Best Practices for Network Security Management
Gidi Cohen
CEO and Founder
Skybox Security
McAfee Focus
October 1, 2013
www.skyboxsecurity.com
© 2013 Skybox Security Inc. 2
Agenda
Skybox Security Introduction
Challenges for Network Security Today
– More critical, more complex
Practical Steps to Optimize Network Security Management Process
– The macro view - manage the enterprise network
– The micro view - manage every device
– Powerful analytics incorporating risk and vulnerabilities to identify attacks
– Change management at the core
Skybox Security Overview
Protect the Network and the Business
Visibility and Intelligence to decipher complicated network security interactions
Eliminate Attack Vectors to protect business services and data
Automate and Optimize complex security management processes
Powerful Risk Analytics for Cyber Security
“Skybox…considers risk to systems by taking into consideration the network topology and prioritizes vulnerabilities for remediation.”
– How to Assess Risk and Monitor Compliance for Network Security Policies, Gartner (2013)
High Performing Organizations Choose Skybox Security
Service Providers
Energy & Utilities
Government & Defense
Others
Financial Services
Network Security: Mission Impossible?
Your Mission: Continuously Maintain Network Security Controls in a Complex Environment
500 network devices
7 different vendor languages to deal with
25,000 FW rules
1,000 IPS signatures
55,000 nodes
65 daily network changes
Infrastructure spanning three continents
No room for error
While Meeting Challenging Expectations
Maintain Compliance
Keep Out Attackers
Enable New Services
Optimize Performance
Troubleshoot Efficiently
Traditional Tech – More Hindrance than Help?
Firewalls: Constant Changes
IPS: Is it effective?
Ping, Traceroute: Inefficient?
Vulnerability Data: How old?
Network Topology: Visualize?
Pen Test: Large Scale?
Time to Rethink Security
Rule 1: Network Security Management Requires a Macro View
Normalize all infrastructure data from multiple vendors
– Configs
– Hosts
– Assets
Enhance network visibility
– Model Topology
– Map to hosts
– Detect missing info
Update continuously
‘What if’ analysis
Highly Scalable Access Path Analysis
Access Analyzer takes into consideration:
– Routing
– NAT
– Firewall rules (ACL)
– VPN
Rule 2: Daily Device Management Requires a Micro View
Rule, access policy and config compliance
Take into account network complexities – segments/zones, routing, vendors, routers/switches/IPS, FWs
Optimize to streamline rule-set
NGFW Application Policy Management
Skybox Survey (2012): 46% enable BYOD and external social apps
• Enable automated policy compliance
• View access policy violations by application
• Block or limit access checks by applications
• Network modeling of users and applications
Rule 3: Attack Simulation to Identify Attack Vectors
Probable attack vector to Finance servers asset group
“Multi-step” attack, crossing several network zones
Connectivity Path
Attack Vector
How to Block Potential Attack?
Incorporate Vulnerability and Risks
Firewalls are not just firewalls
– IPS
– Anti-malware
– Application control
Today you need to understand risk, vulnerabilities, IPS signatures, applications, and availability needs
Verify Effective IPS Coverage
Skybox Survey (2012): 62% plan to use IPS in active protection mode
• Review and report on configuration of recent threats
• Understand overall signature coverage
• Activate only necessary signatures, maximize performance and prioritize vulnerabilities
Plan Contextual and Actionable Remediation
Install security patch on server
Change firewall access rule
Activate signature on IPS
Rule 4: Change Management Process is Key
Monitor changes
Troubleshoot access
Follow standard processes
Handle exceptions
Reconcile changes
Benefits:
– Continuously monitor change and minimize risks
– Link and automate security processes
Pre & Post Change Control: Capture, Assess, Design, Implement, Verify
Combined Effect: Verify Network Security Controls on a Continuous Basis
Network change exposes vulnerabilities
• CVE 2013-203
• CVE 2013-490
New attack scenario blocked by IPS
Unauthorized access path from Partner to Internal zone
Will change cause compliance or availability risks?
Firewall is allowing access to risky services
Skybox Security Integration with McAfee
Continuous monitoring of vulnerabilities
Risk-based prioritization
Risk metrics and reports
Remediation planning
Threat impact analysis
Continuous monitoring for compliance
Change management
Configuration management
Network visibility
Skybox Network Security Management
Skybox Vulnerability and Threat Management
Firewall Assurance
Network Assurance
Change Manager
Risk Control
Threat Manager
McAfee Firewall Enterprise
McAfee Stonesoft
McAfee Vulnerability Management
Unique Technology Delivers Business Value
Network Visibility: Non-disruptive network topology modeling & simulation
Predictive Risk Analytics: Network path analysis, multi-step attack simulation, KPI metrics
Extensive Integration: Over 70 network devices and management tools
Complete Platform: Consolidate security management solutions
Summary: Best Practices Checklist
1: Macro view - Consistent, comprehensive, up-to-date view of network topology at all times
2: Micro view - Have a detailed device-level view for granular control
3: Powerful Analytics, Attack simulation
– Leverage analytical tools to quickly find attack vectors and troubleshoot access
– Be responsive to changing risks – take vulnerability and threat data into account
4: Verify changes in advance
Questions & Answers
Thank you
www.skyboxsecurity.com