Posts Tagged ‘Network Security Risk Analysis’

In our first post on accurately measuring & scoring risk, we examined the holistic network approach many enterprises take around managing risk. This approach is to run vulnerability scanners against parts of their network or the network in its entirety at some predetermined interval. In both cases, scans are run, vulnerabilities are identified and possibly prioritized based on asset value, patching activities are scheduled over the next month or quarter, and the event repeats itself. As we noted, this approach over-simplifies the complex task of risk, as different threats and different assets define different risks.

The answer to this dynamic risk challenge is clear. Organizations need to operationalize risk into their daily security activities, and not make risk management simply a set event that occurs at predetermined intervals. As changes occur to the organizations risk posture based off of the business activities noted in our last post, or larger corporate events such as M&A or moving to the cloud, security organizations need to be able to dynamically and easily analyze this change to their risk posture in real time. To effectively do so, a tool that provides the ability to create different risk scenarios is required. Scenarios enable an organization to address each different threat to their assets as changes occur.

In the previous post, we provided the example of a business unit requesting VPN access to a new business partner after the predetermined scan had already been run. Leveraging a tool that provides the ability to create different risk scenarios, the security team would be able to create a new scenario to identify the new connectivity from the business partner into their network. To truly be effective, the tool would not only need to be able to identify this new connection, but have the contextual awareness of the firewall policy, network topology and any other network security devices that might be traversed between the front and back end systems involved in this new connectivity to accurately identify any potential vulnerabilities that are introduced from this new partnership.

FireMon Risk Analyzer is just that tool. Risk Analyzer enables administrators to create different scenarios: VPN connectivity to new business partners, connectivity to a cloud provider, a new data center coming online. Combined with Risk Analyzer’s full network topology and security policy awareness (which can be continually updated in real time via FireMon Security Manager), end users are able to identify new risk scenarios, proactively identify the new risk introduced from the scenario, and virtually apply remediation to ensure that the most effective remediation is completed with the least amount of effort. Multiple scenarios can be created as different threats or business events are identified, and as changes occur to the configuration or connectivity within the scenarios, end users can easily and immediately re-run the scenario within Risk Analyzer to asses how these changes affect the true risk posture of the organization. Risk Scenarios enable organizations to achieve the goal of operationalizing risk into their everyday activity.

The most recent post on our blog noted that understanding your organization’s exposure to risk is no small task. I have seen enterprises attempt to manage risk through feel or intuition, or simply reacting when executive leadership has read about the latest breach of the week and wants assurance that they aren’t at risk for the same calamity.  Fortunately, enterprises today are attempting to analyze and measure risk under a more formal process. Many attempt to do so by running vulnerability scanners against parts of their network or the network in its entirety at some predetermined interval. In both cases, scans are run, vulnerabilities are identified and possibly prioritized based on asset value, patching activities are scheduled over the next month or quarter, and the event repeats itself. Some organizations might even take the results of these efforts and assign a score, value or state to their risk posture.

Image via Wikipedia

The holistic measurement of risk described above simplifies risk within today’s networks. Truly understanding your actual risk posture is much more complex. Different threats and different assets define different risks. Risk is also constantly changing, constantly in flux in the enterprise environments we work in today. With M&A activity, strategic partnerships being formed or abandoned, new data centers being brought up, data centers being consolidated or IT functions being moved into the cloud, risk is a never ending moving target in most enterprise environments. Considering the standard process where an organization runs a vulnerability scanner at set intervals and scores their risk posture based off the actions completed from this event, it’s easy to see how this score is not truly reflective of the true state of the organizations risk.

Consider the example where a security group may run an enterprise scan at the beginning of each month and then schedule remediation actions for the next three weeks. In the second week of the month, a business group requests a new VPN connection to a newly formed business partner. This access requires connectivity from the new partner network to a DMZ web server farm that is protected by a firewall cluster. The web farm is a front end to an internal financial database that is protected by another cluster of firewalls. The monthly process that the organization follows does not allow them to react to the new variable that has been created within their risk posture. Furthermore, even if the organization were to scan against this newly created connection, the scanner would simply be blocked by the firewall clusters. The scanner does not have awareness of the firewall configuration policy and the context of how data flows through the networking devices, firewall and any other subsequent network security controls related to the web server front end and the back end database servers. This speaks to the importance of factoring the full context of network security controls and data connectivity when analyzing risk, as we have previously covered in this blog.

Analyzing and scoring risk based solely off the enterprise wide scanning or patching efforts doesn’t provide an organization the most accurate measurement of what their true risk posture is. In the second part of our post, we will discuss a better approach to gain a more accurate and real-time awareness into what an organizations risk state truly is.

In our series on risk here at the Firemon blog, we have clearly stated that network security is all about risk. So if risk truly is the yardstick we should use to measure the state of our organizations security, why are so many of us not measuring risk correctly? There are many factors that contribute to this issue, but ultimately there tends to be one overriding issue that affects organizations perspective around security and risk.

Too many organizations view security and risk reduction as a project rather than an ongoing process. There are a number of security arenas where this myopic perspective of security as a project is displayed. Compliance initiatives around PCI DSS, HIPPA, GLBA, etc. tend to get slotted as a project to complete, and after said completion, security has been achieved. While compliance initiatives are an important and depending on the industry, required part of an organizations security efforts, they are not a project to complete that results in a state of security and therefore reduced risk. Time and time again, we have seen too many organizations assume that their PCI DSS compliance equals a secure network, only to be shocked when they are subsequently attacked.

Similarly, implementing a vulnerability analysis and remediation project has become most organizations default way to identify and reduce risk within their networks. Typically an organization will run an enterprise vulnerability scanner at set times, compile a list of the vulnerabilities identified, possibly prioritize actions based on asset value, and then schedule patch work for the next 2-3 months to fix the 100′s or 1000′s of vulnerabilities listed by the scanner. As we saw with compliance initiatives, too many organizations treat vulnerability scanning as simply another project to tick off the list, and once complete, assume they are secure. The vulnerability scanner also has no knowledge of the network security controls that are in place, and therefore is unable to truly identify exactly what is the most severe risk to the network security based off what is truly reachable or exploitable as we have previously highlighted on our blog. Vulnerability Scanners are a vital tool within any organizations remediation strategy, and one that hopefully most organizations are utilizing. They are not the end-all solution answer to risk by themselves though.

In both security arenas we discussed above, there is no real time, ongoing, effective measurement of the organizations true exposure to risk.  Project based approaches do not allow an organization to truly see how the efforts of the organization to reduce risk ultimately affect the overall risk posture. In both cases, they are gaining a false sense of security simply by completing projects related to security. To truly manage and reduce risk, organizations need to make the management of risk a daily part of their operational security. In order to operationalize risk, practitioners need to leverage a tool that fully measures all of the elements that affect the risk to the network, prioritize the actions that need to be taken, highlight the impact those actions will have on the security posture, and allow the organization to see how their risk posture has changed over time or as new changes have been required within their network connectivity. The key element to said tool must be a truly effective measurement of risk to enable risk management to become a daily operational function of security. In our next post, we will discuss what elements are required to fully and accurately measure risk to a network.

I was able to attend this years JavaOne conference, and had the privilege of hearing the keynote from David Ward of Juniper Networks. If you missed his presentation, you can see it here. One of the key points in his presentation was that the network and applications need to work together. As Lauren Cooney points out in her blog, “The divide between IT and Developer is getting smaller and smaller – you can now access the network through a series of APIs and an orchestration layer that make it easier to build and scale applications specific to your network. The two need to work together to be successful.”

At Firemon, we believe the opening of the network API’s  is highly beneficial to those of us developing security applications for the enterprise network. We have ported our new Risk Analyzer product to run on Space, and leverage the Space SDK to provide the application real-time awareness of all the network devices and how data traverses the entire network topology. This enables Risk Analyzer to have the most complete, up to date and real-time picture of an enterprise’s network topology, enabling Risk Analyzer to create the most accurate graphical representation of your entire network. Risk Analyzer then combines the network information from Space with the results of enterprise vulnerability scanning and clearly highlights all of the paths attackers can take to penetrate your network, including client-side vulnerabilities, in a matter of seconds.

Space enables Risk Analyzer to factor in the full context of the network topology and network security controls to provide the most accurate risk analysis and remediation. Space enables Firemon to focus our development efforts on further enhancing Risk Analyzer’s patented analysis engines, knowing the Space SDK will always provide the necessary network information. Firemon is excited to be one of the first companies to partner with Juniper and leverage the Space SDK. We look forward to continued enhancement of the joint technology and many exciting developments to come in the next few months.

Image by Highways Agency via Flickr

The second key element in enterprise network risk analysis is speed. I mentioned in my last post the presentation I gave at the United Security Summit. In that presentation, I compared network risk analysis to automobile traffic engineering and the challenge of reducing or eliminating congestion on a given highway. I highlighted the Active Traffic Management (ATM) system that was originally deployed in 2005 in the United Kingdom on a 17km stretch of M42. There are a number of parallels between the ATM and what constitutes an effective enterprise risk analysis and reduction tool.

The UK has had an 80% increase in traffic since 1980, with only a 10% increase in their road capacity. They needed a solution that provided the full context of all factors that lead to congestion on a given stretch of highway, much like in network risk analysis we need the full context of the network topology and the network security controls in place to truly determine the given risk posture of any enterprise. The ATM on this 17km stretch of M42 has over 500km of cabling and sensors deployed, along with 300 CCTV cameras and 50 gantries with computer controlled signage. All of this information is fed back to a central control center, where traffic engineers leverage software algorithms to process all incoming data. The system then provides a prioritized list of actions the traffic engineers can take to reduce congestion and in the first 6 months of deployment increased capacity on this stretch of M42 by 10% and reduced transit times by 34%. With the amount of data generated by all of the wiring and sensors, no human could simply look at a raw listing of data and decide what are the 2 or 3 best steps to take to reduce congestion. The ATM automates the process of processing this data, and provides the recommendations in real-time. If an accident occurs at kilometer 14, the ATM can recommend that the traffic engineers change the speed on the gantries at kilometer 2 by 40 km/hour in order to ensure traffic doesn’t come to a complete standstill and increase the possibility of additional accidents and further congestion. This recommendation is made as soon as the problem is detected. It would not be effective if the ATM algorithms took hours to decide that the speed needed be reduced to alleviate congestion; the entire 17km of highway would be stopped by then.

Similarly in Enterprise Network Risk Analysis and Remediation, you need a tool that scales to process all of the data related to the network topology and the associated vulnerabilities, and provides the prioritized steps that reduce the greatest amount of risk with the least amount of effort in the fastest possible time. Tools that take hours or even days to process the data and produce a recommendation are like an Active Traffic Management system that takes hours to provide a recommendation. By that point, with the ever-growing and persistent threats that we face in enterprise security today, an attacker could have already exploited a resource in your environment and subsequently pivoted from that resource to exploit other parts of your network. Firemon’s new Risk Analyzer is able to scale to support the largest enterprise environments in the world, having been deployed for the past 4 years in the largest United States DOD and Intelligence networks. Risk Analyzer’s patented analysis engine processes all data in seconds, producing a prioritized list of remediation actions that allow organizations to know the exact steps that reduce the greatest amount of risk with the least amount of effort. Risk Analyzer has the full network context and real-time speed to enable any enterprise to significantly reduce their risk posture and ensure their security investment in both technology and people is being utilized as effectively as possible.