How decision support tools improve both speed and accuracy for your security operations teams.
It has been said that cybersecurity is an asymmetric game where the attackers have the advantage. An attacker must only be right once; while the defender must be right all the time. One simple mistake can lead to devastating consequences including data breaches, business disruptions, service outages, and ransomware infections.
But getting security “right” is hard. In a very small environment of a single system or network, such as your home network, it may seem simple to get it right. Block all inbound access and patch a few systems? Done.
Unfortunately, security challenges grow exponentially as the complexity of the network expands. Every new device, user, and service requiring connectivity to other resources increases complexity of the environment proportional to n-squared.
If you are a large enterprise managing 100,000 or more resources, the complexity will be obvious. However, did you realize that you are responsible for managing over 10 billion possible connections? And it is even more complex than that when you recognize that each system exposes more than one service (check out Metcalfe’s Law if you want to read more.) As my good friend Rich Mogull says, “simple doesn’t scale”.
Let’s put this idea of complexity into the context of network security policy management. Consider a company managing 300 firewalls with 300 rules on each firewall. For this exercise we’ll assume that each rule represents a few class C networks in the source and destination with a few services between them (i.e. HTTPS, SQL, SSH).
In this environment, the security team is responsible for managing:
- 300 firewalls
- 90,000 firewall rules
- 810,000 logical firewall rules (source object, destination object, service)
- 1,433,272,320,000 (1.4billion) connections (IP address, IP address, service)
This “simple” environment with 300 firewalls with 300 rules on each firewall requires a security operations team to manage over 1.4 billion connections. Getting this right is impossible without some form of automated analysis.
Complexity isn’t the only challenge. Security is required to support the business and the business changes fast. New applications are being brought online, new partners are being connected, old services are deprecated, and it all needs to be supported now. An acceptable response time is different for each company and can range from minutes to months, but rarely is it ever fast enough. Getting it right and doing it fast are often at odds, but it is the mandate of security professionals.
And if all that isn’t bad enough, you can’t just throw more people at the problem. There’s always pressure to keep the cap on hiring new folks. Even if you were given the green light to staff up, you’d be hard pressed to find qualified resources without paying a fortune in today’s job market.
So how do you meet these challenges that are growing exponentially with resources that at best are only growing linearly?
The answer is to empower your team with decision support tools. Using our earlier example of firewalls, let’s look at some specific challenges and how better tools improve security outcomes of reduced risk, continuous compliance, and reduced time to accurately deploy policy changes.
Every rule in a firewall policy that allows traffic to pass introduces risk to the organization. Much of this is an acceptable and necessary risk to enable the business to function. For example, an email server that isn’t allowed to send or receive SMTP traffic isn’t very useful. However, a shocking number of rules in production firewalls are not necessary and many allow unnecessary or unnecessarily high-risk access.
With our example of 1.4 billion connections to manage, how do we distinguish between those that are useful and necessary, from those that are useless and unnecessary? A network security policy management solution can provide the decision support necessary to assess all 1.4 billion connections and identify those that need to be removed.
- Find redundant rules: Redundant rules add unnecessary complexity to a policy. They serve no purpose as they duplicate an existing rule, but they add complexity that can easily lead to mistakes. These are low hanging fruit that can be removed with no risk.
- Find shadowed rules: A less obvious case than a fully redundant rule is one that is “shadowed” by another rule. This rule adds no value and simply adds complexity to the policy. Remove these rules.
- Find unused rules: With proper monitoring of log traffic, it is possible to detect rules that exist in a policy that are not being used(no traffic matches the rule). These rules not only add complexity to the policy, they add risk. These must be reviewed first before a decision is made to remove them as a critical process, such as a disaster recovery system, may rely on them but don’t generate any traffic unless being tested.
- Find unused objects in a rule: In our example rule with 3 source networks, 3 destination networks, and 3 services, it is very common for some of these to be unnecessary. Using similar techniques to identifying unused rules, it’s possible to identify unused objects in a rule. Each unused object represents unnecessary risk and should be removed.
- Find risky services: Some access just shouldn’t be allowed. For example, system management performed over unencrypted protocols can expose sensitive data and credentials. For this reason, services like telnet should not be permitted in most cases. Find all rules that permit the use of high-risk services and remove the access. If necessary, work with the systems teams to modify how these systems are accessed prior to modifying the policy to avoid system interruptions.
- Find rules that violate zone policies: In all cases, firewalls are configured to separate network segments. In most cases, security policies can be defined to describe what is considered acceptable traffic between different zones. Examples can include what access is allowed between HR and Finance, or environments hosting PII data and a user network. Evaluating firewall rules against these zone policies identifies rules violating these policies that need to be reviewed and remediated.
Most organizations are required to adhere to one or more internal or external compliance frameworks. Even if there isn’t a requirement, it’s still useful to validate the effectiveness of an organization’s security policies and processes against these frameworks. The complexity of these environments makes these evaluations challenging and in some cases not even possible using manual review processes. Not only does automation make it possible, it makes it achievable to enforce continuous compliance by identifying failures in near-real time. It also prevents mistakes from being made when integrated into a comprehensive firewall policy change management process.
Even if everything is perfect in our example network with all 1.4B connections working exactly as the business needs, a single change can introduce risks that can lead to devastating results. Change is inevitable and the security teams must be able to respond quickly and accurately. Whether that is a change due to business requirements or an external threat that must be mitigated, it can easily introduce new risks or even service outages. Knowing how to best implement the change without introducing unnecessary risk is a daunting task that is best suited to automated decision support tools. Examples of use cases include:
- Evaluate risk and compliance of a change request: Some change requests just shouldn’t be implemented. How do you evaluate the potential impact of these changes? Does it expose access to a system that is known to have a vulnerability? Does it violate a zone access policy? The manual processes to review these requests can take weeks and in some cases even months. With every hour that goes by, the business gets more and more frustrated leading to “emergency requests” that bypass the processes and security controls designed to prevent high-risk changes. Automated pre-change assessment tools identify high-risk rules in real time and offer the option to kick them back to the requestors, or pass them to an exception handling process.
- Evaluate how to implement the change: Firewall vendors have done a great job in making it very easy to implement changes to existing rules. However, determining what changes to make and which firewall to change can be extremely difficult in an enterprise environment. In our existing 1.4 billion connections, there may already be all the access necessary for a new rule request, but we may not know it. There also may be an existing rule that only needs a simple modification instead of creating a new rule that might be redundant. Identifying which policies and devices need to be modified and where in the policy to make the change can take hours to determine. This entire process can be automated with the right decision support tool to empower security operations teams to make the right change faster.
Security is hard and the stakes are high. Give your teams the tools they need to do their job.
To learn more about how FireMon can provide the decision support your team needs please visit our Security Policy Solution page.