From Security Bottleneck to Business Enabler

Video Transcription

Renee Reedle:
Hello, and welcome to today’s webinar, From Security Bottleneck to Business Enabler, presented by FireMon. My name is Renee Reedle and I’m the education coordinator for Fuel User Group. Our speaker today is Tim Woods, VP, Technology Alliances with FireMon. Before we do begin today, I’d like to remind the audience to please feel free to submit your questions throughout the event via the Q&A box. It is on your webinar toolbar. Our speaker Tim will address questions at the end of the presentation. For any technical questions you have, please use the chat box and address Fuel Education.

Renee Reedle:
Following the event, a survey will appear and you’ll have the opportunity to evaluate today’s webinar. We do thank you in advance for your feedback on that. Now with all of that, I’d like to turn the call over to today’s presenter. Please go ahead, Tim.

Tim Woods:
Thank you very much, I appreciate it, and very appreciative of our audience today too. I certainly recognize that you could be doing a thousand other things, but you chose to spend your time this morning with us, this evening, this afternoon, wherever you may be. For that, we are very appreciative, and I hope that you’ll get something out of this. As Renee said, be sure to write down your questions as we go along here. I may take some questions as we go through, but I’m definitely going to save some time toward the end. But go ahead, as I’m going through the slides I’ll try to also monitor some of the question boxes as we go through, as I’m talking.

Tim Woods:
But hopefully you get some good things out of this, and also this will be available later, and you can reach out to us if you have other questions, or you wanted to discuss some things offline, more than happy to do that as well. Without further ado, let’s go ahead and get into it.

Tim Woods:
Today we’ll cover a number of different topics. Our partnership with Palo Alto, which many of you are here because of your relationship with Fuel and relationship with Palo Alto. God, they’ve been around for better part of 14 years now, just as FireMon has. Better part of 14 years young, as I like to say, and we’ve been a partner almost immediately when they came onto the scene, and have been going gangbusters ever since. Very proud.

Tim Woods:
What’s really unique about our partnership, I think, is we have such good alignment from a technological synergistic perspective. We share a lot of the core values, especially as it relates to openness and well-structured APIs. Lately Palo of course, as you’ve seen, they’ve been on a tear when it relates to technology acquisitions, from Cyvera, Demisto, RedLock, what was the latest? PureSec, Twistlock. A lot of those.

Tim Woods:
For us, we’re excited about their recent acquisitions because that represents other lines of synergy for us to collaborate with them on, and to try to strengthen our better together story as well. For you, that just means more value. Likewise, we’ve made a number of acquisitions here at FireMon too, and I would invite you to look at our latest acquisition of Lumeta. For those not familiar with Lumeta, and you may not be familiar with FireMon, and we’re going to talk more about the FireMon value proposition as we go through here.

Tim Woods:
But our recent acquisition of Lumeta, I say recent. It was April of last year. Lumeta helps us to discover the unknown. We can validate address space, and validate the edge, and do a census of the network, ID devices, look at vulnerabilities, look at leak paths, things of that nature. The reason I’m mentioning this early is because we also have a community edition of Lumeta that’s free for you to download and try and use, and I would invite you to go to our website, firemon.com, and take a look at that, and hopefully you can extract some value out of that as well. It’s really solid technology, and it complements what we’re doing at FireMon when it comes to extended visibility across the hybrid enterprise quite well. We’re very excited about the technology as it complements our core products as well, and what that can mean for you as we go forward here.

Tim Woods:
Anyway, once upon a time and a long time ago in a land very, very far away, it was pretty simple for us, right? We had a fairly well defined perimeter. Today that perimeter is very blurred, especially as we adopt our cloud-first strategies, and we start embarking on our digital transformation journeys. Some people are saying that authentication is the new perimeter, and there’s tons of technology, as we see acquisitions being made and consolidation of technology. Palo has done a wonderful job consolidating technology, and with the recent acquisitions they’ll continue to do that. We’re seeing a lot of that.

Tim Woods:
Even at the highest levels within the organizations, we see, as I talk to CIOs and CISOs and CEOs and things like that, I see that they’re trying to consolidate their tool belt, and we’ll talk more about that as we go along here as well. But definitely, there’s not a lack of technology out there, right? I mean, we have more technology than we can manage effectively, quite honestly. We definitely don’t have a shortage.

Tim Woods:
It’s not just necessarily about the quantity of technology or the quality of the technology, but how we manage that technology. You can have the best technology on the planet, but if you don’t effectively manage it, it’s not going to give you the return on investment that you’re looking for. There’s a people factor there too, right? Even with this incredible growth of technology that we have at our fingertips today to help us manage the challenges that we’re faced with, the number of people that are actually in the organizations that are managing this, and you probably are experiencing this yourself, is not as many as you might think.

Tim Woods:
We seem to be somewhat resource constrained, and in my position here at FireMon, I get to go to a lot of the trade shows and interact with our customer base directly, and I get to talk with a lot of the C-level executives and things like that. I’ve never spoke to anybody that’s told me they have too many resources, just quite the opposite. I had my best people doing some of the most mundane things, and I need to free them so that they can do what I hired them to do in the first place. Doing those higher value activities, type of thing.

Tim Woods:
If you’re not going to add people, if you’re not going to add resource, then what do we do? The only answer to that of course is we have to automate, we have to make our people more efficient. They have to be trained on the technology that we have, and they have to be efficient at using that technology. The technology has to work for us, right? We can’t find ourselves managing the technology. But again, it’s a changing world that we have. From cloud computing, and different types of cloud, whether it’s public or private or hybrid, and then virtualization, containerization, and then oh my God, the internet of things.

Tim Woods:
I don’t know how many of you have just taken your own personal census of how many IoT devices you have. I know I recently did one here at my home, and I’m a geek. I’ll be the first one to admit that I’m a propeller head as it relates to the love for technology and why I do what I do, but even here at the house when I looked at my Amazons, my Echoes, and security cameras, and networking technology, I counted over 30 different IoT devices. Smart lights, and first one thing and another. All of these things are connected to the internet, and of course any time you connect something to the internet, you become the potential of a target for some nefarious individual, doing things that might not be appropriate as well, right? How we manage those things is important as well.

Tim Woods:
I thought this would be a good opportunity to plug some recent survey work that we completed at FireMon. I think you’ll find some valuable information here too. Again, you can download this off of our website, and I’m not going to go through the whole thing, but I am going to touch on some highlights of this, because I thought it was some very valuable information that was contained inside. But it’s called the 2019 State of the Hybrid Cloud Security, and it looks at some of the challenges that people are faced with as we start looking at cloud adoption, and embarking on our cloud-first strategies and digital transformation strategies.

Tim Woods:
We talked to over 400, what I’ll call qualified individuals. When I look at that number, 400, we really had to pare it down. We had way more responses, almost three times the responses, but as far as the quality of the responses, we pared it down to those responses that we thought were relevant to the conversation, and were relevant to the context of what we were trying to provide from a good, quality data source. Only 21 questions. Any time you do a survey like this, if you inundate people with too many questions, they’re not going to take time to answer the questions thoughtfully for you, so you’ve got to put it, kind of the magic number is about 20 to get people to really be thoughtful about that.

Tim Woods:
We’ll conduct, we’re already launching ours for this year, for 2020 as well, and it’ll be very interesting. As you do these things and you go forward, it’s always interesting to contrast and look at the historical perspective of the differences, of the answers and how they change as you go forward as well.

Tim Woods:
It’s not just, although most of the answers were relegated to North America, we did have a segue of international responses. Some of it is not, it’s not all North American related. Good breakdown. Also, by industry, kind of broke this out of where we saw the companies that were responding, where were they? Basically, which market vertical did they basically reside in? We see that a lot of it was a lot of more IT related.

Tim Woods:
Also, who was it? Who was responding to this? Again as I said, as we broke it down trying to get those quality answers, we wanted to get a perspective from the C-levels. We also wanted to look at the people that are carrying the tool belt day in and day out, and are faced with these challenges real time. Both from an operational perspective, and then both from a maintaining perspective as well, such as network security engineer. We broke it down.

Tim Woods:
And different size, cutting it up, segmenting it into different sized companies as well, so you can kind of see the breakdown here. Greater than 1000 employees, greater than 5000, greater than 15000, and less than 1000, that type of thing. Again, I think it gives a good perspective of where everybody is across the relative … What’s unique about FireMon is we have customers in every single market vertical. I mean, you pick a vertical, whether it’s healthcare or travel or leisure or finance, MSPs, we have a large MSP contingent because of our commitment to an open API structure, and I’ll talk more about that toward the end.

Tim Woods:
But anyway, we get a nice view kind of from abroad, holistically across the different market verticals, of the challenges that people are faced with. Quite honestly, many of those challenges are common challenges, regardless of the industry that you’re in. A lot of those security challenges are common challenges that all the industries are faced with, not unique to any one particular market sector.

Tim Woods:
I thought this was interesting. Here, so I kind of broke it out also from the survey, you can see the little chart to the left, and I won’t read each one of those to you. But 27% of the respondents said that they used a third party firewall in their public cloud environment today, which I thought was good. Either via service insertion, or somewhere they’re still using what they’ve come to rely on, on prem or in their hyperconverged data center, they’re still using that. They want to carry that into the cloud with them.

Tim Woods:
Although I will say, the native controls for cloud are getting better. We see that a lot of the respondents are just using the native controls around public cloud. I had the benefit of being at AWS at the end of last year, and then also AWS re:Inforce, which was a security-centric trade show that just happened in Boston here a few weeks ago as well. I will tell you, as I interfaced with Azure, Microsoft and AWS, they’re definitely taking security seriously.

Tim Woods:
Just as a point of reference, AWS at the re:Invent show last year, one of their slides they talked about the number of different security enhancements that had been introduced over the last 12 months, and I want to say there was over 248 different types of security functionality introduced. They’re continuing at it. One of the biggest ones of course was making sure that your S3 buckets, that you’re not putting unexposed data out there, or data out there that can be easily accessed, that’s not encrypted. Which has been a big concern. It doesn’t take but a second for you to do a Google search on S3 buckets or bucket breaches and things.

Tim Woods:
I mean, and we see the bad guys. We’re living this today, we see the bad guys out there using automation where they’re just scanning for public IPs, trying to find the car that has the windows rolled down with the keys in it, and it’s running. They’re not even hacking, they’re just looking for that exposed data due to misconfiguration, and we’ll talk a little bit about that too, because we believe that misconfiguration is not just a training issue, but it’s also a problem of complexity. As complexity goes up, the probability of human error going up, it kind of directly correlates to that.

Tim Woods:
Making sure, being able to … That’s one of the things that Lumeta does well as a technology, doing this leak path detection, letting us know about things that may be exposed from within our infrastructure that we don’t know about. A data path going out to the cloud that we’re not aware of, that somebody nailed something up and has made data internal to the company readily available. Maybe not within the boundaries of security, and we’ll talk a little bit more about that, but anyway. Definitely a concern.

Tim Woods:
Oops. Let’s go back here again. Also, the different types of cloud services. This is something that I’ve been doing quite a bit of studying on here recently. We’re seeing this kind of mature and morph as well, whether it’s infrastructure or platform as a service, or software as a service, regardless of what it is. Understanding … I’m going to say this. Understanding who has responsibility for what within those respective deployments, those cloud deployments, is very important to understand what I need to take personal security responsibility for within my company, for the data that I’m putting out there, for the applications that I’m putting out there, the infrastructure that I’m putting out there, and what the company that I’ve engaged with, what they’re taking responsibility for. Especially if I’m not augmenting that with my own security, I’m relying on those native controls or the provider security controls, then I need to understand not only what they’re doing to secure my data, but then also what my responsibility to that data is as well.

Tim Woods:
Again, it doesn’t really matter … It’s not the same for every cloud provider, and I’ve just listed some of the main ones here. But whether it’s multi-cloud, public, hyper-private, whatever it happens to be, it’s really important that we understand who has responsibility for what across those. One of the things that was brought out in the report was the number of companies that are using multiple cloud providers. They’re not just using, they’re not just going, “Hey, I’m going to be all Amazon.” When we see companies that are using one, two, three, even four different cloud providers, especially multinational global type companies …

Tim Woods:
What was even more surprising was the number of the surprises internal that they get sometimes, when they don’t realize that they’re actually leveraging multiple cloud providers, and that one part of the organization is providing data via one cloud provider, and another part of the organization is providing data via another cloud provider. Whether it’s application resources or services, that they’re not aware about. As it relates to how I secure that, the data controls around that. Sometimes that’s a surprise that you don’t want to have.

Tim Woods:
This is not an end-all chart, and I’ll show you here also that the various cloud providers, they also provide you, if you will engage with them, they provide you exactly for the infrastructure, platform, software as a service. They’ll show you the different areas that they believe that they’re taking judiciary responsibility for, what they’re protecting and what you need to protect. But anyway, just in general I provided a slide here.

Tim Woods:
I also found something interesting, and this is not my handiwork by any stretch of imagination. This is something out there, but I thought, I love analogies and I love this. I just put this on here, so that whenever you download the slides, if you need to explain this to somebody, this is just a perfect analogy here as it relates to pizza. Kind of fun, but we look at who’s doing what in order to prepare a service and provide a product, right?

Tim Woods:
As I said earlier, as you look at the shared responsibility model, this is just an example where this is direct from Amazon. The other one of course is direct from Microsoft or from Azure, so that they kind of break it down in the different areas. As you drill into these, you can get a little bit more discrete. This is more of a macro-type view, but you can get a little more micro discrete into the specifics of these, once you start drilling into them. But again, at a high level it’s very important that you understand where it is that I need to apply my own personal resources and technology in order to secure the information that I’m held responsible for.

Tim Woods:
This one here, out of the report, probably that top one there is something that we are hearing and that customers are coming to us asking directly for help with. It’s we believe that our business has accelerated past our ability to consistently secure it in a timely manner. What do we mean by that? What we mean is … For the right reasons, right? It’s not, the business hasn’t accelerated just for the … They’ve done it for competitive reasons, they’ve done it for positioning, they’re taking advantage of cloud technologies, they’re taking advantage of consolidation of technology, of platform and deployment efficiency.

Tim Woods:
We look at CI continuous development, and continuous integration. The DevOps, companies that didn’t even have a DevOps team two years ago have a strong commitment to their DevOps organizations today, and we’re seeing a lot of that continuous deployment type place of the applications that they’re putting out there to serve their community, to serve the customers’ needs. It’s for the benefit of the customers, it’s for competitive positioning and competitive leverage in the marketplace.

Tim Woods:
However, unfortunately the traditional methodologies and the traditional processes that we’ve used to secure things, as we’ve done on premise or in the enterprise, don’t always translate into the cloud. We have to look at ways that we can gain parity with the speed of the business, because we definitely are not there today. I’m going to talk a little bit about that as we get a little deeper here as well, about some of the things that FireMon is doing to help our customers gain that parity, or to collaborate more with the lines of business in order to achieve what we’ll call security at speed as well.

Tim Woods:
Interesting, though, that we’re seeing this. That people understand this. Again, as I said, we have customers coming in and talking to us, and telling us, relating their stories to us and their challenges to us directly. But in the survey, this was brought out and highlighted, quite prominent as well.

Tim Woods:
Positive impact, depending on from which … It’s all a matter of perspective, but depending on who you’re talking to, where they sit in the organization, we can see that DevOps definitely can have a positive impact to the business. But then also, we’ll see where we’ve found lines of contention, or friction and animosity, which is a strong word, but again, we’re seeing some of that friction internally with some of the companies too, as they’re trying to …

Tim Woods:
They’re frustrated, right? There’s a frustration that takes place whenever they’re not able to secure things, and they’re not able to ensure that my security policies are actually a reflection of the implementation of my security controls. We see that frustration coming out, and it all gets back to visibility. It all gets back to needing clear visibility. We’ve also seen, even the tools that we’re using, the tools that we’ve used in the data center. We’ve seen that those tools are not necessarily the same tools that we can use going into the cloud.

Tim Woods:
That can be a problem in and of itself as well, especially at a time when you see, at the very top level, when we talk about the C-level executives and I talked about some of my interfacing there. But I read somewhere, where the normal, in a large enterprise organization, there may be anywhere … And when you look across the network, and at the desktop, and you look in the data center and database control and everything else. All of these different technologies, they may have over 80 different point solutions.

Tim Woods:
There’s definitely an effort, a strategic initiative to consolidate that. This is one thing that Palo has done such a phenomenal job of, is being able to put a number of different technologies onto a common, unified platform, and able to free you from a lot of those point solutions and having that common point of management interface as well. Which is very important, and of course that’s the FireMon value proposition as well. We’re trying to extend visibility across the hybrid infrastructure, giving you that holistic view with a common pane of glass across this heterogeneous type environment, all these different technologies, and being able to give you a place that you can look at your different security key performance indicators at any given point or time.

Tim Woods:
Being able to source tools or integrate with tools that can be applied both on premise and in the cloud, and in my hyperconverged data center, I think is going to be even more important going forward in the future here as well. But anyway, just some more points there that were interesting, that we brought out.

Tim Woods:
But here’s kind of where the rubber meets the road, these next couple of slides here. Is compliance, was probably one of the biggest concerns we heard over and over again. Migration issues, where some things were keeping us from going forward because we weren’t sure how to take some of these brown fields and bring it over, and of course we have the new green field initiatives. But a big concern of cyber-attacks, and rightfully so, right? Just for those that maybe you didn’t see it, I mean probably everyone here on the call today is familiar with the Equifax breach that happened in 2017. Over 148 million people, personal records exposed, and anyway the news that just came out, I think it was yesterday or day before yesterday, is that Equifax has decided to … They finally settled, it may be payouts of upwards of 20k per person, if you can show evidence that you were affected by the breach.

Tim Woods:
But more than 425 to 700 million dollars in fines, and then 10 years of providing, over 10 years of credit monitoring. But anyway, it’s a big mess. But imagine, my point is here, imagine the people, the resources, and the technology that you can buy with $700 million, right? It’s one of these things, if the bad guys are out there, the nefarious individuals are out there, and it’s kind of a pay me now or pay me later type thing.

Tim Woods:
These concerns are warranted, right? They’re very true and warranted concerns, and companies are trying to get their arms around this. Lack of visibility, that was a big one. Just understanding, again, it goes back to the tools that I’m currently using are maybe giving me a level of visibility that I’m comfortable with today. But as I go into the cloud, all of a sudden I don’t have that same level of visibility that I’ve enjoyed on prem.

Tim Woods:
The other problem that we see that I didn’t really break out here but that we hear is that it’s who is taking responsibility for the security, as it relates to the management of it as well. What do I mean by that? We’re seeing a fragmentation of responsibility to the security policies for the applications and resources and assets that are being deployed into the cloud. We’re not seeing necessarily that it’s the same IT security team that is embracing responsibility for that control. We see DevOps, I see the stakeholders themselves, I see the lines of business. We see new cloud security teams evolving, and of course we do see the traditional IT security teams that have already been monitoring.

Tim Woods:
But the problem there is, they’re not adding either. They’re taking on greater responsibility and additional responsibility for securing these things that are going into the cloud, but they’re not adding resources to that resource pool. Again, if you’re not adding the manpower, the resources, then what do you do? We need to look for ways that we can become more efficient. We have to automate, right? Very serious concerns here. Lack of visibility, training and skills. Again, you can have the best technology on the planet, but if you don’t empower your people to use it then it’s not going to give you the return on that investment that you’re looking for, and of course lack of control.

Tim Woods:
One thing I would say there’s no reason to recreate the wheel, either, from scratch, is the cloud providers are providing reference architectures that can be used for common deployment types. I’m seeing some third party initiatives develop out there as well. But for some of these common cloud deployment type scenarios, there’s definitely what I’ll call templates that can be followed, obviously that can be modified and customized to meet your specific requirements. But you don’t have to start from scratch, because now I know Azure is doing it, AWS is doing it, I would be surprised if I looked at GCP and they weren’t doing the same thing.

Tim Woods:
But we have these guidelines, these reference architectures that we can follow now to help us with a consistent process and a consistent deployment strategy, as it relates to deploying our cloud initiative.

Tim Woods:
Organic growth sometimes is good. What I’m finding, though, from a cloud perspective or from a network infrastructure perspective, sometimes it’s not as good as you might think. We’re already seeing evidence of what I’m calling cloud sprawl. That’s where assets, resources, applications, data is being deployed into different cloud entities, and not all within a well-defined process of deployment. What’s happening here is while it seemed easy at first, as we do more and more and more, and especially again as I put the eye on from a global perspective, it becomes an even bigger problem.

Tim Woods:
Here’s what I would say, is that it’s very important to follow a process of where you maintain visibility to those assets, resources and applications, that we know where they are. I was listening to a friend of mine, John Kindervag, actually used an example at a recent seminar. He mentioned Secret Service, he gave the example of Secret Service trying to protect the president. They never do not know where the president is at in order to protect them. Imagine if they’re trying to protect the president, and they wake up and they go, “Well where is he going to be today? How are we going to secure him?”

Tim Woods:
No, they know all the time where that asset is that they have to protect. Who has access to that asset, where that asset will be, where it’s coming from, where it’s going to, they know all of that. It’s very hard to manage what you can’t see, and it’s even harder to secure those things that you don’t know about. As you deploy these things into the cloud, it’s important that we maintain good visibility around these things, otherwise we’re going to get into this problem going on down the road, it becomes a bigger problem and it’s even harder to maintain or get our arms back around once it’s kind of out of the bag.

Tim Woods:
I would say now for those that are embarking on their digital transformation journey and their cloud-first strategies, just to take this into consideration on how I’m going to manage those assets in the future. How I’m going to manage those applications and those resources in the future, and how I’m going to track them. How I’m going to ensure at time of initiation or at time of spin-up that I have the right data controls always attached to those. Some of these things are very dynamic, right? As we get into the cloud, things spin up, things spin down, and so it can happen very quickly. Very important that we have a real time eye on these things as they take place.

Tim Woods:
I think this is interesting here, only because again I’m always interested, as we engage with clients from a sales perspective, I always want to understand what the strategic initiatives are at the top for a given organization, and then how we can help influence those initiatives. How we can help the companies achieve the goals that they’ve stated for themselves as it relates to their key strategic initiatives. Many times, many of the strategic initiatives and the projects are reliant upon either technology that you already own, technology that you own but you need to upgrade, or you’re adding additional functionality to that. The vendor has some new technology that you need to acquire to complement further what you’ve already made investment in.

Tim Woods:
Or maybe it’s a forklift, where you’re replacing something with something else. But regardless, we’re looking at technology many times to help us achieve some of those stated goals. But right below that, of course, we have to put an emphasis on the people as well. Whether it’s training, whether it’s acquiring or hiring somebody that has knowledge of the technology that we’re going to leverage or use in order to achieve these stated goals. We have to make sure that we have people that can use the technology that we’ve selected.

Tim Woods:
Then of course at the bottom, we have to understand, how does security encompass that as well? Many of the new compliance initiatives, take GDPR for example. Talks about security by design and default, meaning that, hey, our processes, we have to start thinking about our strategic initiatives and our processes. We have to put an eye on security at the beginning, not at the end. It can’t be an afterthought, meaning that … And if we get breached, especially as it relates to GDPR, if there’s a breach that takes place and you’re found at fault that you did not prioritize security at the forefront, then the potential for greater fines exists. That’s not a good thing.

Tim Woods:
Again, looking at technology, that’s absolutely … It’s fantastic, regardless of whether that’s upgraded, existing, or newly acquired. But understanding how we ensure that our people are properly equipped to use that technology, of course is paramount to the success of getting the return on our security investment that we’re looking for.

Tim Woods:
At the end of the day, it’s really about managing risk to a level that’s acceptable by the business. These are again, many of these challenges that you see listed here, they’re not unique to any one industry or any one vertical. They’re pretty common to at least all the companies across the different vertical sections that we’ve talked to. Different markets, horizons that we’ve spoken to, these are very kind of top of mind challenges that they’re looking at. Especially as it relates to migrating existing applications, resources, and services into the cloud, how I’m going to manage my security controls, how I’m going to maintain compliance, how I’m going to enable my security to gain parity with the speed of my business.

Tim Woods:
The value proposition for FireMon is just that. We try to give you clear visibility across your hybrid infrastructure. We try to aid in platform migrations. One of the first things, so what I mean by platform migrations. If I’m going from one, let’s say we’ll take a security firewall technology as an example. We’ve seen a lot of customers moving to Palo from a different technology. But before they do that, they have a mess on their hands that they need to clean up. It’s no different than when you change domiciles, or when you move homes. We have a garage sale, we give things away to charity, and then we throw out whatever is left over, but we don’t want to pack those things up that we don’t need, right?

Tim Woods:
If you’re trying to convert a policy from one platform to another platform, we find on the average when we engage with a new customer for a legacy enforcement technology that they have in place today … When I say legacy, it doesn’t go back very far. When I talk about legacy, I’m talking about something that’s been in place for two or three years, four years sometimes. But we find, it’s not uncommon for us to find upwards of 30, sometimes 45 percent unused rules in a security rule base.

Tim Woods:
Imagine that. Over half the policy that’s not doing anything, or has no purpose. It’s either technical mistakes in the policy, shadowed rules, redundant rules, overlapping rules, overly permissive rules. Dormant rules, not necessarily a technical mistake but just rules that have sat in that policy and are no longer used for whatever they were originally put in there for, in order to provide access to a particular resource. That resource has been decommissioned or retired, but no one went back and said, “Hey, since we’re retiring this, we no longer need that access. Let’s go ahead and get rid of that access.”

Tim Woods:
That could be across multiple different enforcement points. Then what happens over time is either IP addresses get reused, qualified domain names, whatever, but we all of a sudden, we incur what we call inadvertent access, or unintentional access across these. That represents another attack vector that we don’t want to be there.

Tim Woods:
Anyway, we can help in those migrations between platforms, making sure that we understand policy behavior, and understanding that when we get from where we were going to work, where we were at and then where we want to go to, that we have equivalent security measures in place when we get there. All the while making sure that we keep an eye on compliance as well. Compliance, and when I talk about compliance, I always talk about compliance in two aspects.

Tim Woods:
One is real time compliance. I always want to know, change happens all the time, right? Change happens all the time on the network. The real question though, that we have to ask ourselves is was it good change or bad change? Was it expected change? Was it scheduled change? Was it approved change? Then making sure that there’s no impact to the business, no impact to the system. The first thing that happens any time there’s an impact or an outage or a service impact, we always need to ask the question. What changed?

Tim Woods:
Very often, people are slow to raise their hand, but understanding when something changes and whether that change was compliant, or whether that change introduced unnecessary risk, it’s very important to understand. Being able to do that dynamically, or real time, is important. Even more important when we start looking at our processes and our workflows is if we can sandbox that change in advance, if we can assess that change in advance before it actually goes into the implementation stage, then we can take a proactive stance to make sure that we’re not introducing something that could be potentially harmful to the system, or introduce unnecessary risk into our system. Very important.

Tim Woods:
This chart, very simple chart, but I think it kind of puts it square, kind of where we’re at today. We’re seeing this accelerated growth of just the sheer volume of rules that organizations are responsible for managing. When I say organizations, I’m really talking about the IT security teams, that they’re responsible for managing today, and that only accelerates even further as we start talking about strategies in the cloud. Whether it’s containerization, micro segmentation, cloud deployments and things of that nature, it’s going up.

Tim Woods:
But again, what we haven’t seen is a relevant increase in staffing in order to manage that. Again, as complexity goes up, if we don’t make sure that we’re keeping that complexity … When I talk about complexity, I’m talking about unnecessary complexity. I’m talking about those things that creep into our infrastructure over time that just doesn’t need to be there. As I was talking about the firewalls earlier, unused rules. Duplicate rules, redundant rules, overly permissive rules. Probably one of the biggest things that introduces unnecessary risk.

Tim Woods:
But as complexity goes up, the probability of risk going up and introducing human error into the equation goes up as well. It’s very important that we identify complexity within our infrastructure, and how we manage that complexity. That’s truly what FireMon is in the business of doing here, is we’re trying to help you … We have this solution platform that helps you to manage growing complexity within environments. Being able to discover those things that are out there on a real time basis, making sure that they are in scope when it comes to security controls, that you have the right security controls. That our security policies are a reflection of our actual implemented security controls.

Tim Woods:
I ask this question a lot, especially when I’m in front of an audience, and I ask people to raise their hands. I always ask the question, how many of you here believe that your security controls, that your security policies are a reflection of your actual implemented security? Very few people can raise their hand to that, because it gets back to, I don’t have clear behavioral visibility to what my policies are actually doing. It’s very important.

Tim Woods:
That’s what we’re all about. We’re trying to give you a holistic view, across your infrastructure, from a compliance perspective, from a risk analysis perspective, that single pane holistic view so that you can monitor and alert, that you can clean up, that you have extensible dynamic policy compliance. That you can automate policy changes, that you can correlate vulnerabilities to policy and understand risk. That means importing vulnerability scan data, and making sure that I don’t have any rules in my firewall that’s providing access to a known vulnerability on my network.

Tim Woods:
But being able to provide actionable intelligence, so that I can triage the things that I need to, and provide actionable intelligence for my remediation efforts is so very important.

Tim Woods:
Here’s a perfect example. One of our products, Global Policy Controller, it’s a security-intent orchestration platform. What we’ve done is we’re trying to create a layer of abstraction that represents what I’ll call the desired security state. The desired security intent. To protect those applications, those assets, or those resources. Then we can use the policy compute engine that can translate the abstracted security intent into a security data control, wherever that lives. Whether that’s a native control on cloud, whether that’s a security enforcement point, but we translate that abstracted security intent into a security data control that can then be instantiated on the appropriate enforcement point. Typically, or usually, closest to the point of the resource, but not always.

Tim Woods:
But we do that automatically. Palo was one of the first ones that we partnered with, with Global Policy Controller. But anyway, we could spend a whole session just talking about this. But what it really does, it provides a platform that I can now collaborate with compliance, and collaborate with the lines of business. I can collaborate with my business owners. I can collaborate with DevOps. I can collaborate with my cloud security team, with my IT security teams. They can all have, we can create those guidelines.

Tim Woods:
Yeah, if somebody tries to color outside the guidelines, then we can arbitrate around that. But it represents a platform that we can all have a part in helping to ensure that we have the appropriate data controls around the data that we have responsibility for protecting. It also gives us the ability to break free of some of these traditional processes, by understanding when a firewall request comes in, or an access request comes in, if we already have a compliance match against that, we can let that flow on through. We can identify what enforcement point needs to be selected. We can go ahead and schedule that for implementation, or automatically implement it along the way, without having to have a human in the middle of that. It’s all about automation at the end of the day.

Tim Woods:
Here I’ve just kind of broken out some of the … I wanted to give you a quick view, and again, this is more for so you’ll have the slides and you’ll have the content in the slides here. Security Manager is our core product. We have some different modules, from Policy Optimizer, Policy Planner, which is our workflow risk analyzer. I talked about ingesting vulnerability scan data, and then correlating that to the policies that are enforced to make sure that we understand any known attack vectors. If a bad actor tried to come in a well-known threat entry point, how far could they get based on my knowledge of my root intelligence? Based on my compensating controls? Based on my known vulnerabilities? How far could that bad actor potentially get?

Tim Woods:
If there’s a root exploit somewhere out there on our network, if they can gain access to that, where else could they pivot from as well? But again, and then Global Policy Controller as I said, having that orchestration platform that everybody can be a participant in the conversation of is critically important.

Tim Woods:
At the end of the day, continuous … I talked about managing risk to a level that’s acceptable by the business, but it’s all about continuous monitoring. Things change, things move, we know that. We need to make sure that our security controls adapt as things change. We need to be collaborative with the lines of business, and supportive of the lines of business. We can’t be the Department of No as it relates to security. Compliance has to be on the forefront. We have to look at compliance as something that makes us stronger, not just an evil necessity. And consistency in deployment and tracking those things as we deploy as well, from an asset perspective.

Tim Woods:
Again, the last thing I’m going to leave you with here, and we’re going to open it up for questions. But I think going forward to the future, as I look toward the future and I keep my eye on the future, I mean we’re seeing great dividends from this today. But having an open API, when you select products. When you select products that you’re using for your future deployments and your current deployments, or your replacement deployment, make sure that those products have, that those vendors have a commitment to an open API. That they have the ability, even if you’re not using it today. Even if you’re not using it today, make sure that you have the ability to exchange information between disparate security solutions in the future, via these well-defined API structures.

Tim Woods:
I mean, it can serve to raise the total value of your organization’s combined security solutions. This not only results in a better return on your security or your overall security investments, but it can have a positive impact on the organization’s security posture. Just a note, again, today many of our customers, especially our MSP customers where they provide custom portals and customized portals for their customers, they use us because we make it readily accessible, and make our APIs readily accessible, and they can use that information. You don’t even know that it’s FireMon data that you’re looking at when you go into that portal. But we make that information, so again, it’s all about interoperability.

Tim Woods:
All right, and with that, I’m going to shut up here. I’m going to close it up, and let’s answer a few questions with the 10, 12 minutes or so that we have left. Now let me go to my internal question panel here. John says, “How is FireMon deployed?” It’s a good question. FireMon is deployed … It virtualizes quite well. We can deploy FireMon as a virtualized entity. Moreover, you can deploy it as a purpose-built platform in the data center, even though you’re looking at the cloud.

Tim Woods:
Really, it scales horizontally, I mean to fit the size of the environment. Without getting too deep into the weeds, basically there’s an application server, there’s the database, and there is a data collector. You can have as many data collectors as you want, collecting log data from the different things that we’re monitoring, from the enforcement technologies that we’re monitoring, and we parse that log data real time. We’re not trying to be a SIEM, not keeping that data. I’m trying to extract information intelligence out of that data stream real time, such as hit counts against objects and rules, changes when they happen, who made the change. Give you that who, what, when, where detail when a change takes place by analyzing the change real time. Doing a differential comparison, extracting the delta and then giving you a nice change report. Things of that nature.

Tim Woods:
But back to the question, how is it deployed? Again, it can be all on a single unifying platform. Purpose built hardware. Or it can be, it virtualizes quite well and it can distribute. It can be deployed in a distributed manner as well. Hope that helps.

Tim Woods:
Here’s a related question, from Tom. It says, “Is there only one SKU or module?” No, that’s a great question, because not uncommon. Our core platform is called Security Manager, and that core platform gives you compliance, it gives you the ability to generate reports, it gives you the ability to monitor for change, evaluate change. We do have a few modules, I pointed that out in the slide before. The workflow is an extensible module. The Automatic Rule Recertification is an extensible module. Our Risk Analysis, even though the core platform has some risk mitigation built into it, we can extend that further as it relates to vulnerability scan data ingestion, by using our Risk Analyzer module.

Tim Woods:
Then the last module, of course, is our Global Policy Controller, which is built on top of the Security Manager today. That’s kind of the way that it shakes out, or that’s the way that the platform works in general. Hope that helps. If it’s still not clear, submit another question or send me an email afterwards, that’s fine.

Tim Woods:
“Do you support ServiceNow?” Absolutely, we support Remedy, Clarify, ServiceNow. Again, it goes back to that robust API structure. Do you have a commitment to a robust API structure? We make integration very easy between those. We also expose our APIs internal to the solution or internal to the platform as well, so it’s very easy to understand what APIs are available and how to leverage those APIs.

Tim Woods:
“How do I evaluate,” basically is what he’s asking here. You can go to the FireMon website, you can request a demo. Where we’ll actually … It can be a very interactive demo, that we have inside security engineers and walk through it with you, and talk specifically about your environment, and what are the challenges that you’re faced with, and then how would our solution help you meet those challenges or solve those challenges?

Tim Woods:
You can also … We make the product free to evaluate, so you can actually download it and put it on your own network. I think it’s free for 30 days on limited, so you can put it in the areas that you’re most concerned about and try to see what value you can extract. Of course, we don’t just throw it over the fence to you and say, “Here, have a good time.” If you want to do it that way, you definitely can, but we’ll provide you technical resources to limit any type of learning curves, and to make sure you get it up and running as quickly as possible so that you can start seeing what type of value you can extract from the solution very quickly.

Tim Woods:
Again, we’ve been doing this for a long time. Lot of deep domain expertise in the security platform management arena, and we’d love to interface with you to help you understand how you could use our platform to extract value out of it, definitely.

Tim Woods:
“How can I get a copy of your API?” As I said earlier, we actually expose … To get a little more technical, we expose our APIs in the platform itself. We have a Swagger interface, which is basically a derivative of the … Or it is the OpenAPI standard today. From within the platform, you can actually go … There’s a menu item that you can select, and you can actually expose our APIs real time.

Tim Woods:
Not only can you expose them, but via the Swagger interface, for those that are familiar with the OpenAPI or the Swagger interface, you can actually exercise the API. Meaning that I can find the API that I’m looking for, it’s all categorized very nicely by the different sections and by the different modules. And you can actually plug in data variables right there in the interface itself, and then perform a GET to see what that API call would actually go out and do, and what it would return, and what the data return on that would look like.

Tim Woods:
We make it very easy, not only for you to see what the APIs are, but also for you to actually exercise the APIs as well. Another thing that I’ll point out for our solution platform also, is that we provide a security query language. Anything that’s stored, any piece of information, intersection of data, it’s all stored in the database. Of course, we don’t provide you direct access to that database. There’s no database administration required. It’s a Postgres database, so all the consolidation and aggregation, all that stuff is done for you automatically. You can set purge cycles, and how much data you want to keep, and for what your retention periods are and all that other good stuff.

Tim Woods:
But we use a security query language that enables you to go in and extract … Basically build any type of ad hoc query that you want. You can do that via the APIs, you can do that internal to the tool as well. You don’t have to know the syntax of the language, there’s no syntax that you have to learn in the query language, although we can expose that for you with one simple click. But we use what we call filter blocks inside of the solution, so you can build a filter. You just click on the things that you want to add to the query. It’s just point and click, and then you can basically create that ad hoc report to extract whatever that information is that you’re looking for out of the database.

Tim Woods:
We make it incredibly easy for you to do that, but that security query language, also you can take that if you want to look at what that query actually looked like that you built, you can expose that and you can even carry that over to the API and exercise it via an API. I know that got a little more technical. Hopefully that answered your question square on, but if there’s still any confusion there, we want to dig into it a little deeper, let me know. I’d be happy to do that.

Tim Woods:
“Where can I learn more about your Global Policy Controller product?” Again, just like we make the other products available, GPC is available for evaluation. We have a team committed to the Global Policy Controller, the orchestration platform. Be happy to demonstrate that for you, and help you get it set up and running in your own environment. Again, to see what type of value that you can extract from that as well. More than happy to do that.

Tim Woods:
For us, it’s one of the most exciting points of our product today, because again, it represents how we’re going to leverage automation to increase our speed of security. How are we going to gain parity with the speed of business? We believe that having a security intent orchestration platform is the way to go with that. We’d be more than happy to dig into the deeper details around that.

Tim Woods:
Renee, I’m going to go ahead and shut it off there. Again, if you have other questions, feel free to reach out. Email me. Happy to talk to you guys one on one or offline. But other than that, Renee, anything else?

Renee Reedle:
Great. Yes, thank you so much, Tim. With that, I’d like to close it out and give a big thank you to our speaker Tim today. But before we do conclude, please make note of our upcoming webinars, and our past webinars by visiting www.fuelusergroup.org. You can also join us at one of our Spark Summits. Information for our events is currently available on the Fuel website. Then finally, a recording from today’s webinar will soon be made available on the Fuel website. It’s under the Resource tab, then Webinars.

Renee Reedle:
I’d like to thank our speaker, and everyone online for attending the event today. Again, there’s a survey after this webinar for you to complete. We do thank you in advance for your feedback on that. Thanks again for attending today’s webinar, and everyone have a great day. Thanks so much.
