Best practices for network security management

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

Today's IT security teams are faced with rapidly mutating threats at every possible point of entry from the perimeter to the desktop; from mobile to the cloud. Fueled by the fast evolution of the threat landscape and changes in network and security architectures, network security management is far more challenging and complex than just a few years ago.

Security teams must support internal and external compliance mandates, enable new services, optimize performance, ensure availability, and support the ability to troubleshoot efficiently on demand--with no room for error. That's a lot to balance when managing network security.

Here are four essential best practices for network security management:

#1 Network Security Management Requires a Macro View. Organizations need a holistic view of their network. With disparate vendor devices and hosts, security teams need a normalized, comprehensive view of the network, including: routing rules, access rules, NAT, VPN, etc.; hosts, including all products (and versions), services, vulnerabilities, and patches; and assets, including asset groupings and classifications.

With a comprehensive view of the network, security teams can view hosts in the network, as well as configurations, classifications and other pertinent information. A network map or model is both a useful visualization tool and a diagnostic tool, providing analysis that is only possible when considering an overall view. For example, security and compliance teams can use this macro view to see how data would move between points on the network.

Additionally, it highlights information that is missing, such as hosts, access control list (ACL) data, and more. Sophisticated analytics can be conducted quickly and accurately in a model-based environment, without disrupting the live network. Access path analysis helps to validate changes and can troubleshoot outages or connectivity issues, enhancing visibility and improving security processes. "What-if" analysis indicates both accessible and blocked destinations for designated data.

#2 Daily Device Management Requires a Micro View. Although the macro view is needed to see how all the pieces of the network fit together, network administrators must also be able to drill down into the details for a particular device, easily accessing information on rules, access policies, and configuration compliance. And this information must be considered within the framework of the broader network, including context such as segments or zones, routing, routers, switches, intrusion prevention systems (IPS), and firewalls.

Information must be provided in a digestible fashion. The network components that impact the device will undoubtedly come from various vendors, creating data of different vendor languages that must be deciphered, correlated, and optimized to allow administrators to streamline rule sets. For example, administrators need to be able to block or limit access by application and view violations of these access policies.

Daily or weekly reviews of all devices on the network are unattainable with a manual process, and reviewing device configurations less frequently puts network security and compliance at risk. Automating policy compliance helps ensure compliance and consistency, and preserves IT resources.

Ideally, a network modeling tool that provides a macro view should also allow administrators to drill down into a micro view of each device, providing information on users, applications, vulnerabilities, and more. This allows administrators to see the broader network view and then focus in on particular devices for management.

#3 Simulate Attacks for Context-Aware Risk Assessments. Merely knowing the network vulnerabilities and their criticality is insufficient for understanding the true level of risk to an organization. Today's attacks often incorporate multiple steps that cross several different network zones, and an isolated view of any of these steps could appear innocuous.

Attack simulation technology automatically examines the network as a whole, together with its business assets, known threats and vulnerabilities, and identifies what would happen if those conditions were combined. Attack simulation can also evaluate potential options to block an attack, providing intelligence for decision support. Understanding the likelihood of an attack and its potential impact against valuable targets is the key to assessing which vulnerabilities and threats pose the most risk.

Attack simulation technology looks at network context, asset criticality, business metrics, and existing security controls when determining the impact of a potential attack. For example, if an asset runs an application that is crucial to maintaining the business and requires continuous availability, a medium-level vulnerability that threatens to disable this asset might be a high-level risk to this particular business.

The impact of deploying a particular security control must also be considered. Keeping an IPS continually in active mode can impact network performance. Attack simulation tools enable security teams to target use of their IPS protection, activating only the necessary signatures, maximizing performance, and prioritizing vulnerabilities.
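An added example of the multi-step, context-aware idea described in this section; it is not code from the article or from Skybox. A constructed host inventory and a constructed set of access paths (what the macro-view model's path analysis would report) are searched for attack chains from the internet, risk is scored by business criticality rather than raw severity, and each host is evaluated as a blocking option. The host names, severity and criticality values, exploitability threshold and scoring formula are all assumptions.

```python
# Added example: a toy attack simulation over a constructed inventory and the
# access paths a network model would report, scored against asset criticality.
from collections import deque

# Constructed inventory: host -> (zone, business criticality 1..5, worst vuln severity 0..10)
HOSTS = {
    "internet": ("internet", 0, 0.0),
    "web01":    ("dmz",      2, 7.5),   # high-severity vuln on a low-value host
    "jump01":   ("internal", 2, 5.0),   # medium-severity vuln
    "erp-db":   ("internal", 5, 5.0),   # medium-severity vuln, business critical
    "print01":  ("internal", 1, 9.8),   # critical vuln, but no access path reaches it
}
# Constructed access paths (what the macro-view model's path analysis would yield).
REACHABLE = {"internet": ["web01"], "web01": ["jump01"], "jump01": ["erp-db"],
             "erp-db": [], "print01": []}

def attack_paths(hosts=HOSTS, start="internet", min_severity=4.0):
    """BFS from the attacker's zone; each hop succeeds only if the next host
    carries a vulnerability at or above min_severity (assumed exploitable)."""
    paths, queue = {start: [start]}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in REACHABLE[cur]:
            if nxt not in paths and hosts[nxt][2] >= min_severity:
                paths[nxt] = paths[cur] + [nxt]
                queue.append(nxt)
    return paths

def prioritize(hosts=HOSTS):
    """Risk = criticality x severity for hosts an attacker can actually reach;
    an isolated critical vulnerability scores zero. Returns (risk, host, path)."""
    paths = attack_paths(hosts)
    scored = [(crit * sev if host in paths else 0.0, host, paths.get(host))
              for host, (_zone, crit, sev) in hosts.items()]
    return sorted(scored, key=lambda t: t[0], reverse=True)

def blocking_options(target, hosts=HOSTS):
    """Decision support: which single host, once patched, cuts every path to target?"""
    options = []
    for host in hosts:
        if host in ("internet", target):
            continue
        patched = dict(hosts)
        patched[host] = (hosts[host][0], hosts[host][1], 0.0)   # vuln remediated
        if target not in attack_paths(patched):
            options.append(host)
    return options

if __name__ == "__main__":
    for risk, host, path in prioritize():
        print(f"{host:8} risk={risk:5.1f} path={path}")
    print("patch one of:", blocking_options("erp-db"))
```

Note that the medium-severity vulnerability on the business-critical erp-db ranks first, while the unreachable 9.8 on print01 scores zero, which is the point the section makes about context.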

#4 Secure Change Management Is Critical. Once a network is in compliance, a secure change management process is needed to maintain continuous compliance and validate that planned changes do not introduce new risk. Secure change management incorporates risk assessment in an orchestrated, standardized process, flags changes made outside of this structure, allows administrators to reconcile flagged changes, and troubleshoots where needed. It verifies that changes were implemented as intended, identifies when a change has unintended consequences, and highlights unapproved changes.

For example, a change management process can flag when a network change will expose vulnerabilities, when a firewall change opens access to risky services, or when there is an unauthorized access path from a partner to an internal zone. More importantly, to maintain network security, change management processes can be used to determine the impact of a proposed change before implementing the change.
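The "what-if" access analysis in #1 and the pre-change checks in #4 both rest on the same kind of normalized model. The following Python is an added example, not code from the article or from Skybox: a toy model of zones and ordered, first-match firewall rules that answers access questions and flags a proposed rule that would newly open a risky service or an untrusted-to-internal access path. The zone names, the baseline rule set and the list of risky services are all constructed.

```python
# Added example: a toy normalized network model (zones + ordered firewall
# rules) used for "what-if" access analysis and for pre-change risk checks.
from dataclasses import dataclass
from typing import List, Optional

# Constructed list of services that should never be opened from untrusted zones.
RISKY_SERVICES = {23: "telnet", 445: "smb", 3389: "rdp"}

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source zone
    dst: str               # destination zone
    port: Optional[int]    # None matches any port

# Constructed baseline rule set; anything not matched is denied by default.
BASELINE: List[Rule] = [
    Rule("allow", "partner", "dmz", 443),
    Rule("allow", "internal", "dmz", None),
]

def is_allowed(rules: List[Rule], src: str, dst: str, port: int) -> bool:
    """What-if query: first-match evaluation like a firewall ACL, default deny."""
    for r in rules:
        if r.src == src and r.dst == dst and r.port in (None, port):
            return r.action == "allow"
    return False

def change_findings(rules, new_rule, untrusted=("internet", "partner"),
                    protected=("internal",)):
    """Evaluate a proposed rule before it is pushed: report any access that the
    change newly permits and that is risky or crosses into a protected zone."""
    after = rules + [new_rule]          # appended ahead of the implicit default deny
    probe_ports = set(RISKY_SERVICES) | ({new_rule.port} - {None})
    findings = []
    for port in sorted(probe_ports):
        before = is_allowed(rules, new_rule.src, new_rule.dst, port)
        now = is_allowed(after, new_rule.src, new_rule.dst, port)
        if before or not now:           # nothing new was opened on this port
            continue
        if port in RISKY_SERVICES:
            findings.append(f"opens risky service {RISKY_SERVICES[port]}/{port} "
                            f"from {new_rule.src} to {new_rule.dst}")
        if new_rule.src in untrusted and new_rule.dst in protected:
            findings.append(f"unauthorized path {new_rule.src}->{new_rule.dst} on port {port}")
    return findings

if __name__ == "__main__":
    print(is_allowed(BASELINE, "partner", "internal", 443))           # False
    print(change_findings(BASELINE, Rule("allow", "partner", "internal", 3389)))
```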

Implementing these four best practices for network security management can reduce risk across the network. With visibility on both the network and device level, tremendous amounts of data are translated into intelligence that deciphers complicated network security transactions into manageable, actionable information. With this insight, attack simulation can then prioritize vulnerabilities and eliminate the attack vectors that are most critical to the organization, protecting business services and data. Finally, change management can automate and optimize security processes to improve security and reduce the security management workload.

Skybox Security is a provider of automated, non-intrusive tools that detect, prioritize, and drive remediation of critical risks such as exposed vulnerabilities and firewall configuration errors.


Stories by Gidi Cohen, Chief Executive Officer and Founder, Skybox Security
