Why automate? Why now? Automation is critical to digital transformation, essential for reducing the attack surface and mandatory to ensure continuous compliance. In this Slideshare presentation, you will learn: * How to securely speed up the network change process * Best practices to getting started with automation * Guidelines to meet the goal of Zero-Touch Automation We will review the use cases to begin automating network security operations and explain why it’s mandatory to focus on policy-based change automation

1. June 27, 2018
5 Clear Signs You Need
Security Policy Automation
Hadas Lahav | Product Management lead for automation
Maya Malevich | Director of Product Marketing, Tufin

2. History of Automation
500-900 AD
1335
1913
1943
Future ?
Today

3. Sometimes we miss the signs . . .

4. Agenda
• The five signs
• Security policy automation
• How to get started: Use Cases
• Benefits
• Next steps

5. Number 1: Change processes are slow and manual
• Unable to complete tasks on time
• Spend too much time on mundane tasks
• Unable to focus on what matters most
• Team is inefficient and not meeting SLAs
• You are understaffed and find it very hard to
hire new people

6. Number 2: Cloud First Initiatives
1. Zero visibility into cloud workloads
2. Network is unable to adapt and change with the
environment, or at the same pace
3. You have not idea how to ensure changes are
made according to security policy

7. Number 3: Business is hopping around you
1. The business is asking you to move faster but you
are worried about a breach
2. Unable to meet business requirements/SLA
3. Competition is doing better – releasing more
features, faster
4. You have a Shadow IT problem

8. Number 4: The hole is getting deeper
1. You have different business units submitting
change requests, very frequently
2. Your rulebase is a mess
• Shadowed rules
• Redundant rules
• Unused rules
• Overly permissive
3. You can’t respond to security threats confidently
4. Errors and misconfigurations are common
5. Need to redo at least 20% of change requests

9. Number 5: You can’t prove compliance
1. Unable to meet internal/external compliance
standards
1. Failed an audit
2. Paid a big fine
2. Analyzing configurations has grown beyond the
capacity of human computation
3. You can’t measure what you can’t see

10. The need: A real life example
10
600 Requests/Changes modelled and assessed
during 2017/18
 18% (108) were rejected as not required
 13% (65) required amending as partially
implemented
 Of which 8% (38) failed the implementation
check
 Lack of visibility of the Network Estate
 Multiple Vendors / outsource partners
 No single source of the truth
 Fault Finding
 3 sets of outsource partners on calls trying to identify
issues performing traces
 Limited Pre-change technical assessment
 Manual assessment done by technical people
 No Post Change validation and accountability
 Passed to requestor to check things work
They discovered problems . . .

11. So Why Don’t we Automate?
● Cultural resistance/fear
● Lack of visibility
● It’s too hard/ too complex
● Have tried automating with scripts and failed
● Don’t know how to get started

12. John F Kennedy
automation does not need
to be our enemy…

13. The Call for Security Automation
PRODUCTIVITY
AGILITY
SECURITY

14. Why Automate Now?
Why Security Policy?

15. Enterprise Networks are Fragmented
Private Cloud
Firewalls from different vendors
1000s of routers and switches
Public Cloud
Microservices/
Containers

16. Not just fragmented infrastructure - Fragmented processes
Different teams handle different
parts of the network

17. The network will become even more complex and fragmented

18. Security Policy
• The network of the future will be software-defined and
automated
• Security cannot be managed at scale without a
centralized policy

19. Best Practices
1. Start small: Organizations are choosing to focus first on the easier
areas of automation as they begin their automation journey
2. Automate on security policy changes: ESG Research shows only 1% of those
surveyed found automation to be not at all important
19
Critical, 34%
Very important, 52%
Somewhat important,
13%
Not at all important,
1%

20. USE CASES

21. Group Modification
Typical Scenario
• Constant changes to user and firewall groups that are poorly documented
• Manual change processes on multi vendor firewalls
Problem: Manual Processes
• Too long time to deploy
• Increase maintenance workload
• Leads to human errors
Automated Group Object Modification to create and maintain groups
simply and accurately

22. Group Modification
22
1
Create a new group or update an existing group by submitting a Group
Modification ticket in SecureChange
2
Design and Provision changes automatically using SecureChange
Designer tool
on Palo Alto, Cisco ASA, Fortinet and Check Point devices
• Ensure full auditability via a dedicated report and ticket history

23. Typical Scenario
• Security policies degrade over time, resulting in rules which are fully shadowed or disabled,
or rules with no hits
Problem
• Poorly maintained rulebase
• Unused rules may increase the attack surface
• Increases the complexity of firewall maintenance
Automated Rule Decommissioning with complete change
documentation
Typical Use-Case 2: Rule Decommissioning

24. 1
Identify obsolete & risky rules by searching the Policy Browser, and add
them to a ticket
Rule Decommissioning
24
2
Select action and workflow, and submit the ticket in SecureChange3
Design and Provision changes automatically using SecureChange
Designer tool
on Palo Alto, Cisco ASA, Fortinet and Check Point devices
4
Ensure full auditability via a dedicated report and ticket history

25. Typical Scenario
• Servers no longer in use but rules have not been removed from network
Problem
• Unused servers which are still defined in firewall policies weaken security posture and increase
maintenance complexity
• IT teams find it difficult to assess the impact of server removal on firewall policies in a complex
network environment
Automated Server Decommissioning to identify unused servers
• Automatically analyze and understand impact of removal
• Decommission servers and automatically update relevant rule pathways
Typical Use-Case 2: Server Decommissioning

26. Server Decommissioning
26
1
Open a Server Decommission ticket and perform impact analysis to
understand where the server is being used
2
Design and Provision changes automatically using SecureChange
Designer tool
on Palo Alto, Cisco ASA, Fortinet and Check Point devices
• Ensure full auditability via a dedicated report and ticket history

27. Problems Solved by
Security Policy Automation

28. Skill Shortage and Automation
73%
Source: Life and Times of Security Professionals, ESG and ISAA, Nov 2017
of survey respondents agree that new
types of security automation
technologies will have a positive impact
on cybersecurity workload
TIME ERRORS

29. Compliance
● Compliance is a key driver in
security budget
● Meet compliance mandates
COMPLIANCE

30. Eliminate Mistakes and Misconfigurations
Automation of security tasks & processes
efficient
fast
error-free
Secured!
+
+
=

31. Security Policy Automation Benefits
31
AUTOMATION
• Implement changes in minutes instead of days
• Strengthen security and reduce the attack surface
• Reduce complexity for multi-vendor environments
• Improve audit readiness and achieve continuous
compliance

32. We are the Security Policy Company

33. Network Security Policy Automation and Orchestration
Security Policy Management
Maturity Model
Slow
Risky
Business Agility
Security
Visibility
Cleanup
Analysis & Design
Application driven
Zero touch

34. Security Policy Orchestration Across the Next Generation Network

35. Move Fast and Secure Things: Continuous Security
• Security automation across DevOps lifecycle
• Integration with CI/CD tools
• Orchestrate 3rd party security services
Dev Ops
• Visibility of all microservice connections
• Identify and protect vulnerable containers
• Policy-based response to threats

36. 36
Managing Your Security Policy . . . Everywhere
A continuum from the macro to the micro
Traditional
Networks
Cisco, Check Point
Palo Alto, Fortinet, F5
Private Cloud
NSX, Cisco ACI
Public Cloud
AWS, Azure
Microservices
Containers, VMs,
microservices

37. Tufin Value
Maximum Agility
& Security
with Network
Security Policy
Orchestration
Reduce complexity of managing hybrid
networks
Ensure continuous compliance with
security standards
Implement security changes in minutes
instead of days

38. And back to the story: the Real Results
38
• Removed
• 389 Network Objects
• 2000+ redundant rules deleted from the host providers firewalls
• 152 Security Rules
• 6 Services
• 20135 Device Configurations
• Results
• Visibility
• 365 Days Unused rules - 1372 of 2119
• 30 Days Unused rules - 1544 of 2119
• Confidence to remove rules without impacting service
• Reduce the threat landscape
• Improvement in the firewall service

39. Remember . . .
The network will always be complex and fragmented
Traditional networks, private cloud, public cloud, containers
Multi-vendor technologies
Distributed teams
The network of the future will be software-defined and automated
Security cannot be managed at scale without a centralized policy
39

40. ecurity
June 27, 2018
5 Clear Signs You Need
Security Policy Automation
Hadas Lahav | Product Management lead for automation
Maya Malevich | Director of Product Marketing, Tufin
Thank You

41. Mechanical Clock
500-900 AD
1335

42. Computer
500-900 AD
1335
1913
1943

43. Cloud
92% of enterprises use public cloud
today
38%
Source: RightScale State of the Cloud Report 2018
of enterprises state that Public
Cloud is a top priority for 2018
81%
of enterprises see security as a
top cloud challenge