SECURITY CHANGE MANAGEMENT: AGILITY VS. CONTROL

Anner Kushnir, VP Technology, AlgoSec


AGENDA

• Introduction

• The Balancing Act

• “Have Your Cake and Eat It”

• Security Policy Automation – Solution Requirements

• Deployment Considerations

• Summary


RUN FASTER!

• Constant demand for higher business agility

  • Deliver in minutes/hours, not weeks/months

• Change is the only constant

• Technology enablers

  • Continuous Integration/Deployment, DevOps

  • Virtualization

  • Cloud, Software Defined Networking (SDN)


PROTECT YOUR NETWORK BETTER!


• Attacks and breaches are constantly on the rise and more sophisticated

• Security must be stronger and tighter

• If not:

  • Service outages

  • Critical data leakage

  • Audits will fail

  • Your name in the news


CYBER ATTACK STATISTICS

“Data Breaches Increase 40 Percent in 2016” - Identity Theft Resource Center (ITRC) and CyberScout

“Of the 1,000 IT leaders polled for Invincea’s 2016 Cyberthreat Defense Report, three-quarters reported that their networks had been breached in the last year, and 62 percent said they expect to suffer a successful cyberattack at some point this year”

“More than 4,000 ransomware attacks have occurred every day since the beginning of 2016 (300% increase compared to 2015)” - Computer Crime and Intellectual Property Section (CCIPS)


THE BALANCING ACT

Business Agility

• Security is left behind, less strict, less control, processes not followed

• Audits may fail

• Boardroom unhappy

• Your name on the news

• Full automation

• DevOps and App developers are happy


THE BALANCING ACT

Security

• Security processes are fully retained (clear policy, approvals, full documentation)

• Control

• DevOps is “90% automatic”

• Business cannot run fast

• Security is a painful bottleneck


THE BALANCING ACT - REALITY


Trying to find the perfect balance:

• Both agility and security are affected

• Constant tension between Security and Apps teams


BUT WHAT IF YOU COULD…


HAVE YOUR CAKE AND EAT IT?


RESPONSIBLE AUTOMATION

• Automate, automate, automate

  • Zero-touch (when possible)

• Unified, single change process

• Security checks and balances baked into the automated process

• Escalation process

  • Human intervention (only) when needed

• Full documentation

• Statistics & SLAs


SECURITY POLICY AUTOMATION – SOLUTION REQUIREMENTS


AUTOMATION

Automate every step along the change process

• Enables zero-touch changes within minutes – business agility

• Saves time even when human intervention is required

• Avoid typos and mistakes

• Full and accurate documentation (for audit, undo change)


AUTOMATION – FIND RELEVANT SECURITY DEVICES

• Find which security devices are in the path, and are currently blocking the requested traffic

  • Firewall policies, Router ACLs, SDN segmentation, cloud security groups


AUTOMATION – RISK CHECK

• Define allowed connectivity between zones

  • Whatever is not pre-approved should raise a risk


AUTOMATION – PLAN CHANGE

• Vendor-specific decisions – choose policy, zones, ACLs, objects

• Implement in an optimal way (avoid rule/object duplications)

• Enforce naming conventions and best practices


AUTOMATION – PUSH CHANGE TO DEVICE

• Push change to device management (via APIs) or directly to the device (CLI), as available


AUTOMATION – VALIDATE CHANGE

• Verify change was implemented successfully and requested traffic is now allowed
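
The risk-check step and the zero-touch/escalation decision from the slides above, as an added example that is not part of the presentation or of any AlgoSec product. The zone ranges, the pre-approved matrix and the names `zones_of` and `risk_check` are hypothetical, and the sample addresses are constructed (IPv4 only).

```python
import ipaddress

# Constructed zone map and pre-approved matrix (assumptions, not from the slides).
ZONES = {
    "dmz": ipaddress.ip_network("10.10.0.0/16"),
    "app": ipaddress.ip_network("10.20.0.0/16"),
    "db": ipaddress.ip_network("10.30.0.0/16"),
}
# (source zone, destination zone) -> pre-approved (protocol, port) services
PRE_APPROVED = {
    ("dmz", "app"): {("tcp", 443), ("tcp", 8443)},
    ("app", "db"): {("tcp", 5432)},
}

def zones_of(cidr):
    """Zones a requested range touches, plus 'external' unless it fits inside one zone."""
    net = ipaddress.ip_network(cidr, strict=False)
    hits = {name for name, zone in ZONES.items() if net.overlaps(zone)}
    if not any(net.subnet_of(zone) for zone in ZONES.values()):
        hits.add("external")  # over-broad requests such as 0.0.0.0/0 land here
    return hits

def risk_check(request):
    """Return (decision, risks); any zone pair/service not pre-approved is a risk."""
    service = (request["protocol"], request["port"])
    risks = []
    for src in sorted(zones_of(request["source"])):
        for dst in sorted(zones_of(request["destination"])):
            if src == dst:
                continue  # assumption: traffic inside one zone crosses no boundary
            if service not in PRE_APPROVED.get((src, dst), set()):
                risks.append(f"{src}->{dst} {service[0]}/{service[1]} is not pre-approved")
    # No risks: implement without a human. Otherwise route to an approver.
    return ("escalate" if risks else "zero-touch"), risks

if __name__ == "__main__":
    for req in (
        {"source": "10.10.5.0/24", "destination": "10.20.1.10", "protocol": "tcp", "port": 443},
        {"source": "0.0.0.0/0", "destination": "10.20.1.10", "protocol": "tcp", "port": 443},
    ):
        print(req["source"], "->", req["destination"], risk_check(req))
```

A request whose source is wider than a single zone is evaluated against every zone it touches, so an "any" source cannot ride on a pre-approved pair.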


CONSISTENT UNIFIED CHANGE PROCESS

• Hybrid environment

  • Virtual / Physical

  • Multiple Vendors

  • On-prem, Cloud, SDN

• All changes go through a single process

  • Risk checks and exception handling

  • Avoid inconsistent/contradicting configurations

  • All changes are fully documented, audit trail


DETECT OUT-OF-BAND CHANGES

• Verify all changes go through the process!

• Alert in case of out-of-band changes

• Monitor entire security infrastructure
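
One way to detect out-of-band changes, shown as an added example rather than anything from the presentation: replay the approved change records from the audit trail into an expected rule set and compare it with what the device actually holds. The record layout, ticket ids, rule names and function names are hypothetical, and the sample data is constructed.

```python
import hashlib
import json

def fingerprint(rule):
    """Stable hash of a rule: ignores key order, letter case and the comment field."""
    canon = {k: str(v).strip().lower() for k, v in rule.items() if k != "comment"}
    return hashlib.sha256(json.dumps(canon, sort_keys=True).encode()).hexdigest()

def expected_state(audit_trail):
    """Replay approved change records, oldest first, into {fingerprint: ticket}."""
    state = {}
    for rec in audit_trail:
        fp = fingerprint(rec["rule"])
        if rec["action"] == "add":
            state[fp] = rec["ticket"]
        elif rec["action"] == "remove":
            state.pop(fp, None)
    return state

def out_of_band(device_rules, audit_trail):
    """Alerts for rules on the device with no ticket and ticketed rules that are gone."""
    expected = expected_state(audit_trail)
    live = {fingerprint(r): r for r in device_rules}
    alerts = [("approved-rule-missing", expected[fp]) for fp in expected.keys() - live.keys()]
    alerts += [("unapproved-rule", live[fp]["name"]) for fp in live.keys() - expected.keys()]
    return sorted(alerts)

# Constructed sample data: ticket ids, rule names and addresses are made up.
AUDIT_TRAIL = [
    {"ticket": "CR-1001", "action": "add",
     "rule": {"name": "web-to-app", "src": "10.10.0.0/16", "dst": "10.20.0.0/16", "svc": "tcp/443"}},
    {"ticket": "CR-1002", "action": "add",
     "rule": {"name": "app-to-db", "src": "10.20.0.0/16", "dst": "10.30.0.0/16", "svc": "tcp/5432"}},
]
DEVICE_RULES = [
    {"name": "WEB-TO-APP", "src": "10.10.0.0/16", "dst": "10.20.0.0/16", "svc": "TCP/443",
     "comment": "per CR-1001"},
    {"name": "temp-debug", "src": "0.0.0.0/0", "dst": "10.30.0.0/16", "svc": "tcp/22"},
]

if __name__ == "__main__":
    for kind, detail in out_of_band(DEVICE_RULES, AUDIT_TRAIL):
        print(kind, detail)
```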


DOCUMENTATION AND LOGGING

• Full audit trail

  • Including human approvals

• Compliance and audits

• Troubleshooting

• Ability to undo changes


SLA

• Track SLA

  • Issue alerts on SLA breaches

• Periodic reports


STATISTICS

• Retain full statistics

• Allows further fine-tuning of the automation process

[Charts: change requests, zero touch vs. human intervention; average change processing time (hours) by month, Jan to Jul]


DEPLOYMENT CONSIDERATIONS


DEFINING PRE-APPROVED SECURITY POLICY

• “More of the same”

• Low risk

• Specific environments, business applications, firewalls, requestors

• Compliance with organizational policy

• Compliance with regulatory standards


GAIN TRUST IN THE AUTOMATED SOLUTION

• Start with more control

• Gradually increase degree of automation

• Share quantitative data with all stakeholders

• Monitor and fine-tune


FINE TUNING

• Study statistics

  • What percentage of changes required human intervention?

  • Why?

  • How many SLA breaches?

• Consider widening pre-approved policy, if needed

[Chart: change requests, zero touch vs. human intervention]


SUMMARY


• The Balancing Act – Agility vs. Control

• How to Design a Security Policy Automation Solution

  • Built-in checks and balances

  • Unified consistent process

• Deployment Best Practices


MORE RESOURCES
