Migrations Made Easy

On-Demand

Video Transcription

David:
Welcome, everyone, and thanks for being with us for today’s webinar: Migrations Made Easy, brought to you by FireMon. A reminder that this webinar is being recorded. You’ll receive an email from us within a couple of days with a link to check us out on demand. Also, there’s a Q & A box on your screen. So when you submit a question, it’ll disappear from your box and queue up on our side, but don’t worry, we have it and we’ll ask those questions at the end. If we don’t get to your question, remember we’ll be able to follow up with you after the event. There’s also a live chat, so jump in and have a conversation with your fellow IT pros.

David:
Also, be sure to check out the resources section on your screen for some links to get some more information. So let’s get started. Our presenter today is Tim Woods, VP of Technology Alliances at FireMon. So, Tim, I’ll hand it to you to get started.

Tim Woods:
David, thank you very much, and good morning to our audience. First and foremost, I want to thank everyone for attending today. I clearly recognize that you are here today at the expense of something else. So, I’m very appreciative of you spending your time with us this morning. So we’ll go ahead and get started. I hope you’ll find the information that we present today useful. We’re going to talk about migrations, and it’s a very popular topic right now, especially for FireMon.

Tim Woods:
For those not familiar with FireMon, we’re a security management firm, a software development company; we’ve been in business for the better part of almost 14 years now. So we have a lot of deep domain expertise in this arena, dealing with security management. It’s an interesting world we live in today with the advent of cloud computing, people adopting cloud, we have SDDC. Let me see if my slide is going to build out here for me. This slide did not build out for me. That’s okay. But with the advent of cloud, we have SDDC, we have virtualization, we have containerization, we have people taking their assets from on-prem to the cloud, just a lot of activity in that area.

Tim Woods:
So we’re [inaudible 00:02:20] what I’ll call existing legacy policies for those assets that are protected in the cloud that may have lived in on-prem at one point or may be a duplication of assets that were on-prem. But one thing we do believe for sure, that the on-prem piece is not going away anytime soon, we believe that we are moving into a hybrid enterprise, we’re in a hybrid enterprise today, and we’re going to be there pretty much forever, but obviously people are rapidly adopting cloud and taking advantage of all the benefits that it provides. So would definitely help, it can help there.

Tim Woods:
One of the number one killers, I call it the number one reason for heart attacks in the security world, is complexity, and it’s growing complexity. I take exception to unnecessary complexity. I think in any good security implementation, in any good security architecture, there’s going to be an inherent amount of complexity, and anybody that tells you they can remove all your complexity and make security completely easy, I would raise one eyebrow. I would remain somewhat doubtful, because security is not easy. FireMon clearly recognizes the struggles that you, as IT professionals, as IT security professionals, are faced with: lack of resources, time of day, number of priorities, lack of information sometimes in what you receive. We’ll talk about that.

Tim Woods:
But where we can eliminate, where we can reduce complexity, that unnecessary component of complexity, the benefits are huge. That’s one of the things that we’re going to focus on today as we talk about migrations: reducing some of that complexity that is typically associated with an attempt to migrate from one platform to the next. The benefits are many. We can reduce human error. I firmly believe that as complexity goes up, the probability of human error creeping into the equation also goes up. I’ve talked about that separately in other webinars, but also just the number of service impacts, the number of changes that you have to back out during a change window due to misconfiguration or wrong information, the risk of having holes in, we’ll call it, our security fabric, having unnecessary holes, and we’ll talk about that here in a little bit.

Tim Woods:
Being able to maintain a strong compliance posture, making sure that we keep our compliance and our compliance intent where it needs to be. Then also there’s migrations, and so being able to make our migrations easier and not having to migrate those things that we don’t have to migrate unnecessarily is a big factor and something that can be removed as a prescriptive process as we go through reducing certain complexities within our firewall environment. So we’ll talk about that. I’m going to assume, hopefully, for the most part, most of the people that I talk to… I have the luxury of talking to people in my capacity at FireMon. I have the luxury of talking to people globally, across almost every market sector.

Tim Woods:
What I see is, most people are migrating from what we’ll call our traditional legacy firewall to a next-gen platform. That’s not always the case; sometimes it’s just a simple vendor change-out or adoption, sometimes it’s due to mergers or acquisitions, and there are a lot of reasons why, but traditionally we’re going to the next-gen platform. What we have to be ever mindful of there, of course, is that we’re now required to manage additional, what I’ll call, tuples of information. With a traditional legacy firewall, we have our source, destination, services, and then of course, when we get into the next-gen firewall, we’re talking not just source, destination, services, but we have to take into consideration application, user content, user ID, content ID, things of that nature too. So we have basically six tuples of information.

Tim Woods:
I don’t mean this in a bad way, but traditionally we’ve done maybe not the best job in managing our legacy firewalls. So, if we’re going to set ourselves up for success in managing our next-gen, having to manage additional information, then we need to step back and revisit how we’ve traditionally managed our legacy firewalls in the past. If we’ve fallen short there, we can strengthen our management abilities around that as we’re building in additional management capabilities for our next-gen platform as well.

Tim Woods:
I wanted to give just a quick plug here of some very useful information. We do a survey each year at FireMon, and you can find this at our website, at our home website, www.firemon.com under our resource section. We do a state of the firewall report where we’ll survey IT professionals, primarily security centric across the different market verticals asking them various questions, and it’s filled with not just next-gen questions and firewall questions, but also it talks about SDN, we talk about cloud, we talk about different technology adoption, and then we trend that over time, and we add new questions from year to year. So where you don’t see a line with additional years down there, it just means it’s a new question that’s been placed into the fold, and we’re starting to track results from that.

Tim Woods:
I pulled just a couple out here to share with you today, because I thought it was interesting to see that. Last year, the survey basically reported that complexity is trending down, or the concern for complexity is trending down just a bit, but it’s still the number one, one of the number one concerns across the individuals that we survey. I also found it very interesting that in this new question here, we talked about the different types of network security controls that people are adopting across their cloud implementations, and that varied quite a lot too.

Tim Woods:
Also, kind of a side note here, in some of my discussions, some of the people that are responsible for managing that security are somewhat … some of them are actually new to the security management horizon, we’ll say, they’re not the traditional IT on-prem firewall teams that have been traditionally managing some of those assets in the cloud or managing some of those on-prem assets. We have a different set of people that are managing some of the firewall implementations in the cloud, and that’s not an overall characterization, that’s just what we’ve observed as we’ve interviewed some of the folks that we talked to.

Tim Woods:
So I thought that was interesting, but regardless, they’re all looking for help on how they’re going to construct and structure their security policies for those assets both in the cloud and on-prem using native security controls, and then also using additional vendor controls in their cloud implementation. So anyway, again, just a really quick plug for that book. I think it’s chock-full of very useful information, and I would solicit you, encourage you to go there and take a peek at that when you have a chance.

Tim Woods:
Also today, as David pointed out in the material section, we’ve assembled some bonus material for you for this webinar. One is just a quick review of this presentation and what we’re talking about today, called the four essentials of successful migration, and then we put together a really nice little infographic as well for your benefit that you’ll have access to there as well. So I’d invite you to take a look at those and use them as you can. So let’s talk about some of the causes of policy complexity that give us the challenges that we’re faced with. Sometimes it’s just the sheer size of the environment. As I mentioned earlier, sometimes it’s acquisitions and mergers. I see a growth in regulatory compliance initiatives.

Tim Woods:
For those on the call today, if you’re familiar with GDPR, especially for our MIA friends, GDPR is for the EU, the new compliance regulation for the EU, and it’s an example of that; it has people racing around right now trying to get in line to be compliant with it. Ineffective change management, and I don’t mean that in a negative way, I mean that in the sense that it’s a challenge, meaning that the tools that you’re provided today either do not give you the necessary visibility that you need in order to accurately understand policy behavior or real-time policy behavior, or don’t give you the ability to react dynamically and/or proactively.

Tim Woods:
I also hear quite frequently from some of the CISOs that I talk to, and some of the security directors that I talk to, that many times some of their best people are doing some of the, what I’ll call, more repetitive or mundane tasks, and they’re trying to free them up, they’re trying to empower their teams to be more effective and efficient in order to buy back some time in the day to do some of those other things that they were originally hired to do. So again, it’s resource constraints, it’s time constraints. I have 15 priority ones on my plate, and I can get to three of them in a given week, and what do I do with the other ones? So they get shifted off to the side, but nonetheless, they’re still important.

Tim Woods:
Then we have to come back around to address those. And of course, in the meantime, those ones that have already retired were replaced with additional priorities. Another thing that we see quite frequently is this process of rules going into our policies, but we unfortunately don’t see the same number of rules going out. So over time we incur what we commonly refer to as firewall bloat, where we’re basically incurring additional security debt, I’ll call it, within the policies and what that really amounts to is added complexity.

Tim Woods:
Again, as I said earlier, what I take exception to personally is this unnecessary complexity that creeps into the firewalls over time and just causes all kinds of different problems, and definitely affects migrations. Then sometimes you’re given insufficient information in order to put in the access requests that you’re trying to fill, but oftentimes, more times than not, we also see that business has a tendency to trump security, and so the IT security professional is left with the decision to satisfy the business requirements using sometimes incomplete information. So, we try to define the best access rule possible, given the information that we have, but sometimes that results in an overly permissive rule.

Tim Woods:
With the good intent of going back to clean that up later, unfortunately, we talked about those different priorities that are on our plate, so we have to go back and address those, and then this overly permissive rule takes on a life of its own and gets buried and gone and forgotten until it pops its head up because of a business impact or an impact to the security. I don’t want to trivialize this either. We clearly recognize that migration is not a trivial task; it can be very expensive, especially if we’re embracing an external consulting firm or external professional services in some capacity, so that’s definitely something that we’re keenly aware of. Again, if you don’t have the right tools in place or don’t have access to the right tools, that can add some additional challenges in and of itself as well.

Tim Woods:
So, I definitely get that it’s not a trivial task and it’s something that has to be very well thought out, and it needs the engagement of … it’s not just a single person task. It needs the engagement of a solidified team. This is just a short slide that basically takes into consideration that there is a resource constraint out there today. It’s a good field to be in for you, IT security professionals, you’re in a great field and it’s a high demand field as well, but there is a significant lack of skilled resources out there in the security IT field today, and it’s projected to even get worse over time.

Tim Woods:
So, what does that mean to us in our daily jobs? It means that we are resource constrained in trying to tackle some of these challenges that we’re faced with in this new hyper-converged world that’s approaching us quite rapidly with all the new technologies that we’re faced with that we talked about earlier. So, the adoption of technology, the acceleration of business, the speed of DevOps and things of that nature, that’s not slowing down at all, regardless of these security challenges that we’re faced with; if anything, the speed of business is only continuing to accelerate. Unfortunately, security is not meeting the speed of business today, and that’s one of the challenges that we’re focused on at FireMon, trying to help organizations with … trying to match the speed of security with the speed of business.

Tim Woods:
All right. So it’s time to move. Guys, I apologize here. I’m at a trade show this week and I have been talking nonstop, so I’m on the verge of losing my voice. Again, I apologize. So as we’re getting ready for migrations, we’re looking at all the different things that we’re going to put together in our, I’ll call it, our migration box or our next-gen box. Then we’ve got to look at the different platforms. Where are we coming from? Where are we going to? This is really important. Also here, I would say, as we talk about migrations, there is no silver bullet. There is not one solution out there on the planet today where you can push a button that’s going to take you from vendor A to vendor B. But there are pieces of the solution that help you meet that challenge more readily.

Tim Woods:
I would definitely urge you to seek out the vendors. Most of the vendors have their own migration tools as well, and while they may not completely fulfill the needs for your specific environment, they are getting better every day. I talk to every one of the vendors you see here, especially in my capacity as a technology partner, as a technology alliance partner to these vendors and to our technology partners, we support about 50 different permutations of vendor devices today in FireMon. These are just some of the ones that I talk with a lot and that we see migration efforts around a lot. So just pointing that out, but all of them have some pretty nifty conversion tools, albeit they don’t necessarily …

Tim Woods:
Again, it’s not a silver bullet, it’s not a one button push thing, and it still requires some good planning and that planning starts with people, it starts with defining the process, also defining your objectives, “Here’s where we’re at today, here’s where we want to get to, these are the goals that we’re going to set in place. This is the technology that we’re going to leverage.” We need somebody, it’s real important in the migration process that you have somebody who not only has good historical knowledge on the current platform, but you need somebody … and it may not necessarily be the same individual, but you need someone who also has good technical knowledge on the target platform.

Tim Woods:
But that historical knowledge cannot be misstated, it can’t be undervalued because when we’re looking at these rules and in the absence of documentation, when we’re looking at who’s the business owner for this rule, what’s the original business justification for this rule? When was it first put in? When was it last reviewed? What’s the current need? A lot of times we find that that documentation is missing. I’ve seen organizations track documentation around their policies in multiple different ways. I’ve seen it via spreadsheets, I’ve seen it via homegrown databases, I’ve seen it via CRM tools, I’ve seen it via even email. What I would suggest here is that the proper place for good documentation around your policies is in the policy itself.

Tim Woods:
So, we actually, with FireMon as a solution, put documentation in the context of the policy itself. So when I click on a rule, when I’m looking at my firewall rules inside the FireMon tool, and if we have time today, I’m going to give you guys a quick peek at our solution, our tool, our interface, but we put that documentation in the context of the policy itself. Then we make that readily searchable too. Reportable and searchable is very important, but we capture those essential pieces of information, especially from a compliance perspective, when we’re talking about who is the business owner? What’s the business justification? When did we last review it? When do we need to review it the next time? Who’s going to be notified if the business owner changes? I want to be able to reflect that.

Tim Woods:
But from a migration perspective too, having that type of information, having that type of information in the context of the policy is so incredibly useful, and it can just save us an incredible amount of time, because now we do know what the business justification is. Even if that original business owner is not still there, has moved on or has taken on a new role or what, at least it points us in the right direction, so that we can go do our investigation piece to determine the need for this rule and the business logic behind the access that’s being provided.

Tim Woods:
So critically important, but any migration starts with a well-defined success process or criteria that involves people, process and technology. When I talk about technology, I’m talking about the vendor tools that you have at your disposal, I’m talking about any type of historical tracking tools that you have or that you’ve used that carry that documentation, and then a solution like FireMon, of course, can be incredibly valuable in helping you in that migration process. We’ll talk about that.

Tim Woods:
There are so many different methods, and again, this goes back, and I’m not going to go deeply into covering each one of these, but it really gets back to what your defined goal is. “I’m going from what I’ll call a legacy firewall, and I want to go to a more next-gen-centric type platform, or I want to go to an application-centric type protection model.” Regardless of what your desired outcome or goal is, you still have to define what your migration method is going to be. A lot of people follow the like-for-like, at least to make sure that we have the same data models that exist both on my previous platform and my new platform. But having the ability to test that, you still have to have the ability on our target platform to test policy behavior.

Tim Woods:
So, do I have that same access? I don’t want to create more access, I don’t want to just put any there and get on with life, but I want to be able to make sure I have the same level of security, and then I’m not decreasing my security, regardless of what state that security is in at the time, I definitely don’t want to go backwards, I want to go forwards here, and that’s the whole purpose for going to that next-gen platform is to try to take advantage of some of the consolidation of technologies and perhaps new technologies that are being added at maybe either point solutions that you didn’t already have, or point solutions that you’re trying to adopt integrated onto a next generation platform.

Tim Woods:
But a typical method that we see is a like-to-like, but we have to evaluate what’s going in, what’s going out. Our site-to-site, our VPNs, zones of control, very important, especially when we get down to compliance initiatives. We have to make sure that we clearly understand what our compliance zones are and the things that reside inside those compliance zones that we have to become compliant around. GDPR is especially important there, PCI is especially important there, all of the compliance, HIPAA, anything that has to do with personally identifiable information and/or credit card information, things of that nature. But we can help you; we support FISMA and HIPAA and GDPR and DISA and STIGs and all of that good stuff there, we help people with.

Tim Woods:
But again, getting back to our migration example here, determine the migration method that you’re going to use and adopt, and then understand what the variables are around that. Keeping it as simple as possible, I always believe, is going to help you reduce risks as you go through here; you’re going to reduce the possibility of causing some impact to the business or an impact to the service. Then you also want to have a fallback plan, right? When I switch over, when it’s time to switch over to that new platform, and I believe that I have my policies aligned, should something go awry, I want to be able to go back to my previous platform. So, always have that safety net or that fallback platform available. It’s always a good idea. Where possible, if you can do your migrations in parallel from old platform to new platform, then you provide yourself that safety net to fall back on should you need it.

Tim Woods:
What I would like to introduce to you here is a prescriptive process for reducing complexity which I think is where all good migrations start. You saw that 40% number with the unused and shadowed and duplicate and redundant and things, I’ve been at FireMon for almost 10 years, and what we see traditionally, just from our own experience, when we engage with a customer to help them get their arms around the management of their firewall real estate and their security real estate, it’s very, very common to see somewhere in the neighborhood of 40 to 50% unused rules on a legacy platform. That’s over half the policies.

Tim Woods:
By the way, I’ve also seen over the last 10 years, we’ve seen where we went from security policies being in the hundreds, 500, 600, 700, 800, to being in the thousands, if not tens of thousands, which is just crazy, but it’s definitely going up and to the right; the sheer number of rules that we’re required to manage is going up and to the right. There are a lot of things that are driving that, again, compliance initiatives and cloud adoption, different types of security strategies, zero trust, things of that nature, micro-segmentation, all kinds of reasons why those rules are going up and to the right, but it doesn’t take away from the fact that we still have to manage those rules.

Tim Woods:
But again, also a lot of those rules … So when I say that we see 40, 50% unused rules, I’m talking, if you have a policy that has 10,000 rules on it, 5,000 of those rules don’t need to be there. If you have a policy that has 80,000 rules … We helped a client here recently eliminate, this is a very well-known corporation that any of you on the call today would recognize, they eliminated across their security real estate, over a four-month period, over 122,000 security firewall rules. 122,000 rules they eliminated across their entire security real estate.

Tim Woods:
Now, typically you don’t see a reduction in the security rules that quickly, it’s usually a little bit more of a drawn out longer process. It really depends on the amount of documentation that you have around your firewalls and your policies, but in this case, they had buy-in, and from upper management to say, “Hey, this is a key objective. This is a key initiative for us, and we’re going to reduce this amount of rules. These are how many rules we’ve identified as not being used within our environment, we want to eliminate those, and we clearly recognize that we may cause an impact to service along the way, but that’s okay, we’ll correct it and we’ll go on with it because it’s more important to us that we reduce this unnecessary complexity within our environment.” That’s what they did.

Tim Woods:
They had minimal impacts across that because they had done such a good job of identifying the business justification around those identified unused rules. So, it was very successful. One thing I’d like to point out because it’s no different. I use the analogy of installing a doggy door in your house. If you don’t own a dog, you wouldn’t do that. So why do you have access provided around your perimeter, around your assets, around your resources, around your firewall policies, if they don’t need to be there? So, how do we do that? So, I want to walk through here, just hopefully this makes sense. I’ll define it as we go along. Then again, hopefully here, if we have time, I’ll show you a quick glance of the tool to give you some insight on how you can look at this information holistically across the entire real estate, and then drill down into those things that are very actionable quickly.

Tim Woods:
So step one is removing the technical mistakes. What I mean by technical mistakes, these are the things that we find inside a security policy that absolutely, positively serve no purpose for being there. It’s either a redundant rule, it’s a shadowed rule, it’s a duplicated rule. A shadowed rule, by the way, for me is an even bigger concern, because a shadowed rule is basically a duplicate rule but it’s providing a different action. One is an accept and one is a deny. If you’re trying to manually evaluate the behavior of a policy, these rules typically don’t live next to each other. There could be a very large area of separation between them within the rule base itself. So, sometimes if you miss one, or it’s embedded as part of an aggregated rule, then you could very easily misinterpret what the actual policy behavior is.

Tim Woods:
So for me, a shadowed rule represents an even more special case of something to be aware of. But regardless, these are things that take on a life within the policy that contribute to unnecessary complexity and can cause you all types of problems. Again here, typically we can see right off the bat a 20, 30% reduction in just the technical mistakes, things that are not being hit. We’ll talk about that a little bit more here too, because also sometimes when you find these unused rules, or what I’ll call these technical mistakes, it may be because they are shadowed by a higher-level or more overly permissive rule, and we’re going to talk about those overly permissive rules here in just a second too.

Tim Woods:
This is just a quick screenshot. It shows you that holistic view where, right up at the top, right at the very top of our KPI dashboard, we show you how many unused rules you have across the environment. Then again, I can click into this and it’ll actually show me the actual firewalls and then the actual rules contained within the policies where this particular metric resides. So, hopefully we’ll get time to take a look at that here too. So let’s go on to step two. In order to properly evaluate step two, we need to be looking at usage. We have to analyze usage of our policies. So, which rules are being used the most? Which rules are being used the least? Which rules are not getting used at all, right?

Tim Woods:
So, those rules that are unused, that have become dormant, that have become stagnant, maybe somebody decommissioned the server and just didn’t tell the firewall people; this is what I talk about when rules go into the firewall, but rules don’t go out. We don’t necessarily know when that rule is not needed anymore unless we’re monitoring that usage. Yes, there are going to be business recovery rules and disaster recovery rules, and there are going to be some event-based rules, what we’ll call cyclic rules, that are in place there. But again, documentation can handle those, can identify where we have those special use case rules that maybe don’t get used very often, but understanding usage, and like any good data report, as you look at usage longer over time, it becomes even more valuable so that we can see how rules are being used or not being used over time.

Tim Woods:
So the next place to start looking is to develop that statistical information about how rules are being used, and not just the rules themselves, also the objects contained within the rules, understanding how the objects are contained, because as you place multiple objects in the context of a rule, of course, that gives us additional logical data paths across there. So one rule could actually represent 24 rules or 100 rules or 500 rules if we start looking at the logical paths, the paths through the network that a particular rule provides. So looking at that unused rule is very important.

Tim Woods:
Again, here’s just a really quick screenshot where I’m just showing you again, right at the very top, a holistic view of the unused rules that we have within the environment and the percentage of those across the entire real estate. A very quick snapshot of that. Also, when we drill into the specific information, we tag those; we have what we call metadata and tags that we apply to those rules so that we can report on those. It becomes a really big deal too from a compliance perspective. We’re trying to keep those things in line on our compliance initiatives and compliance controls and audits and things of that nature. So, really, really important.

Tim Woods:
Step three, a little more heavy lifting here, but the payoff can be tenfold. This is where we start looking at those overly permissive rules. Again, sometimes our unused rules or our technical mistakes are overshadowed by a higher rule in the rule base that is overly permissive. When I say overly permissive, I’m talking about a rule that’s providing way more access than what the need of the business actually dictates. So, being able to go in and understand the behavioral parameters around that rule is really important. So you have to be able to look inside; let’s take an Any, for example. Being able to go inside and look at what’s actually being passed across an Any, say, in the service field, is extremely useful. Being able to extrapolate from that service, too, what applications are related to the use on that field is extremely useful.

Tim Woods:
Also, as we’re moving toward, or we’re trying to migrate toward an application centric policy, we have a facility that’s called traffic flow analysis to help you look inside these overly permissive rules. It could be an extended address range or an overlapping address range, or it could be that infamous Any in the service field. Again, the business owner comes in and says, “We need this access, we need it by yesterday. Where are you coming from?” “I don’t know where we’re going to, I don’t know.” Or what services does this application leverage? I don’t know. So again, the IT professional goes off and builds the best rule possible with the information that they’re given, but it results in overly permissive access.

Tim Woods:
So being able to go in and analyze who’s talking to who, what are the flow relationships across that rule, but then also being able to look inside that overly permissive Any statement in that service field to say, “Not only what services are actually being leveraged or used, but then also to denote how frequently they’re being used.” I want to make sure that I’m not just picking up a service that maybe is a result of some type of port scan or something like that. I want to make sure that I understand what are the actual services that are being leveraged to support this access and lock it down. There’s no reason to have 64,000 plus, 65,000 plus services open when you need four of them, or you need 10 of them, or 11, 15, whatever it happens to be.

Tim Woods:
We’re basically opening the door, rolling down the car windows and leaving the keys in with the engine running. It’s just potential for exploitation that we don’t want to afford the bad guys. But again, trying to do this manually, trying to match up usage against the actual policy that’s enforced on the enforcement point itself, is just not humanly possible over time. It’s a very, very time-intensive and manually intensive process. So, you need some way to do this in an automated fashion that gives you clear visibility into what the actual behavior across a given rule is. Traffic flow analysis from FireMon can give you that.

Tim Woods:
Then step four is definitely something that I don’t want to understate as well. If you’re going to spend the time and the money and the effort to clean your policy up in preparation for a migration, or just in preparation for a better security posture, or maybe it’s for compliance reasons, there are so many benefits to having good hygiene across a good firewall policy. In the end result, of course, you improve your security posture, but like a crash diet, it doesn’t do us a lot of good to go on a crash diet if we go right back to our same model of previous behavior. So, we want to understand what got us there in the first place and fix that.

Tim Woods:
So, we can do that through this process of continuous monitoring, where we’re bringing in aspects of risk, we’re bringing in aspects of dynamic compliance and proactive compliance initiatives, and understanding in real time how our policies are being used across the enterprise. Whether you have five firewalls, whether you have 10 firewalls, or whether you have 15,000 firewalls, we want to be able to get a snapshot of what our key performance indicators are, of what our key security index and security information look like, and what our risk posture looks like at any given time. So being able to monitor that in real time, to know when a change happens, to understand whether that’s good change or bad change, to understand if an audit fails or why that audit failed, getting back to being able to technically enforce our security policy is just so critically important.

Tim Woods:
It’s one thing to write a security policy, a declarative policy that we’re going to define that basically states how we’re going to achieve security across our environment, whether it’s an application port guide or whatever it is you’re establishing in written form as that security intent, but then how do we go and technically enforce that and keep it up to date? We can’t do it; we tend to fail with the people that we have on hand. So how do we empower our people? How do we become more efficient, more effective at doing that? So, continual policy monitoring and continual policy management is the last piece of this puzzle that’s so critically important for keeping us where we worked so hard to get to.

Tim Woods:
This is just an example of … and I apologize, I realize this probably is hard to see, and this actually scrolls down if I’m actually in the tool as well, but we capture that key security metadata around that policy rule. Again, business owner, business justification, last time it was used, last time it was reviewed, next time it has to be reviewed, all that information that a qualified security assessor or an auditor is going to come in and ask for. They’re going to pick out that one rule that you cringe about, like, “Ah, I knew they were going to pick that one,” that has no information attached to it, and they’re asking you, “Why does this rule exist? What’s the purpose of this rule in your security policy?” Without business information in the context of that policy, sometimes those can be hard questions to answer and can result in the failure of a compliance audit.

Tim Woods:
So, being able to capture that as part of your continual monitoring and continual management process is really, really critically important. All right. So we’re wrapping up here. We’re going to leave time for some questions at the end. Love to talk to you guys. We understand you have … I’ve listed some of the projects that we see along the top here; migration is just one of those: micro-segmentation, rule cleanup, controlling cloud security, compliance, real-time compliance, proactive compliance, dynamic compliance, just trying to reduce your attack surface, trying to integrate risk as a component of our policy, overlaying vulnerability scan data onto our security policies, and understanding, when I open up that new access, if I’m actually exposing a known vulnerability that wasn’t previously exposed, things of that nature.

Tim Woods:
Aligning with the different strategies from the top, we definitely would be excited to talk to you about those. FireMon is focused on providing continuous security management within the hybrid enterprise. So, we have our eyes clearly set on the cloud. We also have our eyes firmly planted on the enterprise, on-premises, as well. We believe that there are three components that make a successful security implementation, and that is understanding risk, understanding your compliance posture, and then being able to orchestrate all that in a continual motion. So, I would invite you to reach out to us if it sounds interesting, if it sounds like something that you need, if it sounds like something that we can help you with, especially as it applies to either migrations, helping you reach compliance or maintain compliance, or reducing your attack surface. We would sure love to talk to you about that.

Tim Woods:
So, real quick, before I open it up for questions, I’m just going to give you a really, really quick sneak peek here at our interface, and of course, I’m logged out. Let’s see if I can log on again. Love it when technology works the first time. Anyway, I just wanted to give you a really quick view. Hopefully everybody can see this. This is just a top dashboard here, so you can see my key performance indicators here, key security index. Here are the devices that were last revised. Here are my unused rules, here’s my security concern index, which is kind of a relative number, but it gives you a gauge for understanding whether I’m going forwards or backwards as I take on management of my policies across the real estate.

Tim Woods:
But what I was talking about here is, from an enterprise level, from a holistic view, I can click on this and I can actually get down into some specific suggested actions, from cleanup needed to improvement needed to failed controls, things of that nature. If I click on this, then I can actually look at those rules. Here’s a rule that’s been tagged as unused; it’s been tagged as shadowed. I can go down a little further here. I can find other devices. Let’s click in on one of these, click in on the Cisco.

David:
Excuse me, Tim, if you could click that screen so we can see your screen.

Tim Woods:
Oh, okay. All right. I thought I did. It said stop showing the screen.

David:
Here we go.

Tim Woods:
How about now? All right guys, I apologize.

Tim Woods:
Thank you for interrupting me there. Let’s go back here. Again, guys, this is what I was talking about here. This is the top look, the enterprise look, the holistic approach. What I was verbalizing there was looking at this unused rules area here and being able to click into that. I also wanted to point out this security concern index, which is that relative number that gives me a gauge of how I’m doing, maybe as far as cleaning up the unused rules, reducing complexity. We’ll talk about complexity. Complexity is not just a factor of unused rules; it’s a factor of risk. It’s a factor of just the number of data paths that we have through a given rule: sources times destinations times services, things of that nature.

Tim Woods:
I can pull in, I can look into the policy itself and very quickly get an idea of what my average complexity makeup looks like. Again, I’m still keeping that key security information at the top here: my unused rules, my unreferenced network objects. I can look down here: complexity by device, rule usage, cumulative severity, a lot of really, really good information right here at your fingertips. I can go into my security compliance perspective. I can look at where I’ve had failed controls across my different compliance initiatives, whether that’s PCI or HIPAA or STIG or FISMA or NERC CIP, whatever it happens to be. I can look at those things firsthand here and then drill into the individual data that exists here.

Tim Woods:
Anyway, I want to make sure that we leave time for some questions here. So I’m going to shut it down right there. I just wanted to give you guys a really, really quick sneak peek at the tool. So let me go back to our main screen here and stop my screen sharing. So you should see that back. So, let’s go ahead David, and turn it over for some questions while we have some time left. I want to be mindful of what time it is.

David:
Yes. Just a few minutes here. So let’s dive into it. This one is, how does FireMon do the administration orchestration once I have the rule that’s cleaned and migrated?

Tim Woods:
Right. Great question. FireMon looks at everything in real time, and so we’re actually analyzing log data coming from the enforcement points that you’re allowing us to monitor in real time. We’re parsing log data whether it’s coming from the management safe or wherever that enforcement point log data is coming from; we feed that into the FireMon system and we parse that information in real time. I don’t want to confuse it: when I say log data, a lot of people immediately jump to, “Oh, you’re a SIEM. You’re acting like a SIEM.” It’s not a SIEM. We don’t actually keep the log data in that respect. I want to break that image of you picturing this large storage environment that’s required. It’s not that at all. We look at this usage in real time.

Tim Woods:
What we’re looking for in that usage is hit counts against rules. I’m looking at hit counts against objects. I’m looking for anything that would be an indication of change. When I detect that change, I’m actually going to log into that enforcement point. I’m going to initiate a retrieval of the policy. I’m going to normalize that policy. What I mean by normalization is I’m going to apply a schema to that policy that says, “What am I going to store in my common database plane?” Once I get it in there, I’m going to actually do a differential comparison. I’m going to extract what … I know what the old policy looks like, I’m going to compare that to the new policy, I’m going to extract the delta, and I’m going to give you a really nice change report: the who, the what, the when, the where, all the details around that change.

Tim Woods:
But now that I have that freshly modified policy that I know is an actual reflection of what’s implemented on the enforcement point fabric itself, now I can help you manage that policy, and I can continue to evaluate usage across that. I can continue to evaluate potential risk across that, I can continue to evaluate rule order and the effectiveness of that policy in real time. That’s what we mean by real-time orchestration. I can implement those factors that I talked about, whether it’s risk or compliance, usage, things of that nature, and I can’t stress the importance enough: everything that we do is a snapshot in time, and everything we’re doing is real time, as near real time as possible. Great question.

David:
All right, this next one is, does your solution replace my existing vendor’s management system?

Tim Woods:
Another good question. We’re really trying to augment the native vendor management solutions; we’re trying to fill in. So to answer the question squarely, I’m not trying to replace the native vendor management tools, but what I am trying to do is augment what they provide. Where they may do a really good job of purposing, maybe they don’t do as good a job of managing when it gets into compliance, when it gets into holistic visibility across your entire enterprise. Very few enterprises have a pure single-vendor environment, and so we want to be able to give you that single pane of glass that gives you insight across all your key security metrics, regardless of what the platform below it is.

Tim Woods:
Again, today we support close to 30 different vendors, 50 different permutations of vendor devices, trying to give you that single pane of glass that gives you that real-time view into your security posture. So no, I’m not trying to replace the native platforms, but I am trying to augment those. There is some overlap from time to time, there’s definitely some overlap, but again, we’re doing it across a very wide range of vendors.

David:
Okay. This one here is, where have you seen migration efforts fail?

Tim Woods:
Good question. Where do we see migration efforts fail? I’ve mainly seen it fail at the beginning, where the processes were not keenly defined. So again, where one individual tried to take it on, and it was basically a side project in addition to what their normal duties or responsibilities were as well, and so it got into this kind of “I’m never going to get to the end of the tunnel” type of thing. That’s where I’ve mainly seen it fail: where we didn’t collaboratively enlist management, we didn’t enlist historical owners, we didn’t enlist the business side, we didn’t enlist the help of the entire team. It’s really, really hard to do.

Tim Woods:
Again, it depends on the number of firewalls, the sheer size of the policy, the scope of the business as far as the importance of the firewalls that you’re trying to tackle. Most of the firewalls that we have, we can’t afford for them to be out for even a minute; any time that we lose, we have an impact to the business that costs the business money and/or loss of confidence with our customers and things of that nature. So, it’s one of these things where it has to be a collaborative effort. It has to be a leveraged effort where you’re rallying around people, process and technology. So that’s where I’ve seen it fail the most: where the process, the clearly defined goals and outcomes, and collaboratively involving everybody just wasn’t well thought out on the front end.

David:
Okay, let’s dive into this one. How can I customize what others see in the reports and dashboards?

Tim Woods:
So we have very granular role-based administration within the tools. So if you don’t want someone to see something, but yet you want to give them access, maybe it could even be a business owner, you want to extend visibility of the information and the metrics to a business unit, that’s definitely possible: very granular role-based administration, multi-tenant capabilities as well, very popular in the MSP space. Also, you can dynamically generate reports or schedule reports and things like that. Again, maybe you don’t want to give somebody access to the web portion of it, to the web interface. Maybe you just want them to have a report mailed to them or something like that.

Tim Woods:
One of the reasons we’re popular in the MSP space is because we do have multi-tenant capability, but also we have a very robust API, a RESTful API architecture, so that we can actually extract data. A lot of the MSPs take data out of our tool and then put that in their own customer portals and white-label it. So you don’t even know that the information that you’re looking at is coming from FireMon. So, hopefully that clears it up a little bit, but yeah, very granular role-based administration, giving you access to only what someone needs to see on a need-to-know basis.

David:
Okay. Probably can take another one or two questions. This one here is, is there a list I can use to look up vendors that you do support and which vendors you support for migrations from and to?

Tim Woods:
Yeah, we pretty much support all the vendors as far as cleanup goes. If there’s a particular vendor … and we do have a list we need to update; that’s part of my responsibility. We’re actually in the process of updating all the different vendors that we support when I call out 30. But anyway, you see my email there, tim.woods@firemon.com; if there’s a specific vendor that you’re interested in, just reach out to me. Guys, I’m widely accessible, happy to talk to you about anything in addition to security, life and the pursuit of happiness, whatever. Hit me up, I’d love to engage with you, talk about the challenges that you’re faced with, things that you’re seeing on the horizon, general security information you have, but I would definitely give you information on the vendors that we support.

Tim Woods:
We have what we call a device pack strategy for our vendor support. So, our core code doesn’t change; we write these device packs, and then that device pack is actually uploaded into the system, and it inherits all the functionality of the core system, which is cool. So we can actually add device support outside the main code stream, if that makes sense.

David:
Okay. Well, I think that’s about all the time we have today. Again, please take a look at that resource section for some more information. Another reminder is, if you stepped away or missed any part of today’s presentation, you’ll get an email in a day or so with the link to view this on demand, so you can take a look at this presentation at your convenience. Thanks to Tim and to FireMon for creating this content. I think everyone learned a lot today. So, we will look for any questions that came in, and if we didn’t answer those, we will have a chance to follow up after today. So, thank you everyone for attending today’s webinar. We’ll look for you next time for another Spiceworks-sponsored webinar. Take care, all. Thank you.

Tim Woods:
Thanks everyone.
