There are a lot of theories about which network security challenge is the most important at any given time. The issue is highly subjective, particularly in this world of advocates, specialists, and vendors, who are each fixated on their particular piece of the puzzle.
But in the end, what matters is that organizations properly align and continuously adjust their activities so they can mitigate or even prevent the most prevalent threats to network security. Because while the threats haven’t changed much – viruses, botnets, access control, and visibility are evergreen challenges – the way malicious actors try to leverage vulnerabilities and the way we fight them changes all the time.
Right now and for the foreseeable future, the weapon of choice is automation. Hackers use automation to find the most valuable data inside a network, conduct brute force attacks, deliver loaders and cryptors, operate keyloggers, execute banking injects, operate bulletproof hosting services, and more. We have to fight fire with fire, and automation is the only way to protect a complex, dynamic network from modern network security threats.
5 Key Challenges in Network Security
This list presents five specific challenges to network security, but they are all children of one overarching network security condition: IT infrastructure complexity. That’s the real issue, and there’s no way around it. The average enterprise has around 500 products in its technology stack and uses more than 1100 APIs. Add in the current COVID-19 pressures that are driving a movement to remote work to the tune of more than 16 million new remote users, and we find ourselves managing more connections, users, and devices than ever before. We need the ability to understand network security challenges and scale our responses at top speed if we want to secure our organizations from threats.
But talking about complexity doesn’t provide any actionable information. So dig into the list below to see which aspects of complexity you can actually manage and how to do it.
1. Misconfiguration proliferation
Perhaps the least glamorous of all security threats, misconfiguration continues to hold a top spot as a serious network security threat. According to Gartner, between now and 2023, 99% of firewall breaches will be caused by misconfigurations rather than firewall flaws. How frustrating that something so fundamental continues to put businesses at risk year after year.
Firewalls are hard to manage because networks are complicated and getting more complicated by the month. In our State of the Firewall report, almost one-third of respondents said their organizations use more than 100 firewalls, and 12 percent use more than 500. At this scale, managing the products, optimizing their rules, and exposing gaps in firewall enforcement is a task that can’t be handled manually. Automation is essential.
But that doesn’t mean full automation – the best solutions provide adaptive control and visibility over networks and firewalls. The goal should be to minimize human error rather than replace humans, because analysis activities during triage and escalation require an understanding of nuance that no machine possesses.
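The rule problems described above (over-permissive rules and rules that can never match because an earlier rule already covers them) are exactly what a rule audit exposes. The following is an added example, not FireMon's code: a first-match-wins ruleset analyzer over a constructed five-rule set, flagging any/any permits, redundant rules and shadowed rules whose deny intent is defeated.

```python
import ipaddress
from dataclasses import dataclass
# Constructed sample ruleset, first match wins. Columns: name action src dst dst-ports
SAMPLE_RULESET = """\
R1 allow 10.0.0.0/8     10.10.0.0/16 443
R2 deny  10.0.0.0/8     10.10.5.0/24 any
R3 allow 10.0.1.0/24    10.10.0.0/16 443
R4 allow 0.0.0.0/0      0.0.0.0/0    any
R5 deny  192.168.1.0/24 10.10.0.0/16 22
"""
ANY_NET = ipaddress.ip_network("0.0.0.0/0")
ANY_PORTS = (0, 65535)

@dataclass(frozen=True)
class Rule:
    name: str
    action: str  # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: tuple  # inclusive (low, high) destination port range
EVERYTHING = Rule("*", "allow", ANY_NET, ANY_NET, ANY_PORTS)  # matches every packet

def parse_ports(spec):
    if spec == "any":
        return ANY_PORTS
    lo, _, hi = spec.partition("-")
    return (int(lo), int(hi or lo))

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        if line.strip():
            name, action, src, dst, ports = line.split()
            rules.append(Rule(name, action, ipaddress.ip_network(src, strict=False),
                              ipaddress.ip_network(dst, strict=False), parse_ports(ports)))
    return rules

def covers(outer, inner):
    """True when every packet matched by `inner` is also matched by `outer`."""
    return (inner.src.subnet_of(outer.src) and inner.dst.subnet_of(outer.dst)
            and outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1])

def audit(rules):
    """Return (rule, finding, related rule) triples in ruleset order."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.action == "allow" and covers(rule, EVERYTHING):
            findings.append((rule.name, "permit-any", ""))
        for earlier in rules[:i]:
            if covers(earlier, rule):  # the later rule can never match a packet
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings.append((rule.name, kind, earlier.name))
                break
    return findings
```

Running `audit(parse_rules(SAMPLE_RULESET))` reports R3 as redundant with R1, R4 as an any/any permit, and R5 as a deny shadowed by R4, which is the kind of enforcement gap that is invisible when reading rules one at a time.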
2. Lax control of privileged access
Privileged access abuse is a favored method of hackers because it’s easier for them to exploit existing credentials than to hack into a network. That’s why 74 percent of breaches start with privileged access abuse.
Many organizations focus their firewall management activities on permitting access. That often leads to too many users being granted levels of permissions that are too high. This is a dangerous mistake. In order to make the firewall a more effective security device in the network, risk must be evaluated with the same weight as access.
Credentials alone do not give enough information about whether the user requesting access is legitimate. Credentials need to be authenticated in context with other factors, such as geolocation, IP address, time zones, etc. Privileged access needs to be reviewed regularly – for instance, during COVID-19 work-from-home restrictions, IP addresses and geolocations are going to be out of the norm. These will have to be shifted back to the status quo for users who return to the office in upcoming months.
Automation plays a critical role in reducing privileged access abuse by reducing the accidental errors that lead to misconfigurations and increasing security agility – an essential attribute at any time, but especially during exceptional conditions like those engendered by COVID-19. Eliminating the human error that can compromise a network increasingly accessed by remote workers maximizes the operational efficiency of security teams and reduces the number of security misconfigurations.
3. Tool interoperability shortcomings
The problem isn’t too many tools. The problem is too many tools that don’t share data seamlessly.
A network is not a single zone. It’s a system of software-defined networks, micro-segmentation, and network rules and assets that create exponential complexity. To try to understand what’s happening in the network, security teams must shift from console to console, struggling to make sense of what one metric means in context with the others. The result is an environment that fosters human error and leaves gaps that adversaries can exploit.
Some organizations think they’ll be safe even if their tools don’t integrate with each other because they do integrate with the SIEM. But SIEMs focus solely on system-generated signals, which means they can miss manually-executed attacks and user-specific anomalies, such as a user in the marketing department logging into a system used by the financial department. According to IT decision-makers, traditional SIEMs are not intuitive, do not provide accessible insights, and produce more data than staff has the capacity to analyze.
Security analytics platforms make data more accessible to more people so it can be consumed and analyzed efficiently. Natural-language search and analytics remove the need to learn a query language. Data collection doesn’t require parsing, which eliminates the prerequisite knowledge normally required to bring different data sources together. A security analytics platform automatically enriches and correlates collected data to speed up the time it takes to discover unusual activity on the network.
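The contextual checks named in section 2 (geolocation, source IP, time zone, and time-boxed work-from-home exceptions that must be rolled back) and the user-specific anomaly from section 3 (a marketing user logging into a finance system) can be expressed as one evaluation over a per-user baseline. This is an added example with constructed baselines and login records, not code from FireMon or from any SIEM; the department-to-system ownership map and the exception expiry dates are assumptions.

```python
import ipaddress
from datetime import datetime
# Constructed baselines: department, usual countries, working hours in the user's own
# time zone, home networks, and time-boxed exceptions (e.g. a work-from-home allowance).
BASELINES = {
    "alice": {"dept": "finance", "countries": {"US"}, "hours": (8, 18),
              "networks": ["10.20.0.0/16"], "exceptions": []},
    "bob": {"dept": "marketing", "countries": {"US"}, "hours": (7, 19),
            "networks": ["10.30.0.0/16"],  # the exception below must be reverted later
            "exceptions": [{"networks": ["203.0.113.0/24"], "until": "2020-06-30"}]},
}
SYSTEM_OWNER = {"erp-ledger": "finance", "cms-prod": "marketing"}  # constructed
EVENTS = [  # constructed login records; the offset is the user's local time zone
    {"user": "alice", "system": "erp-ledger", "src_ip": "10.20.4.7", "country": "US",
     "time": "2020-04-06T09:15:00-04:00"},
    {"user": "bob", "system": "erp-ledger", "src_ip": "203.0.113.8", "country": "US",
     "time": "2020-04-06T14:00:00-04:00"},
    {"user": "alice", "system": "erp-ledger", "src_ip": "198.51.100.23", "country": "BR",
     "time": "2020-04-07T02:40:00-03:00"},
]

def allowed_networks(profile, today):
    nets = list(profile["networks"])
    for exc in profile["exceptions"]:
        if today <= exc["until"]:  # ISO dates compare correctly as strings
            nets.extend(exc["networks"])
    return [ipaddress.ip_network(n) for n in nets]

def evaluate(event, baselines=BASELINES, owners=SYSTEM_OWNER):
    # Returns the list of context mismatches for one login; empty means in profile.
    profile = baselines.get(event["user"])
    if profile is None:
        return ["unknown-user"]
    when = datetime.fromisoformat(event["time"])
    reasons = []
    if event["country"] not in profile["countries"]:
        reasons.append("geo:" + event["country"])
    src = ipaddress.ip_address(event["src_ip"])
    if not any(src in net for net in allowed_networks(profile, when.date().isoformat())):
        reasons.append("ip:" + event["src_ip"])
    lo, hi = profile["hours"]
    if not lo <= when.hour < hi:
        reasons.append(f"hour:{when.hour:02d}")
    owner = owners.get(event["system"])
    if owner and owner != profile["dept"]:
        reasons.append(f"dept:{profile['dept']}->{owner}")
    return reasons

def stale_exceptions(baselines, today):
    # Users whose temporary allowances have expired and need to be rolled back.
    return sorted(u for u, p in baselines.items()
                  if any(e["until"] < today for e in p["exceptions"]))
```

The second event is the cross-department login a signal-only view would miss, and `stale_exceptions(BASELINES, "2020-07-01")` is the periodic review that returns bob's work-from-home allowance to the status quo.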
4. Lack of visibility
Visibility changes from moment to moment as new devices and endpoints join and leave the network. Typically, there is no way to tell if the network is secure or compliant at any given point in time – at best, security professionals can look back over historical data to tell if the network was secure at some point in the past. That isn’t actionable information.
Organizations need to understand how and why firewall rules are configured, the consequences of any changes, and how the changes impact security and compliance postures. Few can achieve this, due to common obstacles such as a lack of IT staff availability, poor network management tools, a lack of visibility into app delivery paths, and a lack of IT presence at remote offices.
Automation can provide the means to see, map, and manage changes to an infrastructure at any given point in time. This is true visibility, and it makes an impact that resonates beyond the SOC. Visibility supports the business as a whole by enabling changes to be made faster and more securely without breaking compliance. The gap between managing network security risk and delivering business opportunities that drive competitive advantages is filled in.
5. Controls that are out of step with infrastructure changes
Security teams are not able to keep up with ever-increasing volumes of vulnerabilities that need to be patched, new applications that need to be tested and deployed, emerging threats that need to be mitigated and, of course, access requests that must be granted, returned for further authentication, or denied. The solution to handling this volume and variety of work is orchestration.
Orchestration is often thought of as synonymous with automation, but that’s not accurate. Automation focuses on executing a particular task, while orchestration arranges tasks to function optimally within a workflow – for instance, by bringing together the entire body of security controls and automating change.
An orchestration solution should be comprehensive, automating network security in every aspect from policy design to implementation. It should support real-time monitoring from a live stream of data to enable instant snapshots of a network’s security posture from moment to moment. And it should scale in all directions, collecting security details and normalizing device rules for storage in a unified database. The solution should offer a single console that provides total network visibility and the ability to command security controls.
Automate your network security with intention
Automation is not without risk. When planned poorly, it will increase operational costs and potentially subject organizations to financial fallout from network security breaches and regulatory fines.
But when done well, automation makes enormous business sense and will deliver on its promises of consistency, cost optimization, ongoing visibility and assessment, and effective management of the organization’s network security profile, as well as supporting proactive risk mitigation. And considering the complex, dynamic networks that organizations must govern across firewalls, applications, databases, data centers, cloud, and containers, automation isn’t optional any more. It’s the only way to stay operational.
Our advice is to automate mindfully. The FireMon approach to network security automation is built on providing context around access requests to help system administrators and network engineers implement change that enables the business without introducing the new risks that come with handling thousands of change requests daily. Using our intelligent, automated workflow, security administrators can implement the right changes with absolute precision.