This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.
Today’s IT security teams are faced with rapidly mutating threats at every possible point of entry – from the perimeter to the desktop; from mobile to the cloud. Fueled by the fast evolution of the threat landscape and changes in network and security architectures, network security management is far more challenging and complex than just a few years ago.
Security teams must support internal and external compliance mandates, enable new services, optimize performance, ensure availability, and support the ability to troubleshoot efficiently on demand—with no room for error. That’s a lot to balance when managing network security.
Here are four essential best practices for network security management:
#1 Network Security Management Requires a Macro View. Organizations need a holistic view of their network. With disparate vendor devices and hosts, security teams need a normalized, comprehensive view of the network, including: routing rules, access rules, NAT, VPN, etc.; hosts, including all products (and versions), services, vulnerabilities, and patches; and assets, including asset groupings and classifications.
With a comprehensive view of the network, security teams can view hosts in the network, as well as configurations, classifications and other pertinent information. A network map or model is both a useful visualization tool and a diagnostic tool, providing analysis that is only possible when considering an overall view. For example, security and compliance teams can use this macro view to see how data would move between points on the network.
Additionally, it highlights information that is missing, such as hosts, access control list (ACL) data, and more.
Sophisticated analytics can be conducted quickly and accurately in a model-based environment, without disrupting the live network. Access path analysis helps to validate changes and can troubleshoot outages or connectivity issues, enhancing visibility and improving security processes. “What-if” analysis indicates both accessible and blocked destinations for designated data.
#2 Daily Device Management Requires a Micro View. Although the macro view is needed to see how all the pieces of the network fit together, network administrators must also be able to drill down into the details for a particular device, easily accessing information on rules, access policies, and configuration compliance. And this information must be considered within the framework of the broader network, including context such as segments or zones, routing, routers, switches, intrusion prevention systems (IPS), and firewalls.
Information must be provided in a digestible fashion. The network components that impact the device will undoubtedly come from various vendors, creating data of different vendor languages that must be deciphered, correlated, and optimized to allow administrators to streamline rule sets. For example, administrators need to be able to block or limit access by application and view violations of these access policies.
Daily or weekly reviews of all devices on the network is unattainable with a manual process, and reviewing device configurations less frequently puts network security and compliance at risk. Automating policy compliance helps ensure compliance and consistency, and preserves IT resources.
Ideally, a network modeling tool that provides a macro view should also allow administrators to drill down into a micro view of each device, providing information on users, applications, vulnerabilities, and more. This allows administrators to see the broader network view and then focus in on particular devices for management.
#3 Simulate Attacks for Context-Aware Risk Assessments. Merely knowing the network vulnerabilities and their criticality is insufficient for understanding the true level of risk to an organization. Today’s attacks often incorporate multiple steps that cross several different network zones, and an isolated view of any of these steps could appear innocuous.
Attack simulation technology automatically looks at the holistic network – business assets, known threats and vulnerabilities – and identifies what would happen if the conditions were combined. Attack simulation can also evaluate potential options to block an attack, providing intelligence for decision support. Understanding the likelihood of an attack and its potential impact against valuable targets is the key to assessing which vulnerabilities and threats post the most risk.
Attack simulation technology looks at network context, asset criticality, business metrics, and existing security controls when determining the impact of a potential attack. For example, if an asset runs an application that is crucial to maintaining the business and requires continuous availability, a medium-level vulnerability that threatens to disable this asset might be a high-level risk to this particular business.
The impact of deploying a particular security control must also be considered. Keeping an IPS continually on active mode can impact network performance. Attack simulation tools enable security teams to target use of their IPS protection, activating only necessary signatures, maximizing performance, and prioritizing vulnerabilities.
#4 Secure Change Management Is Critical. Once a network is in compliance, a secure change management process is needed to maintain continuous compliance and validate that planned changes do not introduce new risk. Secure change management incorporates risk assessment in an orchestrated, standardized process; flags changes outside of this structure, allows administrators to reconcile flagged changes, and troubleshoots where needed. Secure change management verifies that changes were implemented as intended, identifies when a change has unintended consequences, and highlights unapproved changes.
For example, a change management process can flag when a network change will expose vulnerabilities, when a firewall change opens access to risky services, or when there is an unauthorized access path from a partner to an internal zone. More importantly, to maintain network security, change management processes can be used to determine the impact of a proposed change before implementing the change.
Implementing these four best practices for network security management can reduce risk across the network. With visibility on both the network and device level, tremendous amounts of data are translated into intelligence that deciphers complicated network security transactions into manageable, actionable information. With this insight, attack simulation can then prioritize vulnerabilities and eliminate the attack vectors that are most critical to the organization, protecting business services and data. Finally, change management can automate and optimize security processes to improve security and reduce the security management workload.
Skybox Security, Inc. is a provider of automated, non-intrusive tools that detect, prioritize, and drive remediation of critical risks such as exposed vulnerabilities and firewall configuration errors.