Why automate? Why now? Automation is critical to digital transformation, essential for reducing the attack surface and mandatory to ensure continuous compliance.
In this Slideshare presentation, you will learn:
* How to securely speed up the network change process
* Best practices for getting started with automation
* Guidelines to meet the goal of Zero-Touch Automation
We will review the use cases for starting to automate network security operations and explain why it’s mandatory to focus on policy-based change automation.
5 Clear Signs You Need Security Policy Automation
1. 5 Clear Signs You Need Security Policy Automation
June 27, 2018
Hadas Lahav | Product Management lead for automation
Maya Malevich | Director of Product Marketing, Tufin
4. Agenda
• The five signs
• Security policy automation
• How to get started: Use Cases
• Benefits
• Next steps
5. Number 1: Change processes are slow and manual
• Unable to complete tasks on time
• Spend too much time on mundane tasks
• Unable to focus on what matters most
• Team is inefficient and not meeting SLAs
• You are understaffed and find it very hard to hire new people
6. Number 2: Cloud First Initiatives
1. Zero visibility into cloud workloads
2. Network is unable to adapt and change with the environment, or at the same pace
3. You have no idea how to ensure changes are made according to security policy
7. Number 3: Business is hopping around you
1. The business is asking you to move faster but you are worried about a breach
2. Unable to meet business requirements/SLA
3. Competition is doing better – releasing more features, faster
4. You have a Shadow IT problem
8. Number 4: The hole is getting deeper
1. You have different business units submitting change requests, very frequently
2. Your rulebase is a mess
• Shadowed rules
• Redundant rules
• Unused rules
• Overly permissive
3. You can’t respond to security threats confidently
4. Errors and misconfigurations are common
5. Need to redo at least 20% of change requests
9. Number 5: You can’t prove compliance
1. Unable to meet internal/external compliance standards
   1. Failed an audit
   2. Paid a big fine
2. Analyzing configurations has grown beyond the capacity of human computation
3. You can’t measure what you can’t see
10. The need: A real life example
600 Requests/Changes modelled and assessed during 2017/18
18% (108) were rejected as not required
13% (65) required amending as partially implemented
Of which 8% (38) failed the implementation check
Lack of visibility of the Network Estate
Multiple Vendors / outsource partners
No single source of the truth
Fault Finding
3 sets of outsource partners on calls trying to identify issues performing traces
Limited Pre-change technical assessment
Manual assessment done by technical people
No Post Change validation and accountability
Passed to requestor to check things work
They discovered problems . . .
11. So Why Don’t we Automate?
● Cultural resistance/fear
● Lack of visibility
● It’s too hard/ too complex
● Have tried automating with scripts and failed
● Don’t know how to get started
15. Enterprise Networks are Fragmented
Private Cloud
Firewalls from different vendors
1000s of routers and switches
Public Cloud
Microservices/Containers
16. Not just fragmented infrastructure - Fragmented processes
Different teams handle different parts of the network
18. Security Policy
• The network of the future will be software-defined and automated
• Security cannot be managed at scale without a centralized policy
19. Best Practices
1. Start small: Organizations are choosing to focus first on the easier areas of automation as they begin their automation journey
2. Automate on security policy changes: ESG Research shows only 1% of those surveyed found automation to be not at all important
• Critical, 34%
• Very important, 52%
• Somewhat important, 13%
• Not at all important, 1%
21. Group Modification
Typical Scenario
• Constant changes to user and firewall groups that are poorly documented
• Manual change processes on multi vendor firewalls
Problem: Manual Processes
• Takes too long to deploy
• Increases maintenance workload
• Leads to human errors
Automated Group Object Modification to create and maintain groups simply and accurately
22. Group Modification
1. Create a new group or update an existing group by submitting a Group Modification ticket in SecureChange
2. Design and Provision changes automatically using SecureChange Designer tool on Palo Alto, Cisco ASA, Fortinet and Check Point devices
• Ensure full auditability via a dedicated report and ticket history
23. Typical Use-Case 2: Rule Decommissioning
Typical Scenario
• Security policies degrade over time, resulting in rules which are fully shadowed or disabled, or rules with no hits
Problem
• Poorly maintained rulebase
• Unused rules may increase the attack surface
• Increases the complexity of firewall maintenance
Automated Rule Decommissioning with complete change documentation
24. Rule Decommissioning
1. Identify obsolete & risky rules by searching the Policy Browser, and add them to a ticket
2. Select action and workflow, and submit the ticket in SecureChange
3. Design and Provision changes automatically using SecureChange Designer tool on Palo Alto, Cisco ASA, Fortinet and Check Point devices
4. Ensure full auditability via a dedicated report and ticket history
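The cleanup categories named on the Rule Decommissioning slides (fully shadowed, disabled and no-hit rules) can be checked mechanically, as in this added example, which is not part of the presentation and not Tufin code. The rule format, rule names and addresses are constructed, and shadowing is only tested against a single earlier rule.

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass
class Rule:                      # hypothetical, vendor-neutral rule record
    name: str
    src: str                     # source CIDR
    dst: str                     # destination CIDR
    proto: str                   # "tcp", "udp" or "any"
    ports: tuple                 # inclusive (low, high)
    action: str                  # "allow" or "deny"
    enabled: bool = True
    hits: int = 0                # hit count over the review window

def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matched by b is also matched by a."""
    return (ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst))
            and a.proto in ("any", b.proto)
            and a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1])

def decommission_candidates(rulebase):
    """Map rule name -> reason, evaluating rules in first-match order."""
    out = {}
    for i, r in enumerate(rulebase):
        if not r.enabled:
            out[r.name] = "disabled"
            continue
        # A rule is fully shadowed when one earlier enabled rule matches all its traffic.
        shadow = next((p for p in rulebase[:i] if p.enabled and covers(p, r)), None)
        if shadow:
            conflict = " (action conflict)" if shadow.action != r.action else ""
            out[r.name] = f"shadowed by {shadow.name}{conflict}"
        elif r.hits == 0:
            out[r.name] = "no hits"
    return out

# Constructed sample rulebase (documentation and private address ranges only).
RULEBASE = [
    Rule("allow-web", "10.0.0.0/8", "192.0.2.0/24", "tcp", (443, 443), "allow", hits=9120),
    Rule("allow-web-hr", "10.1.0.0/16", "192.0.2.10/32", "tcp", (443, 443), "allow"),
    Rule("old-ftp", "10.2.0.0/16", "198.51.100.5/32", "tcp", (21, 21), "allow", enabled=False),
    Rule("legacy-db", "10.3.0.0/16", "198.51.100.7/32", "tcp", (1521, 1521), "allow"),
    Rule("deny-web-dev", "10.4.0.0/16", "192.0.2.0/24", "tcp", (443, 443), "deny"),
    Rule("dns", "10.0.0.0/8", "203.0.113.53/32", "udp", (53, 53), "allow", hits=55210),
]

if __name__ == "__main__":
    for name, reason in decommission_candidates(RULEBASE).items():
        print(f"{name}: {reason}")
```

A shadowed rule whose action differs from the rule that shadows it deserves review before removal, because the intended deny or allow is never enforced.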
25. Typical Use-Case 2: Server Decommissioning
Typical Scenario
• Servers no longer in use but rules have not been removed from network
Problem
• Unused servers which are still defined in firewall policies weaken security posture and increase maintenance complexity
• IT teams find it difficult to assess the impact of server removal on firewall policies in a complex network environment
Automated Server Decommissioning to identify unused servers
• Automatically analyze and understand impact of removal
• Decommission servers and automatically update relevant rule pathways
26. Server Decommissioning
1. Open a Server Decommission ticket and perform impact analysis to understand where the server is being used
2. Design and Provision changes automatically using SecureChange Designer tool on Palo Alto, Cisco ASA, Fortinet and Check Point devices
• Ensure full auditability via a dedicated report and ticket history
28. Skill Shortage and Automation
73% of survey respondents agree that new types of security automation technologies will have a positive impact on cybersecurity workload
Source: Life and Times of Security Professionals, ESG and ISAA, Nov 2017
35. Move Fast and Secure Things: Continuous Security
• Security automation across DevOps lifecycle
• Integration with CI/CD tools
• Orchestrate 3rd party security services
Dev Ops
• Visibility of all microservice connections
• Identify and protect vulnerable containers
• Policy-based response to threats
36. Managing Your Security Policy . . . Everywhere
A continuum from the macro to the micro
• Traditional Networks: Cisco, Check Point, Palo Alto, Fortinet, F5
• Private Cloud: NSX, Cisco ACI
• Public Cloud: AWS, Azure
• Microservices: Containers, VMs, microservices
37. Tufin Value
Maximum Agility & Security with Network Security Policy Orchestration
• Reduce complexity of managing hybrid networks
• Ensure continuous compliance with security standards
• Implement security changes in minutes instead of days
38. And back to the story: the Real Results
• Removed
• 389 Network Objects
• 2000+ redundant rules deleted from the host providers firewalls
• 152 Security Rules
• 6 Services
• 20135 Device Configurations
• Results
• Visibility
• 365 Days Unused rules - 1372 of 2119
• 30 Days Unused rules - 1544 of 2119
• Confidence to remove rules without impacting service
• Reduce the threat landscape
• Improvement in the firewall service
39. Remember . . .
The network will always be complex and fragmented
Traditional networks, private cloud, public cloud, containers
Multi-vendor technologies
Distributed teams
The network of the future will be software-defined and automated
Security cannot be managed at scale without a centralized policy
40. Thank You
43. Cloud
92% of enterprises use public cloud today
38% of enterprises state that Public Cloud is a top priority for 2018
81% of enterprises see security as a top cloud challenge
Source: RightScale State of the Cloud Report 2018