It comes as no surprise to security practitioners that managing security is becoming more and more demanding. Organizations are facing more threats, greater complexity and increased demand for both security and application connectivity. While many companies are deploying the latest and greatest technologies to fight back against cyber attacks, they often neglect their security policy management basics.
In his years of working with companies across nearly every geography and industry vertical, Nimmy Reichenberg, vice president of strategy at AlgoSec, has found that going back to the basics is key to managing an effective security policy and a crucial first step in making your organization more responsive, agile, compliant and secure. In this slideshow, Reichenberg identifies seven common pitfalls organizations face and offers tips for how to deal with them.
Security Management: Back to Basics
The following seven common security policy management pitfalls, and tips for how to deal with them, were identified by Nimmy Reichenberg, vice president of strategy at AlgoSec.
Think About the Process First
Even a great technology solution cannot fix a bad process, but it can force you to think about how your process should work. Generally, security teams have a process for adding rules, but very few have a process for removing or recertifying rules, changing objects, and removing IP addresses. Bring your teams together and think about how and when you update or remove rules and objects, and develop a repeatable process for managing these critical and ongoing tasks that you will use every single time.
Look Through a Single Pane of Glass
When different teams with different goals use different tools and procedures, conflicts and errors occur. The teams tasked with security, operations and applications already have different cultures and reporting structures that they follow. If they also have different degrees of visibility across the network, they are unlikely to agree on overarching goals, ultimately making the entire organization less secure and agile. If everyone is working with the same tools and procedures, they will see the same picture and be able to recognize — and agree on — the current status, risks and opportunities.
Take an Application-Centric Approach
The number one trigger for a policy change is a change to a business application, so you need to think about security from the application perspective. Visually map application flows (using a network topology map) so you can see how data flows across the network, what’s not working and where traffic is blocked. If you focus on the application first and figure out how traffic needs to flow, you can easily understand what each application needs in terms of connectivity to function and deliver its business benefits, while ensuring security.
Proactively Assess Risk
Once you know what changes are needed, perform a “what-if” analysis to make sure that your changes do not add any risk, violate PCI compliance requirements, conflict with your network segmentation strategy, or introduce any new vulnerabilities. With this strategy, you can mitigate risks before policies are implemented and catch major issues before they occur.
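The "what-if" check described above can be scripted against a written segmentation policy. The following is an added example, not code from the slideshow or from AlgoSec: it assumes a constructed zone map (the 10.x address ranges are illustrative), a constructed segmentation policy expressed as permitted zone-to-zone services, and a hypothetical `assess_change` function that reports every way a proposed allow rule would violate that policy before the rule is pushed.

```python
"""What-if analysis: evaluate a proposed firewall rule against a segmentation policy.

Added example; zones, policy and rules below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: str       # CIDR
    dst: str       # CIDR
    service: str   # e.g. "tcp/443", or "any"
    action: str    # "allow" or "deny"


# Constructed zone map: zone name -> network. Anything outside these is "internet".
ZONES = {
    "dmz": ipaddress.ip_network("10.10.0.0/16"),
    "corp": ipaddress.ip_network("10.20.0.0/16"),
    "pci": ipaddress.ip_network("10.30.0.0/16"),   # cardholder data environment
}

# Constructed segmentation policy: (src_zone, dst_zone) -> services permitted to cross.
# A zone pair that is absent is a forbidden path.
SEGMENTATION = {
    ("internet", "dmz"): {"tcp/443"},
    ("dmz", "corp"): {"tcp/8443"},
    ("corp", "pci"): {"tcp/443"},
}


def zones_of(cidr: str) -> set:
    """Zones a CIDR touches. A block wider than the zones it overlaps also counts as internet."""
    net = ipaddress.ip_network(cidr)
    hits = {name for name, zone in ZONES.items() if net.overlaps(zone)}
    if not hits:
        return {"internet"}
    if all(net.subnet_of(ZONES[name]) for name in hits):
        return hits                      # fully contained in one zone
    return hits | {"internet"}           # broader than the zones it overlaps


def assess_change(rule: Rule) -> list:
    """Return the risks a proposed rule would introduce; an empty list means it passes."""
    if rule.action != "allow":
        return []                        # deny rules close paths, they open nothing
    findings = []
    src_zones, dst_zones = zones_of(rule.src), zones_of(rule.dst)
    if len(src_zones) > 1:
        findings.append(f"{rule.name}: source {rule.src} spans zones {sorted(src_zones)}")
    if len(dst_zones) > 1:
        findings.append(f"{rule.name}: destination {rule.dst} spans zones {sorted(dst_zones)}")
    for s in sorted(src_zones):
        for d in sorted(dst_zones):
            if s == d:
                continue                 # intra-zone traffic is outside the segmentation policy
            allowed = SEGMENTATION.get((s, d))
            if allowed is None:
                findings.append(f"{rule.name}: segmentation violation, {s} -> {d} is not a permitted path")
            elif rule.service == "any":
                findings.append(f"{rule.name}: 'any' service on {s} -> {d}; only {sorted(allowed)} permitted")
            elif rule.service not in allowed:
                findings.append(f"{rule.name}: {rule.service} not permitted on {s} -> {d}; allowed {sorted(allowed)}")
    if "pci" in dst_zones and rule.service == "any":
        findings.append(f"{rule.name}: PCI scope requires named services into the cardholder zone")
    return findings


if __name__ == "__main__":
    proposed = [
        Rule("app-to-db", "10.20.1.0/24", "10.30.1.0/24", "tcp/443", "allow"),   # passes
        Rule("app-to-db-any", "10.20.1.0/24", "10.30.1.0/24", "any", "allow"),  # too broad
        Rule("world-to-pci", "0.0.0.0/0", "10.30.1.5/32", "tcp/443", "allow"),  # forbidden path
    ]
    for r in proposed:
        print(r.name, "->", assess_change(r) or "OK")
```

Running the change through `assess_change` before it reaches the firewall turns the "what-if" into a gate: a clean rule returns no findings, while an any-service or cross-zone rule is stopped with the exact policy line it breaks.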
Validate and Reconcile
Assuming all of your security policy changes are in place, you need to be able to verify that they were actually implemented or see, at a glance, what kept them from being implemented. On the flip side, you also need to be able to quickly identify any out-of-process changes or “cowboy changes” that were snuck in without going through the proper approval process. Relying on manually documented processes will not capture all your out-of-process or dropped changes. Reining in the cowboys will also make it much easier to find potentially risky changes.
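Reconciling approved change requests against the rule set that is actually deployed, as the section above describes, is a three-way comparison: baseline snapshot, current snapshot, and the list of approved changes. The block below is an added example and not code from the slideshow or from AlgoSec; it assumes rules are identified by name, that each approved change is a hypothetical ticket record with an `op` of `add` or `remove`, and that both snapshots are already parsed into `Rule` objects. The sample rule sets and ticket numbers are constructed.

```python
"""Validate and reconcile: which approved changes landed, which were dropped,
and which deployed changes nobody approved.

Added example; rule sets and tickets are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    service: str
    action: str


def reconcile(baseline: list, current: list, approved: list) -> dict:
    """Compare two rule-set snapshots against the approved change tickets.

    approved: list of {"ticket": str, "op": "add" | "remove", "rule": Rule}
    Returns ticket ids that were implemented or dropped, plus out-of-process drift.
    """
    base = {r.name: r for r in baseline}
    cur = {r.name: r for r in current}
    expected_adds = {c["rule"].name: c["rule"] for c in approved if c["op"] == "add"}
    expected_removes = {c["rule"].name for c in approved if c["op"] == "remove"}
    report = {"implemented": [], "dropped": [], "out_of_process": []}

    # 1. Did each approved change actually land?
    for change in approved:
        name = change["rule"].name
        if change["op"] == "add":
            landed = cur.get(name) == change["rule"]   # present and exactly as approved
        else:
            landed = name not in cur                   # gone from the current snapshot
        report["implemented" if landed else "dropped"].append(change["ticket"])

    # 2. Anything in the diff that no ticket explains is an out-of-process change.
    for name in cur.keys() - base.keys():
        if name not in expected_adds:
            report["out_of_process"].append(f"added: {name}")
    for name in base.keys() - cur.keys():
        if name not in expected_removes:
            report["out_of_process"].append(f"removed: {name}")
    for name in base.keys() & cur.keys():
        if base[name] != cur[name] and expected_adds.get(name) != cur[name]:
            report["out_of_process"].append(f"modified: {name}")
    report["out_of_process"].sort()
    return report


def sample_report() -> dict:
    """Run the reconciliation over a constructed scenario."""
    web = Rule("web-in", "0.0.0.0/0", "10.10.5.10/32", "tcp/443", "allow")
    ftp = Rule("legacy-ftp", "10.20.0.0/16", "10.10.5.20/32", "tcp/21", "allow")
    backup = Rule("db-backup", "10.30.1.0/24", "10.20.9.9/32", "tcp/22", "allow")
    api = Rule("api-in", "0.0.0.0/0", "10.10.5.11/32", "tcp/443", "allow")
    monitor = Rule("monitoring", "10.20.9.50/32", "10.30.0.0/16", "tcp/9100", "allow")

    baseline = [web, ftp, backup]
    approved = [
        {"ticket": "CHG-101", "op": "add", "rule": api},        # implemented
        {"ticket": "CHG-102", "op": "remove", "rule": ftp},     # never executed
        {"ticket": "CHG-103", "op": "add", "rule": monitor},    # never executed
    ]
    current = [
        web,
        ftp,                                                     # still there: CHG-102 dropped
        Rule("db-backup", "10.30.1.0/24", "10.20.9.9/32", "any", "allow"),  # widened, no ticket
        api,
        Rule("tmp-any", "0.0.0.0/0", "10.30.0.0/16", "any", "allow"),       # nobody approved this
    ]
    return reconcile(baseline, current, approved)


if __name__ == "__main__":
    for section, items in sample_report().items():
        print(f"{section}: {items}")
```

The "modified" check is the one that catches the quiet cowboy change: a rule that keeps its name but has its service widened to `any` never shows up as an add or a remove, so a diff that only looks at rule names would miss it.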
Automate Everything You Can
Automation will streamline your processes, enable you to quickly change designs, identify rules that can be reused, seamlessly push out policies, conduct risk analysis and auditing quickly, instantly create documentation and validate and reconcile, all in real time. There will always be some tasks that require human intervention, but you will have a more secure system if you keep the people on your team focused on the jobs that need analysis and investigation, rather than mundane tasks that can be automated.
Don’t Forget Security Basics
With the advanced threats and well-publicized breaches of today, it’s natural for the media and analyst community to disproportionately cover the latest shiny toys. You know, those cloud-based, crowd-sourced, next-generation, advanced kill-’em-all, flux-capacitor-powered solutions. But you can greatly improve your security posture by not forgetting – and even emphasizing – the security basics that are often overlooked, such as:
- Keeping antivirus up to date
- Identifying and patching vulnerabilities
- Hardening systems
- Solid processes for configuring policies across firewalls and routers
- Removing administrator privileges from endpoints
- Security awareness programs
- And the list goes on…