Selling IT on getting the most out of a new firewall

The IT department was reluctant to take full advantage of the advanced functionality. So our manager annoyed them into compliance.

Action Plan: Keep reminding the IT admins that they are spending a lot of time following up on potential malicious activity that the firewall could nip in the bud.

We bought a next-generation firewall, as I had hoped we would. The real trick, though, was getting the IT department to take full advantage of all of its advanced functionality.

A few months ago, we put a loaner Palo Alto Networks firewall in place to monitor our corporate network as a proof of concept. I was psyched about how this firewall could give us much greater visibility into application data and aid us with threat detection and prevention, URL filtering and advanced malware analysis.

However, the IT department has always been responsible for firewall administration, while I have dictated policy and monitored events. And IT was nervous about putting the new firewall in-line, which meant that our advanced firewall would do nothing more than block ports, just like the archaic firewalls I want to move beyond. Rather than throw my weight around and demand that the firewall be placed in-line, I decided to raise IT's consciousness by constantly barraging them with insights about how the next-generation firewall could make their lives easier if it were in-line.

Yes, I was going to be annoying.

This was fairly simple to do, since I was able to produce an abundance of evidence supporting my position that we should be blocking certain traffic. The problem with monitor-only mode is that when a security event indicative of malicious activity is discovered but not blocked, the IT department has to follow up.

Now, on a daily basis, an average of six PCs in my company are reported to be infected with malware. A PC might attempt to connect to a known botnet server. An employee might browse to websites that are inappropriate or, worse, represent a security or legal risk to the company. Servers, which shouldn’t be put to personal use, might be connected to social media sites, raising the question of whether it was a system administrator doing something stupid or a piece of malware doing something malicious. Whatever the case, the IT administrators and the head of IT receive an email and have to act to track down the cause of the alert and make sure the machines that have been flagged are cleaned up.

If a PC is suspected of being compromised, the IT admin has to identify the user, ask the user a series of questions, determine the PC’s patch status and the condition of the antivirus client, determine if there are any risky programs installed, and run a couple of malware-detection utilities. Doing all of this for a single PC can take more than an hour. In some cases, it takes much more time, since the PC has to be wiped and the operating system and standard enterprise applications then have to be reinstalled.

As all of these things continued to happen, I didn't miss an opportunity to point out that all that follow-up and remediation would be unnecessary if advanced firewalls were placed in-line and allowed to block the sorts of things that cause PCs to become infected, and that IT administrators could then be doing more valuable things.

Or they could keep doing follow-ups that ate up their time. Since I had decided that being annoying would be an effective tactic, I insisted that an IT administrator had to look into every instance of a server initiating a connection to a file storage site. Doing that is the only way we can determine whether the connection was made by a human being or a piece of malware. And then I would add, annoyingly, "If the firewall were in-line, suspicious traffic could be blocked, and eventually admins wouldn't use production servers to check their webmail."

Another thing that IT regularly does is send emails to HR whenever an employee surfs porn sites. And so I explained that we could create a policy that would both block access to these types of sites and present the naughty Web surfer an interrupter page letting the user know that such activity is inappropriate. Having one of those pop up on your monitor is embarrassing enough to prompt permanent behavior change while in the office.
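As an added illustration that is not part of the column (and not Palo Alto Networks code), the following Python script puts the argument above into numbers: it runs a proposed in-line block policy over a handful of constructed alert records, in a simplified CSV layout assumed for this example rather than PAN-OS's own log format, and tallies how many monitor-only alerts the policy would have acted on and how much follow-up time that represents. The rules, URL categories, hosts and per-alert triage hours are all assumptions. It also carries a caveat the column leaves out: blocking a botnet check-in from an already-infected PC stops the connection but does not clean the machine, so that alert still needs follow-up; only blocks that stop the risky activity before it happens (a server reaching a file storage site, a user opening an adult site) remove the follow-up entirely.

```python
"""What-if simulation: would an in-line block policy have removed the
follow-up work that monitor-only alerts create?

Added example, not code from the column or from Palo Alto Networks. The log
layout, rule set, hosts and triage costs are all constructed assumptions.
"""
import csv
from collections import Counter
from dataclasses import dataclass
from io import StringIO
from typing import Optional

# Simplified columns for this example; not PAN-OS's real threat/URL log format.
FIELDS = ["time", "src", "src_role", "dst_category", "threat"]

# Constructed sample events (one morning of monitor-only firewall output).
SAMPLE_LOG = """\
2014-03-03T08:12:05,10.10.4.21,workstation,malware,botnet-c2-beacon
2014-03-03T08:40:11,10.10.4.22,workstation,adult,url-policy
2014-03-03T09:02:44,10.10.9.5,server,online-storage,url-policy
2014-03-03T09:15:30,10.10.9.7,server,social-networking,url-policy
2014-03-03T10:01:18,10.10.4.30,workstation,business,none
2014-03-03T10:33:52,10.10.4.31,workstation,malware,botnet-c2-beacon
"""


@dataclass(frozen=True)
class Rule:
    name: str
    src_role: Optional[str]       # None matches any source role
    dst_category: Optional[str]   # None matches any URL category
    threat: Optional[str]         # None matches any threat name
    action: str                   # "block" or "block-with-response-page"
    still_needs_followup: bool    # True when the block stops the traffic but
                                  # the host is already infected and must be cleaned


# Hypothetical in-line policy built from the alert types described in the text.
POLICY = [
    Rule("block-botnet-c2", None, None, "botnet-c2-beacon", "block", True),
    Rule("servers-no-file-storage", "server", "online-storage", None, "block", False),
    Rule("servers-no-social-media", "server", "social-networking", None, "block", False),
    Rule("adult-content", None, "adult", None, "block-with-response-page", False),
]

# Assumed analyst time per alert in monitor-only mode (the column cites more
# than an hour per PC; the server figure is an assumption).
TRIAGE_HOURS = {"workstation": 1.0, "server": 1.5}


def parse_events(log_text: str) -> list:
    """Parse the simplified CSV into a list of dicts keyed by FIELDS."""
    return list(csv.DictReader(StringIO(log_text), fieldnames=FIELDS))


def first_match(event: dict, policy: list) -> Optional[Rule]:
    """Return the first rule whose non-wildcard fields all match the event."""
    for rule in policy:
        if rule.src_role not in (None, event["src_role"]):
            continue
        if rule.dst_category not in (None, event["dst_category"]):
            continue
        if rule.threat not in (None, event["threat"]):
            continue
        return rule
    return None


def simulate(log_text: str, policy: list) -> dict:
    """Tally alerts, in-line actions and follow-up hours under both modes."""
    summary = {
        "events": 0,
        "alerts": 0,                 # events a rule would fire on
        "actions": Counter(),        # in-line action each alert would get
        "followups_remaining": 0,    # alerts still needing cleanup when in-line
        "hours_monitor_only": 0.0,   # triage cost if everything is only alerted
        "hours_inline": 0.0,         # triage cost left after in-line blocking
    }
    for event in parse_events(log_text):
        summary["events"] += 1
        rule = first_match(event, policy)
        if rule is None:
            continue  # ordinary traffic: nobody is emailed either way
        summary["alerts"] += 1
        summary["actions"][rule.action] += 1
        cost = TRIAGE_HOURS[event["src_role"]]
        summary["hours_monitor_only"] += cost
        if rule.still_needs_followup:
            summary["followups_remaining"] += 1
            summary["hours_inline"] += cost
    return summary


if __name__ == "__main__":
    result = simulate(SAMPLE_LOG, POLICY)
    for key, value in result.items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

Run it as a script to print the summary. The comparison to bring to the IT department is hours_monitor_only against hours_inline: on the constructed sample, five of the six events would have triggered a rule, four of them as silent blocks and one with a response page, but the two botnet beacons still represent infected PCs that need cleanup whether or not the check-in was blocked. Only the URL-category blocks on servers and the adult-content block remove follow-up work outright, which is the honest version of the column's claim.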

In the end, my persistence and annoying behavior won the day. The IT department got tired of me having them stop everything they were doing to investigate. They agreed to order another next-generation firewall, for a highly available pair, and replace the legacy devices. Putting my obnoxious behavior aside, I agreed to dip into my budget and pay for training for the IT administrators who will be responsible for firewall administration.

By Mathias Thurman