SlideShare una empresa de Scribd logo

The Firewall Policy Hangover: Alleviating Security Management Migraines

AlgoSec
AlgoSec

The Firewall Policy Hangover: Alleviating Security Management Migraines provides a brief history of the evolution of firewalls, examines how complexity leads to misconfiguration risk and concludes with a discussion on firewall policy management best practices and real-life lessons learned. Additionally, this presentation shares research from “The State of Network Security 2012” that examines: • the challenges of managing network security policies • the impact of changing business requirements • the benefits and limitations of emerging firewall technology

Tecnología
1 de 21
Descargar para leer sin conexión
The Firewall Policy Hangover: Alleviating Security Management Migraines
The Complex Maze of Network Security Policies Challenge #1 30% Manual, Time-Consuming Processes Source: State of Network Security, AlgoSec, 2012 2
The Complex Maze of Network Security Policies Challenge #1 30% Manual, Time-Consuming Processes Challenge #2 22% Lack of Visibility into Security Policies Source: State of Network Security, AlgoSec, 2012 3
The Complex Maze of Network Security Policies Challenge #1 30% Manual, Time-Consuming Processes Challenge #2 Challenge #3 22% 16% Lack of Visibility into Poor Change Security Policies Management Processes Source: State of Network Security, AlgoSec, 2012 4
The Complex Maze of Network Security Policies 5
Complexity Increases Misconfiguration Risk Firewall risk survey Small is Beautiful Risk versus complexity Firewalls are Misconfigured 42% Source: Firewall Configuration Errors Revisited, Avishai Wool 6
Fast & Furious Firewall Changes… Can You Keep Up? • 20-30% of changes are unneeded • 5% implemented incorrectly 7
An Out-of-Process Change Has Lead to… More than 50% of respondents said out-of- band changes cause a system outage 60.0% 50.0% 40.0% 30.0% 20.0% 10.0% 0.0% Data breach System outage Failing an audit None of the above Source: State of Network Security, AlgoSec, 2012 8 8
New Technologies Add to the Complexity • Virtualization of the Data Center • Next-Generation Firewalls 9
Why Next-Generation Firewalls? Traditional firewalls cannot tell the difference between different… and 10
Better Security… At a Price 76% of respondents said NGFWs increase burden of managing firewall policies The added policy We have a granularity requires centralized- more info to gather management for audits solution and/or process The additional controls of NGFWs We have to manage create additional NGFW policies policies that must separately from be managed traditional firewall policies Source: State of Network Security, AlgoSec, 2012 11 11
NGFW Policy Considerations Whitelisting Blacklisting More secure Less overhead & disruption BUT… BUT… VS. More work Less Secure 12
NGFW Policy Considerations Whitelisting Blacklisting More secure Less overhead & disruption BUT… Or Both! VS. BUT… More work Less Secure 13
The AlgoSec Security Management Suite (SMS) Business Impact • 60% reduction in change management costs • 80% reduction in firewall auditing costs • Improved security posture • Improved troubleshooting and network availability • Improved organizational alignment and accountability 14
Best Practices to Alleviate the Firewall Policy Management Migraine
Complex, Highly Segmented Network Environment • Network has Evolved Over 20 Years • Third-party domains • Business-to-business connections • More than 1,000 policy enforcement points • Mergers and Acquisitions • Aggressive consolidation • Firewall Estate Growing in Size and Complexity • Demonstrate firewall rules are still valid and authorized • Ensure new rules are not allowed unless approved and authorized • Technology landscape has shift • Web-everything – lack of consistency 16
How Has BT Overcome these Challenges? • Identified and Prioritized Criteria for Off-the-Shelf, Automated Firewall Policy Management Solution • Total Cost of Ownership • Roadmap of features aligned to technology strategy • Engagement - Willingness to Partner with BT • Improved Network Security Visibility and Control • Track down rogue connectivity or connectivity that was not understood • Gain an immediate view of high-risk situations • Reduce cycle-time and error rates • Improve rule base implementation process • Simplify audits through automatically generated compliance reports • ‘Checks and Balances’ to demonstrate control 17
Lessons Learned and Recommendations • Gain Control - complexity leads to weakness and cost • Stale Process drives poor behavior • Consider the culture of the company • Easy to grow the rule base – much harder to shrink it • Human error is a significant risk and cost • Risk and compliance reporting to focus attention • Leverage value from the toolset • Utilize automation and control to improve security, not just cut cost 18
Summary
Q&A and Additional Resources • 2012 State of Network Security – Report http://www.algosec.com/en/resources/network_security_2012 • Firewall Configuration Errors Revisited (Research by Prof. Avishai Wool) http://arxiv.org/abs/0911.1240 • Firewall Management ROI Calculator http://www.algosec.com/resources/roi_calculator/ • Evaluate the AlgoSec Security Management Suite AlgoSec.com/eval 20
Security Management. Made Smarter. www.AlgoSec.com Connect with AlgoSec on:

Recomendados

Squid, SquidGuard, and Lightsquid on pfSense 2.3 & 2.4 - pfSense Hangout Janu...
Squid, SquidGuard, and Lightsquid on pfSense 2.3 & 2.4 - pfSense Hangout Janu...Squid, SquidGuard, and Lightsquid on pfSense 2.3 & 2.4 - pfSense Hangout Janu...
Squid, SquidGuard, and Lightsquid on pfSense 2.3 & 2.4 - pfSense Hangout Janu...
Netgate
 
CIRCUIT 2015 - Akamai: Caching and Beyond
CIRCUIT 2015 - Akamai: Caching and BeyondCIRCUIT 2015 - Akamai: Caching and Beyond
CIRCUIT 2015 - Akamai: Caching and Beyond
ICF CIRCUIT
 
Introduction to DevSecOps on AWS
Introduction to DevSecOps on AWSIntroduction to DevSecOps on AWS
Introduction to DevSecOps on AWS
Amazon Web Services
 
Industrial Security.pdf
Industrial Security.pdfIndustrial Security.pdf
Industrial Security.pdf
AhmedRKhan
 
Identity & Access Management by K. K. Mookhey
Identity & Access Management by K. K. MookheyIdentity & Access Management by K. K. Mookhey
Identity & Access Management by K. K. Mookhey
Network Intelligence India
 
Sqs and loose coupling
Sqs and loose couplingSqs and loose coupling
Sqs and loose coupling
Sandip Chaudhari
 
Cloud versus On Premise
Cloud versus On PremiseCloud versus On Premise
Cloud versus On Premise
Co-Operative Systems
 
Data Migration Using AWS Snowball, Snowball Edge & Snowmobile
Data Migration Using AWS Snowball, Snowball Edge & SnowmobileData Migration Using AWS Snowball, Snowball Edge & Snowmobile
Data Migration Using AWS Snowball, Snowball Edge & Snowmobile
Amazon Web Services
 

Recomendados

Squid, SquidGuard, and Lightsquid on pfSense 2.3 & 2.4 - pfSense Hangout Janu...
Squid, SquidGuard, and Lightsquid on pfSense 2.3 & 2.4 - pfSense Hangout Janu...Squid, SquidGuard, and Lightsquid on pfSense 2.3 & 2.4 - pfSense Hangout Janu...
Squid, SquidGuard, and Lightsquid on pfSense 2.3 & 2.4 - pfSense Hangout Janu...
Netgate
 
CIRCUIT 2015 - Akamai: Caching and Beyond
CIRCUIT 2015 - Akamai: Caching and BeyondCIRCUIT 2015 - Akamai: Caching and Beyond
CIRCUIT 2015 - Akamai: Caching and Beyond
ICF CIRCUIT
 
Introduction to DevSecOps on AWS
Introduction to DevSecOps on AWSIntroduction to DevSecOps on AWS
Introduction to DevSecOps on AWS
Amazon Web Services
 
Industrial Security.pdf
Industrial Security.pdfIndustrial Security.pdf
Industrial Security.pdf
AhmedRKhan
 
Identity & Access Management by K. K. Mookhey
Identity & Access Management by K. K. MookheyIdentity & Access Management by K. K. Mookhey
Identity & Access Management by K. K. Mookhey
Network Intelligence India
 
Sqs and loose coupling
Sqs and loose couplingSqs and loose coupling
Sqs and loose coupling
Sandip Chaudhari
 
Cloud versus On Premise
Cloud versus On PremiseCloud versus On Premise
Cloud versus On Premise
Co-Operative Systems
 
Data Migration Using AWS Snowball, Snowball Edge & Snowmobile
Data Migration Using AWS Snowball, Snowball Edge & SnowmobileData Migration Using AWS Snowball, Snowball Edge & Snowmobile
Data Migration Using AWS Snowball, Snowball Edge & Snowmobile
Amazon Web Services
 
Mission (Not) Impossible: Applying NIST 800-53 High Impact-Controls on AWS fo...
Mission (Not) Impossible: Applying NIST 800-53 High Impact-Controls on AWS fo...Mission (Not) Impossible: Applying NIST 800-53 High Impact-Controls on AWS fo...
Mission (Not) Impossible: Applying NIST 800-53 High Impact-Controls on AWS fo...
Amazon Web Services
 
AWS Snowball
AWS SnowballAWS Snowball
AWS Snowball
zekeLabs Technologies
 
Key Policy Considerations When Implementing Next-Generation Firewalls
Key Policy Considerations When Implementing Next-Generation FirewallsKey Policy Considerations When Implementing Next-Generation Firewalls
Key Policy Considerations When Implementing Next-Generation Firewalls
AlgoSec
 
Aws kms in 10 minutes
Aws kms in 10 minutesAws kms in 10 minutes
Aws kms in 10 minutes
Rajendran Senapathi
 
Identity and Access Management
Identity and Access ManagementIdentity and Access Management
Identity and Access Management
Prashanth BS
 
Secure Systems Security and ISA99- IEC62443
Secure Systems Security and ISA99- IEC62443Secure Systems Security and ISA99- IEC62443
Secure Systems Security and ISA99- IEC62443
Yokogawa1
 
Citrix TechEdge 2014 - How to Troubleshoot Deployments of StoreFront and NetS...
Citrix TechEdge 2014 - How to Troubleshoot Deployments of StoreFront and NetS...Citrix TechEdge 2014 - How to Troubleshoot Deployments of StoreFront and NetS...
Citrix TechEdge 2014 - How to Troubleshoot Deployments of StoreFront and NetS...
David McGeough
 
Why you should replace your d do s hardware appliance
Why you should replace your d do s hardware applianceWhy you should replace your d do s hardware appliance
Why you should replace your d do s hardware appliance
Cloudflare
 
Forcepoint SD-WAN and NGFW + IPS
Forcepoint SD-WAN and NGFW + IPSForcepoint SD-WAN and NGFW + IPS
Forcepoint SD-WAN and NGFW + IPS
Larry Austin
 
Protecting Your Data With AWS KMS and AWS CloudHSM
Protecting Your Data With AWS KMS and AWS CloudHSM Protecting Your Data With AWS KMS and AWS CloudHSM
Protecting Your Data With AWS KMS and AWS CloudHSM
Amazon Web Services
 
Introduction: CISSP Certification
Introduction: CISSP CertificationIntroduction: CISSP Certification
Introduction: CISSP Certification
Sam Bowne
 
HITRUST 101: All the basics you need to know
HITRUST 101: All the basics you need to knowHITRUST 101: All the basics you need to know
HITRUST 101: All the basics you need to know
➲ Stella Bridges
 
Software Defined WAN – SD-WAN
Software Defined WAN – SD-WANSoftware Defined WAN – SD-WAN
Software Defined WAN – SD-WAN
MarketingArrowECS_CZ
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
James Wickett
 
Infoblox Secure DNS Solution
Infoblox Secure DNS SolutionInfoblox Secure DNS Solution
Infoblox Secure DNS Solution
Srikrupa Srivatsan
 
cloud-migrations.pptx
cloud-migrations.pptxcloud-migrations.pptx
cloud-migrations.pptx
John Mulhall
 
PCI-DSS_Overview
PCI-DSS_OverviewPCI-DSS_Overview
PCI-DSS_Overview
sameh Abulfotooh
 
Encryption and Key Management in AWS
Encryption and Key Management in AWSEncryption and Key Management in AWS
Encryption and Key Management in AWS
Amazon Web Services
 
9 Security Best Practices
9 Security Best Practices9 Security Best Practices
9 Security Best Practices
Amazon Web Services
 
Kubernetes Security for AppSec Professionals
Kubernetes Security for AppSec ProfessionalsKubernetes Security for AppSec Professionals
Kubernetes Security for AppSec Professionals
Dharshin De Silva
 
Industrial Cyber Security: What is Application Whitelisting?
Industrial Cyber Security: What is Application Whitelisting?Industrial Cyber Security: What is Application Whitelisting?
Industrial Cyber Security: What is Application Whitelisting?
honeywellgf
 
Tune in for the Ultimate WAF Torture Test: Bots Attack!
Tune in for the Ultimate WAF Torture Test: Bots Attack!Tune in for the Ultimate WAF Torture Test: Bots Attack!
Tune in for the Ultimate WAF Torture Test: Bots Attack!
Distil Networks
 

Más contenido relacionado

La actualidad más candente

Mission (Not) Impossible: Applying NIST 800-53 High Impact-Controls on AWS fo...
Mission (Not) Impossible: Applying NIST 800-53 High Impact-Controls on AWS fo...Mission (Not) Impossible: Applying NIST 800-53 High Impact-Controls on AWS fo...
Mission (Not) Impossible: Applying NIST 800-53 High Impact-Controls on AWS fo...
Amazon Web Services
 
Secure Systems Security and ISA99- IEC62443
Secure Systems Security and ISA99- IEC62443Secure Systems Security and ISA99- IEC62443
Secure Systems Security and ISA99- IEC62443
Yokogawa1
 

La actualidad más candente (20)

Mission (Not) Impossible: Applying NIST 800-53 High Impact-Controls on AWS fo...
Mission (Not) Impossible: Applying NIST 800-53 High Impact-Controls on AWS fo...Mission (Not) Impossible: Applying NIST 800-53 High Impact-Controls on AWS fo...
Mission (Not) Impossible: Applying NIST 800-53 High Impact-Controls on AWS fo...
 
AWS Snowball
AWS SnowballAWS Snowball
AWS Snowball
 
Key Policy Considerations When Implementing Next-Generation Firewalls
Key Policy Considerations When Implementing Next-Generation FirewallsKey Policy Considerations When Implementing Next-Generation Firewalls
Key Policy Considerations When Implementing Next-Generation Firewalls
 
Aws kms in 10 minutes
Aws kms in 10 minutesAws kms in 10 minutes
Aws kms in 10 minutes
 
Identity and Access Management
Identity and Access ManagementIdentity and Access Management
Identity and Access Management
 
Secure Systems Security and ISA99- IEC62443
Secure Systems Security and ISA99- IEC62443Secure Systems Security and ISA99- IEC62443
Secure Systems Security and ISA99- IEC62443
 
Citrix TechEdge 2014 - How to Troubleshoot Deployments of StoreFront and NetS...
Citrix TechEdge 2014 - How to Troubleshoot Deployments of StoreFront and NetS...Citrix TechEdge 2014 - How to Troubleshoot Deployments of StoreFront and NetS...
Citrix TechEdge 2014 - How to Troubleshoot Deployments of StoreFront and NetS...
 
Why you should replace your d do s hardware appliance
Why you should replace your d do s hardware applianceWhy you should replace your d do s hardware appliance
Why you should replace your d do s hardware appliance
 
Forcepoint SD-WAN and NGFW + IPS
Forcepoint SD-WAN and NGFW + IPSForcepoint SD-WAN and NGFW + IPS
Forcepoint SD-WAN and NGFW + IPS
 
Protecting Your Data With AWS KMS and AWS CloudHSM
Protecting Your Data With AWS KMS and AWS CloudHSM Protecting Your Data With AWS KMS and AWS CloudHSM
Protecting Your Data With AWS KMS and AWS CloudHSM
 
Introduction: CISSP Certification
Introduction: CISSP CertificationIntroduction: CISSP Certification
Introduction: CISSP Certification
 
HITRUST 101: All the basics you need to know
HITRUST 101: All the basics you need to knowHITRUST 101: All the basics you need to know
HITRUST 101: All the basics you need to know
 
Software Defined WAN – SD-WAN
Software Defined WAN – SD-WANSoftware Defined WAN – SD-WAN
Software Defined WAN – SD-WAN
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
 
Infoblox Secure DNS Solution
Infoblox Secure DNS SolutionInfoblox Secure DNS Solution
Infoblox Secure DNS Solution
 
cloud-migrations.pptx
cloud-migrations.pptxcloud-migrations.pptx
cloud-migrations.pptx
 
PCI-DSS_Overview
PCI-DSS_OverviewPCI-DSS_Overview
PCI-DSS_Overview
 
Encryption and Key Management in AWS
Encryption and Key Management in AWSEncryption and Key Management in AWS
Encryption and Key Management in AWS
 
9 Security Best Practices
9 Security Best Practices9 Security Best Practices
9 Security Best Practices
 
Kubernetes Security for AppSec Professionals
Kubernetes Security for AppSec ProfessionalsKubernetes Security for AppSec Professionals
Kubernetes Security for AppSec Professionals
 

Destacado

Tune in for the Ultimate WAF Torture Test: Bots Attack!
Tune in for the Ultimate WAF Torture Test: Bots Attack!Tune in for the Ultimate WAF Torture Test: Bots Attack!
Tune in for the Ultimate WAF Torture Test: Bots Attack!
Distil Networks
 
PRESENTATION▶ Cyber Security Services (CSS): Security Simulation
PRESENTATION▶ Cyber Security Services (CSS): Security SimulationPRESENTATION▶ Cyber Security Services (CSS): Security Simulation
PRESENTATION▶ Cyber Security Services (CSS): Security Simulation
Symantec
 
Cyber security , an Analysis of State Security in Sri Lanka
Cyber security , an Analysis of State Security in Sri LankaCyber security , an Analysis of State Security in Sri Lanka
Cyber security , an Analysis of State Security in Sri Lanka
Evan Pathiratne
 

Destacado (20)

Industrial Cyber Security: What is Application Whitelisting?
Industrial Cyber Security: What is Application Whitelisting?Industrial Cyber Security: What is Application Whitelisting?
Industrial Cyber Security: What is Application Whitelisting?
 
Tune in for the Ultimate WAF Torture Test: Bots Attack!
Tune in for the Ultimate WAF Torture Test: Bots Attack!Tune in for the Ultimate WAF Torture Test: Bots Attack!
Tune in for the Ultimate WAF Torture Test: Bots Attack!
 
Digital strategy - security
Digital strategy - securityDigital strategy - security
Digital strategy - security
 
Funny miss la sen hand sketching
Funny miss la sen hand sketchingFunny miss la sen hand sketching
Funny miss la sen hand sketching
 
Network firewall function & benefits
Network firewall function & benefitsNetwork firewall function & benefits
Network firewall function & benefits
 
ARC's Bob Mick Cyber Security Presentation @ ARC Industry Forum 2010
ARC's Bob Mick Cyber Security Presentation @ ARC Industry Forum 2010ARC's Bob Mick Cyber Security Presentation @ ARC Industry Forum 2010
ARC's Bob Mick Cyber Security Presentation @ ARC Industry Forum 2010
 
Firewall and its types and function
Firewall and its types and functionFirewall and its types and function
Firewall and its types and function
 
Cyber Security: Protecting Today's Mission Critical Public Safety Networks
Cyber Security: Protecting Today's Mission Critical Public Safety NetworksCyber Security: Protecting Today's Mission Critical Public Safety Networks
Cyber Security: Protecting Today's Mission Critical Public Safety Networks
 
Firewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth FirewallsFirewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth Firewalls
 
PRESENTATION▶ Cyber Security Services (CSS): Security Simulation
PRESENTATION▶ Cyber Security Services (CSS): Security SimulationPRESENTATION▶ Cyber Security Services (CSS): Security Simulation
PRESENTATION▶ Cyber Security Services (CSS): Security Simulation
 
Cyber Warfare vs. Hacking (in English)
Cyber Warfare vs. Hacking (in English)Cyber Warfare vs. Hacking (in English)
Cyber Warfare vs. Hacking (in English)
 
Internet and Society: Internet Use And Digital Divide
Internet and Society: Internet Use And Digital DivideInternet and Society: Internet Use And Digital Divide
Internet and Society: Internet Use And Digital Divide
 
Palo Alto Networks 28.5.2013
Palo Alto Networks 28.5.2013Palo Alto Networks 28.5.2013
Palo Alto Networks 28.5.2013
 
Cyber security , an Analysis of State Security in Sri Lanka
Cyber security , an Analysis of State Security in Sri LankaCyber security , an Analysis of State Security in Sri Lanka
Cyber security , an Analysis of State Security in Sri Lanka
 
Cyber Security Awareness Program
Cyber Security Awareness ProgramCyber Security Awareness Program
Cyber Security Awareness Program
 
Cyber Security Awareness (Reduce Personal & Business Risk)
Cyber Security Awareness (Reduce Personal & Business Risk)Cyber Security Awareness (Reduce Personal & Business Risk)
Cyber Security Awareness (Reduce Personal & Business Risk)
 
Palo Alto Networks y la tecnología de Next Generation Firewall
Palo Alto Networks y la tecnología de Next Generation FirewallPalo Alto Networks y la tecnología de Next Generation Firewall
Palo Alto Networks y la tecnología de Next Generation Firewall
 
NACCTFO Cyber Security Presentation 2014 New Orleans
NACCTFO Cyber Security Presentation 2014 New OrleansNACCTFO Cyber Security Presentation 2014 New Orleans
NACCTFO Cyber Security Presentation 2014 New Orleans
 
Prensentasi indosat
Prensentasi indosatPrensentasi indosat
Prensentasi indosat
 
ISACA SLOVENIA CHAPTER October 2016 - Lubiana
ISACA SLOVENIA CHAPTER October 2016 - LubianaISACA SLOVENIA CHAPTER October 2016 - Lubiana
ISACA SLOVENIA CHAPTER October 2016 - Lubiana
 

Similar a The Firewall Policy Hangover: Alleviating Security Management Migraines

3 steps to gain control of cloud security
3 steps to gain control of cloud security 3 steps to gain control of cloud security
3 steps to gain control of cloud security
SBWebinars
 
Simplifying Security Management in the Virtual Data Center
Simplifying Security Management in the Virtual Data CenterSimplifying Security Management in the Virtual Data Center
Simplifying Security Management in the Virtual Data Center
AlgoSec
 
Revealing the State of Network Configuration Management & Automation in the E...
Revealing the State of Network Configuration Management & Automation in the E...Revealing the State of Network Configuration Management & Automation in the E...
Revealing the State of Network Configuration Management & Automation in the E...
Itential
 
NetSecOps: Aligning Networking and Security Teams to Ensure Digital Transform...
NetSecOps: Aligning Networking and Security Teams to Ensure Digital Transform...NetSecOps: Aligning Networking and Security Teams to Ensure Digital Transform...
NetSecOps: Aligning Networking and Security Teams to Ensure Digital Transform...
Enterprise Management Associates
 
Security in the cloud planning guide
Security in the cloud planning guideSecurity in the cloud planning guide
Security in the cloud planning guide
Yury Chemerkin
 
Best Practices for Network Security Management
Best Practices for Network Security Management Best Practices for Network Security Management
Best Practices for Network Security Management
Skybox Security
 
Reaching For The Cloud Wp101366
Reaching For The Cloud Wp101366Reaching For The Cloud Wp101366
Reaching For The Cloud Wp101366
Erik Ginalick
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptx
VictoriaChavesta
 
Sheet1Country ACountry BProduct 110 Reds9 GreensProduct 22 Reds2.2.docx
Sheet1Country ACountry BProduct 110 Reds9 GreensProduct 22 Reds2.2.docxSheet1Country ACountry BProduct 110 Reds9 GreensProduct 22 Reds2.2.docx
Sheet1Country ACountry BProduct 110 Reds9 GreensProduct 22 Reds2.2.docx
edgar6wallace88877
 
Sondaggio smart meter
Sondaggio smart meterSondaggio smart meter
Sondaggio smart meter
canaleenergia
 

Similar a The Firewall Policy Hangover: Alleviating Security Management Migraines (20)

3 steps to gain control of cloud security
3 steps to gain control of cloud security 3 steps to gain control of cloud security
3 steps to gain control of cloud security
 
Simplifying Security Management in the Virtual Data Center
Simplifying Security Management in the Virtual Data CenterSimplifying Security Management in the Virtual Data Center
Simplifying Security Management in the Virtual Data Center
 
Revealing the State of Network Configuration Management & Automation in the E...
Revealing the State of Network Configuration Management & Automation in the E...Revealing the State of Network Configuration Management & Automation in the E...
Revealing the State of Network Configuration Management & Automation in the E...
 
NetSecOps: Aligning Networking and Security Teams to Ensure Digital Transform...
NetSecOps: Aligning Networking and Security Teams to Ensure Digital Transform...NetSecOps: Aligning Networking and Security Teams to Ensure Digital Transform...
NetSecOps: Aligning Networking and Security Teams to Ensure Digital Transform...
 
Cloud native patterns antipatterns
Cloud native patterns antipatternsCloud native patterns antipatterns
Cloud native patterns antipatterns
 
VMworld 2014: The Goldilocks Zone
VMworld 2014: The Goldilocks ZoneVMworld 2014: The Goldilocks Zone
VMworld 2014: The Goldilocks Zone
 
Whitepaper - Data Security while outsourcing
Whitepaper - Data Security while outsourcingWhitepaper - Data Security while outsourcing
Whitepaper - Data Security while outsourcing
 
VMware Cloud Infrastructure and Management on NetApp
VMware Cloud Infrastructure and Management on NetAppVMware Cloud Infrastructure and Management on NetApp
VMware Cloud Infrastructure and Management on NetApp
 
Security in the cloud planning guide
Security in the cloud planning guideSecurity in the cloud planning guide
Security in the cloud planning guide
 
Taking the fire drill out of making firewall changes
Taking the fire drill out of making firewall changesTaking the fire drill out of making firewall changes
Taking the fire drill out of making firewall changes
 
Best Practices for Network Security Management
Best Practices for Network Security Management Best Practices for Network Security Management
Best Practices for Network Security Management
 
Reaching For The Cloud Wp101366
Reaching For The Cloud Wp101366Reaching For The Cloud Wp101366
Reaching For The Cloud Wp101366
 
Migrating To Cloud & Security @ FOBE 2011
Migrating To Cloud & Security @ FOBE 2011Migrating To Cloud & Security @ FOBE 2011
Migrating To Cloud & Security @ FOBE 2011
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptx
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptx
 
Democratize Observability with Software Defined Packet Brokers
Democratize Observability with Software Defined Packet BrokersDemocratize Observability with Software Defined Packet Brokers
Democratize Observability with Software Defined Packet Brokers
 
5 Clear Signs You Need Security Policy Automation
5 Clear Signs You Need Security Policy Automation5 Clear Signs You Need Security Policy Automation
5 Clear Signs You Need Security Policy Automation
 
Sheet1Country ACountry BProduct 110 Reds9 GreensProduct 22 Reds2.2.docx
Sheet1Country ACountry BProduct 110 Reds9 GreensProduct 22 Reds2.2.docxSheet1Country ACountry BProduct 110 Reds9 GreensProduct 22 Reds2.2.docx
Sheet1Country ACountry BProduct 110 Reds9 GreensProduct 22 Reds2.2.docx
 
Zero Trust Framework for Network Security​
Zero Trust Framework for Network Security​Zero Trust Framework for Network Security​
Zero Trust Framework for Network Security​
 
Sondaggio smart meter
Sondaggio smart meterSondaggio smart meter
Sondaggio smart meter
 

Más de AlgoSec

The state of the cloud csa survey webinar
The state of the cloud csa survey webinarThe state of the cloud csa survey webinar
The state of the cloud csa survey webinar
AlgoSec
 
2021 01-27 reducing risk of ransomware webinar
2021 01-27 reducing risk of ransomware webinar2021 01-27 reducing risk of ransomware webinar
2021 01-27 reducing risk of ransomware webinar
AlgoSec
 
Cloud migrations made simpler safe secure and successful migrations
Cloud migrations made simpler safe secure and successful migrationsCloud migrations made simpler safe secure and successful migrations
Cloud migrations made simpler safe secure and successful migrations
AlgoSec
 
Microsegmentation from strategy to execution
Microsegmentation from strategy to executionMicrosegmentation from strategy to execution
Microsegmentation from strategy to execution
AlgoSec
 
Build and enforce defense in depth - an algo sec-cisco tetration webinar
Build and enforce defense in depth - an algo sec-cisco tetration webinarBuild and enforce defense in depth - an algo sec-cisco tetration webinar
Build and enforce defense in depth - an algo sec-cisco tetration webinar
AlgoSec
 
Radically reduce firewall rules with application-driven rule recertification
Radically reduce firewall rules with application-driven rule recertificationRadically reduce firewall rules with application-driven rule recertification
Radically reduce firewall rules with application-driven rule recertification
AlgoSec
 
Cessation of Misconfigurations: Common Network Misconfiguration Risks & How t...
Cessation of Misconfigurations: Common Network Misconfiguration Risks & How t...Cessation of Misconfigurations: Common Network Misconfiguration Risks & How t...
Cessation of Misconfigurations: Common Network Misconfiguration Risks & How t...
AlgoSec
 
Put out audit security fires, pass audits -every time
Put out audit security fires, pass audits -every time Put out audit security fires, pass audits -every time
Put out audit security fires, pass audits -every time
AlgoSec
 
Cisco ACI & Hybrid Networks - Breaking Down Silos with Central Policy Management
Cisco ACI & Hybrid Networks - Breaking Down Silos with Central Policy ManagementCisco ACI & Hybrid Networks - Breaking Down Silos with Central Policy Management
Cisco ACI & Hybrid Networks - Breaking Down Silos with Central Policy Management
AlgoSec
 
2019 08-13 selecting the right security policy management solution
2019 08-13 selecting the right security policy management solution2019 08-13 selecting the right security policy management solution
2019 08-13 selecting the right security policy management solution
AlgoSec
 
2019 02-20 micro-segmentation based network security strategies (yoni geva)
2019 02-20 micro-segmentation based network security strategies (yoni geva)2019 02-20 micro-segmentation based network security strategies (yoni geva)
2019 02-20 micro-segmentation based network security strategies (yoni geva)
AlgoSec
 

Más de AlgoSec (20)

best practices-managing_security_in_the hybrid cloud
best practices-managing_security_in_the hybrid cloud best practices-managing_security_in_the hybrid cloud
best practices-managing_security_in_the hybrid cloud
 
compliance made easy. pass your audits stress-free webinar
compliance made easy. pass your audits stress-free webinarcompliance made easy. pass your audits stress-free webinar
compliance made easy. pass your audits stress-free webinar
 
The state of the cloud csa survey webinar
The state of the cloud csa survey webinarThe state of the cloud csa survey webinar
The state of the cloud csa survey webinar
 
2021 02-17 v mware-algo-sec securely accelerate your digital transformation w...
2021 02-17 v mware-algo-sec securely accelerate your digital transformation w...2021 02-17 v mware-algo-sec securely accelerate your digital transformation w...
2021 02-17 v mware-algo-sec securely accelerate your digital transformation w...
 
2021 01-27 reducing risk of ransomware webinar
2021 01-27 reducing risk of ransomware webinar2021 01-27 reducing risk of ransomware webinar
2021 01-27 reducing risk of ransomware webinar
 
Compliance made easy. Pass your audits stress-free.
Compliance made easy. Pass your audits stress-free.Compliance made easy. Pass your audits stress-free.
Compliance made easy. Pass your audits stress-free.
 
2021 01-13 reducing risk-of_ransomware
2021 01-13 reducing risk-of_ransomware2021 01-13 reducing risk-of_ransomware
2021 01-13 reducing risk-of_ransomware
 
Cloud migrations made simpler safe secure and successful migrations
Cloud migrations made simpler safe secure and successful migrationsCloud migrations made simpler safe secure and successful migrations
Cloud migrations made simpler safe secure and successful migrations
 
Microsegmentation from strategy to execution
Microsegmentation from strategy to executionMicrosegmentation from strategy to execution
Microsegmentation from strategy to execution
 
Build and enforce defense in depth - an algo sec-cisco tetration webinar
Build and enforce defense in depth - an algo sec-cisco tetration webinarBuild and enforce defense in depth - an algo sec-cisco tetration webinar
Build and enforce defense in depth - an algo sec-cisco tetration webinar
 
Radically reduce firewall rules with application-driven rule recertification
Radically reduce firewall rules with application-driven rule recertificationRadically reduce firewall rules with application-driven rule recertification
Radically reduce firewall rules with application-driven rule recertification
 
2020 09-30 overcoming the challenges of managing a hybrid environment - aws a...
2020 09-30 overcoming the challenges of managing a hybrid environment - aws a...2020 09-30 overcoming the challenges of managing a hybrid environment - aws a...
2020 09-30 overcoming the challenges of managing a hybrid environment - aws a...
 
2020 04-07 webinar slides -turning network security alerts into action change...
2020 04-07 webinar slides -turning network security alerts into action change...2020 04-07 webinar slides -turning network security alerts into action change...
2020 04-07 webinar slides -turning network security alerts into action change...
 
Cessation of Misconfigurations: Common Network Misconfiguration Risks & How t...
Cessation of Misconfigurations: Common Network Misconfiguration Risks & How t...Cessation of Misconfigurations: Common Network Misconfiguration Risks & How t...
Cessation of Misconfigurations: Common Network Misconfiguration Risks & How t...
 
Put out audit security fires, pass audits -every time
Put out audit security fires, pass audits -every time Put out audit security fires, pass audits -every time
Put out audit security fires, pass audits -every time
 
Cisco ACI & Hybrid Networks - Breaking Down Silos with Central Policy Management
Cisco ACI & Hybrid Networks - Breaking Down Silos with Central Policy ManagementCisco ACI & Hybrid Networks - Breaking Down Silos with Central Policy Management
Cisco ACI & Hybrid Networks - Breaking Down Silos with Central Policy Management
 
2019 08-13 selecting the right security policy management solution
2019 08-13 selecting the right security policy management solution2019 08-13 selecting the right security policy management solution
2019 08-13 selecting the right security policy management solution
 
2019 06-26 effective multi-vendor management -fortinet algo sec webinar final
2019 06-26 effective multi-vendor management -fortinet algo sec webinar final2019 06-26 effective multi-vendor management -fortinet algo sec webinar final
2019 06-26 effective multi-vendor management -fortinet algo sec webinar final
 
Cisco Firepower Migration | Cisco and AlgoSec Joint Webinar
Cisco Firepower Migration | Cisco and AlgoSec Joint WebinarCisco Firepower Migration | Cisco and AlgoSec Joint Webinar
Cisco Firepower Migration | Cisco and AlgoSec Joint Webinar
 
2019 02-20 micro-segmentation based network security strategies (yoni geva)
2019 02-20 micro-segmentation based network security strategies (yoni geva)2019 02-20 micro-segmentation based network security strategies (yoni geva)
2019 02-20 micro-segmentation based network security strategies (yoni geva)
 

Último

Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 

Último (20)

Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 

The Firewall Policy Hangover: Alleviating Security Management Migraines

  • 1. The Firewall Policy Hangover: Alleviating Security Management Migraines
  • 2. The Complex Maze of Network Security Policies Challenge #1 30% Manual, Time-Consuming Processes Source: State of Network Security, AlgoSec, 2012 2
  • 3. The Complex Maze of Network Security Policies Challenge #1 30% Manual, Time-Consuming Processes Challenge #2 22% Lack of Visibility into Security Policies Source: State of Network Security, AlgoSec, 2012 3
  • 4. The Complex Maze of Network Security Policies Challenge #1 30% Manual, Time-Consuming Processes Challenge #2 Challenge #3 22% 16% Lack of Visibility into Poor Change Security Policies Management Processes Source: State of Network Security, AlgoSec, 2012 4
  • 5. The Complex Maze of Network Security Policies 5
  • 6. Complexity Increases Misconfiguration Risk Firewall risk survey Small is Beautiful Risk versus complexity Firewalls are Misconfigured 42% Source: Firewall Configuration Errors Revisited, Avishai Wool 6
  • 7. Fast & Furious Firewall Changes… Can You Keep Up? • 20-30% of changes are unneeded • 5% implemented incorrectly 7
  • 8. An Out-of-Process Change Has Lead to… More than 50% of respondents said out-of- band changes cause a system outage 60.0% 50.0% 40.0% 30.0% 20.0% 10.0% 0.0% Data breach System outage Failing an audit None of the above Source: State of Network Security, AlgoSec, 2012 8 8
  • 9. New Technologies Add to the Complexity • Virtualization of the Data Center • Next-Generation Firewalls 9
  • 10. Why Next-Generation Firewalls? Traditional firewalls cannot tell the difference between different… and 10
  • 11. Better Security… At a Price 76% of respondents said NGFWs increase burden of managing firewall policies The added policy We have a granularity requires centralized- more info to gather management for audits solution and/or process The additional controls of NGFWs We have to manage create additional NGFW policies policies that must separately from be managed traditional firewall policies Source: State of Network Security, AlgoSec, 2012 11 11
  • 12. NGFW Policy Considerations Whitelisting Blacklisting More secure Less overhead & disruption BUT… BUT… VS. More work Less Secure 12
  • 13. NGFW Policy Considerations Whitelisting Blacklisting More secure Less overhead & disruption BUT… Or Both! VS. BUT… More work Less Secure 13
  • 14. The AlgoSec Security Management Suite (SMS) Business Impact • 60% reduction in change management costs • 80% reduction in firewall auditing costs • Improved security posture • Improved troubleshooting and network availability • Improved organizational alignment and accountability 14
  • 15. Best Practices to Alleviate the Firewall Policy Management Migraine
  • 16. Complex, Highly Segmented Network Environment • Network has Evolved Over 20 Years • Third-party domains • Business-to-business connections • More than 1,000 policy enforcement points • Mergers and Acquisitions • Aggressive consolidation • Firewall Estate Growing in Size and Complexity • Demonstrate firewall rules are still valid and authorized • Ensure new rules are not allowed unless approved and authorized • Technology landscape has shift • Web-everything – lack of consistency 16
  • 17. How Has BT Overcome these Challenges? • Identified and Prioritized Criteria for Off-the-Shelf, Automated Firewall Policy Management Solution • Total Cost of Ownership • Roadmap of features aligned to technology strategy • Engagement - Willingness to Partner with BT • Improved Network Security Visibility and Control • Track down rogue connectivity or connectivity that was not understood • Gain an immediate view of high-risk situations • Reduce cycle-time and error rates • Improve rule base implementation process • Simplify audits through automatically generated compliance reports • ‘Checks and Balances’ to demonstrate control 17
  • 18. Lessons Learned and Recommendations • Gain Control - complexity leads to weakness and cost • Stale Process drives poor behavior • Consider the culture of the company • Easy to grow the rule base – much harder to shrink it • Human error is a significant risk and cost • Risk and compliance reporting to focus attention • Leverage value from the toolset • Utilize automation and control to improve security, not just cut cost 18
  • 20. Q&A and Additional Resources • 2012 State of Network Security – Report http://www.algosec.com/en/resources/network_security_2012 • Firewall Configuration Errors Revisited (Research by Prof. Avishai Wool) http://arxiv.org/abs/0911.1240 • Firewall Management ROI Calculator http://www.algosec.com/resources/roi_calculator/ • Evaluate the AlgoSec Security Management Suite AlgoSec.com/eval 20
  • 21. Security Management. Made Smarter. www.AlgoSec.com Connect with AlgoSec on: