3 Steps to Gain Control of Cloud Security

On-Demand

Video Transcription

Charlene O’Hanlon:
Well, good morning, good afternoon, or good evening, depending upon where you are in this world. And welcome to today’s Security Boulevard webinar. I’m Charlene O’Hanlon, your moderator for today’s event, and I welcome you. We have a great webinar on tap today but before we get started, we have a few housekeeping items. First of all, today’s event is being recorded. If you miss any or all of the event, just know you’ll be able to access it on demand later on. We’ll be sending out a link to the webinar on demand and we are taking questions from the audience. If you have a question for our panelist at any time during the presentation, just go ahead and use your GoTo Webinar control panel and submit your questions. And we’ll take probably about 15 minutes or so near the end of the presentation and go through those questions.

Charlene O’Hanlon:
And finally, we do have two polling questions during the webinars. Please, we hope that you guys will take advantage and be a part of the webinar. Okay, with that, we’ll go ahead and get started. Three Steps to Gain Control of Cloud Security. Our speaker today is Tim Woods, who is the VP of Technology Alliances at FireMon. Welcome, Tim. Thanks for joining me today.

Tim Woods:
Thank you very much. I’m happy to be here.

Charlene O’Hanlon:
Excellent. Well, I’m going to let you take control now and give your presentation and then I’ll pop in again when we get to the first polling question.

Tim Woods:
Awesome. Awesome, Charlene. Thank you very much. And I want to say thanks to our listening audience out there today. For those of you that attended, we are quite aware that you all have busy schedules and probably could be doing something else right now but you chose to spend your time with us. And for that, I am sincerely appreciative. And so I hope you get something good out of here today. And as Charlene said, be sure to write your questions down as we go through. If there’s something you want to dig into a little deeper, I will leave time at the end here so that we can address those and talk about those. And if there’s something you want to talk about offline as well, more than happy to talk to you one-on-one as well. We invite you to reach out to us and link up.

Tim Woods:
We always love talking to our customers out there and our fan base. Without further ado, let’s go ahead and get through it here. I start off by … Let me get my clicker going here. I start off with this because I think it’s relative and it’s fun. We’ll try to have a little fun as we go through this as well but this was almost prophetic. Software is eating the world. If you don’t recognize this, there was an article written, I’m going to say almost seven years ago, in August of 2011 by a gentleman by the name of Marc Andreessen, who’s a venture capitalist. But back then he was actually co-founder of Netscape. And for those of us, if I’m going to date myself here a little bit, you may remember the first internet browser called Mosaic.

Tim Woods:
He was one of the co-developers of that as well but what Marc’s article and it’s a quick read. I would solicit you if you haven’t read this before, or if it’s been a while, you maybe want to go back and look at it. But it’s so interesting to look at what he’s discussing, software disruption in the marketplace, and he titled it Software Is Eating the World. And he goes through all these different market sectors and talks about, whether it’s digital music migration or talks about Google. And talks about Salesforce challenging Microsoft back then but he talks about Borders selling their online book interest to Amazon. And we see what happened there. Today Amazon is the biggest online book retailer in the world now and seller as well, both online and hardback as well.

Tim Woods:
Talks about the evisceration and that’s the word that he uses. He talks about the evisceration of Blockbuster by Netflix. And so anyway, it’s just a real interesting read but it underscores because I’m going to talk a little bit about the speed of business today. And a lot of that is driven by this wild ride that we’re on with software acceleration as well. APIs, I can’t say enough good things about where the APIs are going today. I would say this, this isn’t part of the presentation but I’m just going to throw it out there. As you’re looking at your vendors that you’re selecting for your solutions within your environments today, make sure that those vendors have a well-rounded API because the future is really going to be dependent on our ability to interchange information between our various solutions and the APIs are the key.

Tim Woods:
We now have standardization in the form of an open API forum that was an adoption of what we call Swagger. But I digressed a little bit but at the same time, it’s just something I think is so critically important and I would invite you to be cognizant of that because the world has changed. Things are really speeding up: the acceleration of cloud adoption, virtualization, internet of things. Very interesting to see everything that’s encompassed inside of IoT. I know a lot of the banks they’re looking at cryptocurrencies and blockchains and things like that but they’re also looking at IoT as well. I know we’re getting ready for our Amazon AWS re:Invent show here at the end of the year, coming up in front of us here very soon.

Tim Woods:
And I remember even last year when they were introducing the Amazon Echo for business and integrating their digital assistant inside of businesses. And then I remember right on the heels of that day, they introduced something called the Amazon Echo Look and being a security guy at heart, I looked at the Echo Look, they want you to put that in your bedroom to help you get dressed, to help you with your style and things like that. And I’m thinking to myself, here’s a problem waiting to happen. But the concern with IoT, it’s the operating systems, how well are those operating systems vetting it and how do I secure it? How do I secure these things as they pop onto my network? Sometimes without the knowledge of IT, as we’ll call it shadow IT. I guess, is the best way to put it but it’s a very interesting area to follow as well.

Tim Woods:
Our position at FireMon as we go through and I look at some of the key tenets of the FireMon security solution with you today. And we talk about some of the areas that we try to help you to tackle those challenges around. We believe that the hybrid is here to stay. Yes, we’re going to cloud adoption. Yes, that’s happening very quickly but there’s still a lot of things that are going to stay on-prem. There’s still a lot of things that are going to stay in the data centers, still a lot of things that are going to stay, even in the hyper-converged data centers. There’s still a lot of things that are not going into the cloud. And so, as we keep our focus on helping our customers secure their security infrastructure, our eye is not just on the cloud, obviously, big focus on the cloud but our eye remains on the premise as well.

Tim Woods:
Any security solution we believe has to be aware of both, it has to give you that visibility of both. It has to give you that full visibility across your entire security infrastructure and not just a part of it. We believe the hybrid at least … For now the hybrid enterprise is here to stay and that’s not changing anytime in the near future. I did something just a little different today. As Charlene said, we do have a couple of poll questions and I’m fixing to give you one right now. But what I did rather than just having a random poll question is each year FireMon does a State of the Firewall report. And that report we … This is our third year that we’ve done it. And it’s chock full of questions around firewall adoption, next-generation firewall adoption, some of the functionality in the next-gen firewalls, SDN, cloud, various questions like that. Consolidation services, just a lot of information.

Tim Woods:
It gives you a good insight into what people are doing across the various industries. This year, I want to say that we surveyed approximately 300 plus respondents across many diverse industries and market segments. And mainly in IT security, mainly looking for people that have an IT security background. And so what I did rather than just giving you a random poll question, is I pulled a couple of poll questions out of the State of the Firewall report. And then what we’ll do, is we’re going to look at your answers and then see how that compares to the survey reports as well. I thought that would be fun. And here’s the first poll question. How critical is the network firewall as part of your overall security architecture today? More critical than ever, as critical as always, less critical than in your past, or not critical at all.

Charlene O’Hanlon:
Okay.

Tim Woods:
And so we’ll give you a few minutes, Charlene to do that.

Charlene O’Hanlon:
Yeah. Just push the poll out to the audience. If you could just take a few seconds and submit your answer and we’ll take a look at the results as soon as we have attained a critical mass. But while we’re waiting, I do want to remind the audience that if you have a question for Tim, you can use your GoToWebinar control panel at any time and submit your question. And it’s always really interesting to hear how organizations have set up their security within their network and what technologies they deem to be most important. I think this is really going to be an interesting poll to see the results. I’m looking forward to it.

Tim Woods:
Yeah, to preface the audience here. When I talk about the network firewall here, I’m asking you to consider your virtual firewalls, your containers, anything that you would consider part of your network enforcement technology. The iptables on your containers, the virtual firewalls, it may be an insertion in the cloud, your on-premise firewalls, everywhere that you have an ACL, an access control list, or a firewall rule. How critical is that to maintaining access across your infrastructure?

Charlene O’Hanlon:
Okay. I’m going to go ahead and close the poll now and share the results here. Let’s see. Okay. It looks like most people think it’s more critical than ever. So –

Tim Woods:
Wow.

Charlene O’Hanlon:
Yeah.

Tim Woods:
This is so interesting so because I’m going to show you the results to the poll here as well. That’s 100% basically saying it’s either critical or as critical as always. You’re right in line. I’ll go ahead and advance the slide here or not.

Charlene O’Hanlon:
It should be working for you.

Tim Woods:
Something, let me see here. I’m getting the spinning ball of frustration here. One second. Audience, bear with me.

Charlene O’Hanlon:
It’s still not working for you?

Tim Woods:
Yeah. Give me one second here.

Charlene O’Hanlon:
Sure.

Tim Woods:
Wouldn’t be a good webinar if we didn’t have one technical blurb along the way.

Charlene O’Hanlon:
There you go. There’s no such thing as perfection with a webinar. While we’re waiting again, I do want to remind the audience if you have a question for Tim, you can go ahead and use your control panel and submit your questions. And as I also mentioned at the top of the webinar, we’re going to have the webinar available for you on demand if you miss any or all of it. We’ll be sending out an email to the webinar, the email will have a link to the webinar afterwards and it’s also going to be on the Security Boulevard website. If at any time you’re having trouble locating the webinar, you can always just go to the Security Boulevard website and click under webinars and click on upcoming, oh sorry, on demand, since it will be on demand at that point. And you should be able to find it there. And we have a bunch of other webinars there so if you take a look around, hopefully, there’ll be one or two or three or four that pique your interest as well.

Tim Woods:
Okay.

Charlene O’Hanlon:
Okay. It looks like you’re back in business. Excellent.

Tim Woods:
We’re back. Yeah. Thank you, PowerPoint. Here’s the respondents, here it’s very interesting. Again, you’re almost exactly aligned here. 94% of our survey of the 300 respondents said, again, more critical than ever, as critical as always. Very interesting. Hopefully that’s useful for you guys as well but it does. It resonates, right? People do believe that the firewall is still … I remember years back when they talked about the death of the firewall and the firewall was dead. And of course, the evolution of the firewall toward next-gen, all the new functionality and the consolidation of features, fit and function has breathed. It has given it new life but it definitely is still viewed as a cornerstone in the foundation of our security, which is good fit.

Tim Woods:
All right. Speed of business. The speed of business, it’s no doubt that business has greatly accelerated. How much it’s accelerated can probably be debated but if we had to put a number on it, I would have to say that it’s somewhere between 6x and 8x. And again, this is why I brought up that software is eating the world because the speed of business is definitely related to it. It’s fueled by a lot of digital transformation and digital adoption and things of that nature. And it’s definitely sped up and there’s a lot of reasons for that, why it’s continuing to speed up. Part of it’s competitive, marketplace advantages, are companies continuing to seek competitive advantages in the marketplace.

Tim Woods:
And in fact, any company that’s not trying to seek a constant competitive advantage can run the risk of being made irrelevant. But technology, as I look at the different companies and I have the unique pleasure of talking to companies around the globe, across almost every market vertical. And I see in the overarching or the strategic initiatives of a company that technology plays a big role in many of those strategic initiatives. Meaning that it’s technology that’s going to fuel the enablement or technology is going to help them to achieve those goals that they’re stating. And whether that’s technology that they already own, it’s technology that they need to acquire, it’s technology that they need to upgrade or enhance, it’s technology that is just going to help them. But by and far, it’s definitely helping to drive the speed of the business.

Tim Woods:
And so you say, well, so what Tim? That’s a good thing. It’s a good thing that business is accelerating. It’s a good thing that business is more agile. It’s a good thing that business can meet what we call the changing context of a demanding market. Yes, it is. It’s definitely good. But the problem is that while the speed of the business has significantly accelerated, our ability to secure that business has degraded, meaning that security implementation is not able to match the speed of the business. And so security as an inherent component has suffered and therein lies the problem. And I believe that many of the business leaders are just now beginning to recognize the importance, we’ll say, of striking a better balance between business acceleration and application security. How do I maintain or outpace increasingly aggressive competition without sacrificing the security of my deployed applications and access to the data that I’m making readily available for my consumers? And so that in and of itself is the challenge.

Tim Woods:
We have this gap, I’ll call it the gap between business and security IT. And we have to look for a way to close this gap. And by the way, we have a webinar tomorrow, if you can actually go to our website and look under resources, I believe it is tomorrow at 1:00 PM Central and it’s called The Future of Network Security. And it’s with a gentleman at Forrester by the name of Chase Cunningham who is leading the eXtended Zero Trust architecture implementation methodology which he inherited from John Kindervag who was there previously. And also our VP of Product Strategy, Matt Dean, will be on the webinar. And they’re going to talk about security intent. They’re going to talk about security intent, orchestration, micro-segmentation, zero trust and things like that.

Tim Woods:
And I think that’s the answer as we look at bridging this gap between business and IT security as we look at how we need to enable security to match the speed of business. I think the future will be held around security intent. And so I would invite you to attend that if you have time in your busy schedules to do so. One of the problems also that creeps into the equation that I think we’d be remiss if we didn’t address, or we didn’t talk about, and it’s just the growing volume of the rule bases that the IT security departments are challenged with servicing, that are challenged with maintaining, that are challenged with attending to and so over the years. And we’ve seen this personally here at FireMon. For those not familiar with FireMon, we’ve been in the security management business for the better part of 14 years now. A lot of deep domain expertise in this area and we’ve seen this happen right in front of our eyes where a firewall …

Tim Woods:
I remember the day when I saw my first firewall that had over 5,000 rules on it and I’m like, how in the world could you have a firewall with 5,000 rules? Where are you going to put 5,000 rules? And now it’s not uncommon to see a firewall with 12,000 rules, with 15,000 rules. I’ve seen firewalls with 80,000 rules. And even we start getting into the cloud and spreading that stuff out, it’s just crazy where it’s whip. And unfortunately, the staffing required to manage that has not mounted that same curve. It has not really met. And so, as a result of that, we find ourselves making some compromises in our security posture sometimes where we’re allowing overly permissive rules, or we’re not applying as good a hygiene as we could. And I’m not faulting the IT security individuals for that. It’s just I have so many things I can do in the given time of the day that I have and it’s not that I don’t know what to do, it’s having the time to do it.

Tim Woods:
But it is a challenge and so we have to get smarter about how we’re … Even firewall bloat when I look at on the average and this may or may not come as a surprise for some of you that are listening to us today. On the average, a legacy firewall and I use the term legacy very loosely because legacy could be. I’ve seen three firewalls that have been placed for three years and four years that we typically will find anywhere between 40 to 50% unused rules on that firewall. And what I mean by unused rules, I’m including the technical mistakes, whether it’s rules that absolutely are being shadowed or they’re redundant to some other rule. They serve no technical purpose for being in the policy, or rules that have just gone to sleep, become dormant because the access to the IT resource or to the resources that they serviced or provided access to are no longer there. Now we have these holes in the policy and the problem with that is sometimes we can get inadvertent access so IP addresses can change or be reused.

Tim Woods:
And all of a sudden that rule is servicing something that we never intended it to service. And probably one of the biggest problems is this overly permissive issue. And that’s what typically happens … I’m going to go into my next slide. It typically happens as a component of the workflow where we don’t have the IT security individual, doesn’t have all the information necessary to build the best rule possible. And so, as a result, and they have a deadline and so the business is saying, we need this access, or we need this implemented by XYZ date. And so in order to meet the needs of the business, we go ahead and we put that in but we don’t have all the answers to our questions. Where are they coming from? Where are they going to? What are the ports? What are the protocols? What are the services that the application requires? And so we end up putting an overly permissive rule in to meet that business objective with the intent of going back and cleaning that rule up later, or tightening the hygiene around that rule later.

Tim Woods:
But unfortunately, 15 priority ones on my plate, I can only get to so many of them. And then I have to go back and service those. And I don’t know, guys, I apologize here. I have no idea what’s going on with my silly PowerPoint today.

Charlene O’Hanlon:
No problem Tim, we can actually drive it on our side if you prefer. And then you can let us know when to advance the slide.

Tim Woods:
Let me try it one more time and if it does it again, then we will do that.

Charlene O’Hanlon:
Okay.

Tim Woods:
That might be the right idea.

Charlene O’Hanlon:
Or I can do that and you can see it? I don’t see it right now. No. Guys, we apologize for the technical difficulties here but this is a good time to think. If you’ve got a question for Tim to go ahead and use that control panel and submit the questions and we will … Okay, I see a slide, then now it’s gone. Now it’s back. Okay. Great. So –

Tim Woods:
Okay. You see it there?

Charlene O’Hanlon:
Yeah.

Tim Woods:
All right. We’re good. All right. This is probably recognizable to anybody out there. It’s a traditional access request flow. And the problem is, and again I go back to the speed of the business, related to the speed of the business. Is the business is going so fast, the information coming into our traditional workflow models is sometimes lacking. It is that we’re finding that our traditional methods are just not scaling the way that they used to. And we’ve tried automation, we’re trying to make the wheels go by faster and some of these other different things but we’re still not maintaining pace or not even close to maintaining pace with the speed of the business. So somehow some way, we have to remove a portion of the human element here.

Tim Woods:
We have to find a way to leverage technology that at a minimum will eliminate those redundant. I hear all the time, I’ve got my best people working on some of the most reoccurring, repetitive, redundant, mundane type access tasks and it can bog down. It can bog down those key IT resources that could be used for more important initiatives. I was at VMworld this year, quite recently and I talked … There was a gentleman on the stage. I didn’t get the opportunity to talk to him directly but he was from Sky UK, the streaming media company. They even stream TV into the cars there but this gentleman was a lead solution architect. His name was David Matthews and he said something and I thought just really resonated with me. He said, “There came a time when we had to support the speed of our DevOps.” He said that our traditional networking change ticket punching, that’s what he called it, change ticket punching, he said, “Did not work for us any longer.”

Tim Woods:
And he said, “Today we are striving to bake our compliance and to bake our security into our applications.” Anyway, I thought that was very interesting and it resonated. Next poll question. And this, I think you’ll find interesting too, because who is primarily responsible for your network security in the cloud and there’s five answers here and then we’ll look at the results there.

Charlene O’Hanlon:
Yeah. Great. Yeah, the poll is up on your screen now. The question is who is primarily responsible for your network security in the cloud? As you can see the results, we have IT/Cloud team, security operations, security engineering, security compliance, or application owner. Go ahead and submit your response and we’ll give it a few more seconds and then we’ll take a look at the responses. Tim, just an FYI, we’re actually running the deck on our side. You can just let us know when to advance the slides and that way we’ll make sure that we can keep the presentation going for you.

Tim Woods:
Perfect.

Charlene O’Hanlon:
And yeah, we’ve gotten some great questions and so far from the audience but there’s still time. If you have a question for Tim, go ahead and use your GoToWebinar control panel and we will get those questions in. We should take probably about 10 or 15 minutes at the end. Okay. We’ll go ahead and close this out now. And I’ll show you guys the results. Looks like the majority of attendees said that the IT/Cloud team is primarily responsible for their cloud security, which kind of makes sense.

Tim Woods:
Yeah. I’m just writing these down right quick. As we look at the next slide, I want to compare them to what the next slide says here as well.

Charlene O’Hanlon:
All right. Great. I think it’s kind of interesting that 18% said that the application owner is primarily responsible for their network security in the cloud. That seems a bit out there but perhaps I’m going about it or thinking about it a little differently than everybody else. I think that if security, we’re talking about cloud security, it should be somebody who’s actually tasked with security, to do the security but hey. You got them done, Tim, can I go ahead and close this out?

Tim Woods:
Yeah, you can go ahead and close that up and let’s go and let’s look and see how that resonates with … There we go. All right. Now we’re seeing it being screened there. So 31 more than almost perfectly aligned. 39, 21 to 22, 14 to 12 and then it tapers off. And then that’s very interesting. Almost a perfect alignment again, with the second question. And it is spread, it’s kind of muddy, it’s cloudy, we’ll call it to be kind of funny. It’s kind of cloudy. Who has responsibility? It’s not your traditional security, not always your traditional security engineering team. Now, as we go into the cloud and the problem that we see with this is that sometimes responsibilities are, there’s some gray areas between who’s responsible for what and when. And it’s leading to some security gaps as well. It gets back to the need of a clear visibility across your entire security infrastructure, regardless of who is implementing those security controls. Next slide.

Tim Woods:
And so, one of the things that we focused on at FireMon, is giving you … And the title of the webinar today was, three things to help you control your cloud security. And we’re going to talk about three key functionalities that we provide in Security Manager, our enterprise security suite, and focus on those. And we believe that these are three key tenets in any good security solution that you absolutely, positively have to have if you’re going to maintain security in your cloud. But it’s not just for the cloud too, many of these have been adopted from what we were doing within the on-prem solutions as well and we’ve moved those into the cloud.

Tim Woods:
Let’s go on to the next slide. We’re going to start with the risk landscape. Reduce the attack surface, combined part. And we hear this a lot, right? You hear this a lot from vendors. How do I reduce my attack surface? But there is a way to reduce the attack surface and for the cloud, it’s so critically important because of the dynamics of the cloud, because of the way things are moving and changing on a continual basis. It’s so important that you’re always testing the security of your cloud access. And so combining policy with vulnerabilities to simulate attacks, score risk and prioritize action. What does that mean? What I can actually do, what we actually do, is we overlay. We import this vulnerability scan data and overlay it onto my compensating controls, onto the rules of my firewalls in order to correlate that with policy behavior.

Tim Woods:
I also need to clearly understand what does my route intelligence provide. In other words, what do my route tables say about who can get from where and then what do my compensating controls allow? And then by being able to run what we call some risk threat vector algorithms, we can see if a bad actor came in a well-known threat entry point, how far could they get? And if they could gain access to this known vulnerability that we haven’t patched that exists on our network, could they potentially exploit it? And what’s the severity of that vulnerability? Is it a root exploit where they could pivot off of it and go deeper into my network? We want to analyze that. And I’m going to give you a picture of this later on. We’re going to revisit this part real quick, look at some of the challenges and then I’m going to show you a quick actual snapshot from the solution suite that paints a picture for you.

Tim Woods:
We always say a picture paints a thousand words and show you what that looks like. We’ll come back to this here in a little bit. Going onto the next slide, compliance, I call it one of the unsung heroes here, always being audit ready. Compliance can truly be what I’ll call the glue that binds, you know? If you take a dynamic compliance engine, it can help you to literally technically enforce your written policies. Now, it’s not necessarily trivial. And I ask people all the time, do you have confidence that your security policies are a close reflection of your written security policies? And do you have your written security policies? Here’s my intent, here’s what we’re actually doing. Do those two map, or is there a gap there that needs to be closed? And the response almost unanimously is yes, no, I don’t have confidence that my written security policy is a reflection of my actual security implementations. And so why is that? And it gets back to visibility and applying a level of inspection to change as it happens dynamically every time.

Tim Woods:
Compliance, if done right, can literally help you to technically enforce your written policy. Every time, think about this, every time a change happens, I want to inspect that against whatever my best practice is. Or if I’m driven by a regulatory compliance initiative, whether it’s HIPAA or FISMA, NERC, or ISO 27000 or NIS, PCI, GDPR. God, don’t get me started on GDPR, the newest compliance regulation on the block, the new kid on the block. But regardless of what it is, I want to make sure that that change that just happened in my security infrastructure did not break my compliance posture. It did not add unnecessary risk. It did not just expose a route vulnerability that wasn’t previously exposed. And we can even take that a step further. We can take compliance a step further to say. Hey, wouldn’t it be nice not that you told me about it after the change went in and yes, I see that it broke something.

Tim Woods:
And I don’t want to just alert you that there was a control failure. I want to take that control failure and assign responsibility for somebody to address it, meaning I want to automatically create a ticket and I want to, within that ticket, give you the actionable intelligence that you can create a solid remediation plan around to say, hey, here’s how we’re going to resolve this. And it may be whitelisting, maybe it’s temporary access or whatever it happens to be. But the flip side of that coin is saying, every time a change happens, what are, or rather than waiting for the change to happen. What if we integrated compliance as a component of our workflow assessment to say, hey, let’s sandbox this change, run our compliance controls, our compliance assessments around this proposed change to see if it breaks anything in advance of it being implemented on a security enforcement point. And that’s where some of the greatest value can be realized out of compliance.

Tim Woods:
But I’ll say this, that if done right, if you take the time to write a solid compliance initiative and you have a system that can help you support that compliance initiative, that the return on that investment can be tenfold as it relates to dynamic security. Next slide. And as we talked about this, we saw the distribution of responsibility as we see people moving into the cloud. Excuse me. As we see people moving into the cloud, it’s paramount that you also have clear visibility across your entire security infrastructure. You need that central pane of glass that really holistically brings all the statistics, brings all those key security performance indicators to the top, with the ability to drill down into it so that you can get context around and then quickly you want to be able to find that needle in the haystack very quickly on that orchestration, on that single pane of glass within that security orchestration platform. So very, very important that we have that clear view across the entire security infrastructure.

Tim Woods:
And so, that’s exactly what we’re trying to do, is we’re bringing those three tenets together inside a single umbrella, giving you good visibility across your risk horizon, giving you the ability to implement dynamic real-time compliance and/or proactive compliance. And then giving you that central pane of glass to give you visibility across the entire security infrastructure with those holistic dashboards. And I’m going to give you an example of this, too. Some of the key, what we’ll call, key KPI security indicators that you can see. This is going to give you an indication across your infrastructure, what your security posture looks like at any given point in time. Next slide.

Tim Woods:
Projects and strategies. As I was putting this slide together, God, I used it in another presentation a couple months back. And I was actually at an event while I was putting this together and I was talking to a gentleman there. And he said, “Tim, it’s interesting.” He said, “Everything you have on this slide is either an initiative, something that we’re working on or something that we’re already working on or being proposed.” And he says, “A lot of our questions are fueling around how we’re going to achieve that.” But so there’s all these different projects, all these different strategies that are taking place. And the real question on our mind is, how are we going to achieve these things? And I think the answer to that is, we have to look at what are the technological solutions out there that can help us be successful around these projects and these overarching strategies within our environment today. Next slide.

Tim Woods:
I told you I’d come back to this. Again, this is talking about the attack surface and, as I said, I want to show you a couple of things before we wrap it up here, we’ve got about five minutes left. I want to open it up. I want to make sure that we leave enough time for questions. But want to look at … As we talk about the reduction of the attack surface and what that really means, it’s understanding which vulnerabilities pose the greatest risk. In other words, if I’m going to patch something, if I know that I have limited resources and I can only get to so much in a given time period based on the resources that I have, where can I make the most effective use of those resources? Where do I get the biggest return on my investment? Where can I get the biggest risk reduction for my time spent patching the vulnerabilities on our network, understanding that sometimes patching requires taking systems offline for a little bit? And it’s not always straightforward.

Tim Woods:
Everybody says, “We’ll just patch it.” And sometimes it’s not, when you’re talking about a real-time live production system, it’s not as straightforward as you might think when we’re going to have to try to patch these various systems. And so we have to be respectful of the business at the time that we’re trying to implement our vulnerability patching and things like that, too. But being able to understand which vulnerabilities pose the greatest risk to my environment is key. It’s not necessarily just patching that critical resource. It’s not necessarily patching the most critical assets and resources and applications over and over and over again, sometimes it’s about understanding where those potential exploits lie and where patching one vulnerability may have an effect on 700, 800, 1,000 other vulnerabilities that may exist on the system. And so being able to simulate that in the context of your real-time policies, having a real-time picture of your network, having a real-time picture of your policies, understanding policy behaviors, access path across the network, traffic flow analysis across the individual security enforcement points themselves. Being able to orchestrate that in a single pane of glass is critically important.

Tim Woods:
Next slide. Again, I’m quantifying the risk, attack simulation and trying to reduce that sprawling attack surface. The fusion of vulnerability management, continuous compliance and orchestration, and I know those are some nice marketing buzzwords, but it’s really true when you can bring those three poles together, when you can bring this continuous, because everything that we do on the FireMon security management platform, everything we do is real-time. And so when we talk about continuous compliance, we mean it. Every time a change happens, or every time a proposed change is submitted, we want to evaluate that. And we want to understand what the risk factors are to that. And we want to make sure that everybody has visibility into that. Next slide.

Tim Woods:
This is a great picture, a picture paints a thousand words. This is exactly what I was talking about here. Here we have a dynamically generated map. This is a real-time depiction of a network topology. This could be cloud. This could be the containers inside a segmented portion of the cloud. But essentially what we’ve done here, is we have launched a simulated attack, if an attacker, if a bad actor came in a well-known threat entry point, we want to know how far that nefarious individual could get. And so that’s what we did here. And based on this simulated risk threat vector attack, we’ve determined that there is a 62.47 risk rating here that this bad actor could actually get to a critical resource that has a potential root exploit on it. And they could pivot off of that potentially and go somewhere else within the network.

Tim Woods:
And so what we show you over here to the right, and I’m going to apologize here because as I’m looking at this, it may be that you can’t see this clearly, but we show you what the risk rating is at the top. And if you’ll see right above the little gray that says assets to patch and services, right above that, there’s a line there that says, patch eight compromised assets … Getting tongue-tied here. Patch eight compromised assets to protect 733 assets. And so what we can do is we can simulate the patch to see what the impact on our environment would be, to see what the impact on our risk posture would be. Next slide.

Tim Woods:
We’re going to go ahead and do that, and what that did, is it eliminated that ugly red line that you saw going to the core of our network there. And all of a sudden, we go from a 62% risk rating down to a 7.5% risk rating. And you can see that, I should have put two arrows there though, the one to the left is pointed at where we were. These are our metered recommendations on where we should apply our patches or what assets we should patch. And then we see what the resulting impact is of those patching efforts. Where can I get the biggest return on my investment? Where can I reduce the greatest amount of risk in the least amount of time, making the most efficient use of my resources? That’s what we’re trying to get to here. Next slide.

Tim Woods:
Key performance indicators for security. This is just, when I talk about a central pane of glass, when I talk about bringing those holistic numbers, those KPIs to the top, this is what I’m talking about here. What’s my average device complexity? And I’ll talk about that here. How many redundant rules, unused rules do I have in my environment? How many unreferenced network objects do I have across all of my policies, across my entire real estate? How many unreferenced service objects do I have? Why are they there? Why are they there in the first place, if nobody is using them? We want to look at that. We want to be able to … And any of those lines, these aren’t just really nice, pretty graphs that I could throw up in a SOC and say, oh, wow, this … But they are things that we can chase.

Tim Woods:
They are things that give a good, accurate reflection to say, what is my security posture or the actions that I’m taking inside of my security operations, are they moving the needle in the right direction? The one I like the most is down there at the bottom. Again, I’m going to apologize because that’s a little hard to see but what it’s showing is complexity by device. And what that really means is, we go out and we try to find the security enforcement points. I don’t care if they’re virtual, if they’re in the cloud, wherever they happen to be, which ones have the most open policies. And that’s usually not a good thing. Usually, when you have an open policy, it means that some overly permissive rules have crept into the equation over time. And we need to identify those so that we can apply some traffic flow analysis around those to tighten those rules up. Next slide.

Tim Woods:
And then lastly here, this is looking at my compliance initiatives here. This is my KPI indicators for compliance here. And I can see where my critical control failures are at, I can see which rules have critical control failures on and again, I can drill into any one of these to get some detailed, actionable intelligence out of that as well. So very important to be able to get to that information quick. It’s really hard to create a solid remediation strategy or remediation task, if you don’t have actionable intelligence that you can use as well. Next slide.

Tim Woods:
And so that’s really it: continuous security for the hybrid enterprise, giving you the tools that you need to control the security in your cloud. Looking at the risk landscape, looking at your compliance initiatives and having that single pane of glass to bring it all together is critically important. I promised to leave you some time here for the next slide. I believe that’s it, so we can go ahead and answer any questions that we have teed up.

Charlene O’Hanlon:
All right. Great, so we’ve gotten some questions in, but if you have a question for Tim about any part of his presentation go ahead and use your GoTo Webinar control panel. First question. And I have a feeling I know the answer to this one. Are IoT devices the biggest concern when it comes to securing the network? I have a feeling the answer is no, but I’ll let you answer.

Tim Woods:
I would say no, it’s not the biggest concern today, but it’s definitely a concern. Because again, a lot of times the vetting of the security operating systems around those IoT devices is unknown. You don’t know what potentially could be exploited, or some of your traditional tools that you’re using in the infrastructure don’t necessarily give you the insights that you need into those IoT devices. But we hear about all kinds of potential exploits that can lie in wait for you inside of those IoT devices. It is an interesting dilemma that we’re faced with in the security field today, how we better secure those IoT devices. And I see industries, I see some companies popping up around that just specifically to address that. It is interesting. Are they the biggest concern today? I’m going to say no, but it is something that we definitely want to keep one eye open on.

Charlene O’Hanlon:
Awesome. All right. Great. Next question. How does my company determine the risk of our cloud environment?

Tim Woods:
Cloud again, I said this earlier, it’s one of these. It’s a continually changing dynamic, right? Applications spin up, applications spin down, applications move. It seems to be constantly in motion, or it can be. And so again, you have to have a way that you are looking at the security controls that are in place around those different applications. And so, what we find is, while once upon a time, and a long time ago in a land far, far away, it was really nice to have a firewall that could protect a single entry point into our network. And even if you had remote locations all over the planet, everything was backhauled into the corporate office and then fed back out. Today that doesn’t exist.

Tim Woods:
When we look at IoT, when we look at BYOD, when we look at this, when we look at public cloud and private cloud and multi-cloud, the perimeter as we once knew it is no longer there. And so we have to understand where our security controls are at. We need visibility across all of those security controls. Again, I get back to my single pane of glass topic, but we have to have good insight into that and we have to have a good testing methodology for exercising the security around those to make sure that the policy behavior is understood and that we have a way to validate that policy behavior. We have to have a way to make sure that our written security policies, our written security intent, our security intent around those applications, as far as focusing.

Tim Woods:
I think the focus has to shift to the applications, instead of focusing on rules on the firewall, not that that’s not critically important. We see, even based off of security polls, how critically important a role the firewall still plays as a foundational structure to our security infrastructure. But the focus has to shift in a little more micro manner around the applications themselves, the assets, the resources, and the applications that we’re protecting. And then we write our security policies around that, what our security expectations, what our compliance intent, what our business intent, what our security intent is around that application, and then we work backwards from there to secure it.

Charlene O’Hanlon:
All right. Great. There’s still time if you guys have a question for Tim, just use your GoTo Webinar control panel and we should hopefully be able to get to your question. Next one. Is this just automating processes that are already being used in our data center but now in the cloud?

Tim Woods:
Not exactly, some of it, yes. It’s not just automation, it starts with, as you saw from the distribution of security responsibilities, collaboration becomes a big part of this. Because distribution of responsibility is starting to widen as it relates to who has ownership over the security of the assets, the applications and the resources. We have to have a way, we have to have a platform that allows us to collaborate on our security with one another. And I won’t get back into the APIs again, but the API plays into this down the road as well, when we start talking about sharing information between solutions as well. But I think it’s important that yes, there’s some automation that comes into play here. And yes, we should be taking advantage of technology automation, but also in order to make this work, we have to have a platform that supports collaboration across our security unit, whoever has responsibility for securing the interests of that asset, resource or application. We all have to have common visibility into that in order to make it work, so collaboration is the key.

Charlene O’Hanlon:
Okay. All right. Great. Next question. Is FireMon a service?

Tim Woods:
No, it’s used as a service. But we definitely have, we’re very popular in the MSP space. We’re very popular in the XSP space only because we have multi-tenant capabilities. We have very granular role-based administration. We scale to incredibly high levels. Those are some of the basic requirements that any MSP has. And so, we also do, I talk about APIs. I preach APIs all the time. We have over 90% of the functionality found in our solution suite exposed over API, our secure APIs as well, via REST and JSON and everything. We make it very easy also to extract information from our system, if I’m putting that into a customer portal or I’m sending that over to another system somewhere, or I’m exchanging information to raise the value of my combined security solutions, we make that a very easy process as a result of our robust APIs that we offer.

Tim Woods:
That’s important. But no, typically it is a solution that you purchase and you buy a license that you own. We do have subscription licenses as well, but it’s not a service. It’s used by some companies as a service, as a provided service, and sometimes it’s recognized that it’s FireMon providing that service. Sometimes it’s white-labeled, you don’t know that it’s FireMon data that’s driving that. But in general, no, it’s something that you purchase to deploy in your environment.

Charlene O’Hanlon:
Okay, great. We are looking at about five minutes to the top of the hour so I think we have time for one or two more questions. Next question. Your example about growing rules is a problem for my company, how can we more effectively control them?

Tim Woods:
Great question. There’s really two … I break it down into three parts, which is understanding the technical mistakes that creep into a policy over time. And again, this has to do with speed. I’m in a hurry to honor the business request sometimes, or I don’t have the visibility from the native management tools of the key vendors that you’re using across your heterogeneous environments. They do a great job in purposing the firewalls. They do a great job in managing the firewalls. They don’t always do as great a job when we get into policy behaviors and things like that. Sometimes we need to understand when those technical mistakes creep into the policy, and an example, again, of a technical mistake could be.

Tim Woods:
I have a request in, I don’t have a way to necessarily vet the behavior of a policy, and I stick that new rule down at the bottom, right above the cleanup rule. And not knowing that there’s either a rule above it that’s already blocking that access, or a rule above it that’s already allowing that access. And so, one of two things is going to happen: either it works and we’re like, oh, cool. We put the rule in and it works, the business owner is happy, not realizing that it already worked because we didn’t really get that out. Or we find out that, oh, it doesn’t work. Now I’ve got to go back and troubleshoot and figure out, in this 15,000-rule policy, which one is blocking my access to this rule that I dropped at the bottom of the deck. And so, having good visibility into that, and that’s not necessarily, that’s just policy behavior. That’s just kind of a math exercise.

Tim Woods:
Next to that is understanding usage on an ongoing basis. You have to understand real-time usage analytics around your policies, which rules are being used the most, which rules are being used the least, which rules aren’t being used at all. Not necessarily a technical mistake, but it’s just a policy, it’s just a rule that, like I said, may have outlived its usefulness and is no longer needed, although it did serve a purpose at one time. And so, the way that we identify those is looking at usage across our firewall policies over time, and then we can. And that can help us in optimizing our firewall policy. Firewalls are somewhat sequential animals and they process things sequentially for the most part, not always, but for the most part. And so being able to put those rules that are used the most at the top of the deck can be very beneficial in these very, very big, large policies.

Tim Woods:
And so again, that’s what I’ll call step two, is understanding usage analytics around the policies, and you need a system that can do that. That can parse the large data coming from these firewalls and correlate that to the policy that’s enforced at the time that you parse and ingest that log data. And so there’s a correlation that takes place there. And then lastly, of course, is looking at those overly permissive rules. One of the biggest culprits in an overly permissive rule is the use of an “any” statement. And so anytime “any” creeps into the policy, you can almost guarantee that there’s going to be some over-access being provided. And so, what I want to know is, I want to be able to analyze that “any”. If I put an “any” in a service field, or I find an “any” in a service field, I want to look inside that “any” over time to see what is actually being transferred through that “any” and then lock it down.

Tim Woods:
Rather than having this “any” statement in a policy that’s allowing 65,000-plus services, what if I locked it down to just those things that I actually know are being used? Without visibility into that, it’s impossible to do. And so, those are the things. There’s definitely some things that you can do to help optimize the behavior of your policy and get rid of that firewall bloat. But most importantly, is to get rid of that complexity, because one thing we know for sure, beyond a shadow of a doubt, we’ve seen it time and time again, as complexity increases. And when I say complexity, and I preach this all the time, I’m talking about unnecessary complexity. Any good security implementation is going to have a certain level of complexity. What I take exception to is this unnecessary complexity that creeps into the policies over time. Being able to eliminate that unnecessary complexity is going to greatly benefit our security posture and reduce risk.

Charlene O’Hanlon:
All right, great. Well, that is all the time that we have for the questions. I thank everybody who did submit a question to Tim and also I want to remind the audience real quick, that today’s event has been recorded. If you missed any or all of it, you will be able to access it on demand. Hopefully, later on this afternoon, you should be receiving an email that does have a link to the webinar on demand that you can access. Tim Woods, thank you so much for being here today and giving such a great presentation. Judging from the quality of the questions, I’m sure the audience got a lot out of it. I know I did. Thanks very much. Appreciate it.

Tim Woods:
Charlene, thank you very much and thanks to our audience again. Appreciate it.

Charlene O’Hanlon:
Yes. Thank you all for joining. This is Charlene O’Hanlon signing off. Have a great day, everybody.
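Editor’s worked example, added to this transcript and not part of the webinar or of FireMon’s product: the three rule-base checks Tim describes in his last answer (a new rule dropped above the cleanup rule that an earlier rule already decides, rules with zero hits in the traffic logs, and allow rules with an “any” service narrowed to the services actually observed). The rule format, the key=value log format and the rule base itself are constructed for illustration; real vendors differ in syntax but the first-match logic is the same.

```python
"""Rule-base hygiene checks for a first-match firewall policy.

Added example by the editor; not FireMon code. The rule and log formats
below are constructed for illustration.
"""
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: str             # CIDR, or "any"
    dst: str             # CIDR, or "any"
    service: frozenset   # {"tcp/443", ...}, or {"any"}
    action: str          # "allow" or "deny"


def _net(s):
    return ipaddress.ip_network("0.0.0.0/0" if s == "any" else s)


def _covers(a, b):
    """True when network a contains all of network b (equal networks count)."""
    return _net(b).subnet_of(_net(a))


def _svc_covers(a, b):
    return "any" in a or b <= a


def shadowed_rules(rules):
    """Rules that can never match because an earlier rule fully covers their
    src, dst and service. Same action -> 'redundant'; opposite action ->
    'shadowed' (the earlier rule already decides that traffic)."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (_covers(earlier.src, later.src) and _covers(earlier.dst, later.dst)
                    and _svc_covers(earlier.service, later.service)):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((later.name, earlier.name, kind))
                break
    return findings


def match_rule(rules, src_ip, dst_ip, svc):
    """First-match evaluation, the way most firewalls walk a rule base."""
    for r in rules:
        if (ipaddress.ip_address(src_ip) in _net(r.src)
                and ipaddress.ip_address(dst_ip) in _net(r.dst)
                and _svc_covers(r.service, {svc})):
            return r
    return None


def usage_report(rules, log_lines):
    """Correlate traffic log lines with the rule in force that would have
    matched them. Returns hit counts per rule and the services seen per rule."""
    hits = Counter({r.name: 0 for r in rules})
    seen = defaultdict(Counter)
    for line in log_lines:
        f = dict(kv.split("=", 1) for kv in line.split())
        svc = f"{f['proto']}/{f['dport']}"
        r = match_rule(rules, f["src"], f["dst"], svc)
        if r is not None:
            hits[r.name] += 1
            seen[r.name][svc] += 1
    return hits, seen


def unused_rules(hits):
    return sorted(name for name, n in hits.items() if n == 0)


def tighten_any_services(rules, seen):
    """For each allow rule whose service is 'any', propose the services that
    were actually observed so the rule can be narrowed to them."""
    return {r.name: sorted(seen.get(r.name, {}))
            for r in rules if r.action == "allow" and "any" in r.service}


# Constructed rule base (hypothetical; not from the webinar).
RULES = [
    Rule("R1", "10.0.0.0/8", "192.168.10.5/32", frozenset({"tcp/443"}), "allow"),
    Rule("R2", "10.1.0.0/16", "192.168.20.0/24", frozenset({"any"}), "allow"),
    Rule("R3", "any", "192.168.30.7/32", frozenset({"tcp/22"}), "deny"),
    Rule("R4", "10.0.1.0/24", "192.168.10.5/32", frozenset({"tcp/443"}), "allow"),
    Rule("R5", "10.5.0.0/16", "192.168.30.7/32", frozenset({"tcp/22"}), "allow"),
    Rule("R6", "10.9.0.0/16", "192.168.40.0/24", frozenset({"tcp/3389"}), "allow"),
    Rule("cleanup", "any", "any", frozenset({"any"}), "deny"),
]

# Constructed traffic log lines (key=value, one flow per line).
LOG_LINES = [
    "src=10.0.1.20 dst=192.168.10.5 proto=tcp dport=443",
    "src=10.0.2.9 dst=192.168.10.5 proto=tcp dport=443",
    "src=10.1.4.4 dst=192.168.20.15 proto=tcp dport=443",
    "src=10.1.4.4 dst=192.168.20.15 proto=tcp dport=22",
    "src=10.1.7.8 dst=192.168.20.31 proto=udp dport=53",
    "src=10.5.0.3 dst=192.168.30.7 proto=tcp dport=22",
    "src=172.16.0.9 dst=192.168.40.2 proto=tcp dport=3389",
]

if __name__ == "__main__":
    print("shadowed/redundant:", shadowed_rules(RULES))
    hits, seen = usage_report(RULES, LOG_LINES)
    print("hits:", dict(hits))
    print("unused:", unused_rules(hits))
    print("narrow 'any' to:", tighten_any_services(RULES, seen))
```

Two caveats a practitioner should keep in mind. R4 and R5 show up as unused as well as redundant/shadowed, so a zero hit count alone does not tell you why a rule is dead; run the shadowing check first. And reordering rules by hit count, as the answer suggests for large policies, is only safe when the rules being moved past each other do not overlap with different actions, otherwise the reorder changes what the firewall decides.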
