Insert intro slide for some housekeeping notes prior to presentation
Tweet out slide deck
Here are the 6 fundamental areas to address on your shift from reactive to proactive network management.
Today we’re going to focus on a plan to reduce security risks.
How many of you know what your weak links are?
As you know, it only takes one small oversight, like a configuration error, to open your network up to attacks.
As business models, technologies and regulations change, organizations are asking questions like:
What‘s our security risk of moving to the cloud? With more devices accessing our network, how can we effectively control user access levels? We have so many fragmented point-solutions for security….how can we reduce this complexity? It seems like there’s a shortage of security talent in the market. How can we keep up with these constant security changes?
During this Smart Talk session, we’ll touch on these areas and discuss some of the critical considerations for reducing risk in your network.
Identify risk in your network Prioritize risk based on your business Remediate risk Validate the removal of risk
An organization’s security posture should never be considered static. Over time, security strategies, products and policies must evolve to keep up with changing business models and modern threats.
This is why understanding the current state of your security posture is critical. Knowing how well your security strategy is working and what your vulnerabilities are will help you create a strategy map to get to your desired end state.
When it’s time to validate your security posture, you should always assess risk based on your business needs.
From network devices assessments to collaboration security, there’s a wide array of assessments that can you help you pinpoint areas for improvement.
For example, you could run a Perimeter Security Assessment to identify vulnerabilities that allow inappropriate access to your internal IT infrastructure from the outside OR a you could run a Wireless Security Assessment to identify points of exposure, including unauthorized access points, weak access control, and wireless data leakage.
Here’s what a typical security posture assessment looks like.
Review An assessment begins by conducting a detailed review of your security goals and requirements.
Probe Based on this information, security experts probe your infrastructure from the interior and perimeter, survey and map your wireless network, and attempt to engineer their way into your facility by simulating modern attacks. This is all done is a safe and controlled manner.
Analyze Any discovered vulnerabilities are then analyzed and compared to industry best practices and security intelligence to remove false positives and determine which critical assets and data are exposed.
Recommend The results are then prioritized and delivered to you in an actionable report with recommendations for remediation.
Recently, a large insurance company came to us because they knew their current network access controls could be putting the company at risk. It didn’t matter if you were an insurance agent or the CIO, everyone had the same physical and logical access to the network. The only thing differentiating users access levels were privileges set at the application layer. They had previously attempted to address this issue, but failed to implement a solution that didn’t impact their user experience and business operations. However, with new compliance regulations and changing business models, they knew it was time for a different approach.
Our first step was to run a Security Design Assessment to identify their risks. The assessment uncovered: A flat network with very little access control Little to no segmentation of critical assets No visibility into current compliance status
Now let’s take a look at the second phase in the vulnerability lifecycle; Prioritizing Risk.
When risks are identified, they need to be prioritized based on your environment. Just because Cisco or the common vulnerability scoring systems say something is low or high, it doesn’t necessarily mean that risk value is tied to your organization. You may find that your organization has different circumstances that change the value of that particular risk. Something that’s marked medium, may be a top concern for your environment.
Key Message: Establishing your risk framework helps you identify solutions that address your highest risks.
Going back to they insurance company…the question they needed to answer was, which vulnerabilities put our organization at the greatest risk?
For their environment, access control was the highest risk so deploying a better identity management solution became their priority.
Other risks… No true segmentation of data Non-Compliance
Now that we’ve identified and prioritized risk, it’s time to develop a strategy to improve your security posture.
This will become your roadmap to addressing deficiencies with solutions that align to your specific business requirements.
Optional – Things to consider while creating your security strategy: Change to security infrastructure must have little to no impact on business operations Business flexibility – ability to add new applications and services while still complying with policies and regulations Security solutions must provide superior protection while reducing complexity
For the insurance company, this meant mapping out a more segmented and controlled approach to users access and critical data assets. This allowed them to setup isolated environments using an access management solution and VLANs. Now their agents only have access to what they need, without the risk of compromising the business. This same segmentation model was applied to their critical data to keep it isolated from other business units.
All changes must be validated to ensure risk removal. For the insurance company this meant validating their network access controls and their data segmentation policies. This validation not only affirms the improvement in their security posture, but also helps them maintain compliance and regulatory standards.
Outcome: By assessing the current state of their security infrastructure, the insurance company gained the insight required to understand and improve their security posture. They identified their vulnerabilities, prioritized risks based on their environment, created a security strategy aligned with their business goals, and then validated the removal of the risk.