5 Ways to Make Your SOAR Initiatives Take Flight

On-Demand

Video Transcription

Paul:
Hello. Good afternoon, good morning or good evening if anyone’s in Europe. Thank you for joining today. My name is Paul Anderson. I’m a Vice President Solutioning focused on automation solutions for FireMon. Personally, I’ve spent the last few years [inaudible 00:00:26] in a converged space focused on private cloud and agile infrastructure, and certainly see security automation as a very important solution in the majority of customer stacks. I spent a few years at F5 Networks before that.

Paul:
The focus of today’s Webinar, and I’ll introduce Josh Williams here shortly, who’s going to be speaking the majority of the time, is five ways to make your SOAR initiatives take flight. Josh is going to share a quick overview of the SOAR market or what SOAR is, how it’s relevant to firewall policy management, the five steps to SOAR success and then a touch of a live demo. Please have questions coming at any time. We’ll either answer them in real time or save them for the end, depending on the content and how it relates to the train that Josh is on.

Paul:
In addition, we are live tweeting, or Carmen Harrison is live tweeting, on Twitter at hashtag FM live. Before Josh gets started, I will share a brief overview of FireMon in case anyone doesn’t know. I know we have a lot of existing customers on the line, very familiar with the product set. But for anyone else, FireMon is the number one network security management and policy solution for hybrid enterprises. FireMon prides itself on delivering continuous security for multiple cloud enterprise environments through a powerful fusion of vulnerability management, compliance and orchestration.

Paul:
Since creating the first ever network security policy management solution, FireMon has continued to develop real-time visibility into and control over complex networks, security infrastructures, policies, and risk postures for more than 1700 customers located in 70 countries across the globe. Something we’re very excited about over the last few years is the data set of policy that we have has led our customers to move further and further towards automation to meet the goals of their companies to move faster in the change process, but without compromising accuracy and compliance in the act of moving further and further towards speed and agility.

Paul:
All that being said, I’m going to turn it over to Josh Williams and he can introduce himself and then go ahead and dive into the content on SOAR. Take it away Josh.

Joshua:
Hey, thanks, Paul. Appreciate it. And thanks everybody for showing up. My name is Joshua Williams. Let me get to the presenter slides. So yeah, my name is Joshua Williams. Just a really quick background on me. I’ve spent a lot of my time with government agencies, the DOD, the DOE, doing cybersecurity network engineering across those enterprises. Went into financials, into a FinTech organization where we were a stock exchange, doing network engineering there. I really enjoyed my time with that. And then I came to FireMon where I started as a work security engineer, actually working with integrations focused around cloud and how we’re going to integrate cloud into the FireMon product.

Joshua:
From there I moved into the sell side, I think because they talk too much. I don’t know. I really enjoy engaging with people. So I think this was a better fit for me to really come over and engage with clients and help solve problems for them. And I focus a lot with the cloud and mostly with the automation side of FireMon. What we do in the security automation space. So that’s why I’m here today to talk about the SOAR Integration, how we can discuss around what’s going on in the space right now and find a constraint around what one of the constraints we’re seeing and then just talk about some ways to solve it.

Joshua:
So we’re going to dive right in here. The first thing we’re going to do is level set on SOAR. Let’s talk about what it is, the components that make it up and then the advantages you get from it. Right? So let’s talk about the first components. And the way we see SOAR, security orchestration, automation and response, the way we feed that is broken out into three different parts: that is threat intelligence, security orchestration and automation, and then security incident response, and that’s logical. It makes total sense, right?

Joshua:
So what we have is threat intelligence. What is the threat? How do we find where the threat is at? How do we know what that is? Then once we get it, we have to have some idea of what to do with it, right? So it’s easy to identify something. Well, maybe it’s not that easy, but once you identify something, you have to do something with it. You have to say in your environment, I found something bad. How do I treat this? How do I act now?

Joshua:
So the security orchestration automation helps with that. One of the things it does is that it’s able to build a logical bridge between finding the problem, finding the issue or the malicious action, finding that, and then bridging the gap between that and actually responding to it. That’s what the security orchestration automation does. So let’s take those two terms really quick and let’s break those two down because we hear that a lot with our customers. We hear the interchangeability between them a lot. What is orchestration or they’ll use orchestration for automation, automation for orchestration and we hear a lot of that.

Joshua:
So let’s define those two really quick. Automation is simply a task that is being done, a repetitive process that’s being done over and over and we can do it without human intervention. So if we were to really boil it down, we would say automation is a single task that can go over and over and over and over again. Orchestration is going to be the logical process of these automation tasks. So when you orchestrate something, you build out logically this task runs and this task runs, or if something is met in one automation task, we can kick off another.

Joshua:
So that’s the way we’re going to define them. And when we talk about those two terms through this Webinar, that’s what we’re going to mean when we talk about the two. So that’s the difference between automation and orchestration. Then we get to security incident response. That’s the third part of SOAR that we’re talking about here. So that’s the logical: we found the threat, the security automation and orchestration has mapped us to what to do now. And that’s security incident response. So again, like I said earlier, when you find a threat, when you find that something is wrong or something malicious is happening in your environment, what you want to do is you want to do something about it. How do you respond properly to that threat?

Joshua:
So those are the three components of SOAR. That’s how we’re defining them and we’re looking at them and we’re saying, “Okay, this is what it is and how do we interact with that now, right?” So how do we interact and integrate with that? But first just talk about the benefits. What benefits do we get through having a SOAR in our environment? Well, I think they’re all pretty obvious, right? One, it binds up the threat hunting and incident response together.

Joshua:
So SOAR is able to say through an automated orchestrated process that now that I’ve found something, what do I need to do? So by automating that we add speed to the process, we’re able to save bad IP one. Somebody is doing something from this IP, or I have an IOT device out in my factory area that is beaconing to some malicious IP and we need to stop it. We need to cut it out now. So we know there’s malicious activity. We need to put it into it. SOAR enables that and speeds that up.

Joshua:
It’s able to handle the security alerts proactively. So instead of having a reactive, going through logs, finding something that just doesn’t look right and then saying, “Okay, now how do we act on it?” So you have to do a little bit of intelligence gathering on it, then you have to perform some action on it, based off of what you’ve learned throughout an interrogation process, a SOAR is able to be proactive about that. It’s able to see it and act immediately, again going back to the first point that there’s an automated secure or an automated orchestrated process to get us from threat to response.

Joshua:
The third one is a very important one. And the two key terms here are consistency and efficiency. So it provides consistency and efficiency in your security operations. So when we talk about consistency, one of the things we’re talking about is that there is a deterministic model in your security operations. Consistency provides us with that. It says, “When you have X event happen, I know exactly how my security infrastructure will act. We’ll adapt to ensure that that malicious event has been mitigated.” That’s what consistency gives to you. Consistency is how you sleep well at night, knowing that whenever something bad could happen, you have a way to mitigate that in place.

Joshua:
That’s what consistency gives you. Without consistency you will not know what your environment will do. You won’t know how to react to it. You won’t know if something’s happening in and amongst your secured situation or your secured environment because there’s nothing to say, I know every time this happens, we’ll mitigate it this way. SOAR provides you consistency and then there’s efficiency. If we could have a word that you have, that’s a for like money happen, this would be that word. Because efficiency gives you the ability to say, “I have a way of utilizing or performing a process without all the noise involved or without all the extra tasks involved that are going to take my attention away or take my skills away and force them to perform something that is not providing great value to the process.”

Joshua:
So that’s the efficiency part of SOAR that is able to say, “I have a process built or orchestrate a process that takes me from malicious activity into a true response. And then I’m able to do it correctly without a lot of extra noise or a lot of extra processes aligned with it.” Let’s take out all the things that are necessary or let’s automate the things we can automate, right? Let’s automate the boring thing. Let’s automate the complex thing. So, that’s the quick benefit to SOAR. Those are the benefits we see.

Joshua:
So now let’s talk about the problems. Let’s frame the problem or the constraints. And let’s see where we are seeing some of the hard parts, some of the problems with current SOAR deployments that we’re running across. So one of the main things is we’re seeing that there’s a gap in the integration. Right now with a lot of SOARs, they do a great job of providing a way to integrate with product, right? You have a BYOI, right? Like, bring your own integration. What do you want to bring to the table? What do you want to have plugged into the SOAR environment to allow for best use of your current network security tools for the security operation technician?

Joshua:
So right now, what we’re seeing is you can plug a bunch of different things into it, but there’s no one good way to say this, give a single integration point that allows for a great magnitude of effect after it. So we’re also seeing that there’s an issue with speed. So though SOAR provides you those orchestration and automation aspects to get you from the threat to the remediation, there’s also an issue with speed when it comes to network security policy. So for instance when you were looking at integrating like a defense in depth across your infrastructure with the SOAR automation, one of the things you’re going to run into is…

Joshua:
Well, you still have to know the routes, you still have to know what firewalls to apply them onto. So you can send to whatever firewall vendor you have the policy you want to use to change, to modify, to block this malicious IP, but you still have to know which firewall to do this to. You still have to have some intelligence to be able to say, I want to do this. So you start to reduce the amount of speed of this deployment to remediate by not having the integration point across it. The two points I put below here, like speed should not be negotiated. Security should not be negotiated. Right. And that goes back to the core of…

Joshua:
That’s the first thing you learn, right? When you’re learning security it’s like, Oh, you can’t have both, right? That’s something people always tell you, you can’t have both. You can have your cake and eat it too when it comes to speed and security. But I don’t think that’s the case anymore. SOAR is really aiding with that. There’s a good product and security automation is really helping with that. It’s really helping take antenna something that needs to happen. And being able to say, “We can push quickly what you need to change. The modifications are in the new policy. We can push quickly through your infrastructure and we can do it with some guide rails around to ensure we reduce the amount of misconfigurations or we don’t allow something overly promiscuous, an overly promiscuous rule in your environment.”

Joshua:
So let’s talk about some of the ways we’re looking at solving this problem, getting over this constraint or breaking through this constraint. One of them is one that I just mentioned is we want to reduce the risk of human error. So SOARs do a really good job of that integration point. And if you peeled your playbooks out really well, you can have a solid playbook that allows for this to happen, but there’s still a point to when it comes to network security policy, that you have to make some human decisions. Now I’ve done many years of policy deployments and firewall rule building across a lot of vendors of firewalls. And I’m not going to sit here and tell anyone that I’ve never made a mistake about it or that I haven’t caused an outage.

Joshua:
I’ve done plenty on both sides of that. So we understand, and I understand that there is an issue with the humans touching the keyboard, in factoring something or running a commit with something more in it than they expected and causing an outage. We’ve talked to plenty of customers that have said that they’ve opened up and they’ve had risks or they’ve had threats come to life based off misconfigurations on the perimeter firewalls. I don’t think it takes much of us to think within the past few weeks, we’ve heard about misconfigs and the issues that they can create in an environment.

Joshua:
So we want to reduce the amount of human error when we’re working with SOARs and when we’re getting to the deployment of that defense in depth idea throughout the infrastructure. Next, we want to reduce complexity, right? And those two are almost hand in hand. The more complex the environment, the more difficult it is for you to make a very good initial review and deployment of the policy. I know I’ve worked before where it’s like, okay, I have a request command. I’m going to go to firewall one that I know, and I’m going to open it up. Does it work? No. Well, what’s the next firewall in line, right?

Joshua:
So we’ve seen more complexity really slows down the deployment process and it slows it down even in a SOAR environment. Now we want to achieve security adaptability. And what does that mean? What’s security adaptability? So to us, security adaptability is that as your environment changes, your security changes on top of it. So let’s say that a SOAR has sent out that there’s… we’ve found through the threat intelligence, that there’s a malicious IP out there and that malicious IP needs to be mitigated.

Joshua:
So what we have to do now is we have to say, “What are we going to do? How are we going to respond?” And we build this into our SOAR to say, “Okay, let’s block this IP across our entire firewall or across a security infrastructure.” So now as this IP is blocked throughout however many months as your infrastructure grows or shrinks, or your firewalls get changed out because you’re not going to stop your current project of changing out and upgrading firewalls. As this happens, we want to ensure that that policy is maintained, that it’s maintained across all of the firewalls, through all the projects, the growing, the shrinking, et cetera.

Joshua:
So that’s what we mean when we say security adaptability. That the security continues to stay in place as your environment underneath it changes. And then we want to maintain continuous compliance. So as the rules are being built, we want to make sure that rules in these firewalls, across the network security policies, stay within the compliance that you have built as an organization. So for instance, if you have a bunch of paper rules, paper policies, if you’re using PCI or SOC 2 or STIG, any of this stuff that you use in your environment as a standard or as a framework, we want to make sure that as there’s a point of automation, as a layer of abstraction that’s being built where people or SOARs are putting in new policy, we want to make sure that everything stays within the compliance that you demand out of your security infrastructure.

Joshua:
So then step five, the solving the problem that we have is we want a single point of integration. And that goes back to the one I’ve mentioned whenever I talked about defining the current constraint that we want to break through. We want a single point of integration that has the ability to build an abstracted policy across all the firewalls that helps us with that BYOI issue. So that when you build your integration for your SOAR, that you build it at one point, and what we want from that integration is we want to provide the intelligence in it to reduce the complexity of what’s happening.

Joshua:
We also want that integration to be able to push out a task that reduces the human touch point, that reduces the human errors, thus reducing misconfigurations that we potentially could find by doing that. Through that also we’ll gain speed. Wherein this goes back to the beginning when I said, “We don’t want to negotiate speed and we don’t want to negotiate security.” So with that single integration point that has knowledge of our network and security policies, and our security infrastructure, we’re able to make smart decisions and we’re able to push them out quickly and maintain that amount of security that you’re demanding from your security appliances.

Joshua:
So we want to validate also all the rules that we’re pushing out. So again, there’s this idea of compliance that goes along with it. And as you can see at the bottom, this little graphic we have here shows you the way that we can bring your SOAR, right? So, we can flip that back on the SOAR head. We say, “Yeah, you have to bring your own integration.” When we can say from a FireMon perspective, “Well, bring your own SOAR, bring your own ability to threat hunt, to orchestrate very complex, maybe playbook,” and we can help with the response side to say, “Here’s what we’re going to do to enable your security and the speed of your security implementation.”

Joshua:
So from a FireMon perspective, here’s just a couple of quick screenshots. I just wanted to pull up just to show the ability that we have to integrate into a SOAR. So what we’re looking at here is one of our products saying we have a current rule set up that says, “When you have found a malicious IP address, once this has been identified and you’ve taken it and boiled it out through filters and whatever you want in your playbook, you run a module that really all you do is you create, you build into this dynamic list of this dynamic object inclusionist,” you build out and say, “We’re going to deny this IP address across the network enterprise wide.”

Joshua:
We hold that into a state that stays the same throughout the underlying security infrastructure changing. Meaning if you have changes in your physical firewall, if you’re growing your infrastructure. What we’re going to do is we’re going to maintain that state. And we’re going to say, we have to continue to allow or continue to block this malicious IP. So we build that abstraction layer on top, and we’re being fed through the SOAR, what is bad and what shouldn’t be. Think about it from an IOT perspective. You could put agents on your PC throughout your enterprise. I get, it makes sense, right? There’s some really good ones out there, and you could start doing things on the host, but when you start to getting into an IOT-

Paul:
I think you’re cutting in and out. Is that-

Joshua:
Oh, I am.

Paul:
Let’s try again. Yeah.

Joshua:
So when you get into an IOT perspective where you have IOT devices, Raspberry Pis all over the environment using an IP address, what we’re able to do is we’re able to ensure that as the request or the malicious IP from IP that we’re beginning to, as we find that, we’re able to provide that defense in depth that said at the firewall, beyond what the agent can do on a host, we still want to ensure that our firewalls are blocking anything talking to this malicious IP. So that’s the idea of being able to provide a point of entry into the SOAR that we can use to take a malicious IP and respond to it appropriately across your entire security enterprise.

Joshua:
The second big point with this is we’re able to do it continuously. So as we have the… and it goes back to the adaptability as your enterprise continues to do the projects that you’re doing every day from doing firewall upgrades to expanding to new buildings. So on and so forth, we are continuously enforcing this compliance or this policy to mitigate the threat that we found through the threat hunting. So just to summarize what we know and what we’ve seen from our customers, and a lot of different touch points we’ve had is that SOARs are providing great opportunity and they’re providing great opportunity to enhance consistency, which remember is our way of providing determinism throughout our environment.

Joshua:
And it’s also able to enhance efficiency, which, right? Like that’s our wish we had a sound bite that I could do that with when I say efficiency, when we enhance efficiency. So we’re able to reduce the pet’s time that’s needed and start to take the great brains of the engineers who have, and turning them into or moving them to do that truly enhance your security architecture and infrastructure even more. So we see SOARs doing that. And what we’re trying to do and what we are doing is we’re creating that single integration point where we can help enhance what the SOAR is doing in your environment today, by providing defense in depth across your firewalls, mitigating malicious activity throughout your entire infrastructure, we’re reducing human error, we’re reducing complexity, and we’re giving you the ability to have an adaptable security environment.

Joshua:
And we’re also continuously doing this through having compliance checks, as we are implementing the automation or orchestration across your environment. And again, like I’ve said many times, we’re providing that single SOAR integration point. So Paul, I think we got them [00:26:11] shamelessly jump on that.

Paul:
Yeah, I know, shame on my side. We will be at VMworld next week, demoing an integration for automation into NSX, as well as multiple firewalls, for customers that are managing traditional data center firewalls plus NSX distributed firewalls. So very excited about that. If anyone’s at VMworld please come and find us at booth number 226. And we also have a Mario Kart Competition set up somewhere in the South Concourse. So find us at booth 226 and come challenge Josh and some of his friends to Mario Kart. He doesn’t have any time to practice. So you will probably kick his tail.

Paul:
The other shameless plug we had is the 2019 State of the Firewall Survey. We have one more week left, I believe, to get responses on that. Anyone who’s on today will get a link. And if you want to participate, please do. It’s one of the things that FireMon is known for the most in the industry, just providing the State of the Firewall report. Excited to get that wrapped up and get the feedback out. So all that being said, we have a few questions and please keep the questions coming in. We wanted to keep the content reasonably short to make sure we had time to answer questions or anything that didn’t make sense.

Paul:
The first question that I’m being fed to by the post is how do your customers get organizational approval to allow automated change? That’s a great question. Actually, we did a presentation at Palo Alto Ignite and that was the first question. One of our customers was asked when he presented how he was going to use FireMon Automation. For anyone that doesn’t understand the context of the question, Josh showed an integration for SOAR where there’s a path with pre-approvals for a fast lane or a path with multiple approvals along the process.

Paul:
The majority of our customers have some firewall change workflow in place. And what we do in simple is show customers that each part of that workflow can be achieved if they set up a pre-approval for the SOAR path and then they appreciate the fact that we are not just blindly pushing change through a firewall, but calculating that change against it.

Paul:
So every organization is different. Sometimes it’s political, sometimes one team has the authority to make that decision. So the question is, within your organization is there an opportunity to find redundant types of changes or pre-approved paths of changes that you could go to your security review board, CAB or other departments that have authority on that and say you’d like to get that type of change pre-approved? What would be the process? What would be the evidence that you need to supply? Do you need to schedule a change window or can it push during the day? It all depends on your organization’s strategy. Josh, anything you want to add to that? It’s a common question.

Joshua:
Yeah. It’s very common and you hit it on the head there, Paul. Everybody’s different with that. One of the strategies I like to take, and this comes from my time that I’ve done work in a production factory area, and they had this idea with Lean Six Sigma, right. So if anybody out there has done it and got their green belt in Six Sigma, the idea was always look for the process and look for ways to reduce noise in the process, to take that out and find how do we add value by taking something out and reducing the time that this process lives. And I think when it comes down to our organization, how do we get this involved? And how do you work that in? Look at the process. There’s always a way to enhance that process in some way. And so I think this is a good way to start, but like I said, everyone’s different and with every customer we’ve talked to it’s always been a new situation. So yeah.

Paul:
It’s proof: show us, don’t blindly automate, show us what’s happening. Let us look at it, let us trust it, let us test it and then move it into something. It’s funny because it’s actually the same way SOARs have been successful. Right? The majority of things that SOARs automate are level one support tickets and just tons of things that SOAR can do. But when I talk to customers it’s, Oh, we offload as many level one tickets into the SOAR as possible and provide as much data up for decisions. Right? Same concept. How did they decide to start to automate some of those level one responses? Well, that’s a repetitive task that the company was comfortable approving. Let’s see. Question number two.

Paul:
What are you seeing in the market in terms of the adoption of automation in the security space? I’ll be brief. There’s a lot of names of companies and software and automation technologies that I could throw out. What I’ll say is there’s a lot of tech and a lot of strategies that are out there. We see adoption in a variety of different ways and basically similar to what Josh just said. You’re looking at either machines and software assisting in part of the workflow or actually executing tasks and part of the workflow and you’ll see FireMon’s marketing around levels of automation coming out soon, speaking to different phases that customers are in, in the automation journey.

Paul:
I’ll let Josh add, but to me we hear different things on almost every call with different customers, but the goal is the same. How do I improve my SLA without compromising accuracy? And again, this comes a lot down to, yes, the tech is important to enable the action, but equally or more important is process analysis, silos within the organization. What teams are involved in the process who has to approve certain things to be automated, and then what’s the value or metric the organization will place on automation in general, Josh, anything you want to add to that?

Joshua:
Yeah. And when it comes to that, adopting security automation, one of the things that… like Paul said, there’s a lot of tools out there. There’s a lot of open source and free tools out in the past that have been extremely simple to latch onto and learn and to figure out, to get implemented. But I think what we’re seeing is that people are starting to see the complexity that ends up building from there, right? Like we really want that one product to solve it all. And I get it. It’s not really going to happen, but we can find things that it can help us solve the next hardest step. You can provide a form of pushing a policy to a firewall. I get it. I’ve done it. But what gets tough is how do you ensure that you’re able to push it across a growing enterprise? Right.

Joshua:
So that’s what we’re seeing people hit. We’re seeing them try it out and they’re saying like, Oh yeah, I got to this point. But then I didn’t once we grew, or once our compliance got more complex, or once we gave somebody access to this Linux server that we’re running our playbooks off of and they started to push their own thing. So there are these issues that need to be addressed further. So we’re finding customers jump into it like they should, right. I get it. But they’re starting to find the walls really quick. Like, okay. We got to figure this out and this might be a little difficult.

Paul:
Yeah. Thanks Josh. We got another question here. It says, what are the main issues people run into when automating for the first time or mistakes that you’ve seen people make to avoid… It’s actually a really good question because the dream that automation is going to solve every problem, or there’s a silver golden bullet out there, I think is always a fantasy in IT. Right? So the key is setting proper expectations and comparing error rates to your current process and speed versus error rates to a new proposed process or an augmented process. Right. We’ve run into customers that have made misconfigurations, which either lead to a risky policy that could be exposed to a breach or outages. We have seen that actually in a SOAR automation scenario, not with us, but a customer that was using a scripting automation software.

Paul:
I won’t name the brand because it’s not even really that software’s fault. It’s just a matter of what function it does. And basically they had a bunch of IPs to block, and somehow it got translated improperly and they took down a bunch of firewalls. And that’s why at FireMon, one of our big positions is get the accuracy right first. Build that template, calculate against the existing policy and then push. Even as it all happens within minutes, make sure that your existing policy and your existing stance is computed into that automated change, because there’s a lot of ways to push change. There are only a few ways to go validate accuracy and design of where those changes go.

Paul:
The next most common one, I see… We saw this a lot last year, this year we’re not seeing it as much, but again, the fantasy of going from completely manual to fully automated. We’re seeing customers have a lot more success picking off projects, one by one looking at software that can go find redundant tasks and say, “Okay, here’s the list of the first 10 things we want to automate.” Every time a new DNS request comes in. If the and then it passes these compliance rules, we’re going to approve it. Right?

Paul:
Establishing some gold standards within your organization. What are the things that you will always allow? What are the things that you never allow? And then start to pick off some of the common tasks so you can focus more time and energy on the tasks that take more time. Josh, anything you want to add there?

Joshua:
Yeah. My quick add is I think… There’s this book, I think most people have read, but it tells you to begin with the end in mind. And so I think when you’re looking at the first steps, that will define what you want your end state to be. We talk about that a bit. Okay. What are you looking for? Right. Well, we want to get this Excel spreadsheet out of our process. I’m like, well, that’s not your end state. Like, what are you really trying to get out of this? When you’re talking about security automation, where do you want to be? And so once you start to reverse engineer that, I think you’ll actually start to see things pop up that say, “Oh, this is okay.” We can do this with a few scripts, but once we get to this part here, I think we’re going to have difficulty trying to keep this in some containment or to prop guard rails up around this spot here.

Joshua:
So you start to identify the issues. So that way, when you start into the security automation, you’re like, okay, well, for instance, you would say, okay, we can get the pushes down, but how do we ensure that the people actually requesting the pushes are actually requesting things correctly and staying within compliance with these standards, these frameworks that we have to adhere to… how do I ensure that? And I start to lose it here. That’s where we usually come into the security automation process. We come across many customers that said, “Oh, I got to this point.” Right.

Joshua:
So I would say that would be the first thing. Start with your end in mind, have a target and then reverse engineer that target. And I think that’ll really help you understand, hey, this is where we might have some issue. And this is what we want to do, and how do we get around this, so.

Paul:
No. Thanks, Josh. The next question is actually very, very similar in nature. It says, how long does implementation of an automation change program take? It’s a good question. And I believe that the translation of that is probably, where are the wins? When is ROI achieved? When is it a success? When is it a failure over time? And I’d say there’s no way to put it into a bucket of specific time, but rather, like we were just saying on the last question, we see customers have success in chunks and it’s a process. And whether it means that customer has a team dedicated to automation or robotic process assessment, where they’re going in department by department saying, where can we find a win, or it’s a group of firewall admins or security architects or network operations going, we’ve just got too much work and we’ve got to figure something out.

Paul:
We see the strategies that succeed being crawl, walk, run. I actually, from my background, equate this a lot to server automation. Again, I know that firewall change automation and network implications are very different. But when we think in terms of templates, when we think in terms of repetitive tasks, the first ones you find are the lowest-hanging fruit: what are the repeated types of requests? How do we templatize those? How do we validate they’re going to work? A huge difference in the server world: you can kill a VM and not necessarily mess up any other VMs. In the firewall world, we recommend again that every change is calculated against your existing policy and existing connectivity to make sure you don’t take down other things on the network. And that’s something that we believe we’re in a great position to help with.

Paul:
Next question, what departments need to be involved? Oh, very similar questions. Well, what departments need to be involved in the implementation of an automation change program? I’ve mentioned it to you, but we see this, anything from C-level down: a CISO that is chartered by their C-levels across the board, or the board of executives, saying, “Hey, we’ve got to go faster and you all have to figure out a solution, and security, to not get in the way, and also not get us breached.” That’s a tough ask, but we see that top-down drive. We see customers that are in the seats doing the changes, saying, “I literally can’t keep up, or I have too many people, or I can’t hire more people,” and we have to propose a different way to do things. Or we see, a lot of times, architects looking at the bigger picture.

Paul:
A year down the road or six months down the road, and they say, “Hey, 80% of our operations are in the data center today, but we expect 40% or 60% of our apps to be in the cloud tomorrow. And how are we going to meet the speed and demand of the cloud?” The fact that the cloud has taught everyone that everything should be available right away, with our current security processes, without foregoing those that are important, that keep us secure and keep everything up and available. Josh, anything you want to add? I know it’s similar to the rest of the questions, but-

Joshua:
Yeah. But no, you’re right. I want to say everybody but the project manager, and I really wish I could get the feedback on the laugh there, because it’s a joke, but it’s almost to that point. There are so many people that need to be involved, especially when you’re talking about automation, because it’s going to affect and touch so many people’s lives. Right. It really will. So, the idea is that, who has a stake, who has a process that needs to be involved with this? And I’ll tell you, we talked to everybody from security operations and network engineering, cloud engineers, DevOps, all the way to the.

Joshua:
We’re talking to everybody, because network engineers will come to us and say, “Hey, we have to deal with getting the policy right.” Right? We have to deal with, whenever something comes in, something bad, some malicious thing, we have to deal with it. We’re the ones that have to go out into the routers and check the routing table and make sure that we’ve identified the firewalls that the policy needs to go on. So we have a stake in that. And then the security engineers are like, “Yeah, we got to build the policy,” after they tell us what to put it on or tell us the zones that things are coming from.

Joshua:
And then we have to build a policy and commit it. And then we have GRC saying, “Yeah, we have to make sure everything is all in compliance.” So we have so many people that are involved these days with enterprise security. So, I say the joke about everybody. And then I say the joke again about except the project manager, because… But the thing is, there are so many people involved today with enterprise security that it just makes sense to open the floodgates to communication and ensure that what you’re doing. And again, this goes back to the last question, like Paul said: ensure that, whatever your end state is, you have the right people involved to get you there. And I think that would be the biggest thing.

Paul:
Great. Let’s see if there are any more questions coming in; please don’t be shy. We have a few more minutes and we’ll be happy to answer more. I think that the shortest way to sum up what we’re saying is, whether your goal is a 36-month digital transformation, where at the end of it everything’s going to be automated, or if it’s just a… We’re a team that has too much to do and too little time, and we’re being scolded for not meeting our SLA, and at the same time we don’t have the luxury of making mistakes and getting breached along the way. We’ve taken a strong approach with our software, not just the software, but also the way we engage with customers, to find opportunities for short-term wins while also thinking of the longer-term win for speed and then, again, accuracy in terms of security posture. And it doesn’t matter if it’s data center, SDN, or cloud; there are many different ways to go about these types of projects.

Paul:
So that being said, I don’t see any more questions coming in. Anyone want to throw a flyer? Josh, where did you get that jacket and shirt in your picture?

Joshua:
My wife bought it for me.

Paul:
All right. So there are no more questions. Again, you’re going to get a recording of the presentation. You’re going to get a link to the survey, if you want to take it. And anyone that didn’t put in any questions but has any questions, please don’t hesitate. And please tweet at FireMon live. Please tell Josh thank you. It takes a lot of energy and time for him to put this type of stuff together. And more importantly, I was joking about that, by the way, and more importantly, thank you all for attending. We really appreciate you taking time out of your day. And any questions you have, please let us know.

Joshua:
Yeah. Come by VMworld. Play some Mario Kart 8. A colleague, but y’all come on out. We’ll play.

Paul:
You get it.

Joshua:
Thanks everyone.

Paul:
Right.
