Posts Tagged ‘Risk Analysis’
Accurately Measuring & Scoring Risk part 2: Scenarios
In our first post on accurately measuring & scoring risk, we examined the holistic network approach many enterprises take to managing risk. This approach is to run vulnerability scanners against parts of their network, or the network in its entirety, at some predetermined interval. In both cases, scans are run, vulnerabilities are identified and possibly prioritized based on asset value, patching activities are scheduled over the next month or quarter, and the event repeats itself. As we noted, this approach over-simplifies the complex task of measuring risk, as different threats and different assets define different risks.
The answer to this dynamic risk challenge is clear. Organizations need to operationalize risk into their daily security activities, and not make risk management simply a set event that occurs at predetermined intervals. As changes occur to the organization's risk posture based on the business activities noted in our last post, or larger corporate events such as M&A or moving to the cloud, security organizations need to be able to dynamically and easily analyze this change to their risk posture in real time. To effectively do so, a tool that provides the ability to create different risk scenarios is required. Scenarios enable an organization to address each different threat to their assets as changes occur.
In the previous post, we provided the example of a business unit requesting VPN access to a new business partner after the predetermined scan had already been run. Leveraging a tool that provides the ability to create different risk scenarios, the security team would be able to create a new scenario to identify the new connectivity from the business partner into their network. To truly be effective, the tool would not only need to be able to identify this new connection, but have the contextual awareness of the firewall policy, network topology and any other network security devices that might be traversed between the front and back end systems involved in this new connectivity to accurately identify any potential vulnerabilities that are introduced from this new partnership.
FireMon Risk Analyzer is just that tool. Risk Analyzer enables administrators to create different scenarios: VPN connectivity to new business partners, connectivity to a cloud provider, a new data center coming online. Combined with Risk Analyzer’s full network topology and security policy awareness (which can be continually updated in real time via FireMon Security Manager), end users are able to identify new risk scenarios, proactively identify the new risk introduced from the scenario, and virtually apply remediation to ensure that the most effective remediation is completed with the least amount of effort. Multiple scenarios can be created as different threats or business events are identified, and as changes occur to the configuration or connectivity within the scenarios, end users can easily and immediately re-run the scenario within Risk Analyzer to assess how these changes affect the true risk posture of the organization. Risk Scenarios enable organizations to achieve the goal of operationalizing risk into their everyday activity.
Accurately measuring & scoring risk: are we too holistic in our approach?
The most recent post on our blog noted that understanding your organization’s exposure to risk is no small task. I have seen enterprises attempt to manage risk through feel or intuition, or simply reacting when executive leadership has read about the latest breach of the week and wants assurance that they aren’t at risk for the same calamity. Fortunately, enterprises today are attempting to analyze and measure risk under a more formal process. Many attempt to do so by running vulnerability scanners against parts of their network or the network in its entirety at some predetermined interval. In both cases, scans are run, vulnerabilities are identified and possibly prioritized based on asset value, patching activities are scheduled over the next month or quarter, and the event repeats itself. Some organizations might even take the results of these efforts and assign a score, value or state to their risk posture.
The holistic measurement of risk described above over-simplifies risk within today’s networks. Truly understanding your actual risk posture is much more complex. Different threats and different assets define different risks. Risk is also constantly changing, constantly in flux in the enterprise environments we work in today. With M&A activity, strategic partnerships being formed or abandoned, new data centers being brought up, data centers being consolidated or IT functions being moved into the cloud, risk is a never ending moving target in most enterprise environments. Considering the standard process where an organization runs a vulnerability scanner at set intervals and scores their risk posture based on the actions completed from this event, it’s easy to see how this score is not truly reflective of the true state of the organization's risk.
Consider the example where a security group may run an enterprise scan at the beginning of each month and then schedule remediation actions for the next three weeks. In the second week of the month, a business group requests a new VPN connection to a newly formed business partner. This access requires connectivity from the new partner network to a DMZ web server farm that is protected by a firewall cluster. The web farm is a front end to an internal financial database that is protected by another cluster of firewalls. The monthly process that the organization follows does not allow them to react to the new variable that has been created within their risk posture. Furthermore, even if the organization were to scan against this newly created connection, the scanner would simply be blocked by the firewall clusters. The scanner does not have awareness of the firewall configuration policy and the context of how data flows through the networking devices, firewall and any other subsequent network security controls related to the web server front end and the back end database servers. This speaks to the importance of factoring the full context of network security controls and data connectivity when analyzing risk, as we have previously covered in this blog.
Analyzing and scoring risk based solely on enterprise wide scanning or patching efforts doesn’t provide an organization the most accurate measurement of what their true risk posture is. In the second part of our post, we will discuss a better approach to gain a more accurate and real-time awareness of what an organization's risk state truly is.
Risk is the Yardstick
In our series on risk here at the FireMon blog, we have clearly stated that network security is all about risk. So if risk truly is the yardstick we should use to measure the state of our organization's security, why are so many of us not measuring risk correctly? There are many factors that contribute to this issue, but ultimately there tends to be one overriding issue that affects an organization's perspective on security and risk.
Too many organizations view security and risk reduction as a project rather than an ongoing process. There are a number of security arenas where this myopic perspective of security as a project is displayed. Compliance initiatives around PCI DSS, HIPAA, GLBA, etc. tend to get slotted as a project to complete, and after said completion, security has been achieved. While compliance initiatives are an important and, depending on the industry, required part of an organization's security efforts, they are not a project to complete that results in a state of security and therefore reduced risk. Time and time again, we have seen too many organizations assume that their PCI DSS compliance equals a secure network, only to be shocked when they are subsequently attacked.
Similarly, implementing a vulnerability analysis and remediation project has become most organizations' default way to identify and reduce risk within their networks. Typically an organization will run an enterprise vulnerability scanner at set times, compile a list of the vulnerabilities identified, possibly prioritize actions based on asset value, and then schedule patch work for the next 2-3 months to fix the hundreds or thousands of vulnerabilities listed by the scanner. As we saw with compliance initiatives, too many organizations treat vulnerability scanning as simply another project to tick off the list, and once complete, assume they are secure. The vulnerability scanner also has no knowledge of the network security controls that are in place, and therefore is unable to identify exactly what is the most severe risk to the network based on what is truly reachable or exploitable, as we have previously highlighted on our blog. Vulnerability scanners are a vital tool within any organization's remediation strategy, and one that hopefully most organizations are utilizing. They are not the end-all answer to risk by themselves though.
In both security arenas we discussed above, there is no real time, ongoing, effective measurement of the organization's true exposure to risk. Project based approaches do not allow an organization to truly see how its efforts to reduce risk ultimately affect the overall risk posture. In both cases, organizations gain a false sense of security simply by completing projects related to security. To truly manage and reduce risk, organizations need to make the management of risk a daily part of their operational security. In order to operationalize risk, practitioners need to leverage a tool that fully measures all of the elements that affect the risk to the network, prioritizes the actions that need to be taken, highlights the impact those actions will have on the security posture, and allows the organization to see how their risk posture has changed over time or as new changes have been required within their network connectivity. The key element of said tool must be a truly effective measurement of risk, to enable risk management to become a daily operational function of security. In our next post, we will discuss what elements are required to fully and accurately measure risk to a network.
What’s new in FireMon Security Manager?
Lately, there has been a lot of discussion and interest on the blog around FireMon’s new Risk Analyzer product. While we are excited about bringing the fastest patented risk analysis and reduction engine to the market, we haven’t stopped developing new features in our flagship Security Manager product. The latest 5.3 release added support for both Palo Alto Networks Next Generation Firewall appliances and Fortinet firewall appliances, including support for Fortinet’s Virtual Domain (VDOM) technology. FireMon continues to be a customer focused organization, and we are excited to add support for these great products as requested by our customers.
We are also very excited about the future direction of Security Manager. Stay tuned for more updates around the integration of Risk Analyzer into Security Manager, and the functionality that will provide organizations in proactively knowing what risks they could introduce when adding or changing firewall or network access rules. In a recent survey conducted by Ernst & Young, only 49% of respondents stated that their information security function is meeting the needs of the organization. The combination of Security Manager and Risk Analyzer enables any security group to quickly and easily know the status of their security posture, and to validate that their information security investment is in fact meeting the needs of the organization.
Context & Speed: The Key to Network Risk Analysis
Last week I had the privilege of speaking at the United Security Summit. I spoke about Risk Analysis, and compared the world of automobile traffic engineering and network security risk analysis. In my discussions with the attendees after the session, it was clear that two key elements are required to have effective and relevant risk analysis in the enterprise environments most of us work in today. For this post, I want to focus on the first key: context.
Having the full awareness and context of your network topology and the security controls that have been put in place is required to have a full understanding of your organization's true risk posture. Many times, when automobile traffic engineers are attempting to solve a congestion problem, they will lay data cables on a section of highway to get an idea of the number of cars, their frequency and the distance between them. However, they are only getting the raw data of the section of road that they happened to deploy the data cable to. They don’t see the entire 30 miles of the given highway, the on-ramps, or the feeder roads leading to the ramps. The data cable does not account for weather, day of week, time, holidays, etc. There are many elements that go into understanding the full context of why traffic is congesting on a given multi-lane highway. Unfortunately, many decisions about resolving congestion are made based on the raw data captured from the deployed data cable, and don’t account for the full context of what is causing the congestion in the first place. This is why the default response of adding more capacity many times doesn’t solve the problem.
Much like the traffic engineer, in network security we tend to rely on our own data cable solution. Most enterprises today, when assessing risk, simply run a vulnerability scanner. In the large enterprise environments we now work in, this can result in a list of thousands of vulnerabilities that need to be addressed. Many times, the engineer looking at this result will simply choose what they think are the important patches to fix, and assume they have reduced risk to the organization. Without the full context of the entire network topology and the security controls put in place to control data flow, the vulnerability results have no frame of reference. If the results list a SQL vulnerability on a high value web server as severe, one might assume this needs to be addressed immediately. However, the scan results aren’t aware that the firewall cluster fronting the web services prevents SQL traffic from reaching the web server from any internal or external source. So, is this truly a severe risk that needs to be addressed immediately? Without the full network context, vulnerability scanners by themselves are unable to give you an accurate picture of the risk to your network environment.
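The reasoning above, together with the partner VPN example from the earlier post (the DMZ web farm behind one firewall cluster and the financial database behind another) and the scenario idea from the first post, can be shown in working code. The following is an added illustration written for this page; it is not FireMon's code or Risk Analyzer's algorithm. Every host, zone, firewall rule, finding, CVSS value and asset weight in it is constructed, and the risk formula (scanner score times asset value, zero when no source can reach the port) is a deliberately simple stand-in. It re-scores the same scanner findings twice: once on the baseline topology and once after a partner VPN scenario is added, without any new scan.

```python
"""Reachability-aware risk scoring with re-runnable scenarios.

Constructed illustration (not FireMon's code): a scanner finding is a live
risk only if the vulnerable port is reachable through every firewall on a
path from a threat source, and a new connection (a partner VPN) is handled
by re-scoring the findings against the new topology, not by re-scanning.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str       # source zone, or "any"
    dst: str       # destination zone, or "any"
    port: int      # TCP port, 0 = any port
    action: str    # "allow" or "deny"


class Firewall:
    """Ordered rule base: first matching rule wins, implicit deny at the end."""

    def __init__(self, name, rules):
        self.name, self.rules = name, list(rules)

    def permits(self, src_zone, dst_zone, port):
        for r in self.rules:
            if r.src in (src_zone, "any") and r.dst in (dst_zone, "any") \
                    and r.port in (port, 0):
                return r.action == "allow"
        return False


@dataclass(frozen=True)
class Finding:
    host: str
    zone: str
    port: int         # port of the vulnerable service
    cvss: float       # severity as the scanner reports it (constructed)
    asset_value: int  # 1 (low) .. 5 (critical), constructed weights
    title: str


def reachable(finding, src_zone, topology, firewalls):
    """True if every firewall between src_zone and the finding allows its port.

    topology maps (src_zone, dst_zone) to the ordered firewalls traversed; a
    pair with no entry has no modelled path (traffic inside one zone crosses
    no firewall and is deliberately not modelled here).
    """
    path = topology.get((src_zone, finding.zone))
    if path is None:
        return False
    return all(firewalls[n].permits(src_zone, finding.zone, finding.port)
               for n in path)


def score(findings, threat_sources, topology, firewalls):
    """Map (host, title) -> (scanner cvss, adjusted risk, zones it is exposed from).

    Footholds grow to a fixed point: once any finding in zone Z is reachable,
    an attacker there can send traffic from Z, so Z becomes a further source.
    A finding no source can reach scores 0, whatever the scanner says.
    """
    footholds = set(threat_sources)
    exposed_from = {f: set() for f in findings}
    changed = True
    while changed:
        changed = False
        for f in findings:
            for src in list(footholds):
                if src not in exposed_from[f] and reachable(f, src, topology, firewalls):
                    exposed_from[f].add(src)
                    if f.zone not in footholds:
                        footholds.add(f.zone)
                        changed = True
    return {(f.host, f.title): (f.cvss,
                                round(f.cvss * f.asset_value, 1) if exposed_from[f] else 0.0,
                                sorted(exposed_from[f]))
            for f in findings}


# Constructed baseline: internet -> fw_edge -> DMZ web farm -> fw_internal -> DB.
FIREWALLS = {
    "fw_edge": Firewall("fw_edge", [
        Rule("any", "dmz", 443, "allow"),        # public HTTPS to the web farm
        Rule("any", "dmz", 0, "deny"),           # everything else, SQL included, is dropped
        Rule("any", "internal", 0, "deny"),
    ]),
    "fw_internal": Firewall("fw_internal", [
        Rule("dmz", "internal", 1433, "allow"),  # only the web farm may talk to the DB
        Rule("any", "internal", 0, "deny"),
    ]),
}
BASE_TOPOLOGY = {
    ("internet", "dmz"): ["fw_edge"],
    ("internet", "internal"): ["fw_edge", "fw_internal"],
    ("dmz", "internal"): ["fw_internal"],
}
FINDINGS = [  # what a scanner with no firewall context would list (constructed)
    Finding("web01", "dmz", 443, 7.5, 4, "TLS handling flaw"),
    Finding("web01", "dmz", 1433, 9.8, 4, "SQL service flaw"),
    Finding("db01", "internal", 1433, 9.8, 5, "SQL server flaw"),
]


def baseline_report():
    return score(FINDINGS, ["internet"], BASE_TOPOLOGY, FIREWALLS)


def partner_vpn_report():
    """Scenario: a new partner VPN terminates in the DMZ. Assumption (constructed):
    the partner integration also needs the SQL service on the web farm, so a
    partner->dmz 1433 rule is added in front. The findings are re-scored, not re-scanned."""
    firewalls = dict(FIREWALLS)
    firewalls["fw_edge"] = Firewall("fw_edge", [Rule("partner", "dmz", 1433, "allow")]
                                    + FIREWALLS["fw_edge"].rules)
    topology = dict(BASE_TOPOLOGY)
    topology[("partner", "dmz")] = ["fw_edge"]
    topology[("partner", "internal")] = ["fw_edge", "fw_internal"]
    return score(FINDINGS, ["internet", "partner"], topology, firewalls)
```

On the baseline, the scanner's two highest scores are the SQL flaws, but only the database one is exposed, and only through a pivot from the DMZ: the SQL service on the web server sits behind a firewall that drops 1433 from every source, so its adjusted risk is zero. Re-running the partner VPN scenario (`partner_vpn_report()`) flips that: the new partner rule makes the web server's SQL flaw reachable, so a finding that was correctly deprioritized last month becomes the change to remediate or to block with policy before the connection goes live. The pivot logic is what a scanner sitting outside the firewall cluster cannot see, since its probes are simply dropped.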
In our next post, we’ll discuss the importance of speed in network risk analysis.
Why FireMon, Why Now?
I was incredibly excited to join FireMon as the new Vice President of Business Development. After my first 30 days with the company, I can share that my excitement has only grown. For my first posts on the blog, I wanted to share why I joined FireMon, and why I am so excited about the future.
FireMon was the first company to ever create a firewall change management tool. We invented the network security change management space. We were the first to introduce a graphical change report, rule usage information, policy test, traffic flow analysis, and many more features that are now the staple of the industry. In my career, I’ve always been drawn to companies that were innovators, and FireMon maintains that spirit of innovation at its core. FireMon continues to be the innovator with the acquisition of Saperix Technologies, which has become our Risk Analyzer product. Over the next few months, you will continue to hear about the dramatic innovations Risk Analyzer brings to the security optimization FireMon provides, with its real-time risk analysis capabilities. In the zero day world we live in, enterprises can ill afford to use tools that take hours or days to tell them where their risks are. Risk Analyzer will provide real-time vulnerability analysis, and I am excited to debut the technology and some of the exciting technology partnerships we are building into the tool at the United Security Summit next month in San Francisco.
Risk Analyzer is a reflection of FireMon’s continued innovation. In part 2 of my post, I will share additional innovation being developed by FireMon, reflecting why FireMon provides the most complete suite of tools to optimize your enterprise security posture now.