SECURITY CHANGE MANAGEMENT: AGILITY VS. CONTROL
Anner Kushnir, VP Technology, AlgoSec
AGENDA
• Introduction
• The Balancing Act
• “Have Your Cake and Eat It”
• Security Policy Automation – Solution Requirements
• Deployment Considerations
• Summary
RUN FASTER!
• Constant demand for higher business agility
  • Deliver in minutes/hours, not weeks/months
• Change is the only constant
• Technology enablers
  • Continuous Integration/Deployment, DevOps
  • Virtualization
  • Cloud, Software Defined Networking (SDN)
PROTECT YOUR NETWORK BETTER!
• Attacks and breaches are constantly on the rise, more sophisticated
• Security must be stronger and tighter
• If not:
  • Service outages
  • Critical data leakage
  • Audits will fail
  • Your name in the news
CYBER ATTACK STATISTICS
“Data Breaches Increase 40 Percent in 2016” – Identity Theft Resource Center (ITRC) and CyberScout
“Of the 1,000 IT leaders polled for Invincea’s 2016 Cyberthreat Defense Report, three-quarters reported that their networks had been breached in the last year, and 62 percent said they expect to suffer a successful cyberattack at some point this year”
“More than 4,000 ransomware attacks have occurred every day since the beginning of 2016 (300% increase compared to 2015)” – Computer Crime and Intellectual Property Section (CCIPS)
THE BALANCING ACT – BUSINESS AGILITY
• Full automation
• DevOps and App developers are happy
• Security is left behind, less strict, less control, processes not followed
• Audits may fail
• Boardroom unhappy
• Your name on the news
THE BALANCING ACT – SECURITY
• Control
• Security processes are fully retained (clear policy, approvals, full documentation)
• DevOps is “90% automatic”
• Business cannot run fast
• Security is a painful bottleneck
THE BALANCING ACT – REALITY
Trying to find the perfect balance:
• Both agility and security are affected
• Constant tension between Security and Apps teams
BUT WHAT IF YOU COULD… HAVE YOUR CAKE AND EAT IT?
RESPONSIBLE AUTOMATION
• Automate, automate, automate
  • Zero-touch (when possible)
  • Unified, single change process
  • Security checks and balances baked into the automated process
• Escalation process
  • Human intervention (only) when needed
• Full documentation
• Statistics & SLAs
SECURITY POLICY AUTOMATION – SOLUTION REQUIREMENTS
AUTOMATION
Automate every step along the change process
• Enables zero-touch changes within minutes – business agility
• Saves time even when human intervention is required
• Avoid typos and mistakes
• Full and accurate documentation (for audit, undo change)
AUTOMATION – FIND RELEVANT SECURITY DEVICES
• Find which security devices are in the path, and are currently blocking the requested traffic
  • Firewall policies, Router ACLs, SDN segmentation, cloud security groups
AUTOMATION – RISK CHECK
• Define allowed connectivity between zones
  • Whatever is not pre-approved should raise a risk
AUTOMATION – PLAN CHANGE
• Vendor-specific decisions – choose policy, zones, ACLs, objects
• Implement in an optimal way (avoid rule/object duplications)
• Enforce naming conventions and best practices
AUTOMATION – PUSH CHANGE TO DEVICE
• Push change to device management (via APIs) or directly to the device (CLI), as available
AUTOMATION – VALIDATE CHANGE
• Verify change was implemented successfully and requested traffic is now allowed
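As an added illustration (not AlgoSec's code or product logic), the five automation steps above run end to end on a constructed two-firewall path: find the blocking devices, risk-check the request against pre-approved zone connectivity, plan a rule only for the devices that block, push it, and validate. `ZONES`, `PRE_APPROVED`, `Device`, `PATH` and the function names are assumed names and sample data.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed zones and pre-approved zone-to-zone connectivity (sample data).
ZONES = {"dmz": "10.1.0.0/16", "app": "10.2.0.0/16", "db": "10.3.0.0/16"}
PRE_APPROVED = {("dmz", "app"): {443}, ("app", "db"): {5432}}  # (src, dst) -> ports
Rule = namedtuple("Rule", "src dst port action")  # src/dst are CIDRs, action allow|deny

class Device:
    """One firewall/ACL hop: first matching rule wins, implicit deny at the end."""
    def __init__(self, name, rules=None):
        self.name, self.rules = name, list(rules or [])

    def allows(self, src, dst, port):
        for r in self.rules:
            if (ip_address(src) in ip_network(r.src)
                    and ip_address(dst) in ip_network(r.dst) and r.port == port):
                return r.action == "allow"
        return False

def zone_of(ip):
    return next((z for z, n in ZONES.items() if ip_address(ip) in ip_network(n)), None)

def blocking_devices(path, src, dst, port):
    """Step 1: which devices on the path currently block the requested flow."""
    return [d.name for d in path if not d.allows(src, dst, port)]

def is_pre_approved(src, dst, port):
    """Step 2: zone-level risk check; anything not pre-approved raises a risk."""
    return port in PRE_APPROVED.get((zone_of(src), zone_of(dst)), set())

def process_request(path, src, dst, port):
    """Steps 1-5 in order: find blockers, risk check, plan, push, validate."""
    blockers = blocking_devices(path, src, dst, port)
    if not blockers:
        return "already-allowed", []
    if not is_pre_approved(src, dst, port):
        return "escalate-to-human", blockers  # risk raised: nothing is pushed
    for dev in path:                          # plan: touch only blocking devices,
        if dev.name in blockers:              # so no duplicate rules are created
            dev.rules.append(Rule(f"{src}/32", f"{dst}/32", port, "allow"))  # push
    ok = not blocking_devices(path, src, dst, port)                        # validate
    return ("implemented" if ok else "validation-failed"), blockers

# Constructed sample path: edge firewall already allows the flow, core firewall blocks it.
PATH = [Device("fw-edge", [Rule("10.1.0.0/16", "10.2.0.0/16", 443, "allow")]),
        Device("fw-core")]
```

A request between zones with no pre-approved connectivity (dmz to db here) is never pushed; it returns the blocking devices so the escalation ticket can name them.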
CONSISTENT UNIFIED CHANGE PROCESS
• Hybrid environment
  • Virtual / Physical
  • Multiple Vendors
  • On-prem, Cloud, SDN
• All changes go through a single process
  • Risk checks and exception handling
• Avoid inconsistent/contradicting configurations
• All changes are fully documented, audit trail
DETECT OUT-OF-BAND CHANGES
• Verify all changes go through the process!
• Alert in case of out-of-band changes
• Monitor entire security infrastructure
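An added example, not from the original deck, of the out-of-band check described above: the policy a device should hold is rebuilt from the last approved baseline plus every change the process documented as implemented, then compared with the rule base read from the device, so rules added, removed or reordered outside the process raise alerts. The function names, the device name fw-core and the ticket id CR-1042 are all constructed.

```python
import json
from hashlib import sha256

def fingerprint(rules):
    """Order-sensitive hash of a rule base; a hash that differs from the last
    poll is the cheap trigger for the full comparison below."""
    return sha256(json.dumps(rules, sort_keys=True).encode()).hexdigest()

def expected_policy(baseline, change_log, device):
    """Rebuild what the device should hold: the last approved baseline plus
    every documented change that the process actually pushed to it."""
    rules = list(baseline[device])
    for change in change_log:
        if change["device"] == device and change["status"] == "implemented":
            rules = [r for r in rules if r not in change.get("removed", [])]
            rules.extend(change["added"])
    return rules

def detect_out_of_band(baseline, change_log, device, actual_rules):
    """Compare the documented policy with what the device really runs."""
    expected = expected_policy(baseline, change_log, device)
    if fingerprint(expected) == fingerprint(actual_rules):
        return []                                # nothing changed outside the process
    alerts = [f"{device}: rule added outside the process: {r}"
              for r in actual_rules if r not in expected]
    alerts += [f"{device}: documented rule missing from device: {r}"
               for r in expected if r not in actual_rules]
    if not alerts:                               # same rules, different order: still a change
        alerts.append(f"{device}: rule order changed outside the process")
    return alerts

# Constructed sample data (not real devices or tickets).
BASELINE = {"fw-core": [
    {"src": "10.2.0.0/16", "dst": "10.3.0.0/16", "port": 5432, "action": "allow"}]}
CHANGE_LOG = [{"id": "CR-1042", "device": "fw-core", "status": "implemented",
               "approved_by": "secops", "removed": [],
               "added": [{"src": "10.1.0.5/32", "dst": "10.2.0.9/32",
                          "port": 443, "action": "allow"}]}]
# What a poll of fw-core returned: the two documented rules plus one nobody requested.
ACTUAL_FW_CORE = BASELINE["fw-core"] + CHANGE_LOG[0]["added"] + [
    {"src": "0.0.0.0/0", "dst": "10.3.0.7/32", "port": 22, "action": "allow"}]
```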
DOCUMENTATION AND LOGGING
• Full audit trail
  • Including human approvals
• Compliance and audits
• Troubleshooting
• Ability to undo changes
SLA
• Track SLA
  • Issue alerts on SLA breaches
  • Periodic reports
STATISTICS
• Retain full statistics
• Allows further fine-tuning of the automation process
[Chart: change requests per month (Jan–Jul), zero touch vs. human intervention, and average change processing time (hours)]
DEPLOYMENT CONSIDERATIONS
DEFINING PRE-APPROVED SECURITY POLICY
• “More of the same”
• Low risk
• Specific environments, business applications, firewalls, requestors
• Compliance with organizational policy
• Compliance with regulatory standards
GAIN TRUST IN THE AUTOMATED SOLUTION
• Start with more control
• Gradually increase degree of automation
• Share quantitative data with all stake-holders
• Monitor and fine-tune
FINE TUNING
• Study statistics
  • What percentage of changes required human intervention?
  • Why?
  • How many SLA breaches?
• Consider widening pre-approved policy, if needed
[Chart: change requests per month, zero touch vs. human intervention]
SUMMARY
• The Balancing Act – Agility vs. Control
• How to Design a Security Policy Automation Solution
  • Built-in checks and balances
  • Unified consistent process
• Deployment Best Practices
MORE RESOURCES