyzer will help you automate the reduction of risk to your IT infrastructure.
This is why we are excited about Risk Analyzer and so focused on Risk. Risk, after all, is the key.
He Who Finds the Entry Point First Wins
The amount of news generated around attacks in 2011 has been overwhelming. In just the last week, the reports around SCADA-based attacks have reached almost histrionic levels. Attacks on NASA, AT&T and VCU have all been highlighted this month as well. Despite the fact that companies will spend over $8 billion on network security this year, hackers continue to successfully breach networks with alarming regularity.
In an article on APTs posted on Dark Reading yesterday, Sean Brady from RSA had an interesting quote. He said “Identifying the entry point — where an attacker got into a company’s network — is a key aspect of identifying and responding to an advanced attack”. At Firemon, we couldn’t agree more. However, we would also ask why wait until you’ve been attacked to discover the entry point? Why not proactively find the entry point yourself? As clearly indicated by the attack coverage we’ve seen in the press this year, the attackers are actively looking for the entry point into your network even as you read this post.
Firemon’s new Risk Analyzer technology is designed to proactively find the exploitable entry points into your network. Risk Analyzer will also identify where an attacker can pivot from that entry point, and what other resources within your network can be compromised from it. Risk Analyzer will also prioritize which vulnerabilities, once patched, reduce the greatest amount of risk with the least amount of effort, helping to focus your organization’s remediation efforts. Don’t be the last to discover the entry points that are exposed in your network; he who finds the entry point first wins.
Preventative Security Controls Will Fail: What to Do?
I read a quick blog post this morning from Rick Holland at Forrester. In fact, part of my title is borrowed from a line in his post. As security professionals, I think it is important to recognize that despite our best efforts, many of the network security controls that have been deployed have still failed to prevent breaches and attacks from occurring. Holland, along with John Kindervag, has published a new report called “Planning for Failure”. They note that this year’s headlines have not been encouraging for the security world, as evidenced yet again yesterday by the Steam website hack and the takedown of Estonian hackers in Operation Ghost Click.
The deluge of news around breaches and incidents that have occurred this year should not cause us to throw our arms up and head for the exits. It should ultimately galvanize those of us in the security world to be more proactive about assessing the risk posture of our organizations, identifying the areas of weakness we have, and fixing them before an incident occurs. As Holland notes in his post, “An ounce of preparation is worth a pound of remediation”. The full Planning for Failure report also stresses the importance of testing. We at Firemon could not agree more. Our new Risk Analyzer technology enables organizations to test their entire network topology, factoring in the network security controls that are in place, and identify exactly where attackers could breach the network. Risk Analyzer will even highlight systems that are susceptible to client-side vulnerabilities, through which attackers could gain a foothold despite effective network security controls, and identifies where the attackers could penetrate further into the network by pivoting from those assets. Risk Analyzer’s patented analysis engine provides real-time analysis, and graphically shows you where in your topology you are vulnerable. Risk Analyzer also helps you focus on the remediation steps that reduce the greatest amount of risk with the least amount of effort by providing a prioritized list of remediation actions and allowing a user to virtually apply those patches, graphically showing the impact that remediation effort has on the network’s risk posture.
We are excited to release Risk Analyzer this month, and believe it is the key part of a proactive testing process that all security organizations should implement as part of their overall incident management plan. Risk Analyzer will allow you to substantially reduce your risk posture, prioritize your remediation efforts, and measure the effectiveness of the security controls you have put in place.
What’s new in Firemon Security Manager?
Lately, there has been a lot of discussion and interest on the blog around Firemon’s new Risk Analyzer product. While we are excited about bringing the fastest patented risk analysis and reduction engine to the market, we haven’t stopped developing new features in our flagship Security Manager product. The latest 5.3 release added support for both Palo Alto Networks Next Generation Firewall appliances and Fortinet firewall appliances, including support for Fortinet’s Virtual Domain (VDOM) technology. Firemon continues to be a customer-focused organization, and we are excited to add support for these great products as requested by our customers.
We are also very excited about the future direction of Security Manager. Stay tuned for more updates around the integration of Risk Analyzer into Security Manager, and the functionality that will give organizations in proactively knowing what risks they could introduce when adding or changing firewall or network access rules. In a recent survey conducted by Ernst & Young, only 49% of respondents stated that their information security function is meeting the needs of the organization. The combination of Security Manager and Risk Analyzer enables any security group to quickly and easily know the status of their security posture, and to validate that their information security investment is in fact meeting the needs of the organization.
The Power of Network APIs and Enterprise Risk Reduction
I was able to attend this year’s JavaOne conference, and had the privilege of hearing the keynote from David Ward of Juniper Networks. If you missed his presentation, you can see it here. One of the key points in his presentation was that the network and applications need to work together. As Lauren Cooney points out in her blog, “The divide between IT and Developer is getting smaller and smaller – you can now access the network through a series of APIs and an orchestration layer that make it easier to build and scale applications specific to your network. The two need to work together to be successful.”
At Firemon, we believe the opening of the network APIs is highly beneficial to those of us developing security applications for the enterprise network. We have ported our new Risk Analyzer product to run on Space, and leverage the Space SDK to provide the application real-time awareness of all the network devices and how data traverses the entire network topology. This gives Risk Analyzer the most complete, up-to-date and real-time picture of an enterprise’s network topology, enabling Risk Analyzer to create the most accurate graphical representation of your entire network. Risk Analyzer then combines the network information from Space with the results of enterprise vulnerability scanning and clearly highlights all of the paths attackers can take to penetrate your network, including client-side vulnerabilities, in a matter of seconds.
Space enables Risk Analyzer to factor in the full context of the network topology and network security controls to provide the most accurate risk analysis and remediation. Space enables Firemon to focus our development efforts on further enhancing Risk Analyzer’s patented analysis engines, knowing the Space SDK will always provide the necessary network information. Firemon is excited to be one of the first companies to partner with Juniper and leverage the Space SDK. We look forward to continued enhancement of the joint technology and many exciting developments to come in the next few months.
Context & Speed: The Key to Network Risk Analysis part 2
The second key element in enterprise network risk analysis is speed. I mentioned in my last post the presentation I gave at the United Security Summit. In that presentation, I compared network risk analysis to automobile traffic engineering and the challenge of reducing or eliminating congestion on a given highway. I highlighted the Active Traffic Management (ATM) system that was originally deployed in 2005 in the United Kingdom on a 17 km stretch of the M42. There are a number of parallels between the ATM and what constitutes an effective enterprise risk analysis and reduction tool.
The UK has had an 80% increase in traffic since 1980, with only a 10% increase in road capacity. They needed a solution that provided the full context of all the factors that lead to congestion on a given stretch of highway, much as in network risk analysis we need the full context of the network topology and the network security controls in place to truly determine the risk posture of any enterprise. The ATM on this 17 km stretch of the M42 has over 500 km of cabling and sensors deployed, along with 300 CCTV cameras and 50 gantries with computer-controlled signage. All of this information is fed back to a central control center, where traffic engineers leverage software algorithms to process all incoming data. The system then provides a prioritized list of actions the traffic engineers can take to reduce congestion; in the first six months of deployment it increased capacity on this stretch of the M42 by 10% and reduced transit times by 34%. With the amount of data generated by all of the wiring and sensors, no human could simply look at a raw listing of data and decide what the two or three best steps to reduce congestion are. The ATM automates the processing of this data, and provides the recommendations in real time. If an accident occurs at kilometer 14, the ATM can recommend that the traffic engineers lower the speed shown on the gantries at kilometer 2 by 40 km/h in order to ensure traffic doesn’t come to a complete standstill and increase the possibility of additional accidents and further congestion. This recommendation is made as soon as the problem is detected. It would not be effective if the ATM algorithms took hours to decide that the speed needed to be reduced to alleviate congestion; the entire 17 km of highway would be stopped by then.
Similarly, in enterprise network risk analysis and remediation, you need a tool that scales to process all of the data related to the network topology and the associated vulnerabilities, and provides the prioritized steps that reduce the greatest amount of risk with the least amount of effort in the fastest possible time. Tools that take hours or even days to process the data and produce a recommendation are like an Active Traffic Management system that takes hours to provide a recommendation. By that point, with the ever-growing and persistent threats that we face in enterprise security today, an attacker could have already exploited a resource in your environment and subsequently pivoted from that resource to exploit other parts of your network. Firemon’s new Risk Analyzer is able to scale to support the largest enterprise environments in the world, having been deployed for the past four years in the largest United States DoD and Intelligence networks. Risk Analyzer’s patented analysis engine processes all data in seconds, producing a prioritized list of remediation actions that allow organizations to know the exact steps that reduce the greatest amount of risk with the least amount of effort. Risk Analyzer has the full network context and real-time speed to enable any enterprise to significantly reduce their risk posture and ensure their security investment in both technology and people is being utilized as effectively as possible.
Context & Speed: The Key to Network Risk Analysis
Last week I had the privilege of speaking at the United Security Summit. I spoke about Risk Analysis, and compared the world of automobile traffic engineering and network security risk analysis. In my discussions with the attendees after the session, it was clear that two key elements are required to have effective and relevant risk analysis in the enterprise environments most of us work in today. For this post, I want to focus on the first key: context.
Having the full awareness and context of your network topology and the security controls that have been put in place is required to fully understand your organization’s true risk posture. Many times, when automobile traffic engineers are attempting to solve a congestion problem, they will lay data cables on a section of highway to get an idea of the number of cars, their frequency and the distance between vehicles. However, they are only getting the raw data for the section of road they happened to deploy the data cable on. They don’t see the entire 30 miles of the given highway, the on-ramps, or the feeder roads leading to the ramps. The data cable does not account for weather, day of week, time, holidays, etc. There are many elements that go into understanding the full context of why traffic is congesting on a given multi-lane highway. Unfortunately, many decisions about resolving congestion are made based on the raw data captured from the deployed data cable, and don’t account for the full context of what is causing the congestion in the first place. This is why the default response of adding more capacity many times doesn’t solve the problem.
Much like the traffic engineer, in network security we tend to rely on our own data cable solution. Most enterprises today, when assessing risk, simply run a vulnerability scanner. In the large enterprise environments we now work in, this can result in a list of thousands of vulnerabilities that need to be addressed. Many times, the engineer looking at this result will simply choose what they think are the important patches to fix, and assume they have reduced risk to the organization. Without the full context of the entire network topology and the security controls put in place to control data flow, the vulnerability results have no frame of reference. If the results list a SQL vulnerability on a high-value web server as severe, one might assume it needs to be addressed immediately. However, the scan results aren’t aware that the firewall cluster fronting the web services blocks SQL traffic to that web server from any internal or external source. So, is this truly a severe risk that needs to be addressed immediately? The same reasoning cuts the other way: a flaw reachable over the HTTP port the firewall does allow is fully exposed no matter how modest its scanner score, which is why the ranking has to come from reachability rather than from the score alone. Without the full network context, vulnerability scanners by themselves are unable to give you an accurate picture of the risk to your network environment.
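The posts above describe the same idea from three angles: a scanner finding is only a risk if the firewall policy lets an attacker reach it, a compromised host becomes a new vantage point to pivot from (“He Who Finds the Entry Point First Wins”), and the right remediation order is the one that removes the most reachable risk per patch, which you can find by virtually applying each patch and re-running the analysis (“Preventative Security Controls Will Fail”). The following is an added example in Python written for this page; it is not Risk Analyzer code or any FireMon product code. The zone-based firewall policy, the four hosts, the vulnerability identifiers and their scores are all constructed for the illustration and do not correspond to real advisories; the attacker is assumed to start in a zone named internet, and a client-side flaw (no listening port) is assumed exploitable only when the victim’s zone is allowed to reach the attacker’s zone. Traffic that stays inside a single zone is assumed not to cross the firewall.

```python
# Added example (not FireMon/Risk Analyzer code): context-aware vulnerability
# prioritization. Scanner findings are combined with a zone-based firewall policy
# to compute which flaws an attacker can actually reach, where they can pivot, and
# which single patch removes the most reachable risk. All hosts, rules and
# vulnerability identifiers below are constructed and are not real advisories.
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

ATTACKER_ZONE = "internet"  # assumption: where an external attacker starts


@dataclass(frozen=True)
class Vuln:
    vid: str         # constructed identifier, not a real CVE
    port: int        # listener port the flaw is exposed on; 0 = client-side flaw
    severity: float  # scanner-reported base score (CVSS-like)


@dataclass
class Host:
    name: str
    zone: str
    vulns: Tuple[Vuln, ...]


# Firewall rule: (src_zone, dst_zone, dst_port); "any" is a wildcard.
Rule = Tuple[str, str, Union[int, str]]


def allowed(rules: List[Rule], src: str, dst: str, port: int) -> bool:
    """True if the policy lets src zone reach dst zone on port. Traffic inside one
    zone is assumed not to cross the firewall, so it is always allowed."""
    if src == dst:
        return True
    return any(s in (src, "any") and d in (dst, "any") and p in (port, "any")
               for s, d, p in rules)


def egress_allowed(rules: List[Rule], zone: str) -> bool:
    """Client-side flaws need the victim's zone to reach back out to the attacker."""
    return any(s in (zone, "any") and d in (ATTACKER_ZONE, "any") for s, d, _ in rules)


def reachable(hosts: Dict[str, Host], rules: List[Rule]) -> Dict[str, Tuple[Vuln, str]]:
    """Breadth-first search over zones: from every zone the attacker holds, exploit
    any host whose flaw the policy exposes; each compromised host hands the attacker
    its zone as a new pivot point. Returns host name -> (flaw used, zone attacked from)."""
    compromised: Dict[str, Tuple[Vuln, str]] = {}
    frontier, seen = deque([ATTACKER_ZONE]), {ATTACKER_ZONE}
    while frontier:
        zone = frontier.popleft()
        for h in hosts.values():
            if h.name in compromised:
                continue
            for v in h.vulns:
                exposed = (allowed(rules, zone, h.zone, v.port) if v.port
                           else zone == ATTACKER_ZONE and egress_allowed(rules, h.zone))
                if exposed:
                    compromised[h.name] = (v, zone)
                    if h.zone not in seen:
                        seen.add(h.zone)
                        frontier.append(h.zone)
                    break
    return compromised


def exposure(hosts: Dict[str, Host], rules: List[Rule]) -> float:
    """Reachable risk: the summed severity of the flaw used against each compromised host."""
    return sum(v.severity for v, _ in reachable(hosts, rules).values())


def prioritize(hosts: Dict[str, Host], rules: List[Rule]) -> List[Tuple[str, str, float]]:
    """Virtually patch each flaw in turn and rank flaws by how much reachable risk
    disappears, which credits an entry point for every pivot it cuts off."""
    base = exposure(hosts, rules)
    ranking = []
    for h in hosts.values():
        for v in h.vulns:
            patched = dict(hosts)
            patched[h.name] = Host(h.name, h.zone, tuple(x for x in h.vulns if x != v))
            ranking.append((v.vid, h.name, round(base - exposure(patched, rules), 1)))
    ranking.sort(key=lambda r: -r[2])
    return ranking


# Constructed sample topology. web1 carries the post's "severe SQL listener flaw
# the firewall never lets anyone reach" next to a lower-scored HTTP flaw that is
# the real entry point; ws1 has a client-side flaw with only outbound 443 access.
HOSTS = {h.name: h for h in [
    Host("web1", "dmz", (Vuln("V-SQL-LISTENER", 1433, 9.0), Vuln("V-HTTP-RCE", 80, 6.5))),
    Host("db1", "data", (Vuln("V-DB-AUTH", 1433, 9.0),)),
    Host("fs1", "internal", (Vuln("V-SMB", 445, 8.5),)),
    Host("ws1", "users", (Vuln("V-CLIENT-DOC", 0, 5.0),)),
]}
RULES: List[Rule] = [("internet", "dmz", 80), ("dmz", "data", 1433),
                     ("users", "internal", 445), ("users", "dmz", 80),
                     ("users", "internet", 443)]

if __name__ == "__main__":
    for name, (v, via) in reachable(HOSTS, RULES).items():
        print(f"{name}: compromised via {v.vid} from zone {via}")
    for vid, host, gain in prioritize(HOSTS, RULES):
        print(f"patch {vid} on {host}: removes {gain} of reachable risk")
```

Running the block shows the point the post makes: the 9.0 listener flaw on web1 ranks last with no risk reduction because no rule admits port 1433 into the DMZ, while patching the 6.5 HTTP flaw ranks first because it also severs the only route to db1. The client-side flaw on ws1 is reachable despite the inbound policy being tight, through nothing more than the workstation’s permitted outbound 443, and patching it is credited with the file server it leads to. Real policies carry per-address rules, NAT and routing that this zone model omits; the ranking logic is unchanged when reachability is computed over the full topology.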
In our next post, we’ll discuss the importance of speed in network risk analysis.
Why FireMon, Why Now? Part 2
In addition to Risk Analyzer, FireMon has introduced Back Box, a centralized enterprise backup solution for critical security and network devices that provides a scalable, reliable and verifiable backup solution for your network. In my past roles as both a security consultant and a named accounts senior security engineer, I have had the privilege of working with some of the largest network and IT security organizations in the world. One element that was surprisingly all too common amongst these different organizations was that many of them had backup solutions that were built in-house by their best engineer. While these customized solutions worked, inevitably said engineer left the organization at some point. Subsequently, another engineer or even a team of engineers had to figure out how the solution worked, and often ended up writing their own solution when they were unable to figure out how to update or add features to the previous custom tool. Most troublesome, many of these solutions had no mechanism to validate that a backup had completed and was restorable, and the result was a backup that could not be used when an outage occurred. Back Box provides a single, central location for all your network device backups and verifies that all of the components necessary for restoration are captured and usable, with real-time status and reporting capabilities.
The combination of Risk Analyzer and BackBox along with Security Manager and Policy Planner gives FireMon the most complete product suite to enable organizations of all sizes to optimize their network security posture. What is exciting to me is that organizations are starting to realize the importance of having a tool that gives them a complete picture of the state of their network security, and are no longer considering this just a nice-to-have. Consider one of our large customers in the financial vertical. They have 700 firewalls deployed globally, with an average of 300 rules per device. With over 200,000 rules to manage on a daily basis, they have come to rely on Security Manager to plan and report on any changes to the firewall policy, increasing their visibility as a security team. The Rule and Object Usage report has become a weekly process within their organization, allowing them to see which rules and objects are unused over a defined period of time and safely remove them. Security Manager automates the change process for them, capturing the justification for access with Policy Planner and making compliance a repeatable and automatic process. Surveys consistently show that perimeter security is still considered one of the most important security tools to protect an organization. Security Manager and Policy Planner help enterprises manage these most important devices better, so you can provide better service to your users at a lower cost to you.
This is why I am so excited to be at FireMon now. The company that invented the space continues to innovate and enable our customers to manage their risk in real time and ensure their enterprise has the optimum network security posture. This innovation is just the tip of the iceberg, and over the next year I look forward to sharing with you more of the many exciting developments and innovations we will bring in our products and with our partners to help you ensure your enterprise is optimized and secure. That is why you need FireMon, Now.
Why FireMon, Why Now?
I was incredibly excited to join FireMon as the new Vice President of Business Development. After my first 30 days with the company, I can share that my excitement has only grown. For my first posts on the blog, I wanted to share why I joined FireMon, and why I am so excited about the future.
FireMon was the first company to ever create a firewall change management tool. We invented the network security change management space. We were the first to introduce a graphical change report, rule usage information, policy test, traffic flow analysis, and many more features that are now staples of the industry. In my career, I’ve always been drawn to companies that were innovators, and FireMon maintains that spirit of innovation at its core. FireMon continues to be the innovator with the acquisition of Saperix Technologies, which has become our Risk Analyzer product. Over the next few months, you will continue to hear about the dramatic innovations Risk Analyzer brings to the security optimization FireMon provides with its real-time risk analysis capabilities. In the zero-day world we live in, enterprises can ill afford to use tools that take hours or days to tell them where their risks are. Risk Analyzer will provide real-time vulnerability analysis, and I am excited to debut the technology and some of the exciting technology partnerships we are building into the tool at the United Security Summit next month in San Francisco.
Risk Analyzer is a reflection of FireMon’s continued innovation. In part 2 of my post, I will share additional innovation being developed by FireMon, reflecting why FireMon provides the most complete suite of tools to optimize your enterprise security posture now.