2
The Complex Maze of Network Security Policies
Challenge #1
30%
Manual,
Time-Consuming
Processes
Source: State of Network Security, AlgoSec, 2012
3
The Complex Maze of Network Security Policies
Challenge #1
30%
Manual,
Time-Consuming
Processes
Source: State of Network Security, AlgoSec, 2012
Challenge #2
22%
Lack of Visibility into
Security Policies
4
The Complex Maze of Network Security Policies
Challenge #1
30%
Manual,
Time-Consuming
Processes
Source: State of Network Security, AlgoSec, 2012
Challenge #2
22%
Lack of Visibility into
Security Policies
Challenge #3
16%
Poor Change
Management
Processes
Complexity Increases Misconfiguration Risk
Firewall risk survey
Risk versus complexity
42%
Small is Beautiful
Firewalls are Misconfigured
6
Source: Firewall Configuration Errors Revisited, Avishai Wool
Fast & Furious Firewall Changes… Can You Keep Up?
• 20-30% of changes are unneeded
• 5% implemented incorrectly
7
8
0.0%
10.0%
20.0%
30.0%
40.0%
50.0%
60.0%
Data breach System outage Failing an audit None of the above
An Out-of-Process Change Has Lead to…
8
Source: State of Network Security, AlgoSec, 2012
More than 50% of respondents said out-of-
band changes cause a system outage
9
New Technologies Add to the Complexity
• Virtualization of the Data Center
• Next-Generation Firewalls
Why Next-Generation Firewalls?
Traditional firewalls cannot tell the
difference between different…
and
10
11
We have a centralized-
management solution and/or
process
We have to manage NGFW policies separately from
traditional firewall policies
The additional controls of NGFWs
create additional policies that must
be managed
The added policy granularity requires more info to gather
for audits
Better Security… At a Price
76% of respondents said NGFWs increase
burden of managing firewall policies
11
Source: State of Network Security, AlgoSec, 2012
Whitelisting More secure
BUT…
More work
NGFW Policy Considerations
Blacklisting Less overhead & disruption
BUT…
Less Secure
12
VS.
Whitelisting More secure
BUT…
More work
NGFW Policy Considerations
Blacklisting Less overhead & disruption
BUT…
Less Secure
13
VS. Or Both!
The AlgoSec Security Management Suite (SMS)
14
• 60% reduction in change management costs
• 80% reduction in firewall auditing costs
• Improved security posture
• Improved troubleshooting and network availability
• Improved organizational alignment and accountability
Business Impact
16
Complex, Highly Segmented Network Environment
• Network has Evolved Over 20 Years
• Third-party domains
• Business-to-business connections
• More than 1,000 policy enforcement points
• Mergers and Acquisitions
• Aggressive consolidation
• Firewall Estate Growing in Size and Complexity
• Demonstrate firewall rules are still valid and authorized
• Ensure new rules are not allowed unless approved and authorized
• Technology landscape has shift
• Web-everything – lack of consistency
17
How Has BT Overcome these Challenges?
• Identified and Prioritized Criteria for Off-the-Shelf, Automated
Firewall Policy Management Solution
• Total Cost of Ownership
• Roadmap of features aligned to technology strategy
• Engagement - Willingness to Partner with BT
• Improved Network Security Visibility and Control
• Track down rogue connectivity or connectivity that was not understood
• Gain an immediate view of high-risk situations
• Reduce cycle-time and error rates
• Improve rule base implementation process
• Simplify audits through automatically generated compliance reports
• ‘Checks and Balances’ to demonstrate control
18
Lessons Learned and Recommendations
• Gain Control - complexity leads to weakness and cost
• Stale Process drives poor behavior
• Consider the culture of the company
• Easy to grow the rule base – much harder to shrink it
• Human error is a significant risk and cost
• Risk and compliance reporting to focus attention
• Leverage value from the toolset
• Utilize automation and control to improve security, not just cut cost
• 2012 State of Network Security – Report http://www.algosec.com/en/resources/network_security_2012
• Firewall Configuration Errors Revisited (Research by Prof. Avishai Wool) http://arxiv.org/abs/0911.1240
• Firewall Management ROI Calculator http://www.algosec.com/resources/roi_calculator/
• Evaluate the AlgoSec Security Management Suite AlgoSec.com/eval
Q&A and Additional Resources
20
Security Management. Made Smarter.
www.AlgoSec.com
Connect with AlgoSec on: