2019 State of the Firewall

On-Demand

Video Transcription

Elisa Lippincott:
Good afternoon. Good evening, everyone. My name is Elisa Lippincott and I’m the Director of Product Marketing at FireMon. Thank you so much for joining us. I’m joined by Tim Woods, our Vice President of Technology Alliances. And today we’ll be discussing some of the key findings from our recently released 2019 State of the Firewall Report. If you have any questions, please submit them in the Q&A section on your screen and we’ll address them at the end. A recording of the webinar will be available shortly after the conclusion of our session, and we will send it out so that you can share it with other members of your team. So let’s go ahead and get started.

Elisa Lippincott:
We will be covering the survey demographics and taking a look at the major themes that came out of this year’s report. And then we’re going to quickly conclude with some key takeaways and then end with Q&A. So this year’s report, now in its sixth year, is really special because we had our biggest survey pool to date with 573 respondents that hold a variety of network and security titles. Since we almost had a fifth of respondents from the C-level ranks, we decided to dig into the data a little more to see how their responses compared to the rest of the pot. So you’ll see some insight there. Company size was closely split between those with a thousand or more employees and a thousand or less. And 35, excuse me, 34% of respondents represented companies with 5,000 or more employees.

Elisa Lippincott:
Respondents represented practically every industry, but IT services led the pack with almost 32% and an overwhelming majority of 80% of respondents were from North America with the rest of the 20% coming in from the rest of the world. There are three major things that came out of this year’s responses. The lack of automation was the biggest theme throughout, but you will see that all three themes relate to each other in one way or another. We’re seeing that with the lack of automation theme that manual processes are still ruling the day and contributing to misconfiguration errors that are making the headlines, the Capital One breach, for example.

Elisa Lippincott:
With network complexity and visibility, we’re seeing that there isn’t much confidence in the real time visibility and the networks, especially across hybrid environments. And at the end of the day, firewalls are still important, despite the headlines proclaiming their demise. So all three themes ultimately tied to digital transformation and what enterprises are going through as they take it on. I’m going to let Tim talk to this slide to give some perspective here. Tim.

Tim Woods:
Elisa, thank you very much. And thanks to the listening audience today. We know you have a lot of things on your plate, appreciate you spending time with us and I hope you find this information useful. This is an exciting time for us given that this is the sixth time that we’ve done this. So it’s always interesting to look at the data and compare it from past reports. But this one, there were some very significant things that have kind of surfaced here. As you look at these, and I know there’s a lot of information on this screen, so I’m not going to ask you to read everything here, but look over here to the left. We’ve kind of pulled out the top five things that kind of surfaced in this particular. But what’s more interesting here as you look at specifically looking at the orange and the blue colored lines, the percentages there, you kind of combine those, the orange being very challenging and the blue being somewhat challenging regardless, there’s challenge that exists there.

Tim Woods:
So consider the kind of combined percentages between those two. So the hindrance, the dependency on legacy technology, keeping the environment secure during transformation, as we see a lot of companies embarking on their digital transformation journeys and cloud first strategies, lack of integration across the security tools. We’ve seen a lot of companies that are just kind of hitting those road bumps along the way to say, “Hey, the tools that I’ve traditionally used on premise don’t necessarily translate when I go to the cloud. Now I’m having to look at acquiring other tools I’d really consolidate. I don’t want to add even more things into my tool belt.” And of course the cybersecurity skill shortage is continuing to pop its head out. It’s a real thing. And we’re seeing that manifest itself in some of these responses as well.

Tim Woods:
Internal politics, is interesting, but take… Here’s the other thing, if you take some of these and combine them together, many of these that you see here compound. So what do I mean by that? For example, let’s say that we look at reduced visibility within the environment within the hybrid environment, but then we also look at the inability to maintain compliance, right? These things can directly kind of stack with each other. Lack of integration of security tools and lack of the right people with the right skill sets. Again, these things can combine. And so, the problem becomes even larger. The challenge becomes more challenging as the things kind of stack on top of each other and combine as well. So, Elisa.

Elisa Lippincott:
So Tim, one thing I want to note on this slide, as I mentioned, we did a little digging and made sure to see what the C-level ranks were, how they compared, right? So strictly from the C-level perspective, the first four were exactly the same, but number five was different. For the C-level, it was reduced visibility into the hybrid environment. But I almost find it a little funny that internal politics is up here because it’s not in the C-level ranks and I’m wondering if that’s because sometimes the C-level ranks are maybe the ones that are starting up the internal politics. I just found that a little interesting.

Tim Woods:
Plausible deniability. So let’s dig a little deeper. We’re going to transition to one of the findings, one of the themes, lack of automation. You don’t have to look very far to see the number of mis-configurations happening all too frequently. Today, one quick Google search will turn up a lot of these things, but if you relate this back to the digital transformation challenges that we just reviewed, we see people that are challenged. They’re short-staffed, resources that are overstretched. It’s debatable, who’s taking responsibility for some of the security controls that are being implemented. Just really no alignment.

Tim Woods:
Business has accelerated past the ability to secure it in a consistent manner. No alignment to a centralized security policy or a centralized kind of best practice or doctrine. And so there’s no doubt that we see human error creeping into the equation here. And it’s no doubt that we see these mis-configurations taking place, way too frequently, especially when we talk about, when we see some of the fragmentation that’s going along or taking place as it relates to the security controls. We’ll talk more about that, but some significant findings here. So human error is a big issue. 30% of the respondents said that inaccuracy misconfigurations or issues on the network accounted for 10 to 24% of changes that required rework. So what does that mean? These are changes. That means that we had to change and there was an impact or something had to be backed out or something had to be reworked. Something had to be addressed.

Tim Woods:
It was interesting to note too here, just below that you’ll see, of those 36% that responded there, you’ll see that 32% of them processed anywhere between 10 and 24 changes per week, and then 27% of those respondents, in that 36% group processed upwards, to a maximum of 99 changes per week. We’ll look at that more, in total as well. But, 10% is a big number. Number one, even… 24% is just. So again, here is an area you have to ask yourself, why are there so many mistakes being made during something that was an approved change in stage for implementation? Were we not able to sandbox to change in advance to see what the potential impact inability to sandbox that change in the context of a policy that is getting deployed to, it’s really hard to kind of try to determine what the problem might be.

Tim Woods:
One of the biggest findings and one of the biggest things that surfaced out of this report was the fact that 65% of the respondents cited that they were not using automation to manage their environment. So we go back again and we look at some of the digital transformation challenges that we saw in the first slide that Elisa introduced, and then we look at some of the configuration, misconfigurations that are taking place. And then when we see that we are completely reliant on the human factor here, which can be short-staffed, can be too stretched and we can have turnover. The fact that we’re not using automation to bridge that gap, I mean, if you’re not able to add people, if you’re not able to add resources, then how are you going to make the people that you have more efficient? So, this was pretty illuminating. And then you see also there at the 68% of the C-level. So, pretty much in unison here, when you look at this particular statistic.

Tim Woods:
Here again, 45% of the respondents processed between 10 to 99 changes. And of those 57% indicated that manual processes were used as part of the firewall change. So again, we’re allowing for that human error to creep into the equation. So that means that maybe the request was honored, using ITSM tool or using some type of a tool that can track the requests. We still see changes being tracked with spreadsheets and emails and Word documents and things of that nature. But 57% indicated that manual process was used as part of the firewall change process. So, even though we have an approved change and then we… But yet a human has to get on the keyboard and basically input that change and you’re making sure they’re implementing it, staging it for implementation.

Tim Woods:
Again, there’s an opportunity there to… Somebody has to translate what’s in the system to get put into practice and you hope that a mistake isn’t made, but then when we go back and we look at the previous statistics that we cited about the number of misconfigurations that take place, during the change process, then you have to ask yourself there, isn’t that an area that automation might be able to benefit? 72% of the respondents had two or more teams involved in processing or approving a typical change. So here again, the more people involved in approving the change, reviewing the change, accepting the change, it’s just going to slow the process down. And where we find ourselves today, of course, when we look at the acceleration of a business, we see an inconsistency to not be able to honor those requests at the same speed that the business demands. And so, of course, if you say no long enough, or you tell somebody to wait long enough, then of course, they’re going to try to go around you. That’s what we see today.

Elisa Lippincott:
And Tim, can I add one thing on that previous slide?

Tim Woods:
You can.

Elisa Lippincott:
I did a little digging and actually, earlier this year in February, we released our inaugural State of Hybrid Cloud Security Survey. And one stat that struck me in that survey was that only 28% of the respondents used tools that were able to work across multiple environments to manage their network security. So I’m wondering again, that, that is also talking to that lack of automation theme.

Tim Woods:
Very possibly. If you look at the chart here also now the most, the highest percentage was zero to nine, and then 27%, 10 to 24 changes. Imagine the folks go down, when you look at the purple and the red, I know it’s a lower percentage, but still that’s a lot of changes to process in a week. Consider 500 changes in a week or greater than 500 changes to process in a week. Not leveraging automation in that process has to be manually intensive and of course it’s going to be error-prone. So I guess that’s not real surprising given the lack of automation that’s been leveraged.

Tim Woods:
Network complexity and visibility. Again, just as we covered the misconfigurations, you don’t have to go very far with your Google search to find instances of the impact of the lack of visibility. It’s incredibly hard from the byline or from the line that you see up there, it’s incredibly hard to protect what you can’t see, and it’s even harder to secure what you don’t know about. I picked this up from Mr. John Kindervag. He used the analogy of trying to guard the president, our Secret Service trying to guard the president and not knowing where the president was at. It would be very hard to even set up a perimeter as you see, security in depth and the fact that any time that the president travels there’s multiple layers of security. But imagine trying to protect an asset, a resource, an application or a service when you don’t even know that it’s deployed within your infrastructure, yet that’s taking place today.

Tim Woods:
So visibility is a big challenge. Companies are adding firewalls. The amount of firewalls that are being added specifically to the cloud. So I saw this number and when I first saw it I said, “That can’t be right.” 60% of the respondents said they have firewalls deployed in the cloud. So that number surprised me a little bit, but then when you look, and we’ll see here from… It may even be the next slide here, let’s just go forward real quick. You can see the level of adoption that has increased in the cloud as well. So we go back and we look at 2018, the 2018 report. We saw that there was a… 53% respondents said they had partial or full adoption of hybrid cloud. And this year we saw a 72% response. 72% of the respondents said they had some level of adoption of public or neural hybrid cloud.

Tim Woods:
So going back to looking at the number of firewalls that are being deployed, this particular stat really kind of begs a couple of questions. It’s why are we deploying this many firewalls in the cloud? Is it that we don’t completely trust the level of security controls that the public cloud providers give us? Do we truly understand the lines of delineation between what I have to protect and what the public cloud provider is protecting? Regardless that it’s an interesting number. I’m still trying to consume some of this to understand what this number completely means. But it’s an interesting stat on the list.

Elisa Lippincott:
And one thing I’ll add here-

Tim Woods:
I was going to say, any thoughts on that?

Elisa Lippincott:
Yeah. I was going to say, on the second bullet where we had 34 or 30.4% with 100 and more firewalls, the stat’s not on the slide, but in our 2018 State of the Firewall Report. Only 26% of the respondents had 100 or more. So it seems like just the sheer number of devices being added, whether it’s on-premise or cloud is just adding to that complexity overall.

Tim Woods:
Yeah. When we look at the firewall management challenges, complexity still ranks right up at the top, optimizing the firewall rules, managing multiple vendor types of firewalls. We can understand that. And of course, there’s very few environments that aren’t heterogeneous, right? That don’t have a large degree of heterogeneity involved in those. And so, of course, anytime you have multiple firewalls, that means multiple management stations. It means you have to have multiple people trained on the respective platforms, gaps in firewall enforcement, and then of course, lack of automation. So this was the first year that automation actually made the list. Elisa, is that correct? Do I have that right? I don’t think on previous year-

Elisa Lippincott:
Yeah. That is correct.

Tim Woods:
Yeah. Automation didn’t really pop up as a concern or a challenge. And so I think it’s significant that there’s greater awareness. The fact that it popped up on our survey as a response this year gives me… I think that’s good news. The fact that there’s growing awareness around the benefits and the need for automation, within the environment to curb some of these misconfigurations that are taking place and to gain better efficiency for our people. So, that’s a good thing. Complexity, I think we all know, I mean, complexity left unchallenged doesn’t go away and if anything, it continues to rise and if complexity goes up, the probability of human error creeping into the equation also goes up. And of course we see that manifest itself in many ways, too.

Tim Woods:
So this is the same question. Only we extracted the C-level responses. While it pretty much aligns, one of the lack of automation actually went up a notch, firewall device performance creeped into the equation. Elisa and I were talking about this. When you think about firewall device performance, that can be a number of things, but, you know, it could be related just to the management of the firewall too. Lack of hygiene sometimes in a firewall gives way to what we like to call policy bloat. And of course the more bloat that exists in a policy when those unused rules and duplicate rules and redundant rules and overly permissive rules and overlapping rules, and all of those things creep into the equation over time, all of a sudden the performance, the degradation of your firewall performance can happen. And so, they may be thinking about maybe thinking about that.

Tim Woods:
But again, complexity here, even at the C-level, there was good awareness there that complexity was a major challenge. I think I’d be remiss if we go back and we look here, at the… So if we look at the firewall challenges here, we don’t see visibility, but visibility is clear in this slide, in number three. So lack of visibility across the network, gaps in firewall enforcement tied.

Tim Woods:
So, visibility as a challenge, we hear this from our customers and from our clients and even potential clients, almost weekly about the concern that they have around the lack of visibility into their network infrastructure. Sometimes that’s a barrier to cloud adoption. Sometimes that’s a barrier to further application deployments. 34% of respondents said they have less than or equal to 50% real time visibility into the network security risk and compliance. Really hard to maintain a compliance posture when you’re only getting half, when you’re only seeing half the picture or this kind of like reading half a book. 28% of the respondents have at least 80% of real time visibility into the network and security response. Definitely better than 50%, but still there’s a gap in visibility.

Tim Woods:
If you look at the chart on the right and kind of look at the middle of the chart, as it relates to the responses there and you kind of see how it kind of goes out and so confidence, kind of tells kind of tails down there or maintained. We did the same thing when we were looking at the C-level responses. So the C-level responses said that 23% of the respondents said they have at least 80% of real-time visibility into their network, which again, 80% is definitely better than 50%, but look at how the chart tapers itself down, as far as complete visibility. So if you start at the top and you look at no visibility, you look at the bottom, it has complete visibility. It’s interesting, the way the chart builds itself out. So confidence kind of wanes as you kind of go down the chart there.

Elisa Lippincott:
Tim, do you think that’s because maybe the overall respondents that may be reporting into the C-level, since they’re more close, they’re closer to the data, so their visibility may be higher than C-level? Trying to get a-

Tim Woods:
Yeah. Very possibly could be. Right. There’s just a greater realization of what’s actually taking place, as opposed to kind of looking down on it. But for those that actually have their hand on the steering wheel or their finger on the pulse, so to speak, there just may be a greater realization of what is actually, what they’re actually able to achieve today. Okay. You may have to forward. I’m not getting a response, all of a sudden. There we go.

Tim Woods:
Thank you. Importance of firewalls. So we hear this almost every year, right? The firewall, the demise of the firewall, the firewall is dead. The firewall is now a zombie. But the reality is, and we hear about identity being the new perimeter and I’m not arguing that there’s extreme value in identity access management. But I’m also not seeing that the firewall is going to die anytime soon and our respondents for our survey this year feels the same way. When you look at it, 95% of the respondents said that the firewalls are as critical as always or even more critical, in their environment. Again, I think as you look at cloud adoption and the number of firewalls that are still going into the cloud and the overall security controls that are being used, I think that, that’s one of the reasons that it rings true.

Tim Woods:
Firewall as a service is an interesting area to explore. 11% of the respondents have already deployed some type of firewall as a service, or other alternative infrastructure as code solutions within the environment. This would also support the fact that spending related to firewall acquisition is up also. 65% of the respondents spend between 10%, almost, up to 50% of their security budget on their firewall technology. Compared to last year’s report, that’s up almost 10%. So that’s good news for the firewall vendors. But I think also this speaks to, I think it also speaks to the consolidation of functionality that’s taking place, in the next generation firewall platforms as well. We’re seeing at the C-levels, the desire to consolidate aggregate many of their solutions. They’re wanting solutions that will work for them, both in the on-premise and solutions that will work for them in the cloud, in the hyper-converged data center.

Tim Woods:
They’re also wanting to combine solutions rather than buy a specific solution just for the cloud. They’re wanting to, if I’m going to invest in another solution, is it going to replace something, hopefully replace maybe more than one thing that I already have? And of course we’ve seen the growth in functionality, on the next generation firewall platforms as well of what they provide, well into application. Content ID application, content and user content as well. Securing that way more than just source destination and services. So additional information that we’re allowed to manage now, which can supplant some of the other platforms that we’re using.

Elisa Lippincott:
What’s interesting here too, is, I’ve seen the headlines where people proclaim that next gen firewall is dead and it’s because of the cloud, but I don’t seem to be… This data doesn’t seem to support that claim.

Tim Woods:
Exactly. You’re exactly right. It doesn’t. I think again, firewalls are as important as ever, obviously securing access all the way up to the cloud, is important as well, securing that edge. The edge security related to the cloud is important. Seeing the adoption of SD-WAN and the popularity of SD-WAN growing as well and CASB type offerings. So definitely that’s going up. I also think that the cloud vendors are getting better, with the security functionality that they’re adding. No doubt that the cloud that the traditional native firewall vendors are taking note of that as well. I know just speaking from attending the AWS re:Invent show last year and year before last, and then also going to the security centric AWS show this year that was held in Boston, which was a security-only type event related to AWS.

Tim Woods:
The amount of functionality that they’re adding, just to security, the things that they’re adding to try to prevent those misconfigurations that we see taking place and trying to give better reference architectures and blueprint designs and better deployment options for the consumers of the technology they’re adding, they’re just continuing to add a lot of functionality specific to security, in their cloud offerings. So no doubt that the cloud providers are continuing to get better at security. I think part of the problem, however, again, it goes back to the fact that it’s not necessarily well-grounded IT security individuals that are taking responsibility for configuring the security controls of the application assets, resources, and services that they’re deploying.

Tim Woods:
It’s not that they’re not really smart people because Elisa, you and I both know we get to talk to some of the brightest minds on the planet. It’s just that they’re not well-grounded with a security background for what they’re taking ownership for.

Elisa Lippincott:
Right.

Tim Woods:
And so we see these problems, we see these problems happening. So let’s wrap it up here. We’ll look at some of the survey takeaways. Misconfigurations are code for human error. There will almost always be an issue during the change process. So as long as we continue to kind of embrace the processes today that we’re using, these manual processes that we have in place, I think we’re going to continue to see misconfigurations top the list. We see that automation deployment is still not at a level of maturation that you might think that it is. Complexity is still not being challenged enough to keep it from growing within the environment. And so we see complexity ranked consistently as kind of the number one top challenge within the infrastructure. We see the impact of the lack of cybersecurity skills in resources.

Tim Woods:
We also see as that complexity goes up, let’s just take one example of a challenge, where we see the sheer volume. We see that the firewalls, that the deployment of firewalls are continuing to go up and we also see just the sheer volume of rules across an infrastructure going up. So whether that’s to meet additional regulatory compliance initiatives, whether that’s to meet deployment of our cloud initiatives, whether that’s to meet new services, mergers acquisitions, we see this volume increase, in the number of rules that the IT security staff and others are taking responsibility for managing. But the problem is the resources from a manual perspective necessary to manage that is not going up. In fact, it’s remained somewhat stagnant.

Tim Woods:
I think we’re going to see the same challenge exists just in the sheer volume of applications, assets and resources and services that are being deployed out there too, that if not tracked properly and managed properly, then that becomes a challenge as well. And if you’re not adding people, if you don’t have sufficient people that are sufficiently skilled at the task that you’re asking them to do, then how do you bridge that gap? And of course, automation is one way to help empower your people to make them more efficient and more consistent in some of the processes that they’re required to work. So firewalls are not going away. We see that definitely highlighted in the report too, just by the sheer number of firewalls that are being deployed. The fact that the firewall spending is continuing to go up. Firewalls, the response, 95% of the respondents said they’re as critical or more critical than ever. So we definitely see that, that’s not changing anytime soon.

Tim Woods:
So many benefits to automation. We could take each one of these and probably make a separate presentation out of them, but, reducing human error by eliminating misconfiguration, where we can make our people more efficient, where we can give them the ability to become more consistent leveraging automation, we should. From a collaborative perspective, eliminating friction between DevOps and SecOps. Again, being able to deliver consistent security process, as part of the agile development stream, I think is an important and an opportunity. Customer satisfaction by shortening the SLA associated with the requests that are coming in is a big deal. I think also once security is able to bridge that gap to say that I can gain parity with the speed of business, that security can gain parity with the speed of business, then we’ll see this propensity for people to take response, take responsibility for their own security controls.

Tim Woods:
I think we’ll see that diminish as well. We’ll see people starting to more closely collaborate around the security of the things that are getting deployed. Something’s going to have to happen because this problem of misconfigurations in the cloud and hackers being able… They’re not even hacking, they’re just searching for public IP space that is unprotected out there. The sad thing is, is they’re finding it almost weekly. That’s definitely got to be shored up. I think automation can definitely lend a hand in that effort as well. Operational costs and security, of course, being able to do things more efficiently is just going to go hand-in-hand with reducing the cost impact. And last, but certainly not least compliance. Being able to dynamically ensure that your compliance posture is maintained.

Tim Woods:
It’s hard enough just becoming compliant. It’s hard enough getting to where you need to be, to be compliant, but maintaining that compliance in light of the frequency of change. And especially as we go into the cloud and we see the frequency of change happening at an even greater rate. So being able to ensure that our security posture is maintained and that when we have policy drift or when we have something new that’s introduced, when we detect that something new has been deployed, we need to make sure that the appropriate security controls are attached, at the time of provisioning and not after the fact. But compliance and listen, the teeth, the potential for the depth of fines is growing with compliance to the definitely bigger teeth. A breach nowadays can be crippling if not, can dismantle a company. Not all of us are Facebooks and can take a hit on the chin like they can. So it’s really important that we shore that up too. And again, here’s where to compliance can lend a hand.

Elisa Lippincott:
And Tim, we didn’t represent it in the slides today, but in the actual report, which you can download from firemon.com, one of the questions we did include in the report was for respondents on a scale from one to 10, how prepared would you be for a compliance audit tomorrow. Talk about not only the lack of automation, but a lack of that continuous compliance, only 51.3% were 60 to 80% prepared, if they were going to get audited tomorrow. And so definitely that continuous compliance is definitely there.

Tim Woods:
I think I remember us asking a question also about whether you had… Had you passed the compliance? Seemed like there was, I forget exactly what the question was. You may recall better than I do. But-

Elisa Lippincott:
Fail the compliance audit.

Tim Woods:
Yeah. There was a hesitancy to answer the question of whether they had failed a compliance audit or not.

Elisa Lippincott:
Yeah. 17% said that they would rather not say and seven percent said maybe. So they just don’t want to… readily admit it up front, but yeah, and that can go back to not only lack of automation, but also the lack of visibility and being able to even begin to think about whether they could even pass a compliance audit.

Tim Woods:
GDPR has really given way to kind of as one of the newer regulatory compliance initiatives out there. Of course, it’s specific to the EU, but global in nature. But just the reporting, the number of reporting of incidents and or breaches and compliance violations has gone up almost 50% since GDPR went into effect. That in and of itself tells you something too, as it relates to what wasn’t previously reported and what is being reported today. I don’t think that number of breaches just automatically went up overnight. It’s just that we’re getting better insight to what’s actually taking place on some of these networks today.

Elisa Lippincott:
It’s only going to get worse because I don’t know about you, but I’ve been getting emails from various companies that I subscribed to where they’re updating their privacy policies and that’s for the upcoming California privacy law that will go into effect in January. So there’s just so many different regulations that companies have to keep up with. It’s just crazy.

Tim Woods:
Yeah. And it’s not just for California. I mean, all the attorneys general are watching what California is doing too, and will be following suit very soon, I think as well. So they’re just kind of paving the way and will be setting the standards that other states will follow.

Elisa Lippincott:
Right. Well, Tim, I am going to go ahead and check for any questions in the Q&A section. A reminder to everyone, if you have a question, please submit it in the Q&A box below, and if we don’t happen to get to it, we will make sure to follow up with you. We did have one question come in. Oh, this is a doozy, Tim. This will probably take the rest of the other time we have, but, let’s go for it. “The Capital One breach was a result of a misconfiguration. Where does the fault lie? Capital One, Amazon or both?”

Tim Woods:
I was just speaking to an esteemed analyst last night, about this. His opinion was, and I’m not approved to say who it was or would, but his opinion was that AWS really dodged the bullet on this one in that they distanced themselves very quickly when this came out, to make the point that, “Hey, our systems operated as designed and this was definitely a result of human error.” I think Amazon’s CISO I believe also made that statement in public, said, “Unfortunately human mistakes happen.” But for things like Capital One, in this case, this was… It was the misconfiguration of a control on a web application service, that allowed this knowledgeable hacker who had kind of inside, we believe, had inside knowledge, as to the security profile as well.

Tim Woods:
So it was a combination of several things but regardless it was a devastating, kind of breach that took place. It’s interesting as I’ve been looking at these too, it’s interesting to see what the tail of a breach looks like, too. And what I mean by that is how your response and how you have to deal with the breach upfront. And they say within the first year, you can kind of deal with 65% of the fallout. And then the second year, there’s more, and then the third year, and we’ve seen that even with Equifax, right? Even Equifax is still trying to reconcile with the users. And now they’re giving out free credit reporting. And they’re talking about, if you already have credit reporting, then they’re going to give you compensation. Monetary compensation in lieu of credit reporting and now there’s questions about how much that is. But needless to say, that’s going back almost three years. And so the fallout, from one of these breaches is quite interesting. And of course, then there’s all the public response that you have to make, to maintain a good statute with your customer base.

Elisa Lippincott:
Would it be safe-

Tim Woods:
What are you doing about it? And go ahead.

Elisa Lippincott:
Okay. Would it be safe to just assume that the responsibility should ultimately be on you as the customer versus the provider?

Tim Woods:
I think, and we’ve seen this before, where there’s been kind of a misunderstanding of what the lines of demarcation are around what the public cloud provider takes responsibility for and what the consumer of the service is responsible for taking responsibility for. And that differs whether it’s infrastructure-as-a-service and a platform-as-a-service, software-as-a-service. Who has responsibility for what? No different in an on-prem where you take responsibility for everything, or if you’re engaged with a managed service provider and you have your information, and they’re managing something on their premise for you, who’s taking responsibility for which pieces of the security around there?

Tim Woods:
So I think it’s very important for a consumer of public cloud to clearly understand for the service that they’re subscribed to, is where those lines of delineation exist, where those two lines of demarcation exist as it relates to security responsibility. And if you don’t clearly understand that, then you’re setting yourself up for potential error that could expose some customer data in the future or internal data and or breach your customer trust.

Elisa Lippincott:
Yeah. And it’s going to vary based on the provider, right? If there’s no-

Tim Woods:
They’re not all the time. That’s right. Yeah. They are not all the same. There is some variance there.

Elisa Lippincott:
So another question that came in, what are some of the misconfiguration issues, that are most common and how can we make sure they don’t happen?

Tim Woods:
That’s a good one too, right? So probably the biggest, well, no configuration being… Notwithstanding. There’s no silver bullets out there either, as it relates to our security best practices. But, one of the biggest things that we come across that I think represents a glaring gap in the security, in any given security policy is these overly permissive rules that creep in over time, for various reasons too. I can cite many personal examples, from clients that I’ve engaged with. But, I think a lot of times it comes where the IT, I think it’s a manifestation of being overworked or stretched too thin, or trying to get to too many priorities on your plate.

Tim Woods:
Take an example, here’s an IT security professional who has been given the task of helping a particular new business application launch and they don’t have all the clear information. They don’t have the full subset of information that they need to create the best access rules possibly. Where are the consumers coming from? Where are they going to? What should be allowed? What isn’t allowed? What ports, protocols, services does the application itself need? And so, when there’s an absence of information, then they try to create the best security rule possible, until they can get further information. And so a lot of times what that ends up being is an overly permissive rule in order to meet a deadline.

Tim Woods:
So this is a perfect example of business trumping security, which happens very frequently. But there’s good intention of going back and cleaning that rule up later, or cleaning that access up later, or expanding on that access, tightening it up, applying better hygiene to it. The problem is that, that same individual has 15 priority ones on their plate already, and they’re struggling to get to these. And so once the business is up and running, and everybody’s happy, they’re off to their next thing with that still in the back of their mind somewhere, but it never gets back around. And so this overly permissive rule kind of takes on a life of its own. I hear this story repeated over and over and over and over again.

Tim Woods:
I was in a personal meeting with another engineer. We were doing a policy review with a client, we were looking at policy complexity. There’s a report in our platform that specifically kind of looks at policy complexity. And what we try to do is surface the most complex rules and what that typically means, show me the rules that are providing the most access, which is usually not desirable. Rules are designed to restrict access, not provide great access. Anyway, we pulled the report up and there were two rules that made the top of the list very quickly. And both of those, one of them had over 4,000,000 logical access paths. And the other rule had over 2,000,00 logical access paths.

Tim Woods:
Our customer stopped the meeting right there to go and correct the problem for these two rules that had surfaced and no telling how long they had been in existence. But overly permissive rules is probably one of the biggest misconfigurations that takes place out there and it’s just… Anytime that you’re giving greater access than what is necessary to meet the needs of the business, then you’re just setting yourself up for potential exploitation.

Elisa Lippincott:
Okay. And, one final question. It’s actually from me to you, Tim. We’ll be doing this report next year. Is there anything that… Any new questions you would want to get perspective on from respondents that weren’t in this year’s survey?

Tim Woods:
Yeah. As I think about that, I think SD-WAN adoption, again, I think is an interesting area. I think edge security, defining what edge security really means, the edge of cloud security, going from one to another, even intercommunication between clouds, that’s starting to pop up now as well. What security looks like for that? We definitely don’t have a lack of technology out there, right? If anything, anyone that’s ever attended RSA will clearly… The annual RSA expo clearly understands… Or any of the technology VMworld or re:Invent. AWS re:Invent. You clearly understand quickly that there is no lack of technology out there, but the ability to consume that technology and ensure you’re going to get the return back on that investment is really the key. And of course, again, if you go back and look at the cybersecurity shortage, companies don’t have the same breadth of ability that they want to add to evaluate the technology, from a POC perspective, from a proof of concept perspective. And so they’re relying on analyst input, partner input, network input from their own networks and from the vendor providing direct references and stuff.

Tim Woods:
Nobody wants to have buyer’s remorse when they acquire new technology. So again, I’m very interested in… We’re very interested, obviously it’s our world to continue to look at the challenges customers are faced with, as it relates to cloud adoption and migration to the cloud and how we can not only make that migration easier and better, but make it more secure and how we can ensure that we’re monitoring change real time. One thing is for sure, anytime a change happens, you have to answer the question. You have to answer the question to say, once this change happened, was it good change or bad change? Change is happening all the time, but was it good change or bad change? And did that change have any type of impact on my security posture, on my compliance posture and my business posture? I mean, at the end of the day, it’s about managing risk to a level that’s acceptable by the business. Right?

Elisa Lippincott:
Yeah. We did have another question come in: “With micro-segmentation of network resources becoming mainstream, isn’t it in the end similar to firewalling and its management, just by another name/buzzword?”

Tim Woods:
You could say that. I mean, we hear people talk about North and South and East and West. I think it’s just important whether it’s micro-segmentation or not. I think it’s important to understand what your zones of control need to look like. So when I’m going, whether I’m going from one DMZ to another DMZ, or I’m going from one department to another department and not to pick on anybody, but this is kind of a perfect example, let’s take the Target breach for an example. There was clear access, that was commandeered from the HVAC network to the PCI network.

Tim Woods:
Now that type of access should never be allowed. That’s a zone-to-zone access that should never be allowed. But that’s the type of things within a… When you have a centralized security policy that can be technically enforced, we can eliminate those things from creeping into the equation, within our infrastructure, for those policies that are written, but not enforced. When you ask somebody to… Many times when I’ve been in front of an audience and I’ve asked the audience to raise their hand, “Everybody raise their hand. If you think your security implementations are a direct reflection of your actual security policy, raise your hand.” People are very hesitant to raise their hand.

Tim Woods:
But I think we have to get to a stage where, whether it’s micro-segmentation, whether we’re concerned about East West traffic, Northwest, North South traffic, we have to get to a place where we have a technically enforceable policy and in order to do that, we’re going to have a platform, an orchestration platform that allows for that, where we understand where the focus is placed now, not just on the firewalls and the enforcement point technologies themselves. I’m not trivializing the importance of that, it’s critically important, but the focus shifts to these assets and the resources and the applications that we’ve been talking about, and the services that we’ve been talking about, understanding at any given point in time, what that security needs to look like. What is the security intent around this application?

Tim Woods:
Regardless of when that’s where that security application moves, or when it spins up, or when it spins down, we need to ensure that the security controls are consistent, at the time of startup or spin down, or even if it moves in and understanding where are the security controls within our environment that can apply the necessary policy against that, is important. So call it micro-segmentation, call it zone control or segmentation. Definitely all that is important, but I think what’s equally more important or equally important is that we have a security policy that can be technically enforced.

Elisa Lippincott:
Great.

Tim Woods:
That everybody adheres to, by the way. We all, to use a cliche, we need to all be singing from the same sheet of music.

Elisa Lippincott:
Right. We don’t have any more questions. So I’m going to go ahead and wrap everything up for today. I do want to thank everyone for taking the time to attend our webinar. I’d like to thank Tim Woods for his time today and for the great session. As I mentioned, you should be able to download the full report on firemon.com or it might be attached in actually this session, I’ll have to double check. But yeah, thanks again for joining us and have a nice day.

Tim Woods:
Thanks everyone. Appreciate your time.
