Risk and Compliance Monitoring
As corporate policies evolve and compliance standards change, you need to review how you are enforcing traffic on the firewalls and optimize the rule bases. Hackers like the fact that firewall teams never remove rules; this is how many compromises occur. Metrics can show how often each rule is actually hit, so you can clean up all those that are redundant: rules that have been replaced by newer rules, rules for services no longer in use that nobody told you about, and all those temporary exceptions that were added to get projects, acquisitions, mergers and so on finished.
Other useful metrics for risk and compliance monitoring are the ones that can easily be seen trending toward zero or 100 percent. Examples include the number of shadowed rules (ones that can never fire because an earlier rule already catches their traffic); the percentage of unused, and therefore wasted, rules; and the percentage of rules that actually violate company policy. By continuously monitoring these metrics over time, you can see how effective the team actually is. This goes back to the adage that a good metric is one that tells you something meaningful: if your score is getting better, then you know you're doing something right.
Good metrics are transferable across industries and companies; they enable you to make changes that make a difference. Combining these various test results gives each firewall gateway a security score that provides a comprehensive, cross-vendor, organizational grade. This provides a clear understanding of the nature and level of overall network security risk, and the granular, actionable data needed to manage it accordingly. But be warned: I have seen instances of teams that, having discovered the "satisfaction" of numbers moving in the right direction, became fixated on the wrong goal. If you're concentrating your efforts on making the metrics look good, then you're not focusing on making strong rules.
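As an added illustration (not code from the article or from Tufin's products), the following Python computes the three metrics above, shadowed, unused and policy-violating rules, plus a per-gateway score, over a constructed six-rule base; the "any to any on all ports" policy check and the scoring formula are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    src: str      # source CIDR
    dst: str      # destination CIDR
    ports: tuple  # inclusive (low, high) destination port range
    action: str   # "allow" or "deny"
    hits: int     # hit counter exported from the firewall

def covers(outer: Rule, inner: Rule) -> bool:
    """True when `outer` matches every packet that `inner` would match."""
    return (ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
            and ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst))
            and outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1])

def shadowed(rules):
    """Rules that can never fire because one earlier rule covers them entirely."""
    return [r.name for i, r in enumerate(rules) if any(covers(p, r) for p in rules[:i])]

def unused(rules):
    """Rules with a zero hit count: wasted, and candidates for removal."""
    return [r.name for r in rules if r.hits == 0]

def violations(rules):
    """Assumed policy: no allow rule from any source to any destination on all ports."""
    return [r.name for r in rules if r.action == "allow"
            and r.src == "0.0.0.0/0" and r.dst == "0.0.0.0/0" and r.ports == (1, 65535)]

def scorecard(rules):
    """Per-gateway grade (assumed formula): 100 minus the share of flagged rules."""
    n = len(rules)
    sh, un, vi = shadowed(rules), unused(rules), violations(rules)
    flagged = set(sh) | set(un) | set(vi)
    return {"shadowed": len(sh),
            "unused_pct": round(100 * len(un) / n, 1),
            "violating_pct": round(100 * len(vi) / n, 1),
            "score": round(100 * (1 - len(flagged) / n))}

# Constructed rule base, in evaluation order (first match wins).
RULES = [
    Rule("web-in",       "0.0.0.0/0",  "10.0.1.0/24",  (443, 443), "allow", 120000),
    Rule("web-in-old",   "0.0.0.0/0",  "10.0.1.10/32", (443, 443), "allow", 0),
    Rule("dns-out",      "10.0.0.0/8", "0.0.0.0/0",    (53, 53),   "allow", 9000),
    Rule("legacy-ftp",   "10.0.0.0/8", "10.0.2.5/32",  (21, 21),   "allow", 0),
    Rule("project-temp", "0.0.0.0/0",  "0.0.0.0/0",    (1, 65535), "allow", 15),
    Rule("default-deny", "0.0.0.0/0",  "0.0.0.0/0",    (1, 65535), "deny",  0),
]
```

Note that the leftover "project-temp" exception not only violates policy but also shadows the final deny, which is exactly the kind of finding a hit-count report alone would not explain.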
(Tufin Technologies is exhibiting at Infosecurity Europe 2010 on April 27-29 in its new venue of Earls Court, London. Visit Tufin on stand J90. For further information, please visit: www.infosec.co.uk.)