The policies that are meant to protect us are becoming a threat vector themselves. As network complexity explodes and as enterprises incorporate SASE, MPLS, virtual firewalls, and network security groups into their hybrid infrastructure, policies proliferate – and the threat landscape expands in lockstep.
Yet even as technological advances hit the market at a head-spinning pace, security and compliance teams continue to rely on manual configuration. Does it make sense that the same security teams that command artificial intelligence, machine learning, and other innovative technologies in their daily work are still using email and spreadsheets to communicate change requests?
Tim Woods, Vice President of Technology Alliances at FireMon, recently spoke about how enterprises can maintain their speed of business without creating additional risk. “We have too many policies in too many places,” said Woods. Combine that with rising rates of change requests, and it’s clear why enterprises have trouble staying on top of their policy management. “If a business still includes manual processes in its change request process, it’s never going to be able to move fast enough. We need to be faster than change,” Woods said. “A change request shouldn’t take a week or two. It should just happen. It should be automated.”
5 Root Causes of Firewall Breaches
Firewall breaches can be traced back to one or more of five root causes, said Woods, citing:
Overly permissive rules
Overly permissive rules can be exploited by bad actors. “When it comes to rule statements, the most dangerous word is any,” said Woods.
Inadvertent access
Inadvertent access is created when a resource is decommissioned, but its associated rules are not removed from the policy that was controlling access to it. “If that IP address gets reused, all of a sudden we’re providing access to something we never intended to provide access to,” said Woods, “and that can create unintended consequences.”
Known but unpatched vulnerabilities
Known but unpatched vulnerabilities within the network can provide unauthorized or unexpected access. “Too often we don’t correlate known vulnerabilities with our compensating controls,” said Woods, “and when we don’t correlate the two, we’re raising risk. Anytime we’re poking holes in our perimeters, the risk goes up. We have to try not to increase risk as we open up our environments.”
Firewall misconfigurations
Bad actors can discover firewall misconfigurations using automated penetration scanning. “The bad guys are using automation, and they’re using it every single day,” said Woods. “This has been proven by people opening up honeypots and exposing data on the internet, and then timing how long it takes for somebody to try to exploit it.”
Shadowed rules
Shadowed rules are a gift to bad actors. “The problem is that they don’t look alike and they’re never right next to each other,” said Woods. “Policies today are not just 500 or 600 rules. We see 40,000 and 100,000 rules in policies — that’s not uncommon at all. So trying to find these contradictory rules is a huge task. If you’re trying to do it manually, you’re just not going to find these things.” Then, when manually trying to understand the behavior of a policy, a shadowed rule is easily misinterpreted. “You can think you’re doing something that you’re not doing – and you can end up creating new vulnerabilities.”
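As an added example (not code from the article or from FireMon), the following first-match rule-base checker flags the two root causes that can be found by static analysis of the policy itself: allow rules that use “any”, and rules that are shadowed by an earlier rule that does not look like them. The rule format is an assumed simplification (IPv4 only) and the rule base is constructed.

```python
"""Static checks over a first-match firewall rule base: 'any' in allow rules
and single-rule shadowing.  Assumed simplified rule format, IPv4 only."""
from dataclasses import dataclass
import ipaddress

ANY_NET = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    proto: str    # "tcp", "udp" or "any"
    ports: tuple  # inclusive (low, high); (0, 65535) means any port
    action: str   # "allow" or "deny"

def _net(cidr):
    return ANY_NET if cidr == "any" else ipaddress.ip_network(cidr, strict=False)

def covers(outer, inner):
    """True if every packet matched by `inner` is also matched by `outer`."""
    if outer.proto not in ("any", inner.proto):
        return False
    if outer.ports[0] > inner.ports[0] or inner.ports[1] > outer.ports[1]:
        return False
    return (_net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst)))

def shadowed_rules(rules):
    """(rule, earlier rule) pairs where the earlier rule already matches all of
    the later rule's traffic, so the later rule never fires (action ignored).
    Shadowing by a union of several earlier rules is not detected."""
    found = []
    for i, rule in enumerate(rules):
        earlier = next((e for e in rules[:i] if covers(e, rule)), None)
        if earlier is not None:
            found.append((rule.name, earlier.name))
    return found

def overly_permissive(rules):
    """Allow rules that use 'any' for source, destination or protocol."""
    return [(r.name, [f for f in ("src", "dst", "proto") if getattr(r, f) == "any"])
            for r in rules if r.action == "allow"
            and "any" in (r.src, r.dst, r.proto)]

# Constructed rule base: r4 and r5 look nothing like the rules that shadow them,
# so the RDP deny in r5 is never enforced because r1 allows it first.
RULES = [
    Rule("r1", "10.0.0.0/8", "any", "any", (0, 65535), "allow"),
    Rule("r2", "192.168.5.0/24", "172.16.0.10/32", "tcp", (443, 443), "allow"),
    Rule("r3", "any", "10.1.1.0/24", "tcp", (22, 22), "deny"),
    Rule("r4", "192.168.5.0/24", "172.16.0.10/32", "tcp", (443, 443), "deny"),
    Rule("r5", "10.20.30.0/24", "172.16.0.0/16", "tcp", (3389, 3389), "deny"),
]
```

Running `shadowed_rules(RULES)` reports r4 (hidden by r2) and r5 (hidden by r1), and `overly_permissive(RULES)` reports r1 with “any” in both its destination and its protocol.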
Choosing Your Path to Automation
Deciding to automate happens naturally. Enterprises often decide to automate when a triggering event occurs. That event is usually a security incident, but it may also be a big change to an existing service or application or the rollout of a new service or application.
Deciding what to automate can be murkier. But Woods said the decision shouldn’t be complicated. “Anywhere you can eliminate costly misconfigurations — and let’s be clear, misconfiguration is just another word for human error – that’s where you want to automate. Look for opportunities to make people more efficient and consistent, and embrace that. Fund that. That’s where your ROI is going to happen.”
Traditional approaches to handling change requests force enterprises to slow down to stay secure. “I still see people using email and spreadsheets in order to track, initiate, request, and respond to changes,” said Woods. “What I would say to you if you’re using email and spreadsheets is this: as you grow, they will not scale. Get rid of them. Automate your change requests first, and you’ll make the biggest impact on the business and see the biggest ROI on your automation investment.”
Is your security a business roadblock or a business enabler?
Enterprises can use automation to templatize changes, thereby bypassing some of the tasks that would otherwise throttle the speed of business. Woods said, “Talking to our enterprise customers has taught us that 40 to 60 percent of changes can actually be templatized and put on a fast track.”
It’s not enough to reactively detect a bad change. And it’s not always possible to analyze a change outside of the context of the policy, or to assess a change from the perspective of compliance or best practice. “You need to be able to analyze a proposed change or a proposed change request proactively, and it has to be in the context of the destination policy,” said Woods.
Even tasks that require a traditional approach can be accelerated. “As security professionals, we don’t want to be roadblocks. We want to be enablers,” said Woods, “and we can actually do this — but only if the enterprise can leverage some of the core functionality into a policy management system along the process workflow.”
Misconfiguration is another word for human error
Woods pointed to a real customer example of an enterprise that was struggling to get the results they expected from their automation initiative. They decided to try FireMon’s orchestration API, and FireMon built its assessment engine and dynamic assessment into the customer’s workflow provisioning. As a result, “this customer saw real-world ROI that allowed them to reduce the amount of time required to provision their application,” said Woods. “They’d been tracking the percentage of their changes that had to be backed out or that were negatively impacting their business, and we were able to meaningfully reduce those errors. This was a really big deal for this company.”
The key to getting the greatest value from an automation solution, said Woods, is choosing one with the most powerful and best-supported API. “If you want to raise the total value of your combined security solutions, you have to be able to exchange and enrich data from all the platforms you have in place. Having a strong commitment to an API structure enables you to do that,” said Woods.
Enable innovation with automation
The value enterprises seek to gain from automation lies in the ability to manage change rapidly, consistently, and flawlessly. Woods said three capabilities must be in place to serve that goal: visibility, scalability, and agility.
“We hear it time and time again, we see it pop to the very top of the ‘most challenging’ list — and that is the challenge of visibility,” said Woods. “We have to make sure we can detect change when change happens. You cannot protect what you don’t know about. You cannot adequately secure things you cannot see. You cannot put appropriate security controls around assets when you don’t know where they reside, how long they persist, and so on. Automation can find new assets and make sure their policies are what they should be – and the results can be accessible in normalized format through a unified console.”
Hybrid environments are dynamic, so scalability has to be easy and it has to work in both directions. “You can have the best technology, but if it doesn’t scale to the size of your environment, it will not be embraced. It will not be adopted. You need to be able to scale to the size of the environment.” Automation helps you manage the rule base by monitoring, collecting, and analyzing data in real time from large enterprise infrastructures without noticeable degradation of performance. “As the network expands with more devices and features to meet business demands, the ability of security teams to protect their infrastructures should remain consistent.”
And because change happens very quickly in today’s hybrid estate environment, Woods said, “You need to be able to adjust to change very quickly. You need robust support for the devices you’re trying to normalize and protect and understand, and to achieve that, you need a robust API. Otherwise, you won’t be able to react quickly – that commitment to an API architecture is mandatory to supporting business innovation and firmly putting the security and compliance teams where we should be — in the role of business enablers.”