SCdemocast: Continuous Security for the Hybrid Enterprise

On-Demand

Video Transcript

Teri Robinson:
Hello, everyone. My name is Teri Robinson and I’m the Executive Editor at SC Media. Welcome to our webcast, Continuous Security For The Hybrid Enterprise, sponsored by FireMon. The cloud is a notable business advantage, but it does bring numerous security concerns, including a lack of visibility across cloud or between on-premises and cloud environments, monitoring security controls and changes within cloud and multi-cloud environments, and maintaining compliance by monitoring cloud traffic for suspicious and non-compliant behavior.

Teri Robinson:
It becomes increasingly complex in hybrid environments because now you’re managing security for on-premise cloud virtual container environments, and more. The time commitment can feel staggering. But it doesn’t have to. Today, we’re going to show you the path to more effective cloud security and hybrid enterprises through a mix of vulnerability management. And see how an attacker could exploit and prioritize your patches. Continuous compliance, so you can define your own cloud security controls and reduce the time spent on audit prep by making your cloud continuously audit ready, and adherent to the intentions and goals of the enterprise. And automation and orchestration, and just behavior details from your cloud.

Teri Robinson:
Then command security controls to cloud systems from a single console. The idea is instant, worry reducing cloud control. Our speaker today is Tim Woods. He’s the Vice President of Technology Alliances at FireMon. He brings more than 20 years of security experience to his role as the company’s Technical Alliance Lead. His global engagements have given him great insights across virtually every market sector and enterprises of all sizes. Tim believes his most important role is education and raising awareness. He says that fighting complacency in security should be everyone’s top priority if we are to win the war on cybercrime. He is well-versed in this industry, as you can tell. And I’d like to welcome him here today. Hi, Tim.

Tim Woods:
Teri, thank you very much. Happy to be here.

Teri Robinson:
Great.

Tim Woods:
Today, we are going to talk to… There’s a lot of things to talk about there in a short amount of time. First off, I want to thank the audience for their time today. I clearly recognize that everyone here attending today is doing so at the expense of something else. I just want to say sincerely for myself and on behalf of FireMon, thank you for attending our session today. And I’m hopeful that you will get something good out of this. We’re not going to have enough time to cover everything that we have today, but hopefully it will give you a good taste of how FireMon can help you with the challenges that you’re faced with today.

Tim Woods:
FireMon was born out of solving challenges, real-world challenges for our customer base. And we’ve been around almost 14 years now. So a lot of deep maturation in the security arena in helping companies to face their security challenges head on. Without further ado, let’s just go ahead and jump into it. The world we know, the world as we know it today is changing rapidly from cloud computing, virtualization, containerization, internet of things, internet of things inside the business. I was reading an article today on, I do a lot of reading on Alexa for business. And one of the biggest fears with the IoT devices of course, is the security of the operating systems themselves.

Tim Woods:
Speaking of Alexa, my Alexa just started talking as I was in the middle of that. But I was at a cloud security conference last week in New York. I was this week, actually, at the beginning of this week, I was in a cloud security conference in California. And it was interesting for me to hear the audience from… They had a couple of panel sessions and the audience asking questions. Everyone’s really keenly interested on how to adopt cloud, how to leverage the advantages, of course, that cloud gives you. But more importantly, how to do it securely. People are also frightened that they’re going to get into the cloud and that they’re going to put some of their assets, resources, and applications in jeopardy. Which can happen. And we’ve seen it has happened. And so people are rightfully concerned about that. And they’re trying to learn more about it.

Tim Woods:
One thing is for certain, that the speed of business, adopting these things and leveraging things is not slowing down. If anything, it is continuing to increase. And will continue to increase as well. In fact, the speed of business has increased past our ability to secure it on a consistent basis. And so what do I mean by that? What I mean by that is some of our traditional methodologies and some of the native management tools that we’re attempting to use today, they’re just not scaling as we enter into this new cloud adopted hybrid society. We have our on-premise, I’ll call it our brownfield. And we’re moving some of those brownfield applications into the cloud. We have new cloud developments. We have the acceleration of dev ops taking place. And we’re putting new applications into the cloud. And we’re doing so to not only remain competitive, but to seek competitive advantage in the marketplace.

Tim Woods:
Business has always trumped security. When it comes to deploying applications, it’s going to help us grow our businesses. And things of that nature. And another unique trend, another thing that’s taking place here also, as we deploy these assets, and resources, and applications in the cloud is the fact that sometimes not our traditional IT security teams are the one managing those assets, managing the security around those assets. We find new cloud teams responsible for the security of those applications and assets popping up. I see dev ops taking responsibility for it. I see the actual application business owners taking responsibility for those applications.

Tim Woods:
Sometimes those individuals aren’t as well versed in the security aspects of those things. And so we see not necessarily hacking, but we see a lot of exposures taking place in the marketplace today. Meaning, that we’re putting things in the cloud and maybe we are leaving things not configured in the best posture. And we’re exposing some of those data. Some of those have been highly publicized and have reached some high profile exposures, due to some of the leaks at what we’ll call just data exposures. I hesitate to call them hacking. But in fact, some of the nefarious individuals out there that are looking, they’re actively looking for these things. They’re looking for holes in the firewall. They’re looking for data exposures. They’re trying to find that house with the door open. They’re trying to find that car that has the keys in it, with the windows rolled down and the engine running.

Tim Woods:
And they’re out there. And that’s what we have to make sure that we’re taking a proactive stance against. Insufficient due diligence just can’t… We can’t allow it to take place as we’re putting these things into the cloud. And we’re not talking about small data exposures either. We’re talking about some of these exposures, well-publicized, have led to millions of records being exposed. Millions and millions of records being exposed. And so very, very large data exposures. The other thing that we’re dealing with is this rise in complexity. And the slide that I have that I’m showing you here basically is showing just the sheer volume of rules that the traditional IT security folks are having to manage today. Anything that has an ACL on it. Whether that’s a switch, a router, a load balancer, or a firewall, whatever it happens to be. Predominantly firewalls, but everything has these rules. And we’re seeing these rules just go to never-before-seen heights. And unfortunately, the resources necessary to manage this unbridled growth in rules is not growing at the same pace.

Tim Woods:
And so we’re introducing this growing complexity gap. And here’s what we know for sure. And I’ve said this to anyone that’s heard me speak before, has heard me say this, as complexity goes up, the probability of human error creeping into the equation is also going to go up. And so we’re having to deal with that. And so where we can put a focus on that complexity, where we can reduce that unnecessary complexity, we can also have a positive impact on our security posture. And so managing that, keeping that at the forefront, keeping that in our visor and in our windshield is very important as well. Understanding how we’re going to manage this growing complexity that we’re faced with on a day in day out basis. And so, as we continue to go forward here, we see that the reality is for businesses today in the hybrid, we’ll call it the hybrid enterprise world. Because the hybrid enterprise, it’s not going away anytime soon. I hesitate to say that it’s going to remain forever, but it’s definitely going to be around for a long time.

Tim Woods:
And our focus at FireMon is to give you security vision around the on-prem aspects of your business, along with the cloud implementations that you’re forging ahead with to gain competitive advantage in the marketplace and, or to accelerate business models as well. But the reality is that we have to take both of these into consideration. We have to build platforms that are collaborative. We have to build platforms that regardless of who is taking ownership, regardless of who is taking responsibility for securing these assets, resources, and applications that we’re deploying in the cloud, we need to make sure that from a security perspective, from our compliance intent, from our business intent, from our security intent, that we’re collaborating with one another to make sure that our security policies are unified, as it’s applied to securing the data that we’re responsible for, and the trust that our customers are placing within us.

Tim Woods:
And so I’m going to give you an example. I’m going to do something a little different today. I’m actually going to try to, technology permitting here today, we’re going to try to jump into an actual demonstration of the FireMon platform. And I’m going to show you, give you a couple of examples of exactly what I’m talking about. And some of the things that Teri talked about in the introduction as well. But we think there’s three things here that are critical to any good security implementation. As we’re talking about not only security in the hybrid enterprise, but security on-premise and security in the cloud as well. And it’s these three critical areas that I want to take a second just to talk about individually. And the first of course is the risk landscape. And we all know that that risk landscape is growing.

Tim Woods:
And as we deploy into the cloud, of course, that risk landscape continues to grow even further as well. And one of the things I’m going to show you today is I’m going to show you how we can take a dynamic depiction of a topology that we’ve automatically generated, and overlay vulnerability scan data onto that, and then do some really interesting things with risk threat vectoring. Where we can say, “Hey, if a bad actor came in a well-known threat entry point, how far could that bad actor get?” Based on my knowledge of your firewall policies, your compensating controls, based on my knowledge of your route intelligence, based on my knowledge of what we’ve imported from the vulnerability scan companies. We know what vulnerabilities actually exist. What could actually potentially be exploited? And so we want to take a look at that as well. But the other thing I want to mention here, it’s not just the vulnerabilities that are laying out there.

Tim Woods:
It’s the hygiene of those things that’s protecting our perimeters, and our walls, and the firewalls and anything that basically has an ACL on it. And so over time, those things, we become… Trying to find the right word here. Maybe a little complacent or lackadaisical in keeping the best hygiene applied to those policies. But we find, what FireMon finds over time, on the average for a legacy firewall, we’ll find anywhere from 30, 40, upwards of 50% of rules on a firewall that aren’t being used. And usually when I’m speaking to people live, if I’m in front of people, I have heads in the audience going up and down, up and down, agreeing with me on that point. And so those types of things too can introduce unnecessary complexity, but it can introduce unnecessary risk. And I attribute that to part of the risk landscape too.

Tim Woods:
I don’t want to have overly permissive rules on my firewalls. I don’t want to have rules on my firewalls that I’m not using. I want to get rid of those things. I don’t want to have inadvertent access. In addition to having a good risk profiler and being able to run these risk-based threat scenarios, I also want to make sure that I’m applying the best hygiene to my firewall policy so that I can reduce the greatest amount of risk that I possibly can. Next up in part of this trilogy, we’ll call it, is the compliance piece of it. There was a day compliance was really viewed as kind of a check mark, check box, must have, got to do it type of thing. But today people really embrace compliance to try to make themselves better. They use it. It’s not a silver bullet.

Tim Woods:
There’s no compliance initiatives out there that are a silver bullet. FISMA, PCI, even the newest GDPR. I love GDPR, by the way. I love the language of GDPR when it talks about security by design and default. Because that shows that you’re putting security at the forefront. Everything that we do, we have to put security first. To think about, when I’m deploying that application, I have to think about security. When I’m thinking about the operating system that I’m putting that application on from a dev ops perspective, I have to think about the security aspect of that. And GDPR is driving that. I think that’s really forward thinking as it applies to security, and the new world, and the acceleration of the business models that we see today. And I’m excited about that. And I think compliance, while I know it’s not a silver bullet, it can represent the guard rails to our security policies.

Tim Woods:
And so if done right, if embraced correctly, compliance can actually technically, help us technically enforce our written security policies. Whether that’s security operating procedures, whether that’s your application port guides, that almost every company has. But being able to interpret our security intent into the compliance standards and having a foundation, having a platform, having a solution that can interpret that security policy, and then help us technically enforce it, regardless of whether we’re private cloud, multi-cloud, hybrid cloud, deploying software as a service, or infrastructure as a service, or platform as a service. Those are all shared models. We all take ownership. Yes, as we go into the cloud, the cloud provider assumes some of the responsibility for the security controls and some of the configuration controls that they give you. But they’re all a shared model.

Tim Woods:
And we have to accept that responsibility for securing those things. And making sure that we’re compliant. And making sure that our compliance initiatives are in spec and stay in spec over time as well. We don’t only need a good compliance engine that can help us technically enforce our written policy, but it needs to be real-time and it needs to be continual. All right. That’s kind of number two. And again, I can’t say enough good things about a good… When you embrace compliance and when you can build off of it. I’ve seen just some wonderful… Here recently, I’ve seen some wonderful compliance implementations where they’ve taken some of the applicable compliance regulatory initiatives for their particular business, and then they’ve modified those to suit for their unique environment. And there’s some really good things that have come out of it as a result.

Tim Woods:
And then the third thing here is I have to have that central pane of glass, I need that central view. And I hear people talk about predictive analytics and things like that. I was just reading a paper on predictive analytics. And I love it. I love what they’re doing in that arena and stuff. But what I want is real-time analytics. I want a security platform, a security management platform that gives me real time statistics. So that whenever I’m looking at this, I know exactly what my security posture looks like at any given point in place and time. And I want to bring all that together across my heterogeneous environments. Very few environments that have a, what we’ll call a single vendor solution, deployed across their security infrastructure. But moreover, it’s a combination of many different vendor products that span from the desktop, to the server layer, to the network layer, to the database arena, all the way up into the cloud. And so we need to have good visibility across our entire, across our entire security infrastructure, whether it’s on-premise or in the cloud.

Tim Woods:
And so that central orchestration is critically important as well. And so we’re already… God, just that quick. That’s how quick the time goes here. We’re already running short on time. And I want to make sure that I give you guys a sneak peek at the tool here. We’re just going to go ahead and jump into it. But if there was any parting takeaway here, I would just say, and if you want to remember anything about FireMon. FireMon provides a platform that gives us continuous security monitoring, real-time visibility. And we bring those three items together from looking at the security risk landscape, from looking at compliance and giving you that central pane of glass, that centralized pane of glass for you to be able to see these things. And so let’s see right quick, if I can share my screen.

Tim Woods:
And I’m hopeful here that you guys should see a dashboard now. And Teri, do you… Let’s see, ready to share. Do we know if the audience can see my desktop, my screen now? Looking for confirmation, maybe from one of my moderators.

Teri Robinson:
Can’t see anything yet, I think.

Tim Woods:
All right. Let me just go back very quickly here. I’ll stop the one and I’ll start it over. It’s okay. It’s all right. We’re all right. Leave the slides. Come back to this. Full screen share. Start it. We’re going to do our Chrome tab. We’re going to do the enterprise overview dashboard, and now we’re going to share that bad boy. How about now?

Teri Robinson:
I can’t see it.

Tim Woods:
Just give it one second.

Teri Robinson:
There.

Tim Woods:
There it is.

Teri Robinson:
There you go.

Tim Woods:
There it is. Now we’re going. Now we’re cooking with security. All right. Sorry, guys. And I’d practiced that several times too. I’ll rush through this pretty quick. Because I want to leave just a few minutes for questions at the end here as well. What you’re looking at here, this is our dashboard kind of giving you a holistic view of the environment. And this is my test environment. So I’ve got some pretty ugly things in here going on, from a security perspective, in order to test the efficiency of it. But you can see right from the top, I can see the number of devices that I’m monitoring. What’s my most recent revisions. I can see what my security concern index looks like from a baseline perspective. If I was to jump into my policy, from the very top, I even get more key performance security information here, where I’m looking at how many… I talked about that security risk landscape. How many redundant rules do I have?

Tim Woods:
How many unused rules do I have? Un-referenced objects? Things of that nature. And then I can scroll down into this and I can get further. Look at these, this complexity by device. How open are the policies across my enforcement points? And usually if something has… If it gets into the red or to the yellow, it means that I probably have some overly permissive rules in there that I need to go investigate. And we have functionality called Traffic Flow Analysis that we can go in and we can look at that overly permissive access, and tighten it down to just those things that we know are actually needed and are actually being used. So we can help with that as well. Let me go back into here real quick. We’ll go back to the enterprise view. If I wanted to look at here’s… Let’s see. From my dashboard, rules contributing to control failures. Most severe control failures.

Tim Woods:
Here’s a particular, my most active firewall here. If I drilled in on that, I can get detailed. So from a holistic view, I get this nice overview from the security metrics dashboard view. But then very quickly I can drill down onto any piece of information in there. So I can go from the very top, to find that needle in the haystack, almost instantaneously when I need to. And so I drilled into this Palo Alto here. I can see that I have 26 rules with control failures. Well, I’d sure like to know what those rules are. So again, I can just click on those and then those rules become exposed very quickly. And then I can see here, well, these are unused. So maybe I’ll come back and worry about those later. But I see this rule four here, that it has five critical control failures.

Tim Woods:
And so I would like to know what those critical control failures are. And so very quickly I can drill into that and I can see what those control failures are. Any destination with an action of accept. Really, really bad no-no. Any source with an action of accept. Another big no-no. So things like that very quickly, I can get down to actionable intelligence that I can create a solid remediation plan around. Let me show you something else here, I think is of interest. We’ve been talking about risk threat vectoring. I’m going to jump into our risk analysis view. I’m going to show you a map. This map here actually was generated based off of the configuration data that we retrieved from the enforcement points that we’re monitoring. Also, the route intelligence that we bring in. And we generate this map dynamically for you.

Tim Woods:
And then I can come down here and you can see everything that I have red here. I’ll zoom back out again. Everything that is red basically tells me these are areas of the network that I have known vulnerabilities on. And so I can actually say, “Well, I’d like to simulate an attack from this entry point here.” And very quickly I can see that, hey, there’s the potential here for some bad stuff to go on. But we also make a metered recommendation to say, “Hey, where can I reduce the greatest amount of risk in the least amount of time?” In other words, FireMon, what’s your recommendation for where I should focus my patching efforts? And so we give you that. We even give you a simulated way to apply the patches and then see what the resulting impact would be to my security posture.

Tim Woods:
And so I applied those eight patches that it was recommending. And we can see that some of the red lines went away. Meaning that, hey, no longer can they get to those open vulnerabilities and pivot or root pivot off of that to go somewhere else in my network. And then I can even further patch. Say, patch this one, recalculate it, and I can see what the impact here to my security rating goes to very quickly. Guys, I’m sorry. I know that was a lot of information in a very short amount of time, but we’ve already run out of time today. And I want to leave just a minute here for some questions. Teri, I’m going to turn it back over to you and see if we have any questions from our audience right quick.

Teri Robinson:
Okay, great. Yeah. Thank you so much, Tim. That was great. And we are going to open it up to some questions. Okay. Can I control who has access to view certain policies?

Tim Woods:
You can. FireMon, actually, if I’m interpreting the question right from the asker. FireMon, as a platform, we have very granular role-based administration. And also even multi-tenant capability. So you can control who has a need to know to see what policies and which pieces of information. And that extends into the workflow piece as well. From the workflow orchestration piece, or the rule re-certification piece, ticket operations and all that. That granular role-based administration flows throughout the entire solution.

Teri Robinson:
Okay. We’ve had issues with rules that were too open. Can FireMon address that?

Tim Woods:
Absolutely. And so that’s exactly what I was pointing to earlier there. Is finding what rules are too open, those are what I would call an overly permissive rule. And those creep into the policies way too frequently. Because businesses needing access to a particular application, and maybe they haven’t given us all the information that we need to create the best rule possible or the best access rule possible. And so sometimes we put some overly permissive statements as we build that access rule out. With the good intention of going back to clean it up later or tighten it up later. But then as we all know, I really sympathize with the IT security administrators out there, because I know they have 15… At any given time, they have 15 priority ones on their plate. And so once the access is in there and it’s working, a lot of times those overly permissive rules are gone and forgotten until somebody exploits one of them. And then they rear their ugly head.

Teri Robinson:
Okay. Why not apply all vulnerabilities?

Tim Woods:
Why not apply all vulnerabilities? You could do that as well. Obviously, what we’re trying to do is we recognize from a risk perspective, if I understand the question correctly. We could definitely say, “Hey, let’s go patch everything.” And that would be Nirvana. That would be ideal. But what we find is in the environment that due to the lack of resources, we don’t have the ability to patch everything all the time. It’s a lot of work, patching an environment. Because you have to schedule outages, you have to schedule maintenance windows, you have to schedule down times. Depending on, as you’re applying these patches, you want to make sure that you’re not impacting the business operations at a given point in time.

Tim Woods:
And so what we’re trying to do is give you a meter of recommendation to say, “Where can I, if I only have a limited amount of resources and a limited amount of time, how can I make the most efficient use of my resources?” So where can I get the biggest return on my resource investment? Where can I reduce the greatest amount of risk and get the biggest return on my resource investment? We’re trying to look at it and balance it from a risk resource efficiency perspective.

Teri Robinson:
Okay. Well, that’s going to have to be it for this session. Just a reminder, today’s session will be available for download tomorrow at scmagazine.com, under events. Thank you, Tim, for being with us today. And thanks to all of you for tuning in.

Tim Woods:
Thanks, everyone. Appreciate your time.
