Security Policy Management – FireMon.com (https://www.firemon.com). Improve Security Operations. Improve Security Outcomes. Feed last updated Tue, 26 Dec 2023 22:51:51 +0000.

The Dangers of DIY Network Security Policy Management
https://www.firemon.com/the-dangers-of-diy-network-security-policy-management/ – Wed, 30 Aug 2023 16:43:03 +0000

Network security has become a top priority for enterprises to safeguard their sensitive data, protect against cyber threats, and ensure compliance with industry regulations. And rightfully so: with 74% of all breaches involving the human element (Verizon DBIR, 2023), tools like Network Security Policy Management (NSPM) solutions help reduce those odds by taking error-prone manual policy work out of human hands.

An efficient NSPM solution is essential to ensure the smooth functioning of an organization’s network while mitigating risks effectively. While some enterprises may be tempted to build their own in-house security policy management system, opting for a specialized and proven solution, like FireMon, offers numerous advantages. 

1. Lack of expertise and experience creates opportunities for mistakes: Established NSPM vendors, like FireMon, have spent years honing their solutions and gaining valuable experience in the field of network security. They understand the complexities and nuances of managing security policies effectively, and their solutions are designed to meet the unique challenges faced by modern enterprises. Building an in-house NSPM solution requires considerable expertise, research, and ongoing maintenance, which can be both time-consuming and costly.

2. Unable to react quickly to changes in the environment: Time-tested NSPM solutions come equipped with a comprehensive feature set that caters to the diverse needs of enterprises. These features may include policy analysis, risk assessment, compliance reporting, change management, and automation tools. Developing a feature-rich in-house solution that matches the capabilities of proven vendors would demand significant resources and time and might not be feasible for all enterprises.

3. Time and cost inefficiency: Building an NSPM solution from scratch demands extensive resources, including hiring specialized personnel and ongoing development efforts. The process can be time-consuming and divert focus from core business activities. In contrast, purchasing an NSPM solution allows enterprises to quickly deploy a ready-to-use system, saving valuable time and reducing costs associated with development, testing, and maintenance.

4. Inability to scale: As enterprises grow and their network infrastructure expands, the demands on their NSPM solution increase. NSPM vendors design their solutions with scalability in mind, accommodating the evolving needs of enterprises seamlessly. Building an in-house solution that can scale effectively may prove challenging, leading to potential inefficiencies and increased expenses.

5. Inadequate updates and support: Network security is an ever-changing landscape, with new threats emerging regularly. Trusted NSPM vendors provide regular updates to their solutions for new vendor devices, software versions, and features, ensuring that enterprises are equipped with the latest security defenses. Additionally, reputable vendors offer ongoing support and assistance, helping enterprises address issues promptly and efficiently. Developing and maintaining an in-house system with the same level of continuous updates and support can be daunting and resource intensive.

6. Lack of integration and compatibility: Enterprises typically use a range of security tools and devices to protect their network. NSPM solutions are designed to integrate seamlessly with various security infrastructure components, providing a unified and cohesive security management environment. Developing an in-house solution that aligns with existing tools and devices can be complex and may lead to compatibility issues. 

7. Unproven security and reliability: Proven NSPM solutions undergo rigorous testing and validation processes to ensure they meet industry standards for security and reliability. Vendors prioritize data protection and deploy robust security measures to safeguard sensitive information. Building an in-house solution that adheres to the same high standards might be challenging, and any lapses in security could have severe consequences for the enterprise.

8. Time-consuming training and development: The talent you have today might not be the talent you have tomorrow, which means continuously training new teams that have never seen the system before is a significant, ongoing effort. Building a robust and secure NSPM solution demands expertise in network security, software development, and policy management. If the enterprise lacks these skills, the result can be vulnerabilities and ineffective security controls.

While building an in-house network security policy management solution might seem appealing to some enterprises, the benefits of opting for a trusted and specialized solution far outweigh the drawbacks. NSPM vendors offer expertise, a comprehensive feature set, scalability, continuous updates, integration support, and robust security measures. By opting for a proven NSPM solution, enterprises can focus on their core business objectives while ensuring their network remains secure, compliant, and protected against emerging cyber threats.  

FireMon provides expertise, efficiency, scalability, continuous support, and compliance features that empower enterprises to bolster their network security posture effectively. By choosing FireMon, enterprises can focus on their core business objectives while confidently safeguarding their network from the ever-evolving cyber threats. 

Asset Visibility: A Critical Component of Security Hygiene
https://www.firemon.com/asset-visibility-a-critical-component-of-security-hygiene/ – Fri, 31 Mar 2023 19:18:16 +0000

As the world becomes increasingly digitized, cybercrime has become one of the most significant threats that organizations face. Environments are expanding at a rapid pace and cybercriminals are always looking for new ways to exploit vulnerabilities in computer systems and networks, making security hygiene a high priority for preventing attacks. In this blog post, we will explore why asset visibility is essential to good cybersecurity hygiene. 

Asset visibility is the ability to see everything connected to a network, from servers and workstations to Shadow IT and IoT devices. It involves collecting data about each device, including what it is, where it is, and what it is interconnected with.  

When protecting your organization from cybercrime, the first step is to fully understand your environment and all that needs to be secured. You cannot protect what you cannot see. It sounds simple enough, but mergers and acquisitions, divestitures, and even onboarding remote new hires can significantly and rapidly expand your security team’s responsibilities. If you are not equipped to properly identify, manage, and secure your new assets, they become an immediate liability. 

Asset visibility is critical for several reasons: 

  1. Identify Unknown Assets: Without asset visibility, it’s impossible to know what assets exist on your network or whether they are secure. This lack of visibility leaves you open to vulnerabilities that weaken your security posture. By identifying all assets, you can identify vulnerabilities proactively and take steps to mitigate them. 
  2. Improve Attack Response Time: When you have full visibility into your assets, you can detect and respond to attacks faster. In the event of a security incident, you can quickly determine which devices are affected and take remedial action before the attack spreads. 
  3. Ensure Compliance: Many industries have strict compliance requirements that organizations must meet to avoid penalties and fines. Asset visibility enables you to monitor and manage assets across your network, helping ensure compliance with regulations like HIPAA and PCI-DSS. 
  4. Strengthen Your Security Posture: Asset visibility provides insights into your network’s security posture. You can identify unapproved devices and applications, unauthorized accounts, and unusual network activity, which can all be indicators of a potential attack. 
  5. Continuous Monitoring: Knowing the status of a device or network last week, or even yesterday, isn’t good enough. Continual asset discovery ensures that you have the latest up-to-date information on all assets. 
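The reconciliation step behind points 1, 2 and 5, as an added example (this is illustration code, not FireMon or Asset Manager code): discovery observations are collapsed into an inventory keyed by MAC address, then diffed against the approved asset list to surface unknown devices, approved devices that were never seen, devices not seen recently, and devices living on segments the team did not think it managed. The observation records, the approved list and the managed segments are all constructed for the example.

```python
"""Asset inventory reconciliation: build an inventory from discovery
observations and diff it against the approved asset list.

Added example, not FireMon or Asset Manager code. The observation format,
the approved list and the managed segments are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed "what we think we own" list, keyed by MAC (a CMDB export in practice).
APPROVED = {
    "00:11:22:33:44:01": {"hostname": "web01", "owner": "app-team"},
    "00:11:22:33:44:02": {"hostname": "db01", "owner": "dba"},
    "00:11:22:33:44:03": {"hostname": "dr-replica", "owner": "dba"},
}

# Segments the security team believes it manages (constructed).
MANAGED_SEGMENTS = [ip_network("10.0.1.0/24")]

# Constructed discovery observations, as ARP tables, DHCP leases or a passive
# listener would produce them: (timestamp, ip, mac, hostname or None).
OBSERVATIONS = [
    ("2023-03-30T09:00:00", "10.0.1.10", "00:11:22:33:44:01", "web01"),
    ("2023-03-30T09:00:00", "10.0.1.20", "00:11:22:33:44:02", "db01"),
    ("2023-03-30T09:05:00", "10.0.1.77", "de:ad:be:ef:00:01", None),          # not in APPROVED
    ("2023-03-31T09:00:00", "10.0.1.10", "00:11:22:33:44:01", "web01"),
    ("2023-03-31T09:00:00", "10.0.9.5",  "de:ad:be:ef:00:02", "rpi-sensor"),  # unknown, off-segment
    ("2023-03-31T09:01:00", "10.0.1.20", "00:11:22:33:44:02", "db01"),
]


@dataclass
class Asset:
    mac: str
    ips: set = field(default_factory=set)
    hostname: Optional[str] = None
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None


def build_inventory(observations):
    """Collapse observations into one Asset per MAC, keeping first/last seen."""
    inventory = {}
    for ts, ip, mac, hostname in observations:
        seen = datetime.fromisoformat(ts)
        asset = inventory.setdefault(mac, Asset(mac=mac))
        asset.ips.add(ip)
        asset.hostname = asset.hostname or hostname
        asset.first_seen = seen if asset.first_seen is None else min(asset.first_seen, seen)
        asset.last_seen = seen if asset.last_seen is None else max(asset.last_seen, seen)
    return inventory


def reconcile(inventory, approved, now, stale_after=timedelta(days=1)):
    """Classify the inventory:
    unknown      seen on the wire but not approved (Shadow IT, IoT, new acquisitions)
    missing      approved but never observed (decommissioned, or a discovery gap)
    stale        approved and seen, but not within stale_after (yesterday is not good enough)
    off_segment  has an address outside the segments we believed we managed
    """
    def in_managed(ip):
        return any(ip_address(ip) in net for net in MANAGED_SEGMENTS)

    return {
        "unknown": sorted(m for m in inventory if m not in approved),
        "missing": sorted(m for m in approved if m not in inventory),
        "stale": sorted(m for m, a in inventory.items()
                        if m in approved and now - a.last_seen > stale_after),
        "off_segment": sorted(m for m, a in inventory.items()
                              if not all(in_managed(ip) for ip in a.ips)),
    }


def report(observations, approved, now_iso):
    """Observations + approved list + 'now' (ISO 8601) -> reconciliation dict."""
    return reconcile(build_inventory(observations), approved, datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    for category, macs in report(OBSERVATIONS, APPROVED, "2023-03-31T10:00:00").items():
        print(f"{category:12s} {macs}")
```

Run it once a day and the "stale" bucket is empty; run it after a weekend of no observations and every approved host lands there, which is the point of point 5: the inventory is only as current as the last discovery pass that fed it.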

In conclusion, asset visibility is crucial to good cybersecurity hygiene. It enables you to identify unknown assets, improve response times, ensure compliance, achieve continuous monitoring, and strengthen your security posture. Without asset visibility, your organization is at risk of cyberattacks that could lead to data breaches, reputational damage, and financial losses. Therefore, it’s essential to invest in tools and processes that provide asset visibility and continuously monitor your network for potential threats. 

FireMon’s Asset Manager, formerly Lumeta, is a real-time network visibility solution that monitors an organization’s entire environment for anomalies, potential threats, and compliance violations. It continuously scans and discovers the entire network infrastructure for every device and connection, including firewalls, routers, endpoints, and cloud devices. Other asset discovery tools require a person to initiate asset discovery searches, wasting precious time and leaving assets vulnerable. Asset Manager has been around for over 22 years and is used by many Fortune 500 companies. It is widely recognized for its consistency, scalability, and reliability. On average, Asset Manager finds 30-70% more assets than our competitors, which can mean thousands of unprotected devices waiting to become an attack vector for cybercriminals.

Contact us to find out more about FireMon’s Asset Management solution. 

Back to Basics: What’s the Password?
https://www.firemon.com/back-to-basics-whats-the-password/ – Thu, 22 Sep 2022 18:51:28 +0000

Cyber safety is not just for CISOs or techies anymore. Technology touches all of us nearly every single day, from baby nurseries to nursing homes. It is so important that everyone understands the basics of safe cyber activity. October is Cybersecurity Awareness Month and FireMon is here to provide tips in an easy-to-understand format for even the youngest of readers. So, please share with your friends and family and stay safe out there!

As kids, most of us innately understood the importance of passwords. Want to get into my club? What’s the password? Want to sit with me? What’s the password? Young kids often use their favorite animal or color: easy to guess. But as children get older, the passwords become more obscure and change often. Stronger passwords equal more exclusivity. Unfortunately, as we get even older, stronger passwords seem to require too much effort.

According to Verizon’s Data Breach Investigations Report (DBIR) 2022, poor password practices have been one of the leading causes of data breaches since 2009.  You may find it annoying – constantly signing into different accounts separately – but if you do nothing else, please make your passwords strong.

Massive corporate incidents often make headlines, like the TJ Maxx, Target, Marriott, and Equifax breaches. However, the many smaller attacks on individuals resulting in stolen credit card data, identity theft, or social media hacks rarely reach the masses. Bad guys love to take advantage of the low-hanging fruit, which is often the average consumer. Their easiest target: passwords. Stolen credentials (aka stolen passwords/login information) accounted for 80% of breaches in 2021.

It is tempting to use the same simple password for all of your logins. It is painless and easy to remember. “Forgot my password” can be a frustrating time-suck. I get it. REALLY. But for the sake of your card data, social media access, and personal identity, please do not be the low-hanging fruit.

Five Tips to help you Minimize your Credential Exposure

  1. Beef up your passwords. They should be both strong and unique. You’ve heard it before: at least 12 characters and a combination of upper and lowercase letters, numbers and special characters such as #, $, &, and %. The most secure sites MAKE you make your passwords strong. Try to incorporate those rules everywhere.
  2. Don’t ever reuse passwords. Especially across your personal and business applications. Once an attacker is in one account, they are sure to try to access more. Let’s say the attacker hacks into your email. Once in, they will have access to links to your bank, credit cards, and other important sites. Do not make it easy for them by having the same password for all.
  3. Don’t ever give out your passwords. This sounds simple enough, but hackers find ways to entice you into sharing your information. Phishing is a popular method. The attacker tricks you into thinking they are a legitimate person or organization but is only capturing your data. Always double check that you are on the correct URL before providing any sensitive information.
  4. Use a password manager. They create and store unique passwords for each site and often auto-populate the password on saved devices. Password managers tend to make life easier because you don’t have to remember them! Tools like 1Password and Google Password Manager are popular options.
  5. Set up multi-factor authentication (MFA). MFA strengthens the protection of your credentials by requiring more than one proof of identity. MFA is not always practical but is one of the best ways to limit the damage if your password is stolen: without the additional verification, even a correct user ID and password will not allow access to your accounts. MFA requires at least 2 of the following for logging in:
     1. Something you know – a password
     2. Something you have – a token, authenticator app, smartphone or laptop
     3. Something you are – biometric data, like Face ID or fingerprint
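Tips 1 and 5 as a working login check, added here as an example (not code from the original post): the length-and-character-class rule from tip 1, salted password hashing so a stolen account database does not hand out the passwords themselves, and a TOTP "something you have" factor per RFC 6238 that must pass alongside the password. The user record, the fixed salt and the timestamps are constructed; the TOTP key is the RFC 6238 test key, so the codes can be checked against the RFC's own vectors.

```python
"""Password policy, salted password hashing, and a TOTP second factor.

Added example; it is not code from the original post. The user record, the
salt and the timestamps below are constructed for illustration. The TOTP
secret is the RFC 6238 test key so the codes can be checked against the RFC.
"""
import hashlib
import hmac
import os
import string
import struct
from typing import Optional

MIN_LENGTH = 12          # the post's "at least 12 characters"
TOTP_STEP = 30           # seconds per code
TOTP_DIGITS = 6


def password_meets_policy(pw: str) -> bool:
    """Length >= 12 with upper, lower, digit and special character present."""
    return (len(pw) >= MIN_LENGTH
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def hash_password(pw: str, salt: Optional[bytes] = None) -> tuple:
    """PBKDF2-HMAC-SHA256 with a per-user random salt; store (salt, hash), never the password."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 200_000)


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238: HOTP with the counter taken from Unix time."""
    return hotp(secret, at // step, digits)


# Constructed user record. A fixed salt is used only so the example is reproducible;
# a real system draws it from os.urandom as hash_password() does by default.
ALICE_PASSWORD = "Correct-Horse-Battery-9!"
ALICE_SECRET = b"12345678901234567890"          # RFC 6238 test key: "something you have"
_salt, _hash = hash_password(ALICE_PASSWORD, salt=b"constructed-salt")
USERS = {"alice": {"salt": _salt, "hash": _hash, "totp_secret": ALICE_SECRET}}


def verify_login(username: str, password: str, code: str, now: int) -> bool:
    """Both factors must check out: a correct password with a bad code fails,
    and so does a correct code with a bad password."""
    rec = USERS.get(username)
    if rec is None:
        return False
    pw_ok = hmac.compare_digest(hash_password(password, rec["salt"])[1], rec["hash"])
    # Accept the current step and the previous one to tolerate small clock drift.
    valid = (totp(rec["totp_secret"], now), totp(rec["totp_secret"], now - TOTP_STEP))
    code_ok = any(hmac.compare_digest(v.encode(), code.encode()) for v in valid)
    return pw_ok and code_ok


if __name__ == "__main__":
    now = 59
    print(password_meets_policy(ALICE_PASSWORD), password_meets_policy("password123"))
    print(verify_login("alice", ALICE_PASSWORD, totp(ALICE_SECRET, now), now))   # True
    print(verify_login("alice", ALICE_PASSWORD, "000000", now))                  # False
```

The one-step drift window is a deliberate trade-off: a wider window makes a leaked or shoulder-surfed code useful for longer. Note also that the TOTP secret itself is a credential and has to be protected in storage like the password hash.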

The Internet is an incredible place. Enjoy and scroll responsibly!

Considering Change Management? Consider FireMon
https://www.firemon.com/considering-change-management-consider-firemon/ – Thu, 15 Sep 2022 18:45:13 +0000

Save time and resources while eliminating the risks caused by misconfigurations

Good policy hygiene restricts access to only what is necessary to meet the needs of the business: nothing more and nothing less. As discussed in a recent blog, poor policy hygiene creates vulnerable paths that bad actors can use to gain access. Centralizing your change management across all of your resources is key to preventing misconfigurations that can lead to costly breaches and outages. In this blog, we will discuss how FireMon meets these needs.

FireMon centralizes all of your security policy enforcement data into a single pane, a rule repository, and allows you to manage policies across all of your devices from ground to cloud. It integrates with hundreds of vendors, including Splunk, AWS, Swimlane, and Qualys, to consolidate policy management and visibility. With FireMon, you have one place to investigate a policy, which drastically increases the efficiency of your team.

When changes are made to your policy environment you should immediately ask, “Did I expect this change? Did I analyze the change for impact: security posture, compliance posture, business operations? Are we granting only what is necessary to meet the needs of the business?” Typically, access that’s granted is greater than what is necessary, which gives way to overly permissive rules. It is imperative these policies are managed to maintain a strong security posture. With FireMon’s change management workflow capabilities, you learn the full implications of every policy change prior to implementation and proactive “what-if” impact analysis recommendations prevent disruptions in service and security to keep your network running smoothly.

FireMon Change Management Key Features

Real-Time Change Monitoring

Real-time change monitoring is crucial to stay ahead of problems before they start. FireMon monitors policy changes across the entire environment, on any device: on premises or in the cloud. If a policy is changed, you’ll know about it—and our custom alerts mean you’ll find out about it in the way you want.

Efficient Change Workflows

Our workflows take the complicated, messy, and time-consuming processes of new rule creation and changes to existing policies and streamline both. FireMon evaluates each request for its impact across the environment. It identifies all the firewalls and other devices in the traffic path to create a recommendation for how the rule should be created, what objects can be reused, and how to enforce it. All this is performed through a workflow process that dramatically reduces the time it takes to deploy rules, and to deploy them accurately.

Policy Change Automation

FireMon can fully automate the deployment of a policy change with our automation tools. Once a rule is ready to go, the changes can be made manually or the FireMon platform can deploy them automatically to the affected devices immediately or schedule them during approved change windows. Once sent, the changes can be fully implemented in a matter of minutes.

Additional features include:

Change Detection & Reporting

Isolate, document and, when necessary, alert on every ongoing change implemented throughout your existing firewall policies.

Change Comparison Views

Review every proposed rule change against your existing firewall policies to ensure consistency and prevent redundancy.

Text-Comparison

Evaluate every proposed text edit against your existing firewall policies to ensure consistency and prevent redundancy.

What-If Analysis

Perform proactive what-if impact analysis of any proposed changes to your existing firewall policies, prior to implementation.

Revision History

Create detailed documentation of all changes to your existing firewall policies to track, search and understand revisions.

Rule History

Aggregate detailed documentation of all rules applied within your existing firewall policies to maintain a comprehensive repository.

Rule Recommendations

Leverage full visibility across all of your existing firewall policies to inform ongoing change and ensure effective implementation.

Systems Integration

Utilize standards-based (BPMN 2.0) integration with your existing firewall policy workflow (e.g. ticketing) management processes.

Change Process Workflow

Employ fully customizable workflow process automation for all ongoing changes made to your existing firewall policies.

Change Auditing

Audit every change made to your existing firewall policies with full search and historical event logs.

Changing firewall rules and security policies isn’t a glamorous task, but the consequences of getting it wrong can be quite severe. FireMon is designed to make change management simple, accurate, and timely.

Security is Hard and the Stakes are High
https://www.firemon.com/security-is-hard-and-the-stakes-are-high/ – Wed, 03 Aug 2022 18:18:08 +0000

How decision support tools improve both speed and accuracy for your security operations teams.

It has been said that cybersecurity is an asymmetric game where the attackers have the advantage. An attacker must only be right once; while the defender must be right all the time. One simple mistake can lead to devastating consequences including data breaches, business disruptions, service outages, and ransomware infections.

But getting security “right” is hard. In a very small environment of a single system or network, such as your home network, it may seem simple to get it right. Block all inbound access and patch a few systems? Done.

Unfortunately, security challenges grow exponentially as the complexity of the network expands. Every new device, user, and service requiring connectivity to other resources increases complexity of the environment proportional to n-squared.

If you are a large enterprise managing 100,000 or more resources, the complexity will be obvious. However, did you realize that you are responsible for managing over 10 billion possible connections? And it is even more complex than that when you recognize that each system exposes more than one service (check out Metcalfe’s Law if you want to read more). As my good friend Rich Mogull says, “simple doesn’t scale”.

Let’s put this idea of complexity into the context of network security policy management. Consider a company managing 300 firewalls with 300 rules on each firewall. For this exercise we’ll assume that each rule references three class C (/24) networks as source, three as destination, and three services between them (e.g. HTTPS, SQL, SSH).

In this environment, the security team is responsible for managing:

  • 300 firewalls
  • 90,000 firewall rules (300 × 300)
  • 2,430,000 logical firewall rules (source object, destination object, service): 3 × 3 × 3 = 27 combinations per rule
  • 159,252,480,000 (roughly 160 billion) connections (source IP, destination IP, service): each /24-to-/24 pair is 256 × 256 = 65,536 address pairs

This “simple” environment with 300 firewalls and 300 rules on each firewall requires a security operations team to manage roughly 160 billion connections. Getting this right is impossible without some form of automated analysis.

Complexity isn’t the only challenge. Security is required to support the business and the business changes fast. New applications are being brought online, new partners are being connected, old services are deprecated, and it all needs to be supported now. An acceptable response time is different for each company and can range from minutes to months, but rarely is it ever fast enough. Getting it right and doing it fast are often at odds, but it is the mandate of security professionals.

And if all that isn’t bad enough, you can’t just throw more people at the problem. There’s always pressure to keep the cap on hiring new folks. Even if you were given the green light to staff up, you’d be hard pressed to find qualified resources without paying a fortune in today’s job market.

So how do you meet these challenges that are growing exponentially with resources that at best are only growing linearly?

The answer is to empower your team with decision support tools. Using our earlier example of firewalls, let’s look at some specific challenges and how better tools improve security outcomes of reduced risk, continuous compliance, and reduced time to accurately deploy policy changes.

Reduce Risk

Every rule in a firewall policy that allows traffic to pass introduces risk to the organization. Much of this is an acceptable and necessary risk to enable the business to function. For example, an email server that isn’t allowed to send or receive SMTP traffic isn’t very useful. However, a shocking number of rules in production firewalls are not necessary and many allow unnecessary or unnecessarily high-risk access.

With our example of 160 billion connections to manage, how do we distinguish those that are useful and necessary from those that are not? A network security policy management solution can provide the decision support necessary to assess all 160 billion connections and identify those that need to be removed.

  • Find redundant rules: Redundant rules add unnecessary complexity to a policy. They serve no purpose as they duplicate an existing rule, but they add complexity that can easily lead to mistakes. These are low hanging fruit that can be removed with no risk.
  • Find shadowed rules: A less obvious case than a fully redundant rule is one that is “shadowed” by another rule. This rule adds no value and simply adds complexity to the policy. Remove these rules.
  • Find unused rules: With proper monitoring of log traffic, it is possible to detect rules that exist in a policy but are not being used (no traffic matches the rule). These rules not only add complexity to the policy, they add risk. They must be reviewed before a decision is made to remove them, as a critical process, such as a disaster recovery system, may rely on them but not generate any traffic unless it is being tested.
  • Find unused objects in a rule: In our example rule with 3 source networks, 3 destination networks, and 3 services, it is very common for some of these to be unnecessary. Using similar techniques to identifying unused rules, it’s possible to identify unused objects in a rule. Each unused object represents unnecessary risk and should be removed.
  • Find risky services: Some access just shouldn’t be allowed. For example, system management performed over unencrypted protocols can expose sensitive data and credentials. For this reason, services like telnet should not be permitted in most cases. Find all rules that permit the use of high-risk services and remove the access. If necessary, work with the systems teams to modify how these systems are accessed prior to modifying the policy to avoid system interruptions.
  • Find rules that violate zone policies: In all cases, firewalls are configured to separate network segments. In most cases, security policies can be defined to describe what is considered acceptable traffic between different zones. Examples can include what access is allowed between HR and Finance, or environments hosting PII data and a user network. Evaluating firewall rules against these zone policies identifies rules violating these policies that need to be reviewed and remediated.

Enforce Compliance

Most organizations are required to adhere to one or more internal or external compliance frameworks. Even if there isn’t a requirement, it’s still useful to validate the effectiveness of an organization’s security policies and processes against these frameworks. The complexity of these environments makes these evaluations challenging and in some cases not even possible using manual review processes. Not only does automation make it possible, it makes it achievable to enforce continuous compliance by identifying failures in near-real time. It also prevents mistakes from being made when integrated into a comprehensive firewall policy change management process.

Manage Change

Even if everything is perfect in our example network with all 160 billion connections working exactly as the business needs, a single change can introduce risks that can lead to devastating results. Change is inevitable and the security teams must be able to respond quickly and accurately. Whether that is a change due to business requirements or an external threat that must be mitigated, it can easily introduce new risks or even service outages. Knowing how to best implement the change without introducing unnecessary risk is a daunting task that is best suited to automated decision support tools. Examples of use cases include:

  • Evaluate risk and compliance of a change request: Some change requests just shouldn’t be implemented. How do you evaluate the potential impact of these changes? Does it expose access to a system that is known to have a vulnerability? Does it violate a zone access policy? The manual processes to review these requests can take weeks and in some cases even months. With every hour that goes by, the business gets more and more frustrated leading to “emergency requests” that bypass the processes and security controls designed to prevent high-risk changes. Automated pre-change assessment tools identify high-risk rules in real time and offer the option to kick them back to the requestors, or pass them to an exception handling process.
  • Evaluate how to implement the change: Firewall vendors have done a great job of making it very easy to implement changes to existing rules. However, determining what changes to make and which firewall to change can be extremely difficult in an enterprise environment. Among our existing 160 billion connections, all the access necessary for a new rule request may already be in place, but we may not know it. There also may be an existing rule that only needs a simple modification instead of creating a new rule that might be redundant. Identifying which policies and devices need to be modified and where in the policy to make the change can take hours to determine. This entire process can be automated with the right decision support tool to empower security operations teams to make the right change faster.
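The checks described under “Reduce Risk” (redundant, shadowed, unused and risky rules, zone-policy violations) and the pre-change assessment under “Manage Change”, as one added example (this is illustration code, not FireMon’s). The rule set, hit counts, zone map and zone policy are constructed. “Covered” here means fully contained in a single earlier rule, so a rule hidden only by the union of several earlier rules is not flagged; a production analyzer has to compute that union.

```python
"""Firewall rule-base analysis and pre-change assessment over a small,
constructed rule set. Added example, not FireMon code: the rules, hit counts,
zone map and zone policy are invented for illustration, and "covered" means
fully contained in one earlier rule (a union of several earlier rules is not
considered).
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # CIDR
    dst: str      # CIDR
    svc: str      # "proto/port" or "any"
    action: str   # "allow" or "deny"


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every (src, dst, svc) matched by `inner` is also matched by `outer`."""
    return (ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
            and outer.svc in ("any", inner.svc))


def redundant_and_shadowed(rules):
    """Top-down, first-match rule base: a rule fully covered by an earlier rule never
    matches. Same action -> redundant (safe to remove); different action -> shadowed."""
    redundant, shadowed = [], []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                bucket = redundant if earlier.action == rule.action else shadowed
                bucket.append((rule.name, earlier.name))
                break
    return redundant, shadowed


def unused(rules, hits):
    """Rules with zero log hits. Review before removal: a DR path may be idle by design."""
    return [r.name for r in rules if hits.get(r.name, 0) == 0]


RISKY_SERVICES = {"tcp/23": "telnet", "tcp/21": "ftp"}   # cleartext management/transfer


def risky(rules):
    return [(r.name, RISKY_SERVICES[r.svc]) for r in rules
            if r.action == "allow" and r.svc in RISKY_SERVICES]


ZONES = {"10.9.0.0/24": "user", "10.10.0.0/24": "pii"}   # anything else is "app"
ALLOWED_ZONE_PAIRS = {("app", "app"), ("user", "app")}      # user -> pii is not permitted


def zone_of(cidr: str) -> str:
    net = ip_network(cidr)
    for zone_net, name in ZONES.items():
        if net.subnet_of(ip_network(zone_net)):
            return name
    return "app"


def zone_violations(rules):
    return [(r.name, zone_of(r.src), zone_of(r.dst)) for r in rules
            if r.action == "allow" and (zone_of(r.src), zone_of(r.dst)) not in ALLOWED_ZONE_PAIRS]


def evaluate_request(rules, request: Rule):
    """Pre-change assessment: zone policy, risky service, and whether an existing
    rule already decides the requested traffic (so no new rule is needed)."""
    findings = []
    pair = (zone_of(request.src), zone_of(request.dst))
    if pair not in ALLOWED_ZONE_PAIRS:
        findings.append(f"zone policy: {pair[0]}->{pair[1]} not allowed")
    if request.svc in RISKY_SERVICES:
        findings.append(f"risky service: {RISKY_SERVICES[request.svc]}")
    for rule in rules:                      # first match wins
        if covers(rule, request):
            findings.append(f"already matched by {rule.name} ({rule.action})")
            break
    return findings


RULES = [
    Rule("R1", "10.1.0.0/16", "10.2.0.0/24", "tcp/443", "allow"),
    Rule("R2", "10.1.5.0/24", "10.2.0.0/24", "tcp/443", "allow"),   # redundant with R1
    Rule("R3", "10.3.0.0/24", "10.4.0.0/24", "tcp/22", "deny"),
    Rule("R4", "10.3.0.0/25", "10.4.0.0/24", "tcp/22", "allow"),    # shadowed by R3
    Rule("R5", "10.5.0.0/24", "10.6.0.0/24", "tcp/23", "allow"),    # telnet
    Rule("R6", "10.7.0.0/24", "10.8.0.0/24", "tcp/1433", "allow"),  # no hits in logs
    Rule("R7", "10.9.0.0/24", "10.10.0.0/24", "tcp/445", "allow"),  # user -> pii
]
HITS = {"R1": 5000, "R3": 12, "R5": 3, "R7": 40}   # constructed log hit counts


if __name__ == "__main__":
    print("redundant/shadowed:", redundant_and_shadowed(RULES))
    print("unused:", unused(RULES, HITS))
    print("risky:", risky(RULES))
    print("zone violations:", zone_violations(RULES))
    print(evaluate_request(RULES, Rule("req", "10.1.7.0/24", "10.2.0.0/24", "tcp/443", "allow")))
```

Two things the toy deliberately leaves out are what make the real problem hard: a request that is only partially covered (some of its addresses hit an existing allow, the rest fall through to a deny) and coverage by the union of several earlier rules, both of which require set arithmetic over address ranges rather than a single containment test.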

Security is hard and the stakes are high. Give your teams the tools they need to do their job.

To learn more about how FireMon can provide the decision support your team needs please visit our Security Policy Solution page.

Does SASE Make Sense in Your Environment?
https://www.firemon.com/does-sase-make-sense-in-your-environment/ – Sat, 22 Jan 2022 16:29:10 +0000

Experts from FireMon and Zscaler discuss why you should consider SASE and what to know when you make the migration

The world has gone hybrid. Some assets are on-premises and some are in the cloud. And they all need management. That wasn’t an easy task even before COVID, and now that workforces are remote and workloads have exploded in volume, the challenge of providing secure access is only greater.

The common hub-and-spoke model of security can’t provide effective security in a dynamic hybrid environment. Secure Access Service Edge, or SASE (pronounced ‘sassy’) is a distributed model that answers the security challenges businesses face today. While SASE is still in the early stages of adoption, Gartner forecasts its market will reach almost $11 billion in the next four years.

SASE consolidates WAN and network security services like CASB and Zero Trust into a single cloud-delivered service. Its capabilities are based on entity identity, real-time context, security and compliance policies, and continuous assessment of risk and trust during each session. Entities may be individuals, groups of people, devices, services, applications, IoT devices, or edge computing locations.

SASE reduces threats by letting the policy follow the user. “As workforces and workloads move from the branch office locations or homes or coffee shops, SASE makes the whole security stack available as an edge location – close to the user,” said Naresh Kumar, Director of Product Management at Zscaler. “And because you’re getting security close to the edge, the end user experience is not impacted. That’s a critical piece of SASE.”

Top 3 drivers for SASE adoption

“The biggest challenge we’ve seen from a security perspective is how to secure everyone during this sudden shift to work-from-anywhere,” said Kumar. “Branch offices, SaaS, remote workforces… security needs to be applied to all of them consistently.”

“The next is whether IT has enough resources outside the perimeter they were formerly owning and managing to get the desired level of protection. With the new phase of SaaS, there’s a need for additional context around managing company devices and personal devices, such as data privacy issues.”

The third challenge, said Kumar, is the most important — how to ensure corporate policies are normalized and the business has complete visibility across its hybrid environment. Tim Woods, Vice President of Technology Alliances at FireMon added, “That’s not an easy task when you consider all the different areas that that must be managed from a security perspective. But regardless of how we connect our people to the required resources, we still need to maintain a consistent policy visibility. It’s very important we have visibility and awareness of change across that hybrid model from top to bottom.”

How to address these challenges with SASE

“Centralize security controls across all entities”

Visibility is hindered by what Woods referred to as security/responsibility fragmentation. “When there’s a lack of centralized policy control — too many chefs in the kitchen, so to speak — you begin to see a negative impact on consistency, and inconsistency creates security gaps.”

“If you’re dealing with different security facts for your users sitting in branch offices or at headquarters versus your remote users using a VPN, you will never be able to achieve consistency,” said Kumar. “And consistency is a key tenet of SASE. It’s essential to performance and scale.”

Kumar said the number of security tools companies are currently using is part of the problem. “Right now, security and networking teams have to swivel between a lot of different screens to understand what’s happening. Every entity, like a branch office or a user, is handled in a different way.” But visibility can only be achieved when it’s handled in a centralized manner. That includes the ability to manage policies across a heterogeneous environment like a hybrid cloud.

“When I hear heterogeneity, I think complexity,” said Woods. “And this is where not only centralized visibility, but centralized quality control become paramount. It’s not just for our own people, it’s for any access we allow into our extended hybrid infrastructure.” Visibility and quality control must be applied to connections from partners, temporary contractors, subsidiaries, mergers and acquisitions, etc., just as they are applied to the business’s own connections. “We need to consider those remote connections and the potential risk they bring with them,” said Woods. Otherwise, the business is at the mercy of whatever security controls those connections’ third-party providers have chosen to stand up – or failed to stand up.

“All too often, we’ve seen breaches occur as the result of a bad actor gaining access to a third-party connection,” said Woods. “Bad actors are constantly seeking out that path of least resistance. And when they find it, they definitely will exploit it. So being able to wrap those third-party connections into your cloud security plan can ensure you have that equal footing — equal security controls — across all entities.”

“You’re only as good as your last change”

“I cannot tell you how many times I’ve heard from the customers that they don’t feel like they have a good perspective over the entirety of their real estate,” said Woods. “They don’t know where they’re secure and where their security gaps exist. They don’t know how many tools they have or how many platforms. They don’t know how to share information across platforms or enrich data to raise the total value of their combined security solutions.”

Businesses that lack these capabilities also lack the ability to scale, and certainly cannot scale on demand. Woods said, “The cloud landscape is like shifting sand. It changes very quickly. It’s a scary reality when you consider that the resources we place in the cloud could quickly become internet-facing through a simple misconfiguration. This really underscores the need for an agile security policy management model. I like to say that you’re only as good as your last change.”

Woods said that before a change is implemented, the business should already know the answers to these questions:

  • Will this change break compliance?
  • Will it introduce unacceptable risk?
  • Will it expose the infrastructure to a known vulnerability that wasn’t previously exposed, such as one caused by a policy conflict?
  • Does it provide overly-permissive access from a policy perspective?
  • Does it break business continuity?
  • Will it impact anything critical to business operations?

“Am I going to run around and troubleshoot to figure all that out,” asked Woods, “or can I be proactive and know enough in advance to say, hey, we can’t allow this change because we’ve already assessed it and we know it will have a negative impact on our business continuity?”

“Don’t bring old rules into new systems”

When discussing migration, Kumar said, “It’s not a good idea to bring the same policies from your appliances into the cloud. Then you’re just moving the problem from one place to another. Cloud migration is an opportunity to identify which rules are really securing your things. Because over time, rules pile up and sometimes those rules aren’t even hit anymore. They’re just out there, doing nothing but slowing down your performance and maybe even creating vulnerabilities.”

“Policy bloat is a real problem,” Woods said. “It’s all of the stuff that gets built up in the policies over time that doesn’t need to be there, whether it’s unused rules, redundant rules, shadowed rules, duplicate rules or technical mistakes, stagnant rules, rules that have just gone to sleep. And if you’re not vigilant in staying on top of them, bad things can happen — like inadvertent access. Trying to analyze policy behavior becomes a mess. So any time you want to migrate a policy, my recommendation is to always make sure you have a good, clean policy to start with. It needs to make sense for the environment you’re moving to.”
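The pre-change questions Woods lists (overly permissive access, policy conflicts, exposure of something previously blocked) and the bloat categories he names here (shadowed and redundant rules) can be checked mechanically before a rule is pushed. The Python below is an added example written for this page, not FireMon Policy Planner or any vendor's pre-change analysis. The `Rule` model, the sample policy, the first-match-wins evaluation and the /16 source threshold are assumptions; matching is simplified to a CIDR source, a CIDR destination and a set of ports.

```python
"""Pre-change analysis of a proposed firewall rule.

Added example for this page, not FireMon Policy Planner or any vendor's
pre-change analysis. It mechanizes the questions a change should answer before
it is pushed: is the rule overly permissive, is it shadowed by an earlier rule
(and so never matched), does it make later rules redundant, or does it override
a later drop and expose something the policy previously blocked. Matching is
simplified to a CIDR source, a CIDR destination and a set of TCP/UDP ports.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import FrozenSet, List

ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    ports: FrozenSet[int]   # empty set means "any port" (assumption for this example)
    action: str             # "accept" or "drop"


def rule(name, src, dst, ports=(), action="accept"):
    """Small constructor so sample policies read like a firewall rule base."""
    return Rule(name, ip_network(src), ip_network(dst), frozenset(ports), action)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` would also match `outer`."""
    ports_ok = not outer.ports or (bool(inner.ports) and inner.ports <= outer.ports)
    return inner.src.subnet_of(outer.src) and inner.dst.subnet_of(outer.dst) and ports_ok


def analyze_change(policy: List[Rule], proposed: Rule, position: int,
                   max_src_prefix: int = 16) -> List[str]:
    """Findings a reviewer should see before `proposed` is inserted at index `position`.

    An empty list means the change passed every check in this (simplified) model.
    The /16 source threshold is an assumption, standing in for a tunable compliance control.
    """
    findings = []

    # 1. Overly permissive access: the "Any - Any - Any - Accept" case, or a source wider than /16.
    if proposed.action == "accept":
        if proposed.src == ANY and proposed.dst == ANY and not proposed.ports:
            findings.append("BLOCK: any/any/any accept")
        elif proposed.src.prefixlen < max_src_prefix:
            findings.append(f"RISK: source {proposed.src} is wider than /{max_src_prefix}")

    # 2. Policy conflict: an earlier rule already matches everything this one would, so it is dead on arrival.
    for earlier in policy[:position]:
        if covers(earlier, proposed):
            findings.append(f"SHADOWED: never matched, {earlier.name} matches first")
            break

    # 3. Effect on later rules: same action means bloat; opposite action means the later control is overridden.
    for later in policy[position:]:
        if covers(proposed, later):
            if later.action == proposed.action:
                findings.append(f"REDUNDANT: makes {later.name} unreachable")
            else:
                findings.append(f"EXPOSURE: overrides {later.action} rule {later.name}")

    return findings


# Constructed sample policy: first match wins, explicit drop at the end.
SAMPLE_POLICY = [
    rule("web-in", "0.0.0.0/0", "10.0.1.0/24", [443]),
    rule("db-from-app", "10.0.2.0/24", "10.0.3.0/24", [5432]),
    rule("deny-all", "0.0.0.0/0", "0.0.0.0/0", [], "drop"),
]

if __name__ == "__main__":
    junior = rule("permit-all", "0.0.0.0/0", "0.0.0.0/0", [])
    for finding in analyze_change(SAMPLE_POLICY, junior, position=1):
        print(finding)
```

Run against the constructed policy, an any/any/any accept inserted at position 1 is blocked outright and is also reported as making `db-from-app` redundant and overriding `deny-all`, which is exactly the "exposed to something previously blocked" case from the checklist; a rule that duplicates `db-from-app` with a narrower source is reported as shadowed, the same dead rule that later shows up as bloat.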

SASE helps businesses “be faster than change”

The five factors that work against network security policy agility are:

  1. Lack of visibility/insight
  2. Lack of compatibility/integration
  3. Changes in the environment
  4. Inability to scale
  5. Expanding attack surface

SASE helps organizations break away from these restrictions by enabling consistent and proactive compliance combined with centralized and simplified visibility and policy management. Businesses can keep track of everything happening in the network. The result, said Woods, is “positive business outcomes that result from having a proactive posture and monitoring for changes. Businesses need to be ‘faster than change,’ meaning I want to be able to analyze change before it gets implemented. If you’re not evaluating changes, you’re going to be caught off-guard. Sooner or later, you’ll miss something critical. Anywhere we can reduce complexity, we’ll inherently bring about better security and compliance.”

Scary Stories to tell in the Network https://www.firemon.com/scary-stories-to-tell-in-the-network/ Tue, 26 Oct 2021 18:06:12 +0000 https://firemon2023.wpengine.com/?p=633

With Halloween around the corner, here’s a real-world firewall policy horror story. (For effect, feel free to imagine this in a scary, raspy cautionary voice… or Morgan Freeman if you prefer.)

As a Sales Engineer, I spend a lot of days doing demos of our products, talking to Security Engineers, Compliance Folks, DevOps Managers, and CISOs about firewall and network security. Sometimes the stories of the folks in the trenches are unbelievable and sometimes downright scary. Here’s a recent tale from a customer that will keep every firewall engineer up at night.

Scenario:
The company had recently adopted a “zero trust” philosophy and had invested significant time to move closer to that goal. Over the last year they focused on cleaning up their firewall policies by writing rules specific to the business need – nothing more – just the specific IPs and networks that needed access. They were making progress when one of their engineers made a horrifying discovery: a dreaded “Any – Any – Any – Accept” rule buried in the middle of the policy.

They scrambled to figure out why this rule existed. They eventually uncovered that a junior network engineer, just trying to get something to work, had created this rule. This one rule circumvented all the progress they had made toward their zero trust goal and exposed the network to tremendous risk.

Clearly the rule had to be removed. But this rule had been in the policy – undetected – for at least 6 months and was certainly allowing business-critical traffic. In fact, log traffic indicated this was an extremely busy rule. Of course, it was likely allowing more than just business-critical traffic; it was likely permitting malicious traffic as well. They needed to remediate this problem quickly.

First, they had meetings with network folks and guessed at what some of the traffic might be, brainstorming critical applications and traffic that those familiar with the network knew might be using that rule. But ultimately, they decided they just needed to bite the bullet, remove the rule and see who screams.

So, they notified the managers across all the business units of this mistake. With embarrassment, they announced that a “hotline” would be set up with operators standing by, and ultimately had to have people test all the business-critical functions to make sure that their products, their applications, and whatever else they needed to do their jobs and to let their customers, partners and vendors do business with them would only be down until replacement rules could be set up. Yes, things did go down, and yes, they were set up to create new rules to remediate the issues, but what a nightmare.

Maybe you don’t have a nightmare scenario like I described above, but FireMon can still make your job easier by helping clean up your firewall policies. Here are a few ways in which FireMon could prevent the above scenario. And, if you ever discover a scary overly permissive rule in your policy, be sure to check out #6 below for a pain-free solution to the problem.

1) Compliance Alerting & Reporting:
We would have immediately notified the team if a rule went live that was overly permissive like this. You can basically “set the dial” on how permissive you want rules to be, such as “Rules allowing access to more than 60,000 destinations” or “Rules with Sources larger than a /16 network”.

2) Change Alerting:
This rule would be listed in our normalized view – no matter what the firewall vendor – and it would be plainly visible that it had been added, so it couldn’t be “snuck in”. Some engineers and managers get policy change reports emailed to them automatically every time a change is made – or even just a 30-day snapshot of everything that changed.

3) With our automation tool, FireMon Policy Planner, in place, it would have stopped the risky rule in its tracks – before it even got pushed. Using our “pre-change analysis”, the rule would have been identified and flagged before it was pushed to production to allow even a packet of traffic through it. That’s why compliance folks love that we don’t just recommend rules for creation based on need; like a sandboxed environment, we run our compliance algorithms before we automatically push the rules. Some clients get Policy Planner just for this feature – and utilize our APIs to access it.

4) Also with Change Alerting, the team would know for sure who made what changes and when. So in this case, since it was a junior engineer, a manager or leader could have quickly filtered/sorted the changes that user had made over the last week, or at least the last month, to see what type of changes this user had made. This is also something the compliance team could have looked at, or even the user.

5) From a documentation perspective, FireMon can be the single source of truth for things like “who requested this, who’s the application owner, when was this rule last reviewed, etc”. So, by filtering and sorting rules with rule documentation, this would have been identified more quickly too.

6) I saved the best for last. If you do have an overly-permissive rule – such as if your predecessors had a different, more “open/flexible style of rule creation” policy than you do – we have an easy way to clean up these rules. Using Traffic Flow Analysis our tool will look at each and every IP address that flows through the rule, breaking down an any/any/any into specific flows. You can export these flows and create specific rules based upon them.
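The hotline approach in the story and the Traffic Flow Analysis in item 6 both come down to the same question: which flows is a broad rule actually carrying? The Python below is an added example, not FireMon's tool or any vendor's log format. It parses constructed key=value log lines (the format, rule names, addresses and the internal range are all assumptions), aggregates the hits on a `permit-all` rule into source-subnet/destination/port flows, derives specific replacement rules busiest-first, and flags flows from outside the assumed internal range so they are justified before a rule is written for them rather than re-created just because they were observed.

```python
"""Traffic Flow Analysis for an overly permissive rule.

Added example for this page, not FireMon's tool or any vendor's log format.
It reads firewall log lines that hit a broad accept rule, aggregates the
observed flows, and derives specific replacement rules so the broad rule can be
removed deliberately instead of pulled to 'see who screams'. The key=value
log format, rule names, addresses and the internal range are all constructed.
"""
import re
from collections import Counter
from ipaddress import ip_network
from typing import Dict, Iterator, List, Tuple

# Constructed sample log: six hits on "permit-all" plus one hit on an unrelated rule.
SAMPLE_LOG = """\
2021-10-20T08:00:01 rule=permit-all src=10.20.4.17 dst=10.50.1.10 proto=tcp dport=443
2021-10-20T08:00:03 rule=permit-all src=10.20.4.18 dst=10.50.1.10 proto=tcp dport=443
2021-10-20T08:00:09 rule=permit-all src=10.20.4.17 dst=10.50.1.10 proto=tcp dport=443
2021-10-20T08:01:00 rule=permit-all src=10.20.9.5 dst=10.50.2.20 proto=tcp dport=5432
2021-10-20T08:01:12 rule=web-in src=198.51.100.7 dst=10.50.1.10 proto=tcp dport=443
2021-10-20T08:02:30 rule=permit-all src=10.20.9.6 dst=10.50.2.20 proto=tcp dport=5432
2021-10-20T08:03:00 rule=permit-all src=203.0.113.44 dst=10.50.3.30 proto=tcp dport=3389
"""

LINE_RE = re.compile(
    r"rule=(?P<rule>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) dport=(?P<dport>\d+)"
)

# Assumed internal address space; anything outside it needs a justification before a rule is written.
INTERNAL = [ip_network("10.0.0.0/8")]

Flow = Tuple[str, str, str, int]   # (source subnet, destination host, protocol, destination port)


def parse_hits(log_text: str, rule_name: str) -> Iterator[Tuple[str, str, str, int]]:
    """Yield (src, dst, proto, dport) for every line that was matched by `rule_name`."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("rule") == rule_name:
            yield m.group("src"), m.group("dst"), m.group("proto"), int(m.group("dport"))


def summarize_flows(log_text: str, rule_name: str, src_prefix: int = 24) -> Dict[Flow, int]:
    """Collapse individual hits into flows, aggregating sources to /src_prefix.

    A handful of hosts in one subnet talking to the same service become a single flow,
    which is what you want to turn into a rule; per-host rules would recreate the bloat.
    """
    counts: Counter = Counter()
    for src, dst, proto, dport in parse_hits(log_text, rule_name):
        src_net = ip_network(f"{src}/{src_prefix}", strict=False)
        counts[(str(src_net), dst, proto, dport)] += 1
    return dict(counts)


def replacement_rules(log_text: str, rule_name: str, src_prefix: int = 24) -> List[dict]:
    """Explicit accept rules, busiest flow first, that reproduce the traffic the broad rule carried."""
    counts = Counter(summarize_flows(log_text, rule_name, src_prefix))
    rules = []
    for (src_net, dst, proto, dport), hits in counts.most_common():
        rules.append({
            "name": f"{rule_name}-{len(rules) + 1}",
            "src": src_net, "dst": f"{dst}/32", "proto": proto, "dport": dport,
            "action": "accept", "observed_hits": hits,
        })
    return rules


def needs_review(rules: List[dict], internal=INTERNAL) -> List[dict]:
    """Flows that originate outside the internal ranges: observed traffic is not the same as wanted traffic."""
    return [r for r in rules if not any(ip_network(r["src"]).subnet_of(n) for n in internal)]


if __name__ == "__main__":
    derived = replacement_rules(SAMPLE_LOG, "permit-all")
    for r in derived:
        print(r)
    print("review before re-creating:", [r["name"] for r in needs_review(derived)])
```

On the constructed log the broad rule collapses to three explicit flows; the one from 203.0.113.0/24 to port 3389 is exactly the kind of hit that was "extremely busy" only because the rule allowed it, and the review list is where a team decides whether to carry it over or drop it.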

One Simple Misconfiguration. 2.9 Billion Users Down https://www.firemon.com/one-simple-misconfiguration-2-9-billion-users-down/ Sat, 09 Oct 2021 18:04:51 +0000 https://firemon2023.wpengine.com/?p=632

A routine maintenance error severs Facebook’s data centers from the Internet for over 6 hours

On October 4, Facebook users suffered a complete outage affecting all apps including WhatsApp, Instagram, and Messenger for over 6 hours. Nearly 2.9 billion users were not only inconvenienced, but many also lost a crucial means of communication in regions where WhatsApp is the primary method for text messaging and voice calls.

It was quickly discovered that the culprit was a faulty configuration change on Facebook’s backbone routers that manage traffic between their data centers. A simple misconfiguration was propagated across their entire network that affected not only their users, but also impacted their own tools and systems, hindering Facebook’s ability to diagnose and solve the problem.

A more detailed account of the problem was later published by Facebook explaining the causes and how a routine maintenance task resulted in a complete and total service blackout. An incorrect command was sent to check capacity that inadvertently disabled Facebook’s border gateway protocol (BGP) routers, effectively severing its datacenters from the internet. Adding to the problem was a bug in an audit tool that should have caught the mistake, but didn’t, allowing it to be deployed live across their entire environment.

With the BGP routers offline, Facebook wasn’t broadcasting the routes to DNS servers on their network. DNS servers are crucial internet components that act as phonebooks, taking a domain name like facebook.com and translating it into an IP address. Facebook’s network has its own DNS servers that maintain the IP addresses for all its domains that are shared globally across the Internet. When a user tried to access any of Facebook’s domains during the outage, they were met with errors that there was no destination address to direct them to.

Misconfigurations are a Top Reason for Outages

It’s long been known that human error is a top cause of network and service outages. Complex environments amplify the likelihood that mistakes will be made and their effects will be more far-reaching. Through the next several years, Gartner says that misconfiguration errors will be responsible for 99% of all firewall security breaches.

In a case like Facebook’s, the BGP routers were the critical point of failure in an otherwise healthy network. A small change to their configuration managed to sever their connections to the internet for hours.

Security Policy Misconfigurations Can Be Worse

Although disruptive, it’s unlikely that any security event will result from Facebook’s recent outage. However, that’s not always the case. Time and again small changes have led to unintended security vulnerabilities, exposing organizations to the threat of attacks should they be found and exploited.

Network security policy misconfigurations not only can lead to wide-scale outages, but also are one of the easiest ways to accidentally pave the way for devastating security breaches. The Capital One breach in 2019 was directly attributed to a misconfigured firewall that left one of their cloud servers vulnerable, allowing the hacker to access sensitive data for over 100 million customers.

Identify, Eliminate and Protect with FireMon

FireMon gives you visibility into high-risk policies and vulnerabilities lurking in your infrastructure and prevents you from creating new ones before policies are deployed. Real-time search, on-going security assessments, and automatic policy violation detection give you the tools you need to manage network security policies across your entire environment from on-premises data centers to the cloud.

Misconfigurations are inevitable, but FireMon minimizes the chance that they’ll compromise your network security.

Network Security Investment Priority #3: SASE https://www.firemon.com/network-security-investment-priority-3-sase/ Fri, 23 Apr 2021 16:46:32 +0000 https://firemon2023.wpengine.com/?p=627

Global Independent Study of 500 Senior Level Respondents Provides Clear Picture for the Future of Network Security

The Future of Network Security

This is part 4 of a 6-part series addressing The Future of Network Security findings. 

Endpoint numbers have been exploding for years due to cloud traffic, BYOD, and IoT. Now the need to manage entirely remote workforces has added to the strain. Businesses have been trying to secure their increasingly complex networks by implementing a whole menu of products intended to enforce zero trust and least-privilege, such as VPNs, CASB, SWG, and NGFWs. But these attempts to secure the enterprise add further complexity and, as every security professional knows, complexity spawns vulnerability. A more unified approach to zero trust security is needed, and today IT leaders are looking to secure access service edge (SASE) to secure their dynamic attack surfaces.

According to the IT executives who responded to The Future of Network Security, an independent survey sponsored by FireMon, 25% of businesses have already implemented SASE, and another 2/3 said they will be implementing SASE within the next 2 years.

The Run-Up to SASE

Businesses that expected their VPNs to securely enable remote workforce productivity were disappointed last year. VPNs tend to scale poorly, and productivity takes a hit when high demand erodes availability and performance.

63% of organizations will implement SASE within 2 years

Software-defined wide area networking (SD-WAN) has been growing at a rate of 40% year over year, but SD-WAN is a networking solution. It is effective at optimizing network traffic in today’s constantly morphing environments and can manage network connections with an intent-based policy model – but as a security solution, it has limitations.

Zero Trust Architecture (ZTA) is becoming the de facto security strategy in enterprises today. ZTA works by protecting individual assets inside the network and setting policies at a granular level. The result is strong security, but all those policies need to be managed. SASE solves that problem by placing security where it needs to be – at the endpoints that ZTA created.

Factors Driving SASE Adoption

IT leaders said they are implementing SASE because they need to replace legacy VPNs with Zero Trust Network Access (ZTNA), securely serve mobile workforces, and reduce the overall cost and complexity of managing security and infrastructures.

6 Top Drivers for SASE Adoption
  • Replacing legacy VPN with Zero Trust Network Access: 58%
  • Reducing cost/complexity: 55%
  • Enabling an increasingly mobile/distributed workforce: 53%
  • Improving user experience: 53%
  • Securing access to cloud and SaaS applications: 42%
  • Reducing the number of point security solutions: 40%

Network-centric network security wasn’t built to handle mobile workforces, data scattered across the hybrid cloud, or SaaS services connecting and disconnecting continuously. Attempts to shoehorn network-centric approaches into a cloud environment result in complicated policies which, in turn, lead to policy conflicts and misconfigurations.

With SASE, the policy follows the user. Rather than creating policies around resources, policies are tied to the entities that are accessing the resources, such as a user accessing an app or a device accessing a service.

COMPONENTS OF SASE
SASE isn’t a single technology, but rather a bundle of technologies that connect software-defined perimeter (SDP) clients and service edges, whether those service edges are public, private, or hybrid clouds, on-prem datacenters, mobile users, or any other facility, device, or user.

SD-WAN
Strengths
  • Scalable
  • Dynamic load balancing
  • Automatic failover
  • Efficient WAN utilization
Limitations as a standalone offering
  • Only protects cloud-based apps
  • No on-site security capability
  • Susceptible to performance issues
  • May result in jitter and packet loss

ZTNA
Strengths
  • Secure remote access without depending on corporate networks
  • Granular access control
  • Supports least-privilege approach
Limitations as a standalone offering
  • Does not prevent insider attacks
  • Does not protect apps
  • Does not secure access from closed networks like ERP and SAP

CASB
Strengths
  • Visibility
  • Threat protection
  • Data security
  • Compliance
Limitations as a standalone offering
  • No protection between cloud services
  • Requires constant policy tuning as information flows change
  • Intellectual property and other unstructured data is not easily recognized

SWG
Strengths
  • Visibility
  • Detects and prevents emerging threats
  • Integrates with existing security ecosystem
Limitations as a standalone offering
  • Most effective in environments where remote traffic is backhauled to a central location
  • Expensive and hard to manage in remote-access environments
  • Can add latency

NGFW
Strengths
  • Protects apps
  • Examines packet-based threats
Limitations as a standalone offering
  • Can result in insecure
  • Stream-based scanning can miss malicious traffic
  • Malicious traffic can slip through in fragmented packets

Integrating SASE with Traditional Network Security

Most organizations have already implemented some combination of CASB, NGFW, and SWG, and SD-WAN implementation is rising rapidly. Pulling cloud and remote access into the infrastructure is a logical progression. By choosing a SASE platform rather than buying its components individually, enterprises will save on the costs of implementation, as well as ongoing management expenses and inefficiencies.

At this point in time, SASE is most frequently adopted to replace MPLS, but it also supports remote access, cloud connectivity, and other capabilities that are necessary to conduct business in 2021. SASE can be implemented in phases, which eases migration pains and reduces the pain of replacing security assets that have not yet fully depreciated, and it can be deployed either across the entire estate or only across parts of it. If some locations are still using legacy firewalls, they can be connected to SASE via IPsec tunnels and excess traffic can be sent to the SASE cloud for processing by using firewall bursting.

SASE relieves costs in several ways. Most obviously, the cost of maintaining many different security products is reduced to the cost of operating SASE through one vendor. Security man-hours are also reduced because the SASE vendor is responsible for upgrading the infrastructure to protect against emerging threats.

Managing Policy across SASE and Traditional Architecture

Vendors are rushing to meet the demand for SASE. Some of the offerings are not true SASE solutions, but a mix of VM-based datacenter solutions bundled with cloud technologies, and then relabeled as SASE. This approach still relies on backhauling from the cloud to the vendor before allowing users to access their applications. The productivity hit is significant. They also use a single-tenant architecture and network-based access policies, but true SASE is based on user access. Trying to use a network-based approach results in complex policies that don’t scale.

SASE provides centralized, cloud-based policy management with distributed enforcement points close to endpoints. This localized placement of enforcement points reduces latency and results in a better user experience than traditional security processes.

The security team also gets a better experience because they only have to manage one global security policy, and they can do so through a single console. This benefit doesn’t just relieve pressure on security staff, it also leads to better security of the enterprise as a whole – access to normalized data in near real-time is the foundation for achieving comprehensive visibility.

How Does FireMon Help?

With FireMon you can visualize, normalize and manage policies across SASE platforms, SD-WAN, and FWaaS. FireMon can help you integrate new technologies with minimum effort and disruption. These technologies include: Zscaler, CloudGenix and Cisco Viptela.

Learn more today.

Network Security Investment Priority #2: Zero Trust https://www.firemon.com/zero-trust-architecture-here-to-stay-now-how-to-implement/ Fri, 09 Apr 2021 16:40:58 +0000 https://firemon2023.wpengine.com/?p=625

Global Independent Study of 500 Senior Level Respondents Provides Clear Picture for the Future of Network Security

The Future of Network Security

This is part 3 of a 6-part series addressing The Future of Network Security findings. 

If traditional network defenses are visualized as castles and moats, Zero Trust Architectures (ZTAs) can be visualized more like a museum. Anyone can enter. They can sit on the benches and use the water fountains, but the treasures are individually secured with their own alarms and protective barriers. Employees have access only to the resources they need to do their jobs. There is no implicit trust. Instead, there is least privileged access. The person in charge of dinosaur bones can’t handle the gold chalices, and the person in charge of chalices can’t get close to the bones.

While Zero Trust Architectures (ZTAs) won’t replace traditional defenses overnight, their focus on restricting access and protecting individual resources is resonating with IT security leaders. In The Future of Network Security, an independent study sponsored by FireMon, 17% of the 500 IT leaders who responded said they have begun implementing ZTAs as part of their network security strategy. Another 69% plan to implement ZTA by 2023.

69% plan to implement ZTA by 2023

5 Top Drivers of Zero Trust Architecture

Zero Trust Architecture was rapidly being adopted before COVID-19, and interest only accelerated as the pandemic raged. Suddenly, the need to provide secure remote access at scale was critical, especially as hackers leaped into the void and the frequency of data breaches and ransomware attacks shot up.

5 Top Drivers for Zero Trust Architecture
Greater need for secure remote access due to COVID-19 26%
Reduce cybersecurity risk 25%
Streamline trusted user access to corporate applications 18%
Support transition to cloud architectures 18%
Manage risk from third-party software, BYOD, and shadow IT 14%

Zero Trust Architecture mitigates one of the greatest cybersecurity challenges businesses face today – the challenge of preventing lateral movement by unauthorized users.

The most common method attackers use to gain access to a network is through the use of stolen credentials, typically acquired through some sort of social engineering, such as a phishing attack or a malicious website. Once access has been achieved, an attacker will work to gain increased privileges, and then use those privileges to search for valuable assets, install back doors, and gain knowledge about the network that can be used to plot a future attack.

Stolen credentials gained through social engineering will always be the Achilles heel of a security strategy because human error is evergreen – so since unauthorized access can’t be completely stopped, it must be mitigated. ZTA addresses that reality by protecting the assets inside the network individually by setting policies at a granular level, using context to detect anomalous activity, and preventing compromised accounts from accessing resources.
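The shift this paragraph describes, from trusting a network location to evaluating each request against the identity, the device and the session context, can be made concrete with a per-request decision function. The Python below is an added illustration for this page, not any vendor's ZTNA implementation. The entitlement table, the device posture fields and the "second country inside the 24-hour window" context signal are assumptions chosen for the example; the point is that a stolen credential alone no longer clears the policy, and resources the caller is not entitled to are never revealed.

```python
"""Identity- and context-based access decision.

Added illustration for this page, not any vendor's ZTNA implementation. Access
to a resource is decided per request from who is asking, the posture of the
device they are on, and the context of the session, never from the network the
request arrived on. The entitlement table, the device posture fields and the
"second country inside the 24-hour window" context signal are assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, Tuple


@dataclass(frozen=True)
class Principal:
    user: str
    groups: FrozenSet[str]
    mfa_verified: bool


@dataclass(frozen=True)
class Device:
    managed: bool          # enrolled in device management
    disk_encrypted: bool
    edr_running: bool


@dataclass(frozen=True)
class Context:
    country: str
    recent_countries: FrozenSet[str]   # countries this identity was seen from in the last 24h (constructed signal)


# Assumed entitlements: resource -> groups that may see it. Anything absent is invisible to everyone.
ENTITLEMENTS = {
    "payroll-app": {"finance"},
    "hr-portal": {"hr", "finance"},
}


def device_posture_ok(device: Device) -> bool:
    """Minimum posture before a session is allowed to touch a protected resource."""
    return device.managed and device.disk_encrypted and device.edr_running


def anomalous(ctx: Context) -> bool:
    """Second country inside the window: a common stolen-credential tell."""
    return len(ctx.recent_countries | {ctx.country}) > 1


def decide(principal: Principal, device: Device, ctx: Context, resource: str) -> Tuple[str, str]:
    """Return (decision, reason). Runs on every request, so a session loses access
    as soon as its device or context stops meeting policy, which limits what a
    compromised account can reach laterally."""
    allowed = ENTITLEMENTS.get(resource)
    if allowed is None or not (principal.groups & allowed):
        # Same answer for "no such resource" and "not entitled": the resource is not revealed.
        return "deny", "no entitlement"
    if not principal.mfa_verified:
        return "deny", "mfa required"
    if not device_posture_ok(device):
        return "deny", "device posture"
    if anomalous(ctx):
        return "deny", "anomalous context"
    return "allow", "identity, device and context verified"


if __name__ == "__main__":
    alice = Principal("alice", frozenset({"finance"}), mfa_verified=True)
    laptop = Device(managed=True, disk_encrypted=True, edr_running=True)
    print(decide(alice, laptop, Context("US", frozenset({"US"})), "payroll-app"))
```

The order of the checks matters for what an attacker learns: entitlement is evaluated first, so a caller outside the finance group gets the same answer for `payroll-app` as for a resource that does not exist, which is the "removes visibility of assets from unauthorized actors" property the ZTNA description below refers to.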

Measuring Your Zero Trust Level

Zero Trust Contributors
  • Use of applications
  • Use of Users and User Groups
  • Use of URL filters
  • Use of data classification filters

Zero Trust Inhibitors
  • Overly permissive rule sets
  • Unused rules
  • Hidden and shadowed rules
  • Compliance assessment failures

Defining Zero Trust

A Deeper Dive into Zero Trust Architecture

Microsegmentation

  • Software-based
  • Secures East-West traffic
  • Creates boundaries within East-West traffic

Next Generation Firewalls (NGFW) and Firewalls as a Service (FWaaS)

  • Firewall interfaces are configured to connect network segments into security zones
  • Each zone is secured with a unique set of rules that only grant access to users, devices, and services that are authorized to access the zone

SD-WAN

  • SD-WAN connects to cloud providers and newer types of endpoints
  • SD-WAN handles encryption well but isn’t as good at authentication

Zero Trust Network Access (ZTNA)

  • The most widely-recognized architecture in ZTA
  • Creates an identity- and context-based boundary around a resource
  • Removes visibility of assets from unauthorized actors

Secure Web Gateway (SWG)

  • Filters unsecured traffic and enforces policy compliance
  • Zero Trust

CASB

  • Discovers cloud services and assesses readiness according to policies

Network Security Policy Management

  • Visibility across heterogeneous infrastructure
  • Policy orchestration to adapt to change and respond to threats without manual intervention
  • Ensure continuous compliance with zero trust policy

Zero Trust Architecture is not a product. Rather, it is a concept built on people, workloads, devices, networks, and data.

People
Zero Trust ensures that only authorized users gain access to the right apps and services.

User-centric technologies
JML/RBAC design
Two-factor authentication
Risk-based authentication
Privileged user management
Biometric-based authentication
Account segregation
Identity verification
Browser isolation technology

Workloads
Zero Trust identifies and categorizes workloads and subjects them to the appropriate security controls.

Workload-centric technologies
cloud workload security
container security configuration
VM security configuration
runtime container security
web application firewalls
cloud security gateways
connectivity inventory
workload asset management

Devices
Zero Trust monitors endpoints to ensure their identities are trusted and the correct security policies are applied to them.

Device-centric technologies
Device asset management
Endpoint security suites
Device posture checking
Endpoint detection and response
Mobile security suites

Networks
Zero Trust applies strict access controls to networks through the use of network asset visibility.

Network-centric technologies
Network transmissions protocol security
Network device configuration management
Network security policy management
Vulnerability management
Software-based microsegmentation
Network segmentation, virtual and physical

Data
Zero Trust protects data at rest, in transit, or in use through the application of consistent data security policies.

Data-centric technologies
Data encryption
Data classification
Data asset classification
Data leakage prevention
File integrity monitoring

The Fundamentals of Zero Trust: Visibility and Orchestration

The ZTA system needs visibility in order to apply policies and control access properly. To acquire this visibility, three capabilities are necessary: open APIs, scalable data ingest, and customizable reporting.

3 Essential Capabilities for ZTA Success

Open APIs: The use of open APIs will enable the organization to extract data from the entire network. This supports visibility by providing a way to capture insights from any connected system.

Scalable Data Ingest: As systems are connected via APIs, the volume of data entering the network balloons. Scalable data ingest allows data ingestion in real-time, which is another pillar of visibility.

Customizable Reporting: With so much data, there needs to be a way to understand it. And while all networks are unique, ZTA networks are especially so — every partition is a micro-network with its own workloads, devices, users, and resources. Customizable reports enable you to make fast assessments.

Orchestrate the Management of Zero Trust Architecture

Traditional change management approaches won’t work with ZTA. There are too many contingencies to handle – and that means too many unintended consequences to account for. Instead, orchestration is used to automatically tell enforcement points how to behave.

That behavior isn’t really about following rules. It’s more about intent. Intent can be managed with a network security policy management solution that orchestrates activities between people, workloads, devices, networks, and data. These activities enrich an analytics loop that in turn helps the orchestration perform better as more intelligence is acquired.

Security teams can set a single global policy that applies to all network resources, no matter what the composition of the network is at any given moment. Intent-based security maps the overall security goal to specific rules, checks the design against all possible contingencies, scores the risk, and pushes it to the enforcement point. The results of the policy are monitored, ideally in real-time, and the network is commanded to adapt to changes.

The entire rule lifecycle must be automated for ZTA to be effective. Organizations already recognize the need for automation in the security policy management process – 98% report they’ve already automated their security policy management to some degree, and almost 80% plan to implement security orchestration and automation within two years.
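The intent-to-rule check described above (map a global goal to rules, test the design against contingencies, score the risk, then push or hold the change), as an added example that is not FireMon's code; the PCI zone, the intents and the sample rules are constructed for illustration.

```python
# Added illustration (not FireMon's code) of an intent-based pre-change check:
# a proposed firewall rule is tested against global intents, each violation
# adds to a risk score, and a blocking intent vetoes the push to the
# enforcement point. Zone, intents and rules are constructed sample data.
from dataclasses import dataclass
from ipaddress import ip_network

ANY = ip_network("0.0.0.0/0")
PCI_ZONE = ip_network("10.20.0.0/16")  # constructed protected segment
CLEARTEXT_PORTS = {21, 23, 80}         # services the intent forbids into PCI


@dataclass(frozen=True)
class Rule:
    src: str     # source CIDR; "0.0.0.0/0" means any
    dst: str     # destination CIDR
    port: int    # destination TCP port; 0 means any
    action: str  # "allow" or "deny"


def _allows(r: Rule) -> bool:
    return r.action == "allow"


def _reaches_pci(r: Rule) -> bool:
    return ip_network(r.dst).overlaps(PCI_ZONE)


# Global intents: (name, violated-if predicate, risk weight, blocks the change).
INTENTS = [
    ("no-any-any-allow", lambda r: _allows(r) and ip_network(r.src) == ANY
     and ip_network(r.dst) == ANY and r.port == 0, 10, True),
    ("no-untrusted-to-pci", lambda r: _allows(r) and ip_network(r.src) == ANY
     and _reaches_pci(r), 8, True),
    ("no-cleartext-into-pci", lambda r: _allows(r) and _reaches_pci(r)
     and r.port in CLEARTEXT_PORTS, 5, False),
    ("no-any-port-allow", lambda r: _allows(r) and r.port == 0, 3, False),
]


def assess_change(rule: Rule):
    """Return (violated intent names, risk score, approved) for a proposed rule.

    approved is False when any violated intent is blocking; non-blocking
    violations are still reported so the reviewer sees the residual risk.
    """
    hits = [(n, w, b) for n, pred, w, b in INTENTS if pred(rule)]
    score = sum(w for _, w, _ in hits)
    approved = not any(b for _, _, b in hits)
    return [n for n, _, _ in hits], score, approved
```

Only an approved result would be handed to the enforcement point; the violated list and score are what a pre-change report would show the reviewer.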

NSPM is a strategic investment

90% of organizations say NSPM helps them improve speed and responsiveness. More than half intend to invest in NSPM in 2021.

When the Network is Everywhere, So are the Policies

Zero Trust Architecture creates so many endpoints that it would be impossible to manage them all manually. Rule sprawl and complexity are a natural consequence of Zero Trust Architecture, but they can be controlled with network security policy management. NSPM automates and orchestrates the processes that support visibility, analytics, and policy enforcement in a Zero Trust environment.


The Value of Zero Trust

  • Visibility: Unified visibility across a heterogeneous infrastructure.
  • Orchestration: Leverage existing IT infrastructure, PEPs, and workflows.
  • Integration: Flexible APIs will simplify integration.
  • Analytics: Query policy across heterogeneous infrastructure, leverage access path analysis to pinpoint risky connections.
  • Compliance: Ensure continuous compliance, conduct pre-change assessments, and notify security and compliance teams when violations occur.
  • Risk Analysis: Provides insights into risk across the environment and provides recommended remediations.

3 Principles for Implementing Zero Trust

  • Leverage existing infrastructures and processes that support Zero Trust, such as CASB, SD-WAN, NGFWs, FWaaS, and SWGs.
  • Policy is the heart of a Zero Trust Architecture, so acquire the ability to visualize, normalize, manage, and monitor rules across the entire network, including all endpoints.
  • Use a network security policy management solution to gain visibility, integration, orchestration, compliance, analytics, and risk analysis.

Zero Trust is now essential

Since 2018, FireMon has been recognized by Forrester as a Zero Trust platform.

According to Forrester, to be a Zero Trust platform, vendors must:

  • Offer market-leading capabilities in at least three Zero Trust components
  • Create unique technical advantages to solution integration
  • Develop and support robust APIs and a partner ecosystem

FireMon delivers the necessary scalability and real-time visibility to support Zero Trust – all driven by robust APIs and airtight integrations.
