
Brian Pennington

A blog about Cyber Security & Compliance


Tracking how fast a security incident is discovered and contained is the most important metric but not often used

In a Firemon-sponsored Ponemon study, respondents were asked to rate the importance of specific metrics in communicating the state of security risk to senior executives and IT management.

The following metrics are considered to be most important in achieving more effective communications. 

  • Metrics on compliance with security standards and frameworks. The metrics most often used are the length of time to implement security patches and the reduction in audit findings, especially repeat findings.
  • Metrics on the management of security threats. The metrics most often used are the reduction in the number of known vulnerabilities and the percentage of endpoints free of malware and viruses.
  • Metrics on the minimization of disruption to business & IT operations. The metric most often used is the reduction in unplanned system downtime.
  • Metrics on staff and employee competence. The metric most often used is the number of end users receiving appropriate training.
  • Metrics on efficient management of resources and spending. The metric most often used is the reduction in the cost of security management activities.
  • Time-dependent metrics on the discovery and containment of compromises and breaches. The metrics most often used are mean time to fix and mean time to identify and know root causes.
  • Metrics on the minimization of third-party security risks. The metric most often used is the number of third parties that attest to meeting compliance and security standards.
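The time-dependent metrics in the last-but-one bullet are the ones this post singles out, so here is how they are derived from incident records. This is an added example, not code from the post or from the Ponemon study; the incident records are constructed, and the split into mean, median and worst case is a design choice so that a single long-dwell incident does not hide inside an average.

```python
"""Time-to-discover and time-to-contain metrics from incident records.

Added example, not from the post or the Ponemon study. The incident records
below are constructed; timestamps are UTC in ISO 8601 form.
"""
from datetime import datetime
from statistics import median

# Constructed sample: "compromised" is the start of the compromise as established
# by root-cause analysis; "contained" is None while the incident is still open.
INCIDENTS = [
    {"id": "INC-001", "compromised": "2014-03-01T08:00:00", "discovered": "2014-03-03T09:30:00", "contained": "2014-03-03T15:00:00"},
    {"id": "INC-002", "compromised": "2014-03-10T22:15:00", "discovered": "2014-03-11T01:00:00", "contained": "2014-03-11T02:30:00"},
    {"id": "INC-003", "compromised": "2014-02-20T12:00:00", "discovered": "2014-04-01T10:00:00", "contained": "2014-04-02T10:00:00"},
    {"id": "INC-004", "compromised": "2014-04-05T03:00:00", "discovered": "2014-04-05T03:20:00", "contained": None},
]


def _hours(later, earlier):
    """Elapsed hours between two ISO 8601 timestamps."""
    return (datetime.fromisoformat(later) - datetime.fromisoformat(earlier)).total_seconds() / 3600


def incident_intervals(incidents):
    """Per incident: (id, hours to discover, hours to contain or None if still open)."""
    rows = []
    for inc in incidents:
        ttd = _hours(inc["discovered"], inc["compromised"])
        if ttd < 0:
            raise ValueError(f"{inc['id']}: discovered before compromise")
        ttc = None
        if inc["contained"] is not None:
            ttc = _hours(inc["contained"], inc["discovered"])
            if ttc < 0:
                raise ValueError(f"{inc['id']}: contained before discovery")
        rows.append((inc["id"], ttd, ttc))
    return rows


def summarize(incidents):
    """Mean, median and worst case, reported separately so a long-dwell outlier stays visible."""
    rows = incident_intervals(incidents)
    ttd = [r[1] for r in rows]
    ttc = [r[2] for r in rows if r[2] is not None]   # open incidents have no containment time yet
    return {
        "incidents": len(rows),
        "still_open": len(rows) - len(ttc),
        "mean_hours_to_discover": sum(ttd) / len(ttd),
        "median_hours_to_discover": median(ttd),
        "max_hours_to_discover": max(ttd),
        "mean_hours_to_contain": sum(ttc) / len(ttc) if ttc else None,
        "median_hours_to_contain": median(ttc) if ttc else None,
    }


if __name__ == "__main__":
    for key, value in summarize(INCIDENTS).items():
        print(f"{key}: {value}")
```

On the constructed data the mean time to discover is about 253 hours while the median is about 26 hours; the difference is entirely INC-003, which is exactly the kind of fact a board-level summary built on averages alone would lose.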

The full study can be found here.


Security Metrics to Manage Change: Which Matter, Which Can Be Measured? A Ponemon Study.

The Firemon-sponsored study by Ponemon surveyed 597 individuals who work in IT, IT security, compliance, risk management and other related fields. All respondents are involved in IT security management activities in their organizations. They are also involved in assessing or managing the impact of change on their organization’s IT security operations. The following are the themes of this study:

  • Tale of two security departments
  • The importance of metrics to driving more informed decisions
  • Practices to achieve effective security change management
  • The right metrics for managing change

What is security change management?

Ponemon defines security change management in the study as “a formal approach to assessing, prioritizing and managing transitions in personnel, technologies, policies and organizational structures to achieve a desired state of IT security”. The security risk landscape is defined as rapidly mutating threats at every point of entry, from the perimeter to the desktop and from mobile to the cloud. The fast evolution of the threat landscape and changes in network and security architectures create a challenging and complex security ecosystem.

The key findings of the study

The security posture perception gap puts organizations at risk. 13% of respondents would rate the security posture of their organization as very strong, whereas 33% of respondents say their CEO and Board believe the organization has a very strong security posture. Such a gap reveals the problems the security function acknowledges in accurately communicating the true state of security.

Why can’t communication be better? 71% of respondents say communication occurs at too low a level, and 63% say it occurs only when a security incident has already occurred. 51% admit to filtering negative facts before talking to senior executives.

Agility is key to managing change. However, when asked to rate their organization’s agility in managing the impact of change on IT security operations, only 16% of respondents say their organizations have a very high level of agility and 25% say it is very low.

Metrics that reveal the impact of change are most valuable. According to 74% of respondents, security metrics that measure the impact of disruptive technologies on security posture are important. 62% of respondents say metrics fail to provide this important information.

Real-time analysis for managing change is essential. When asked about the importance of real-time analysis for managing changes to the organization’s security landscape, 72% of respondents say it is essential or very important. 12% say it is not important.

Organizations are not using more advanced procedures to understand the impact of change on their organization’s security posture. 26% of respondents say they are using manual processes or no proactive processes to identify the impact of changes on the organization’s security posture. 15% are using automated risk impact assessments, 13% say they are using continuous compliance monitoring and 11% rely on internal or external audits.

Senior executives are believed to have a more positive outlook on the effectiveness of their IT security function. While respondents rate their organization’s security posture as just about average, they believe their CEOs and board members have a much more positive perception and would rate their organization’s security posture as above average. 13% of respondents would rate the security posture as strong, whereas 33% of respondents say their CEO and Board believe their organization has a very strong security posture. This perception gap signals that security practitioners are not given an opportunity to communicate, and/or cannot communicate effectively, the true state of security in the organization. As a result it is difficult to convince senior management of the need to invest in the right people, processes and technologies to manage security threats. Likewise, respondents believe key stakeholders also consider the organization’s security posture to be above average: 26% of respondents say this group rates their organization’s security posture as very strong. These stakeholders include business partners, vendors, regulators, and competitors.

Lack of communication seems to be at the root of the C-suite and IT security disconnect. Too little and too late characterizes communication to senior executives about the state of security risk. 29% of respondents say they do not communicate to senior executives about risks and 31% say such communication only occurs when a serious security risk is revealed. As a result, they admit the state of communication about security risks is not effective. 6% of respondents say they are highly effective in communicating all relevant facts to management.

Why can’t communication be better? The main complaints are that communication occurs at too low a level or when a security incident has already occurred. Other problems stem from the existence of silos that keep information from being communicated throughout the organization. Respondents also recognize that the technical nature of the information could be frustrating for senior executives. Very often, the whole story is not revealed because negative facts are filtered before being disclosed to senior executives and the CEO.

What are the implications of senior executives and IT security not having the same understanding of the organization’s security effectiveness? According to the findings, an important capability such as having the agility to manage the impact of change on IT security operations could be affected by not being able to convince management of the need for enough resources, budget and technologies. When asked to rate their organization’s overall agility in managing the impact of change on IT security operations, respondents say it is fairly low: 16% of respondents say their organizations have a very high level of agility and 25% say it is very low. This is also the case when asked to rate their organization’s effectiveness in managing the impact of change on IT security operations: 17% say their organizations are very effective and 30% say their organizations are very ineffective.

The top three barriers to achieving effective security change management activities are:

  1. insufficient resources or budget
  2. lack of effective security technology solutions
  3. lack of skilled or expert personnel

When asked about the importance of real-time analysis for managing changes to the organization’s security landscape, 72% of respondents say it is essential or very important. 12% say it is not important.

  • 26% of respondents say they are using manual processes or no proactive processes to identify the impact of changes on the organization’s security posture
  • 15% are using automated risk impact assessments
  • 13% say they are using continuous compliance monitoring
  • 11% rely on internal or external audits

Those technologies most often fully deployed to facilitate the management of changes that impact an organization’s security risk profile are:

  • Incident detection and alerting (including SIEM)
  • Vulnerability risk management
  • Network traffic monitoring
  • Security configuration management

Technologies that are often only partially deployed are log monitoring (46% of respondents) and file integrity monitoring (35% of respondents).

Minimally or not deployed at all are: big data analytics (64% of respondents), automated policy management (45% of respondents), and sandboxing (44% of respondents).

Current metrics in use do not communicate the true state of security efforts. When asked if the metrics in use today adequately convey the true state of security efforts deployed by their organization, 43% of respondents say they do not and 11% are unsure. The biggest reasons for the failure to accurately measure the state of security are that more pressing issues take precedence, communication with management only occurs when there is an actual incident, the information is too technical to be understood by non-technical management, and there is a lack of resources to develop or refine metrics.

What are the strengths and weaknesses of the security function? Respondents were asked to rate their organizations’ ability to accomplish seven specific factors that may impact the security posture. The findings reveal that most respondents say their organizations are best at managing security threats, hiring and retaining competent security staff and employees, and discovering and containing compromises and breaches quickly. They are not as effective at achieving compliance with leading security standards and frameworks and at minimizing third-party security risks.

What events are most likely to disrupt the organization’s infrastructure and ability to manage security threats? The expansion of mobile platforms and migration to the cloud are the most likely to affect the security posture. Use of employee-owned devices (BYOD) and the implementation of a next-generation firewall have moderate impact. Events that are considered to have a low impact are the move or consolidation of data center resources, implementation of virtualized computing and storage, a security audit failure, and reorganizing and downsizing the enterprise and IT function. Who is accountable for managing the risk created by the introduction of such changes as mobile platforms and the cloud? According to respondents, the person most responsible for managing the impact of these changes is the CIO or CTO, followed by the answer that no one has overall responsibility.

Metrics must be aligned with business goals. 83% of respondents say it is important to have security metrics fully aligned with business objectives. However, most organizations represented in this study do not seem to be achieving this goal. In fact, 69% say security metrics sometimes conflict with the organization’s business goals.

  • 74% agree that security metrics that show the impact of disruptive technologies on security posture are important
  • 62% of respondents say metrics fail to provide information about the impact of change
  • 54% agree that metrics do not help understand the vulnerabilities to criminal
  • 46% of respondents say they do not help assess or manage risks caused by the migration to the cloud
  • 56% agree that metrics can help justify investment in people, processes and technologies
  • 57% of respondents agree the CEO and board do care about the metrics used to measure security posture

What is the “metrics that matter” gap? Respondents were asked to rate the metrics most important in communicating relevant facts about the state of security risks to senior executives and IT management. The top metrics in terms of their importance are discovery and containment of compromises and breaches, and management of resources and spending. However, actual use of metrics in these categories averages only 43% and 37% respectively of the organizations represented in this research. The biggest gaps between importance and use are with metrics that track disruption to business & IT operations (36% gap), management of resources and spending (35% gap), and discovery and containment of compromises and breaches (31% gap). The smallest gaps between importance and use are with third-party risks (7%) and staff and employee competence (2%).

Tracking how fast a security incident is discovered and contained is the most important metric but not often used.

Practices to achieve effective security change management. In this section, we look at the different practices of organizations that were self-reported to have a high security posture and those that have a low security posture. The findings reveal that there is a difference in the technologies deployed, perceptions about barriers to managing the impact of change to the security infrastructure, effectiveness in communication with senior management, and frequency of communications.

Firemon’s report can be found here.

Could you save 50% on the cost of your Firewall Change Requests?

Tufin, a “Security LifeCycle Management solutions company”, claim that with effective firewall change management a business could reduce the cost of its firewall management by 50%.

Tufin use research from Frost and Sullivan to support their claim.

Frost & Sullivan reports that “The process of implementing a change request to a firewall is a combination of many tasks that are in most cases manual, unclear and time-consuming. [Tufin] SecureChange™ Workflow automates the request process, substantially reducing the overall IT costs associated with change requests by half annually.”

What is undeniable is the need for effective change management processes and controls if a firewall, or any other security solution, is to remain efficient and secure.

Firewall change management is a mandated requirement in several legislative and compliance standards. For example, the Payment Card Industry Data Security Standard (PCI DSS) has a list of specific controls that should be in place and should be provable; a sample list from the standard is below:

1.1 Obtain and inspect the firewall and router configuration standards and other documentation specified below to verify that standards are complete. Complete the following:

1.1.1 Verify that there is a formal process for testing and approval of all network connections and changes to firewall and router configurations.

1.1.2.a Verify that a current network diagram (for example, one that shows cardholder data flows over the network) exists and that it documents all connections to cardholder data, including any wireless networks.

1.1.2.b Verify that the diagram is kept current.

1.1.3.a Verify that firewall configuration standards include requirements for a firewall at each Internet connection and between any DMZ and the internal network zone.

1.1.3.b Verify that the current network diagram is consistent with the firewall configuration standards.

1.1.4 Verify that firewall and router configuration standards include a description of groups, roles, and responsibilities for logical management of network components.

1.1.5.a Verify that firewall and router configuration standards include a documented list of services, protocols and ports necessary for business—for example, hypertext transfer protocol (HTTP) and Secure Sockets Layer (SSL), Secure Shell (SSH), and Virtual Private Network (VPN) protocols.

1.1.5.b Identify insecure services, protocols, and ports allowed; and verify they are necessary and that security features are documented and implemented by examining firewall and router configuration standards and settings for each service.

1.1.6.a Verify that firewall and router configuration standards require review of firewall and router rule sets at least every six months.

1.1.6.b Obtain and examine documentation to verify that the rule sets are reviewed at least every six months.

1.2 Examine firewall and router configurations to verify that connections are restricted between untrusted networks and system components in the cardholder data environment, as follows:

1.2.1.a Verify that inbound and outbound traffic is limited to that which is necessary for the cardholder data environment, and that the restrictions are documented.

1.2.1.b Verify that all other inbound and outbound traffic is specifically denied, for example by using an explicit “deny all” or an implicit deny after allow statement.

1.2.3 Verify that there are perimeter firewalls installed between any wireless networks and systems that store cardholder data, and that these firewalls deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment.

1.3 Examine firewall and router configurations—including but not limited to the choke router at the Internet, the DMZ router and firewall, the DMZ cardholder segment, the perimeter router, and the internal cardholder network segment—to determine that there is no direct access between the Internet and system components in the internal cardholder network segment.

1.3.6 Verify that the firewall performs stateful inspection (dynamic packet filtering). (Only established connections should be allowed in, and only if they are associated with a previously established session.)

1.4.a Verify that mobile and/or employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), and which are used to access the organization’s network, have personal firewall software installed and active.

1.4.b Verify that the personal firewall software is configured by the organization to specific standards and is not alterable by users of mobile and/or employee-owned computers.

6.6 For public-facing web applications, ensure that one of the following methods is in place:

  • Verify that public-facing web applications are reviewed (using either manual or automated vulnerability security assessment tools or methods).
  • Verify that a web-application firewall is in place in front of public-facing web applications to detect and prevent web-based attacks.
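Several of the Requirement 1 tests above (1.1.5.a/b, 1.1.6.b, 1.2.1.a/b and 1.3) can be checked mechanically against a rule set export, which is the "provable" part of the sentence introducing the list. The following is an added example written for this post; it is not Tufin's or Firemon's code and not text from the PCI DSS. The rule set, the documented-services list, the insecure-services list, the last review date and the audit date are all constructed, and the zone naming (`internet`, `dmz-*`, `internal-*`) is an assumption of the example.

```python
"""Automated checks of a firewall rule set against a few PCI DSS Requirement 1 items.

Added example, not Tufin's or Firemon's code and not text from the PCI DSS.
The rule set, documented-services list, insecure-services list, review date
and audit date below are all constructed.
"""
from datetime import date, timedelta

# Constructed rule set in evaluation order. Zones named "internal-*" hold cardholder data.
RULES = [
    {"id": 10, "src": "internet", "dst": "dmz-web", "service": "443/tcp", "action": "allow", "justification": "public web"},
    {"id": 20, "src": "corp-admin", "dst": "dmz-web", "service": "22/tcp", "action": "allow", "justification": "admin ssh"},
    {"id": 30, "src": "internet", "dst": "dmz-web", "service": "23/tcp", "action": "allow", "justification": ""},
    {"id": 40, "src": "dmz-web", "dst": "internal-db", "service": "5432/tcp", "action": "allow", "justification": "app db"},
    {"id": 50, "src": "any", "dst": "any", "service": "any", "action": "deny", "justification": "default deny"},
]
APPROVED_SERVICES = {"443/tcp", "22/tcp", "5432/tcp"}  # documented list (1.1.5.a); constructed
INSECURE_SERVICES = {"23/tcp", "21/tcp", "513/tcp"}    # need a documented business need (1.1.5.b); constructed
LAST_RULESET_REVIEW = date(2013, 9, 1)                  # constructed review record (1.1.6.b)


def audit_ruleset(rules, approved, insecure, last_review, today):
    """Return a list of findings, each prefixed with the PCI DSS test it relates to."""
    findings = []
    last = rules[-1] if rules else None
    # 1.2.1.b: the rule set must end in an explicit deny-all.
    if not (last and last["action"] == "deny" and last["src"] == last["dst"] == last["service"] == "any"):
        findings.append("1.2.1.b: rule set does not end with an explicit deny-all")
    for r in rules:
        if r["action"] != "allow":
            continue
        if r["src"] == "any" and r["dst"] == "any":
            findings.append(f"1.2.1.a: rule {r['id']} allows any-to-any traffic")
        if r["src"] in ("internet", "any") and r["dst"].startswith("internal-"):
            findings.append(f"1.3: rule {r['id']} allows direct access from the Internet to {r['dst']}")
        if r["service"] not in approved:
            findings.append(f"1.1.5.a: rule {r['id']} allows {r['service']}, which is not in the documented services list")
        if r["service"] in insecure and not r["justification"]:
            findings.append(f"1.1.5.b: rule {r['id']} allows insecure service {r['service']} with no documented business need")
    # 1.1.6.b: reviewed at least every six months (183 days used as the threshold here).
    if today - last_review > timedelta(days=183):
        findings.append(f"1.1.6.b: rule set last reviewed {last_review.isoformat()}, "
                        f"more than six months before {today.isoformat()}")
    return findings


def run_default_audit(today_iso="2014-04-01"):
    """Audit the constructed rule set as of the given date (ISO 8601)."""
    return audit_ruleset(RULES, APPROVED_SERVICES, INSECURE_SERVICES, LAST_RULESET_REVIEW,
                         date.fromisoformat(today_iso))


if __name__ == "__main__":
    for finding in run_default_audit():
        print(finding)
```

Run as-is it reports three findings: rule 30 allows a service that is neither documented nor justified (two findings), and the rule set is overdue for review. Rule 40 is fine because its source is the DMZ, not the Internet; a rule with `src` of `internet` and a `dst` in an `internal-*` zone would trip the 1.3 check.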

The day-to-day operation of a business can mean “quick changes” are made to firewalls and other security solutions and are not recorded, but such changes could significantly impact the business’s security level and the organisation’s ability to maintain compliance.

A spreadsheet could be an answer but configuration changes often involve several tasks, for example testing the change prior to going live. Changes across multiple devices may involve several people as security devices need highly skilled security professionals to manage them. Without an effective process or solution an organisation could be wasting the time of expensive resources and may incur unexpected and costly downtime.

To meet these challenges in a cost-effective manner, Tufin recommends that organizations extend IT automation into the domain of network security configuration. Automating the security change lifecycle can help companies to:

  • Improve network security and uptime
  • Enforce corporate governance
  • Manage risk effectively and proactively
  • Increase operational efficiency
  • Comply with industry and regulatory standards
  • Audit security infrastructure quickly and accurately
  • Improve service levels

Tufin believe the key to an effective security change automation solution is a combination of both workflow and security technologies. Generic ticketing and helpdesk systems can route requests to security administrators, but since they have a limited understanding of security processes and compliance policies, they cannot automate and enhance each of the stages in a configuration change, from request and design through implementation and auditing. A comprehensive security change automation solution will work either alone, or in concert with a standard ticketing system, to provide:

  • Multiple, customizable change workflows tightly coupled with security and network infrastructure, directory services and compliance policies
  • Automated, proactive risk and compliance analysis as an integral part of the change process
  • Configuration change advisory and automatic verification to reduce the risk of errors and shorten ticket resolution time
  • Separation of duties and enforcement of IT governance
  • A comprehensive audit trail with integrated reporting
  • SLA tracking and high-level monitoring tools to ensure continuous improvement

The security change lifecycle represents a holistic view of an organization’s security configuration change processes.

A typical security change lifecycle could include the following stages: 

Request: A business user requests a service, most commonly access to an application or network, or IT requests connectivity changes for a new or modified server or application. 

Business Approval: The request is sent for approval to an IT manager to ensure that it is justified. 

Technical Design: An engineer translates the request from its business context into a specific implementation plan on the affected firewalls or devices. 

Risk Analysis: A security manager performs risk analysis and checks the change for compliance. 

Implementation: The change is actually implemented on the network infrastructure by one or more administrators. 

Verification: The user checks that his/her request has been fulfilled. At this stage, a manager can also verify that the implementation was in accordance with the approved design. 

Audit: Periodically, all changes must be audited in order to demonstrate sufficient security levels and compliance with standards. 
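The seven stages above, together with the “separation of duties and enforcement of IT governance” and “comprehensive audit trail” bullets earlier, describe a workflow that a generic ticketing system does not enforce. The following is an added example of such a workflow engine written for this post; it is not Tufin’s SecureChange Workflow or its API. The stage names follow the lifecycle above; the users, the role directory and the change request are constructed, and the specific separation-of-duties rules (no self-approval, no implementing your own design or risk assessment, an auditor who took no part in the change) are this example’s choices, not the white paper’s.

```python
"""A minimal security change workflow enforcing stage order, roles, separation of duties
and an audit trail.

Added example; not Tufin's SecureChange Workflow or its API. Stage names follow the
lifecycle in the white paper; users, roles and the change request are constructed.
"""
from datetime import datetime, timezone

STAGES = ["request", "business_approval", "technical_design", "risk_analysis",
          "implementation", "verification", "audit"]

# Constructed role directory; a real deployment would read this from directory services.
ROLES = {
    "alice": {"user", "it_manager"},
    "bob": {"it_manager"},
    "carol": {"engineer", "admin"},
    "dave": {"security_manager"},
    "erin": {"admin"},
    "frank": {"auditor"},
}
REQUIRED_ROLE = {"business_approval": "it_manager", "technical_design": "engineer",
                 "risk_analysis": "security_manager", "implementation": "admin",
                 "audit": "auditor"}


class WorkflowError(Exception):
    """Wrong stage order, missing role, or lifecycle already complete."""


class SoDViolation(WorkflowError):
    """A separation-of-duties rule was broken."""


class ChangeRequest:
    def __init__(self, ticket, requester, description):
        self.ticket = ticket
        self.requester = requester
        self.stage_index = 0
        self.actors = {"request": requester}                # who performed each stage
        self.trail = [(self._now(), "request", requester, description)]  # audit trail

    @staticmethod
    def _now():
        return datetime.now(timezone.utc).isoformat()

    @property
    def stage(self):
        return STAGES[self.stage_index]

    def _check_sod(self, nxt, actor):
        # Nobody approves, designs, assesses or implements their own request.
        if nxt in REQUIRED_ROLE and nxt != "audit" and actor == self.requester:
            raise SoDViolation(f"{actor} cannot perform {nxt} on their own request")
        # The risk reviewer is not the designer; the implementer is neither of them.
        if nxt == "risk_analysis" and actor == self.actors["technical_design"]:
            raise SoDViolation(f"{actor} cannot assess the risk of their own design")
        if nxt == "implementation" and actor in (self.actors["technical_design"], self.actors["risk_analysis"]):
            raise SoDViolation(f"{actor} cannot implement a change they designed or assessed")
        # The auditor took no part in the change at all.
        if nxt == "audit" and actor in self.actors.values():
            raise SoDViolation(f"{actor} took part in the change and cannot audit it")

    def advance(self, actor, note):
        """Move the request to the next stage, recording who did it and why."""
        if self.stage_index + 1 >= len(STAGES):
            raise WorkflowError("lifecycle already complete")
        nxt = STAGES[self.stage_index + 1]
        roles = ROLES.get(actor, set())
        if nxt == "verification":
            # The requester confirms the service works; a manager may verify instead.
            if actor != self.requester and "it_manager" not in roles:
                raise WorkflowError(f"{actor} may not verify {self.ticket}")
        elif REQUIRED_ROLE[nxt] not in roles:
            raise WorkflowError(f"{actor} lacks role {REQUIRED_ROLE[nxt]} for {nxt}")
        self._check_sod(nxt, actor)
        self.stage_index += 1
        self.actors[nxt] = actor
        self.trail.append((self._now(), nxt, actor, note))
        return nxt


def run_lifecycle():
    """Walk a constructed change through every stage and return the request."""
    cr = ChangeRequest("CHG-1042", "alice", "allow dmz-web -> internal-db 5432/tcp")
    cr.advance("bob", "business need confirmed")
    cr.advance("carol", "rule 40 on fw-dmz-01")
    cr.advance("dave", "no cardholder zone boundary crossed; risk low")
    cr.advance("erin", "pushed to fw-dmz-01 in the 02:00 change window")
    cr.advance("alice", "application connects; verified")
    cr.advance("frank", "implementation matches approved design")
    return cr


if __name__ == "__main__":
    for when, stage, who, note in run_lifecycle().trail:
        print(f"{when}  {stage:<18} {who:<6} {note}")
```

Carol holds both the engineer and admin roles, so a plain role check would let her push her own design; it is the separation-of-duties check, not the role check, that stops her, which is the distinction the white paper draws between a ticketing system and a security change workflow.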

Other firewall change management solutions are available from companies like Firemon, and many firewall vendors have introduced their own solutions, for example Check Point.

Download the Tufin White Paper here.

