Drive Innovation with a Strong Security Posture

On-Demand

Video Transcript

Renee Riedel:
Hello, welcome to today’s webinar, Drive Innovation with a Strong Security Posture, presented by FireMon. My name is Renee Riedel and I’m the education coordinator for Fuel User Group. Our speaker today is Elisa Lippincott, the director of product marketing with FireMon. Before we do begin today, I’d like to remind the audience to please feel free to submit questions throughout the event via the Q&A box. It is on your webinar toolbar. Our speaker Elisa will address questions at the end of the presentation. For any technical questions that you may have, please use the chat box and address Fuel Education. Following the event, a survey will appear and you’ll have the opportunity to evaluate today’s webinar with us. So we do thank you in advance for your feedback on that. So now, with all of that, I’d like to turn the call over to today’s presenter. Please go ahead, Elisa.

Elisa Lippincott:
Great. Thank you, Renee. Good morning. Good afternoon. Good evening. Thank you so much for joining my session today. My name is Elisa Lippincott, and as Renee mentioned, I am the director of product marketing here at FireMon. For those of you who are unfamiliar with FireMon, we pioneered the network security policy management space over 15 years ago, and we continue to deliver persistent network security for multi-cloud environments through a fusion of asset visibility, compliance and automation. So, I always like to start my webinars with a little fun. I’d rather not PowerPoint poison you to death, but I found this comic from Dilbert, and he wants to be efficient at his job, right? But at the same time, he doesn’t want to lose his job. And what struck me here is that seems to be a big misconception with automation.

Elisa Lippincott:
And we need to make sure we’re speaking the same language. Automated doesn’t mean automatic. You still want to have some control just in case, right? And like Dilbert, we should be able to automate a task that takes three hours, so you can focus on more important stuff. But as we’ve been talking with customers, they want to be efficient too, but they can’t for a number of reasons. There’s a shortage of cybersecurity staff. I’ve seen estimates as high as 3.5 million cybersecurity job openings by 2021. That looks pretty bleak at this point. Then there’s the massive number of devices from different vendors that may or may not talk to each other. There’s a lack of integration. There’s not being able to respond and remediate critical threats. There’s migrations to the cloud, or I should say clouds, because I know many of you out there probably have more than one.

Elisa Lippincott:
And then to top it all off, compliance. Audits are long and the fines are real, but if I take all of that, to me, it all ultimately comes back down to people. There’s just so much of everything that I just mentioned and not enough qualified people to tackle all of these challenges. Now, let’s talk about this cybersecurity skills shortage. It’s not just the fact that organizations can’t hire qualified people fast enough. It’s also affecting the existing staff. I found a cooperative research project by ESG and ISSA called The Life and Times of Cybersecurity Professionals. And their survey showed that one third of survey respondents believe that the global cybersecurity skill shortage has had a significant impact on their organization.

Elisa Lippincott:
67% say the skill shortage has increased the workload on existing staff, 47% report an inability to fully learn or utilize some of their security technologies to their full potential, 41% say that the organization has had to recruit and train junior personnel rather than hire more experienced InfoSec pros, and 40% claim that cybersecurity staff has limited time to work with business managers. And they also did a three-year research trend where it clearly showed that organizations aren’t improving their ability to deal with this skill shortage. You have increasing technology sprawl, you have lack of skilled personnel and you have this massive complexity gap, but as all of this rises, the staff numbers don’t, and it’s a trend that is going to continue for some time. And so what happens when your team is overworked and understaffed? We’re only human. Sooner or later mistakes are going to happen.

Elisa Lippincott:
A couple of misconfiguration error types: there are cloud native security controls that are misconfigured. It’s probably due to lack of knowledge of how to use and implement cloud native security controls properly. I know a ton of network security professionals who are rock stars when it comes to traditional network security, but when you start talking cloud, it’s an entirely different story. And it’s more the norm that an organization will just move forward with moving data to the cloud thinking they’ll just figure it out later. I remember that stat from the previous slide, 47%, they report inability to fully learn or utilize some of their security technologies to their full potential. That’s probably what’s happening here. So the next thing, they have a leaky AWS bucket, and they’re caught in the headlines and subject to compliance fines tied to regulations like GDPR.

Elisa Lippincott:
You also have misconfigurations on your internal security controls. That’s usually the case when product and DevOps teams are prioritizing time to market over security, or again, just plain human error in misconfiguring their own security controls, but every effort should be made, whether you’re configuring devices in the cloud or on-prem, to try to mimic and be consistent with your implementations. I say should; like I said, we’re not perfect. Cloud implementations don’t always give you as much control over the security architecture as you have on-premise. Sometimes you’re at the mercy of your cloud provider and operating within their parameters. What’s even more interesting is that even if you know change is coming, the lack of automation and staff can still derail your efforts.

Elisa Lippincott:
We conducted some internal research with a sampling of our customers and found that even if it’s an approved change, like they know that something is going to happen, they’re going to switch out firewalls or other network devices, these approved changes are still causing problems. I read a report from Gartner saying that 99% of firewall breaches will be caused by firewall misconfigurations, not flaws in the firewalls. I mean, sure, there’s going to be some crazy zero day that’s going to knock everyone for a loop, but for the most part firewalls, they’re pretty good at their job. But the fact that these misconfigurations are happening, even when you’re not dealing with a critical security event, it’s just astounding to see that. And one of my colleagues here at FireMon calls it the misconfiguration apocalypse, and he’s basically saying that misconfiguration is code for human error.

Elisa Lippincott:
So, triggers for security policy changes, we normally put these into two types. One is usually real time or event driven. So, that could be that security threat event where everyone has their hair on fire. And you may be getting notices from your SOAR device, your IDS, anything that happens with your device where the posture changes. And this is where the timing can come into play, because usually with the security threat event, you don’t want it to take days or weeks or months; you want something to be done pretty quickly. But a lot of times the gap between the urgency of a change request to approval and final deployment is not always going to be in line with what you ultimately want. And that’s going to cause stress all across the board and could eventually lead to errors, accidental exposure, or service disruptions, because you’re having to block connectivity.

Elisa Lippincott:
The other type of trigger is going back to when you know that the change is going to come, whether you’re making context changes to an existing service or application. So you might be deploying new VMs, you’re making some other network changes or you’re implementing a new service or application. And so, again, these are changes where there’s still some level of urgency, but with security processes, or lack of, then you might run into the typical timing versus the desired. And so when we get into talking about automation, and ultimately what we want to automate from a policy perspective, these trigger events come from a number of sources. So, as I mentioned, SOAR, so something coming in from your SOAR device, your ITSM like ServiceNow or JIRA, there might be a ticket request.

Elisa Lippincott:
There are requests coming in maybe through an API from a CI/CD workflow, there’s the good old manual email and spreadsheets, because those are probably still being used as well. Then you also have environment changes, and these could be route changes, interface changes that could ultimately affect your policy. And so if you look at the process under traditional SecOps, this might look like a typical policy change process. It goes through various steps, reviews and approvals, which take time. And as we said earlier, we never have enough staff. So these deployments are probably going to be delayed. So, if I go back to the environmental change, for example, say there is an environmental change. You need to be able to understand that in real time, because is that ultimately going to affect… Is that request change affecting your effective policies? Does it change your guardrails?

Elisa Lippincott:
You need to be able to determine this pretty quickly. And if you’re using this traditional process, it’s going to take you a while. And at FireMon, we can actually help you dynamically recalculate that, so that you’re always in compliance. We’ve been speaking with customers about this whole concept of automation. And what we’ve found is that between 50 and 60% of those changes can be made into templates and moved into what we’re calling this fast track or continuous adaptive enforcement. And so what we’re trying to do here is we’re not trying to change your policy change process; what we’re trying to do here is make you more efficient. We’re not trying to change what you currently have, we’re enhancing it so that you can decide which services can be accelerated. If you have a lot of routine requests, we can make those automated for you, so you can focus on the more strategic ones.

Elisa Lippincott:
And ultimately this will reduce the team’s load of manually handling simple requests and being able to do it at a high rate and across different network devices. So if you have one-off changes that need more review before they get approved, you might take a slower process, but if it’s something that’s kind of run of the mill, then you can take that fast track and it’s done automatically. So, offloading that redundant change, making your standard change requests into templates, like for example, allowing scoped DNS server access, or approving VMs or servers being added to existing apps, et cetera, those can be established with guardrails, and they can be pre-approved or automatically approved. So, the way that we do this is what we’re calling FireMon automation. So, speaking with customers, we wanted to make sure that we had some things that catered to their needs.

Elisa Lippincott:
They’re dealing with SLAs that are always getting tighter and tighter, that lack of cybersecurity staff; it’s very common for them to have tickets open for a long period of time. And this is impacting their bottom line. And so we feel the only way we can address this is with automation. And so the first tools that I have here on the screen, automated design and automated implementation, before I even start talking about these, I’ll talk about the fully manual process, if you will. I mean, I don’t have it on the screen, but this is where a lot of organizations find themselves. It’s a fully manual process. It presents a significant time burden with high probability for error between handoffs, right? Everything’s done in spreadsheets. Things are going to get lost because nothing is automated. Everything is done manually.

Elisa Lippincott:
But at level one, we start to move offline manual processes into an online tool with human reviews. At the bottom, we’re still letting you monitor and react to environmental changes. In addition to the convenience and standardization, we’re giving you automated design and rule recommendations as well as auto-generated standards, compliance reports and risk reports, but still, these recommendations have to be reviewed. The changes have to be implemented, verified, and documented. So there’s still some level of effort here. With automated implementation, now we can implement the changes across firewalls from different vendors and at scale, as well as verifying and documenting that change. Customers who use these tools are finding they’re very valuable. They can reduce copy-paste and other human errors, and reviews and decisions are done by the team for all the changes.

Elisa Lippincott:
Where it starts to get interesting is when we get to the level called Zero-Touch automation. With this level of Zero-Touch automation, now we’re getting much more helpful in helping you monitor and react to environmental changes. At this level, Zero-Touch means the policies can automatically be pushed and activated on all of your network devices without having to go into different consoles or connect to individual enforcement devices. But we’re going beyond that here at FireMon. We’re actually allowing you as the operator to define global as well as per-application access rules through abstraction; your access roles will define the security intent. For example, the application server can communicate with the database server while abstracting the need to deal with zones and IP assignment management. We can create best practice, gold standard guardrails, things like no FTP or no SSH to devices not on the LAN. And we can also define that fast track process for your applications or services.

Elisa Lippincott:
And those routine changes that you want to offload. For example, SSH from the engineering subnet to the network devices, or allowing HTTPS to the web servers, et cetera. Now keep in mind that this has to be consistent at scale, especially in a multi-vendor environment, down to the individual device level. This is not a problem if you only have five firewalls, for example, but it could be a big problem if you have tens or hundreds. So when we define the access roles, these gold standard guardrails, and fast track access, we’re reducing the burden on you, but you still have supervisor control. You’re able to keep your hands on the wheel, if you will, while all of this is going on. And I’ll cover on the next slide what the underlying technology for all of this is, which is our FireMon compute engine. It kicks in at this level. It is contextually aware of the environment; it’s fetching fresh data from all your network devices and allowing us to compute the current state and efficiently utilize the abstractions.

Elisa Lippincott:
And also at this level, we start to see automation implemented with integration with other systems, typically using an API. Those integrations can be with SOAR or any of your CI/CD tools. With level four, or continuous adaptive enforcement, this is what is really unique to FireMon. So this is critical because global policy management cannot end after deployment. The context of the infrastructure, network, your workloads, as those are constantly changing, you need to be constantly aware, and an automation solution can’t be complete unless it continues that contextual awareness. You need to be able to have that policy with recalibration and continuous deployment; just pushing a deployment is not enough, even if there are some that will call that Zero-Touch. But at this level we’re detecting and computing dynamic environment changes and adjusting policies accordingly based on compliance requirements and as defined in your templates, your guardrails, your golden rules, whatever you have on your fast track. And a very interesting and cool feature of this is we can also automatically fix any rogue or out-of-band changes that are done at the device level.

Elisa Lippincott:
So, if that’s done directly from a firewall vendor console, for example, we’ll be able to not only detect that, but actually fix those changes so that you’re continuously, or you’re always, in compliance. One thing I also want to note here is that these levels don’t necessarily represent a progression, so it’s not that you move from design, to implementation, to Zero-Touch, et cetera. Ultimately, you know what you want to have automated at which level. And you ultimately have the power to determine the right level of automation that fits your pace and comfort level. So, as you adopt the solution, there are some things that you’ll start out with at automated design. There may be some stuff that automatically goes to Zero-Touch automation, et cetera. It’s a nice way to automate to your specific needs.

Elisa Lippincott:
So, as I mentioned, the FireMon compute engine. Our automation is driven by our patent pending compute engine. It transparently adapts and recalibrates your global security policy around all of the underlying networking platform and infrastructure changes. And so essentially what it does, it starts out based on incoming change requests, and will either create a new access rule or modify an existing one. Access rules define security intent. We use a tagging mechanism to define the needed objects or check against the guardrails and golden rules. And so we’re checking on things, for example, SSH from the engineering subnet to the network devices, allowing HTTPS to the web servers. And at this point in the compute cycle, we’re making sure that the change requests match the guardrails and the golden rules to ensure compliance. Then we select the devices the rule applies to, and we even provide route-based hints to make it a little easier for you.

Elisa Lippincott:
And we deploy the rules and activate them across your selected devices. This takes seconds, so it’s a pretty quick process here. And then as the context changes, as I mentioned, we’re always monitoring for those changes. We’re monitoring for any changes in the network continuously, not just at specific times. It’s constant. We’re always making sure that we know about any changes in the environment. And then we recalibrate that policy if there are any changes in the network, and we continually repeat this cycle, checking the logic and the new context, and always making sure that you’re compliant. We can address a couple of use cases using FireMon automation. There are more than this probably, but we’ve put some in buckets under operational efficiency: having a central point of control, an application abstraction layer, and proving that SLA fast track that we spoke about earlier. We have use cases around integrated security efficiency. So, anything you’re doing with CI/CD, trying to integrate your threat and vulnerability management, and any issues that you’re having with a unique vendor environment, where you may have one vendor that you’re trying to optimize.

Elisa Lippincott:
So, there’s use there, as well as cloud migrations, being able to move your workloads around, and then just having that speed for your private and hybrid cloud. And I’ll address a couple of these on the next couple of slides. So, this real world example is from an online retailer, and their use case here was a central point of control. Their challenge here was that they only have three admins on staff, SLAs are getting shorter, and they spend 35% of their time writing manual rules to 25 Juniper SRX firewalls. We were able to work with them and have them use our Security Manager solution, which I’ll cover in a future slide, for visibility and cleanup, and use FireMon automation to get their firewall policy management under control and extend the viability of their Juniper devices. And ultimately they were able to offload all these redundant rules that were conflicting with each other, or just slowing down the boxes. And they were able to offload many of those manual redundant tasks that take up so much time.

Elisa Lippincott:
And then we have another example with a hospitality organization. They were trying to enhance what their SOAR solution was doing. And yeah, trying to figure out how to integrate the SOAR, any changes that were coming through the SOAR, across four different firewalls. And they also wanted to apply global malicious IP blocking. So, with FireMon automation, they were able to use an access role with an automation tag. And they were also able to trigger policy changes when a tag was hit via API, and this helped them reduce their time to globally block malicious actors from once a day to a few minutes. And they were able to make sure they didn’t miss any triggers from their SOAR device. I would be remiss if I didn’t talk about our API, and I mentioned it a few times during this webcast. Most likely you have security solutions in your network from multiple vendors, and they need to be able to work together, and you need to be able to centralize your management of these devices to make your jobs easier, right?

Elisa Lippincott:
So, we support integration with the REST open standard architecture that lets you incorporate all of the critical information necessary to perform conclusive analysis of all your network security devices, policies, and underlying risk. And we also support integration leveraging nearly any web-based language to support your unique requirements. And we can integrate with solutions including, but not limited to, ticketing and management platforms, SIEMs, vulnerability management tools and more. And if you’re adopting a Zero Trust network, APIs are mandatory. This quote is from a Forrester Research report titled The Zero Trust eXtended Ecosystem.

Elisa Lippincott:
Basically saying any vendor or technology worth their salt will have advanced API integration available for your team to use for development purposes, as well as to integrate other security solutions into your Zero Trust ecosystem. What you don’t see on this slide is the rest of that quote, which states if your selected technology does not have solid APIs to use, find another vendor that does. So I think I should change this quote to that quote, and it’s probably stronger, but I thought that was a pretty interesting statement from Forrester. And last but not least, I did kind of want to quickly highlight the breadth of our entire FireMon product portfolio. I’ve been mentioning a couple of names here and there. We believe visibility is a starting point if you’re going to get control and consistency in your security controls. In April of 2018, FireMon acquired Lumeta. And with that addition to our portfolio, we can provide real-time network visibility across all environments, virtual, cloud, software-defined, et cetera.

Elisa Lippincott:
I’ll give a quick example. We had a customer that thought they had around 600,000 IPs. And after deploying Lumeta to identify any new physical or virtual assets, we found 1.2 million. So there was a 50% visibility gap there that we were able to close. And now they know what they need to go out and secure. They didn’t have that knowledge before. Our foundational product is Security Manager. We let you automate, excuse me, we provide single pane, real time, centralized management across your entire network. Policy Planner lets you automate change workflow. Global Policy Controller defines business intent, and allows the context of the network assets and the policy to automatically determine and enforce the necessary access using your existing infrastructure. With Policy Optimizer, you can automate rule review and link security teams with policy owners to validate any rule justification for continuous assessment and audit. Risk Analyzer enables you to analyze and prioritize vulnerabilities. And you can even evaluate the impact of attack scenarios in your organization and provide predictive remediation and patch recommendations.

Elisa Lippincott:
At the end of the day, we can help you gain real-time visibility and control of your hybrid network and ensure continuous compliance of your security policies from that single pane of glass. And if you do end up using FireMon automation, it will help you ultimately reduce human error by preventing mistakes that increase your attack surface. We’ll eliminate the friction between DevOps and SecOps, so you can deliver security at speed. We’re going to increase your security agility while lowering your SLAs. We’re going to increase operational efficiency while reducing operational security costs, and we’ll stop that revolving door of compliance violations by checking compliance proactively prior to implementation. But you don’t have to take my word for it. You can visit us at FireMon.com/automation and sign up for a live demo. I’m going to stop here and see what we have for Q&A.

Elisa Lippincott:
I have one here. What are some of the misconfiguration issues that you’ve come across? I think there’s a ton of them. I think, just off the top of my head, some of the easier ones I can think of: overly permissive access, just allowing too much access or incorrect access, you may have given incorrect access to a particular zone or subnet, open ports to known vulnerable hosts, any rules that bypass the proxy, so anything that violates your egress policy, and I would say any access that violates your internal or regulatory compliance standards. Those are a couple of the ones that come to the top of my head. At the end of the day, these are errors where automation can certainly play a part in reducing the probability of misconfiguration, right? Because most of the time this is someone that is doing it for several devices. And if they’re not able to do it centrally, then there’s going to be more risk for error.

Elisa Lippincott:
Let’s see what else we have. The question here is, can I deploy multiple levels of FireMon automation, or am I limited to one? As I mentioned, actually, that’s the beauty of FireMon automation: the levels aren’t progressive. So you might need different levels based on the specific tasks that you want to automate and the level that you want to automate them at. So you might have some tasks at the automated design level and others at the Zero-Touch automation level; you’ll be able to do automation your way at a pace you’re comfortable with. So, we can… Definitely not limited to one; you can do them all. Let’s see what else is here. What other ways can FireMon help to optimize security policy? I think that question is, besides automation? I’ll answer it in that context, and hopefully this will be the answer you want. What are the other ways we can optimize your security policy?

Elisa Lippincott:
We actually have a feature called traffic flow analysis. We can monitor traffic through any firewall rule and we can look at any of the behaviors on the network. And we can let administrators know which rules they can create to allow only the necessary access. And we can even look at application data to see what applications are being used in a rule and between which sources and destinations, and all of this traffic can be broken into flows, and help you refine your rules in a policy. And we can monitor and analyze that traffic not only on-prem, but we can also do that in the cloud as well. So, we can monitor traffic coming to and from the cloud in the same manner. And I don’t see any other questions, Renee, so I’m going to pass it over to you.

Renee Riedel:
Great. Well, with that, I’d like to give a big thank you to Elisa, our speaker today, but before we do conclude, please make note of our upcoming webinars and our past webinars by visiting www.fuelusergroup.org. You can also join us at one of our Spark Summits; information for our events is currently available on the Fuel website. And then finally, a recording from today’s webinar will soon be made available. It’s going to be on the Fuel website, under the Resources tab, and then Webinars. I’d like to thank our speaker and everyone online for attending the event today. Again, there’s a survey after this webinar for you to complete. We do thank you in advance for your feedback on that. So, again, thanks for attending today’s webinar and everyone have a great day. Thanks so much.
