This is the first post in a new paper I’m writing. The entire paper is also posted on GitHub for direct feedback and suggestions. As an experiment, I prefer feedback on GitHub, but will also take it here, as usual.
The Demise of Network Security Has Been Greatly Exaggerated
DLP, IPS, NGFW, WAF. Chief Information Security Officers today suffer no shortage of network security tools to protect their environments, but most CISOs we talk with struggle to implement and maintain an effective network security program. They tell us it isn’t a lack of technologies or even necessarily resources (not that there are ever enough), but the inherent difficulties in defending a large, amorphous, business-critical asset with tendrils throughout the organization. It’s never as simple as magazine articles and conference presentations make it out to be.
Managing network security at scale is not easy, but the organizations that do it the best tend to follow a predictable, repeatable pattern. This paper distills those lessons into a pragmatic process designed for larger organizations and those with more complicated networks (such as medium-sized businesses with multiple locations). We won’t make the false claim that our process is magical or easy, but it’s certainly easier than many alternatives. Even if you only pick out a few tidbits, it should help you refine and operate your network security more efficiently.
The network is the aspect of our infrastructure that ties everything else together. The more we can do to efficiently and effectively secure it, the better.
Why Network Security Is So Darn Difficult
Networks and endpoints are the two most fundamental pieces of our IT infrastructure, yet despite decades of advancements they still consume a disproportionate amount of our security resources. First the good news – we are far more resilient to network attacks than even five years ago. The days of Internet-wide worms knocking down enterprises while script kiddies deface websites are mostly in the past. But every CISO knows establishing and maintaining network security is a constant challenge, even if they can’t always articulate why. We have narrowed down a handful of root causes, which this Pragmatic process is designed to address:
- Security and operations are divided. IT Operations is responsible for and manages the network, servers, endpoints, and applications, and information security is responsible for defending everything. Basically, security protects the enterprise from the outside – lacking insight into what is being protected, where it is, and how everything connects together. In many cases security doesn’t even know how all the pieces of the network are connected, but is still expected to manage firewall rules to protect it. Many of our recommendations are designed to bridge this divide without throwing away traditional organizational boundaries.
- Networks are dynamic and complex. Not only are new assets constantly joining and leaving the network, but its structure is never static, especially for larger organizations.
- Organic growth. All networks grow over time. Perhaps it’s a new office, extending a WiFi network, or an extra switch or router in the datacenter. Not all of these have major security implications but they add up over time.
- Mergers and acquisitions require blending resources, technologies, and different configurations.
- New technologies with different network requirements are constantly added, from a new remote access portal to an entire private cloud.
- We mix and match various security tools, often with overlapping functionality. This is sometimes a result of different branches of the company operating partially or completely autonomously, and other times results from turnover, project requirements, or keeping auditors happy.
- Needs change over time. Many organizations today are working on consolidating network perimeters, compartmentalizing internal networks, adding application awareness, expanding egress monitoring and filtering for breach and infection defenses, or adapting the network for cloud computing and eventually SDN. Network and network security technologies evolve to meet new business needs and evolving threats.
Our networks are large and complex, sometimes even when our organizations aren’t. They change constantly, as do the assets connected to them. Security doesn’t manage this infrastructure, but is tasked with protecting it. Network Security Management is about improving both security and efficiency to keep up.
From Blocking and Tackling to Integrated Defense
Our primary goal is to adopt processes that are flexible enough to account for an ever-changing network environment, while avoiding the constant firefighting that is so inefficient. The key isn’t any particular technology or security trick, but better integrating defenses into day-to-day management of the enterprise. What makes it pragmatic? The fact that the process is designed to work in the real world, without gutting or stumbling over organizational and bureaucratic divisions.
We get it – even if you are the CEO, there are limits to change. We have collected the best practices we have seen work in the real world, lining them up in a practical and achievable process that accounts for real-world restrictions. Our next sections will dig into the process. As we said earlier, pick and choose those which work for you.