Learn how an app-centric approach will improve security & operational efficiency

Post on 13-Jan-2017


Transcript of Learn how an app-centric approach will improve security & operational efficiency

INCREASE YOUR SECURITY MATURITY THROUGH AN APPLICATION CENTRIC APPROACH

Joe DiPietro

AGENDA

• The Security Policy Management Maturity Model

• Understanding Application Architecture

• Autodiscovery for Applications and their Connectivity

• Identifying Risk Within Applications

• Migrating Applications to a New Data Center

THE SECURITY POLICY MANAGEMENT MATURITY MODEL

Understanding the components of the Security Policy Management Maturity Model. Each component is rated from Level 1 to Level 4, with increasing maturity:

• Network visibility and mapping
• Application to security mapping
• Security policy posture
• Security change management
• Network infrastructure auditing
• Secure decommissioning of application connectivity
• Alignment between security, network and service delivery teams

THE SECURITY POLICY MANAGEMENT MATURITY MODEL: NETWORK VISIBILITY AND MAPPING

• Live and dynamically updated map
• Network and security view

THE SECURITY POLICY MANAGEMENT MATURITY MODEL: APPLICATION TO SECURITY MAPPING

• Application documentation
• Integrated risk and change management view
• Business impact

Be prepared for Software Defined Networks (SDN) such as Cisco ACI (Application Centric Infrastructure)

THE SECURITY POLICY MANAGEMENT MATURITY MODEL: SECURITY POLICY POSTURE

• Continuous compliance procedures
• Compliance score
• Security policy risks
• Application risk

THE SECURITY POLICY MANAGEMENT MATURITY MODEL: SECURITY CHANGE MANAGEMENT

• Automated process
• Segregation of duties
• Embedded risk checks

Change workflow stages: Request, Plan, Approve, Implement, Validate, Close.

• Each firewall policy is automatically analyzed to see if the request is already allowed
• Add a new rule? Modify an existing rule? Create new objects? Automatically document the rule change
• Automatic "push" to reduce misconfigurations
• Notify the requester
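The planning step above ("is the request already allowed?") and the embedded risk checks are easy to state but worth seeing as code. The following is an added example, not code from the presentation or from any vendor product: a small first-match rulebase simulator that classifies a change request as already allowed, shadowed by an explicit deny, satisfiable by extending an existing allow rule, or needing a brand-new rule, and attaches risk findings to the request before it reaches an approver (this is also what the later slide on adding "risk" to a firewall change request describes). The rulebase, the change requests, the RISKY_SERVICES list and the /16 breadth threshold are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    sources: list          # CIDR strings, or "any"
    destinations: list
    services: list         # "tcp/443" style, or "any"
    action: str            # "allow" or "deny"


@dataclass
class ChangeRequest:
    ticket: str
    source: str            # a host or CIDR
    destination: str
    service: str


# Services a change request should never open without review (constructed list for the example)
RISKY_SERVICES = {"tcp/23": "critical", "tcp/21": "high", "tcp/445": "high"}


def _covers(cidrs, addr):
    """True if any CIDR in the rule field contains the requested host or network."""
    net = ipaddress.ip_network(addr, strict=False)
    return any(c == "any" or net.subnet_of(ipaddress.ip_network(c, strict=False)) for c in cidrs)


def _service_covers(services, svc):
    return any(s == "any" or s == svc for s in services)


def first_matching_rule(rulebase, req):
    """First-match semantics: the first rule covering source, destination and service decides the flow."""
    for rule in rulebase:
        if (_covers(rule.sources, req.source) and _covers(rule.destinations, req.destination)
                and _service_covers(rule.services, req.service)):
            return rule
    return None


def risk_check(req):
    """Embedded risk checks run on the request itself, before anyone approves it."""
    findings = []
    if req.service == "any":
        findings.append(("critical", "request opens all services"))
    elif req.service in RISKY_SERVICES:
        findings.append((RISKY_SERVICES[req.service], f"{req.service} is a risky service"))
    if ipaddress.ip_network(req.source, strict=False).prefixlen < 16:
        findings.append(("medium", "source wider than a /16"))
    return findings


def plan_change(rulebase, req):
    """Planning stage: is the request already allowed, shadowed by a deny, or does it need a rule change?"""
    plan = {"ticket": req.ticket, "risk": risk_check(req)}
    match = first_matching_rule(rulebase, req)
    if match is not None:
        # already_allowed closes the ticket without touching the policy;
        # blocked_by_deny means a new rule would have to sit above the deny, so flag it for review
        plan.update(status="already_allowed" if match.action == "allow" else "blocked_by_deny", rule=match.name)
        return plan
    # No rule decides the flow (implicit deny). Prefer adding the service to an allow rule
    # that already joins these endpoints, so the policy does not grow a near-duplicate rule.
    for rule in rulebase:
        if rule.action == "allow" and _covers(rule.sources, req.source) and _covers(rule.destinations, req.destination):
            plan.update(status="modify_existing_rule", rule=rule.name, add_service=req.service)
            return plan
    plan.update(status="new_rule_needed",
                proposed_rule=Rule(f"{req.ticket}-auto", [req.source], [req.destination], [req.service], "allow"))
    return plan


def sample_rulebase():
    """Constructed three-tier policy; a cleanup deny is assumed to follow it implicitly."""
    return [
        Rule("deny-telnet", ["any"], ["any"], ["tcp/23"], "deny"),
        Rule("web-tier-in", ["0.0.0.0/0"], ["10.1.10.0/24"], ["tcp/443"], "allow"),
        Rule("web-to-app", ["10.1.10.0/24"], ["10.1.20.0/24"], ["tcp/8443"], "allow"),
        Rule("app-to-db", ["10.1.20.0/24"], ["10.1.30.0/24"], ["tcp/1521"], "allow"),
    ]


def sample_requests():
    """Constructed change requests, one per outcome the planner can produce."""
    return [
        ChangeRequest("CR-1001", "10.1.10.5", "10.1.20.7", "tcp/8443"),   # covered by web-to-app
        ChangeRequest("CR-1002", "10.1.10.5", "10.1.20.7", "tcp/23"),     # shadowed by deny-telnet
        ChangeRequest("CR-1003", "10.1.20.7", "10.1.30.9", "tcp/1433"),   # extend app-to-db
        ChangeRequest("CR-1004", "0.0.0.0/0", "10.1.20.7", "tcp/22"),     # brand new, overly broad source
    ]


if __name__ == "__main__":
    rb = sample_rulebase()
    for req in sample_requests():
        print(plan_change(rb, req))
```

The "modify existing rule" branch is where policy bloat is won or lost: a planner that always appends a new rule for every ticket is how a rulebase grows thousands of near-duplicates that nobody can later re-certify. The risk findings travel with the ticket so the approver sees them next to the proposed rule rather than in a separate scanner report.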

THE SECURITY POLICY MANAGEMENT MATURITY MODEL: NETWORK INFRASTRUCTURE AUDITING

• Understand what changed, and who did it
• Don't forget about changes in risk
• Look at the big picture
• Have granular audit details

THE SECURITY POLICY MANAGEMENT MATURITY MODEL: SECURE DECOMMISSIONING OF APPLICATION CONNECTIVITY

• Reduce complexity
• Map applications and automate the process
• Security policy bloat over time
• Have a process to decommission

Start the decommission process when you first make the request, with "rule re-certification"!

Example: "Please decommission this application!" (Legacy WebAccess Application), raised as firewall change request #6757 to remove the WebAccess application.

THE SECURITY POLICY MANAGEMENT MATURITY MODEL: ALIGNMENT BETWEEN SECURITY, NETWORK AND SERVICE DELIVERY TEAMS

• Common goals for the business
• Application alignment between groups
• More agile
• Reduce risk

The back-and-forth exchange to clarify information can add days to a single security policy change request!

Collaboration can occur when each party sees the information in their native language: service delivery, networking and security each get a different view of the same application.

THE SECURITY POLICY MANAGEMENT MATURITY MODEL

Component | Level 1 | Level 2 | Level 3 | Level 4
Network visibility and mapping | Static map (e.g. Visio) | Map updated periodically | Live map | Live map across on-premise, SDN and cloud
Application to security mapping | None | Application architecture documented | Application risk identified within all app components | App connectivity changes seamlessly integrated with security processes
Security policy posture | Poor | Fair | Good | Excellent
Security change management | Manual, error-prone | Mostly manual, some errors | Mostly automated, few errors | Automated policy push, virtually error-free
Network infrastructure auditing | Manual, costly | Some automation, costly | Automated and continuous | Automated and continuous
Secure decommissioning of application connectivity | Never | Rare | Occasional | Always
Alignment between security, network and service delivery teams | Poor | Fair | Good | DevSecOps

If we understand the application architecture and how it traverses the network, we can dramatically increase our maturity in these areas and be prepared for Software Defined Networks (SDN) such as Cisco ACI (Application Centric Infrastructure), as well as increase our business agility!

BUSINESS APPLICATION ARCHITECTURE

• One of the biggest challenges in IT is to understand application architectures
• Just like security, networking, and other IT components, they can be complex
• There are many different components; here is a simplified view:
  • Client tier: browsers (IE, Chrome, Firefox, etc.) and fat or thick clients (SAP, etc.)
  • Web tier: web servers (Apache, Microsoft IIS, etc.)
  • Business logic tier: middleware (Oracle WebLogic, Fusion, IBM WebSphere, etc.)
  • Database tier: database servers (Oracle, SQL Server, DB2, MongoDB, Hadoop, etc.)
• If we understand the application architecture then we understand how to secure the environment and create business agility when a change is needed

IDENTIFYING BUSINESS APPLICATIONS

• How do you get a picture of the application and its components?
• Ask the application developer… they will know a few pieces
• Ask the sysadmin… he knows what software was loaded, but…
• Ask the DBA… he just left…
• Ask the middleware engineer… they deal with a lot of applications, which one?
• Look in the CMDB… this has stale information from 5 years ago…
• It's really hard!!

DEFINING THE APPLICATION ARCHITECTURE

Obtaining application architecture information:

• Import DB tables through CSV files
• Sensors, probes or packet brokers, which get data from:
  • port mirroring
  • promiscuous mode on an ESX server
  • a host-based (local) sensor on an application server
  • data captures in PCAP, TCPDUMP and NetFlow format
• Capturing syslog traffic
• Existing security policy

Let's look at this one first…

FIREWALL POLICY

Identify your application in the existing policy… like Lotus Notes.

You've documented your application!! Information can be pulled from section headers, comment fields, object names, services, etc.
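Two slides lean on the same idea: the existing firewall policy already documents the application (section headers, comment fields, object names), and the decommissioning slide earlier wants "rule re-certification" so that removal is driven from that same metadata. The following is an added example, not code from the presentation or from any product: it parses a constructed CSV policy export, lifts app=, owner= and recert= tags out of the comment field (falling back to the section header for the application name), lists rules whose re-certification date has lapsed, and builds a removal change request for one application that also names the network objects left orphaned by the removal. The export format, the tag syntax in the comments, the object names and the owners are all assumptions made for the example; only the WebAccess application and ticket #6757 come from the slides.

```python
import csv
import io
import re
from datetime import date

# Constructed sample policy export; rule and object names are invented for this example.
# The comment column carries the kind of tags a change-management process leaves behind.
RULE_EXPORT = """section,name,source,destination,service,action,comment
WebAccess,wa-ext-in,any,WebAccess_Web_Srv,tcp/443,allow,CR#4120 app=WebAccess owner=j.smith recert=2016-06-30
WebAccess,wa-web-db,WebAccess_Web_Srv,WebAccess_DB,tcp/1521,allow,CR#4121 app=WebAccess owner=j.smith recert=2016-06-30
HelpDesk,hd-ext-in,any,HD_Web,tcp/443,allow,CR#5301 app=HelpDesk owner=a.lee recert=2017-12-31
HelpDesk,hd-app-sms,HD_App,SMS_Server_DC1,tcp/8080,allow,CR#5302 app=HelpDesk owner=a.lee recert=2017-12-31
Misc,legacy-ftp,any,FileSrv_01,tcp/21,allow,temporary for project X
"""

# Date of the presentation, used as "today" for the re-certification report in this example
REPORT_DATE = date(2017, 1, 13)

TAG_RE = re.compile(r"(\w+)=(\S+)")


def parse_rules(export_text):
    """Read the export and lift metadata out of the comment field (app=, owner=, recert=).
    The section header is the fallback application name when the comment carries no app= tag."""
    rules = []
    for row in csv.DictReader(io.StringIO(export_text)):
        tags = dict(TAG_RE.findall(row["comment"]))
        recert = tags.get("recert")
        row["app"] = tags.get("app", row["section"])
        row["owner"] = tags.get("owner")
        row["recert"] = date.fromisoformat(recert) if recert else None
        rules.append(row)
    return rules


def rules_for_application(rules, app):
    return [r for r in rules if r["app"] == app]


def recertification_due(rules, today):
    """Rules with no re-certification date, or one already in the past, need an owner to confirm
    they are still required; an untagged 'temporary' rule is the classic source of policy bloat."""
    return [r["name"] for r in rules if r["recert"] is None or r["recert"] < today]


def decommission_request(rules, app, ticket):
    """Build a change request that removes an application's rules and the network objects
    that no remaining rule references, and says which owners to notify."""
    doomed = rules_for_application(rules, app)
    keep = [r for r in rules if r["app"] != app]

    def objects(rs):
        return {r[col] for r in rs for col in ("source", "destination")} - {"any"}

    return {
        "ticket": ticket,
        "remove_rules": [r["name"] for r in doomed],
        "remove_objects": sorted(objects(doomed) - objects(keep)),
        "notify": sorted({r["owner"] for r in doomed if r["owner"]}),
    }


if __name__ == "__main__":
    rules = parse_rules(RULE_EXPORT)
    print("re-certification due:", recertification_due(rules, REPORT_DATE))
    print(decommission_request(rules, "WebAccess", "#6757"))
```

The orphaned-object check matters in practice: deleting the rules but leaving WebAccess_DB defined means the next engineer who searches the policy still finds the application and assumes it is live.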

AUTO DISCOVERY OF BUSINESS APPLICATIONS

• Another method to consider is "autodiscovery"
• Why?
  • Because it happens dynamically
  • You don't need to rely on tribal knowledge that left the company
  • The application is comprised of many different components that are difficult for one individual to describe for you
  • Because your applications run your business, and if it breaks, you need to figure out where to fix it
  • It can help you automatically identify changes to the application behavior over time
• Autodiscovery can happen in a variety of forms
• The goal is to capture the relevant information in order to build an application diagram

DISCOVERING EXISTING APPLICATIONS

Easily discover existing application connectivity flows. (Diagram: a packet broker, an ESX server, and a host-based sensor on the application server feeding flow data into the discovery process.)

Now that we have the application described, how can we identify the risks involved with the application?

• How risky is the application?
  • Overall application
  • Components of the application
  • Access to the application
• Identifying the application components helps you gain visibility into the risk of the entire application
• Measure the risk, just like any other corporate process

RISK AND THE APPLICATION

• Applications can have labels and priorities
• Application vulnerability scores can be summarized

IDENTIFY RISK WITHIN CRITICAL BUSINESS APPLICATIONS

• Application component risk: applications have many components (web server, database server, middleware, NTP server, DNS, etc.)
• Unscanned servers: you don't know what kind of risk you have here, or whether there is malware on these systems already

WHAT OTHER RISKS DO WE HAVE?

• Measuring risk helps application developers understand security's viewpoint, which helps prevent a data breach
• Integrate the vulnerability assessment scanning data into the application architecture
• Qualys, Rapid7 and Nessus scanners, and more
• Helps requestors know what parts of their application are vulnerable to breaches

"RISK" CAN BE ADDED WHEN PERFORMING A FIREWALL CHANGE REQUEST

In the risk view of a change request:

• Red highlights critical risk
• Yellow highlights medium risk
• Gray identifies servers that were not scanned

CONSTANTLY TRY TO IMPROVE YOUR SCORE

• By measuring your application risk you can maintain a process to reduce it over time
• Certain components of the application will be more critical than others
• Prioritize your remediation strategies to accomplish your goals for risk reduction
• How risky is it to migrate your application?

MIGRATE APPLICATIONS TO NEW DATA CENTER

• Identify Applications

• Extract relevant components

• Map new IP information

• Automatically prepare firewall changes for new connectivity

• Implement changes

• Decommission old rules
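The autodiscovery slides and the six migration steps above describe one pipeline: flow records in, application map out, then IP remapping and the firewall changes that follow from it. The following is an added example, not code from the presentation or from any product, that runs that pipeline over a constructed set of NetFlow-style records for the Help Desk application. It aggregates raw records into unique flows, separates shared infrastructure (DNS, NTP) from the application's own tiers with a heuristic (a destination reached from three or more distinct /24s is treated as shared), walks outward from the web server to find the application's servers, and then, for the SMS server move, emits the rules to add for the new address and the old rules to decommission after cutover. All addresses, the records, the /24 heuristic and the new-IP mapping are assumptions made for the example.

```python
from collections import defaultdict, deque

# Constructed NetFlow-style records (src, dst, proto, dport, packets); not a real capture.
# 10.0.5.x are help-desk clients; 10.1.10.21 web, 10.1.20.11 app, 10.1.30.12 database,
# 10.1.20.15 the SMS server in DC1; 10.1.1.53 and 10.1.1.123 are shared DNS and NTP.
RECORDS = [
    ("10.0.5.10", "10.1.10.21", "tcp", 443, 1200),
    ("10.0.5.11", "10.1.10.21", "tcp", 443, 900),
    ("10.0.5.12", "10.1.10.21", "tcp", 443, 50),
    ("10.1.10.21", "10.1.20.11", "tcp", 8443, 2100),
    ("10.1.10.21", "10.1.20.11", "tcp", 8443, 1800),   # same flow exported twice: aggregated below
    ("10.1.20.11", "10.1.30.12", "tcp", 1521, 4000),
    ("10.1.20.11", "10.1.20.15", "tcp", 8080, 300),    # app tier -> SMS server DC1
    ("10.1.20.15", "10.1.1.53", "udp", 53, 20),
    ("10.1.10.21", "10.1.1.53", "udp", 53, 25),
    ("10.1.20.11", "10.1.1.53", "udp", 53, 30),
    ("10.1.30.12", "10.1.1.53", "udp", 53, 15),
    ("10.1.20.15", "10.1.1.123", "udp", 123, 10),
    ("10.1.10.21", "10.1.1.123", "udp", 123, 10),
    ("10.1.20.11", "10.1.1.123", "udp", 123, 10),
    ("10.1.30.12", "10.1.1.123", "udp", 123, 10),
]


def discover_flows(records):
    """Collapse raw records into unique (src, dst, service) edges with packet totals."""
    flows = defaultdict(int)
    for src, dst, proto, dport, packets in records:
        flows[(src, dst, f"{proto}/{dport}")] += packets
    return dict(flows)


def shared_services(flows, min_subnets=3):
    """A (destination, service) reached from many different /24s is shared infrastructure
    (DNS, NTP, AD), not a tier of one application, so discovery must not pull it into the app.
    Counting subnets rather than hosts keeps a busy web tier (many clients, one subnet) out of this set."""
    subnets = defaultdict(set)
    for src, dst, svc in flows:
        subnets[(dst, svc)].add(src.rsplit(".", 1)[0])
    return {k for k, v in subnets.items() if len(v) >= min_subnets}


def application_servers(flows, seed):
    """Walk server-to-server edges outward from one known server (the web tier here),
    skipping shared services so DNS and NTP do not drag the whole data center into the app."""
    shared = shared_services(flows)
    members, queue = {seed}, deque([seed])
    while queue:
        host = queue.popleft()
        for src, dst, svc in flows:
            if src == host and dst not in members and (dst, svc) not in shared:
                members.add(dst)
                queue.append(dst)
    return members


def application_map(flows, members):
    """Edges of the application diagram: every flow into an application server,
    inbound client traffic included, with packet totals."""
    return {edge: pkts for edge, pkts in flows.items() if edge[1] in members}


def migration_plan(flows, moves):
    """For each moved server, every flow touching it (including its use of shared services)
    becomes one rule to add with the new address and one old rule to remove after cutover."""
    add, remove = [], []
    for src, dst, svc in sorted(flows):
        if src in moves or dst in moves:
            remove.append((src, dst, svc))
            add.append((moves.get(src, src), moves.get(dst, dst), svc))
    return {"add": add, "remove": remove}


if __name__ == "__main__":
    flows = discover_flows(RECORDS)
    servers = application_servers(flows, "10.1.10.21")
    print("Help Desk servers:", sorted(servers))
    for edge, pkts in application_map(flows, servers).items():
        print(edge, pkts)
    print(migration_plan(flows, {"10.1.20.15": "10.2.20.15"}))
```

The "remove" list is the decommissioning step from the slide, produced at the same time as the "add" list: if it is generated up front and attached to the same ticket, the old DC1 rules do not survive the migration as dead policy.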

HELP DESK APPLICATION

1. This is the application to migrate
2. Identify the flows
3. Identify the relevant servers
4. Prepare change requests

MIGRATING THE HELP DESK APPLICATION

Extract the required servers and prepare them for the planning stage.

LET'S MIGRATE A SERVER FROM THE APPLICATION

SMS SERVER DC1 HAS A NEW DEFINITION

• Understanding the architecture helps you identify what components need to talk to each other
• If this server moves to a new location, these flows will be affected

We have the server definitions defined, but now we need to update the application.

OPEN REQUEST CREATED

The update kicks off an open request to modify the application connectivity.

CHANGE REQUEST IS AUTOMATICALLY PLANNED

RISK CHECKS FOR NEW SERVER MOVE (TO BE APPROVED)

This is where we can understand how much risk is introduced by the application move.

SECURITY POLICY DETAILS FOR EACH DEVICE (TO BE IMPLEMENTED)

ANOTHER DEVICE IN THE PATH

PROGRESSING ALONG THE PATH

MIGRATION COMPLETE

SUMMARY

• Increase your security policy management maturity by mapping your application architecture

• This will give you better security visibility and also business agility

• Try to progress your maturity in a consistent manner

• Include risk analysis for your application visibility

• Mapping applications can accelerate your data center and cloud migration goals!!


MORE RESOURCES