Okay, hello everyone, welcome to the session on Zero Trust Framework for Network Security. So here we are at a Forrester conference. I'm sure, given Forrester's unique role as the originator and promoter and an advocate of zero trust, many of you were in the previous session with Chase Cunningham about zero trust security. So many of you are practitioners or advocates or champions, or maybe you're just getting started with zero trust, or maybe you've been longtime professionals. What we're going to do is kind of zoom in. You've seen this diagram on probably a number of presentations, or bring your own documentation if you've been implementing zero trust, and you can see zero trust is a very all-encompassing framework; you can apply it to all of these elements of IT here. What we're going to do now is turn in specifically on the right mid circle there, on the network side of things, and a little bit on the cusp of the devices part, and of course the rings: the automation and orchestration and the visibility and analytics. So we're going to try to get practical. Specifically, exactly as Chase said, it's all-encompassing, but you have to apply it to different segments of IT, and we're going to talk about it in the framework of network security and application connectivity.

Now, the way we're going to do it, to kind of make it more interesting, hopefully a little entertaining, is instead of just a frontal presentation by one person we're going to try to mix it up and we're going to adopt the role of personas and be some characters here, and I'll use this opportunity to introduce ourselves. All of us are from AlgoSec. AlgoSec is focused on business-driven network security management, but specifically today we're going to take on different roles. I'm going to be the CISO, and I'm going to talk specifically about some of the guidance associated with zero trust on network security, as well as some of the challenges associated with the guidance. Yitzy here is going to be the business, so he's gonna translate that guidance and translate those challenges into tangible requirements, and Brian here is our network security architect, and he's going to talk about the actual use case when the rubber hits the road and how to implement it, and show it in an actual use case. That's the idea. So again, I'm going to talk about the Forrester guidance, I'll talk about the guidance and some of the associated challenges, Yitzy will translate that into requirements, and then Brian will talk about the use case. And we're going to do that in four components primarily that are key elements in network security under this framework: we're going to talk about visibility, automation, segmentation and compliance, and then we'll wrap it up a little bit by talking about the ecosystem, which is associated with the API integration.

So first of all, guidance relating to visibility. When it comes to visibility, Forrester is very simple, direct and straightforward: visibility is the key to defending any asset. You need to invest significantly in visibility because you can't protect the invisible; you really can't combat threats that you don't see, that you don't understand. Visibility is the baseline, the prerequisite, the key element to achieving zero trust, in the beginning, the foundation. However, in a network environment, especially today's enterprise network environment, there are challenges associated with that, especially when you're talking about today's very large, mixed, complex, heterogeneous environments. We're just going to touch on three elements of that complexity. We're talking about now migration to the cloud: you have multi-cloud, you have all the public cloud vendors, AWS, Azure, Google; then private cloud SDN platforms, VMware NSX, Cisco ACI, whatever is in your particular configuration; and then of course on-premise, all the firewall vendors that may be in your mixed environment, Cisco, Check Point, Palo Alto, it goes on and on. So the visibility: how do you achieve visibility when you have a mixed environment? All of these platform vendors may have a specific tool that gives you visibility on their part of the estate, but how do you see visibility across all those vendors, across all this mixed environment? So that translates into some requirements.

So, jumping in, when we want to look at our network, what are we talking about here? So the first, as Jeffrey mentioned, we want to see all the network, the whole network. We're looking at the on-prem stuff, but the network is no longer just on-prem. We're looking at on-prem, we're looking at SDN, we're looking at public cloud, we're looking at private cloud. You want to get a full picture of your entire network; if you're missing a part of it you don't really have visibility. The next stage is to kind of go deeper and understand what are the security controls within that network: what are my firewalls, what are my routers, what are my security groups. But that's not enough. You want to go deeper and understand what are the policies that make up the security group, or the policies that make up the firewalls, understanding what's allowed traffic and blocked traffic. Once you get that picture you get full visibility into your network, but that's still not enough. You want to understand the same visibility, instead of from a network perspective, from an application perspective: what within the network is allowing my application to run, what firewall rules are associated with each application. So the final stage is discovering applications and understanding how they're represented within the network. Brian, how would we do this?

Well, visibility clearly gets you started. The first part is what's our architecture, you know, what does our network look like, and model that. You can't protect what we can't see, and so what we had here is an example of, you know, a single pane of glass that provides that architectural view, provides that map, that model upon which everything else is based. We start with the infrastructure, we start with the physical firewalls, with the cloud instances and security groups and things like that. It's a bit of a busy picture, but what we have here again is the things he mentioned: premises-based, AWS, Azure, and all that's tied into a single model so that we can accomplish the other things that Yitzy needs to accomplish to get his job done and to deliver requirements to me. So that was the network side, the network visibility side, and of course one thing I neglected to mention, we'll see here in a minute, for every one of those devices out there we've got full visibility into what they look like, into their posture, so to speak, what their security policies look like and how they relate to one another.

We talked about applications, so this is an application use case for visibility: discovering applications and discovering the flows that make up those applications. And this is again more aimed at my business owner over here, versus that previous one is more for my team, because this gives him a view of the world he understands. It's again a little busy, but there's three flows that make up this application, a very simple application obviously; there's a shared infrastructure flow and there's one that's red. So my analyst, again, he sees there's a problem. Rather than racing to blame the network without knowledge that it really is the network, he can see by that red bar there that his HTTP flow is blocked: we've got a problem in the network, and it gets his team and my team on the same page. So it's not only visibility from a, you know, from a segmentation standpoint, it's also visibility from a maintenance, operations and troubleshooting standpoint. They go hand in hand.

So now let's move from visibility to the other core component of zero trust, which is productivity oriented, which is automation. Okay, and again the guidance from Forrester is very straightforward: you've got to leverage the tools and technologies. We heard Chase Cunningham talk about consolidating those and making sure that's efficient on a select group of core platforms, tools, technologies and vendors, but then enable it, enable the automation and orchestration across the entire enterprise, focused on automation. But again there are challenges associated with the automation. First and foremost, defining and maintaining such a zero trust network in the context of automation involves lots and lots of constant changes: constant changes in your security policies, in your permutations, in your configurations, in your firewall rules. And beyond that, those change processes, when done manually, are going to cause errors, human errors, misconfigurations. Nobody's perfect, especially in this complex environment; it's unavoidable when you have a manual, intensive, complex process like that. But think about it: when you talk about a cumbersome process like that, when even a single change in a complex enterprise environment takes a significant amount of time, and then you're multiplying that times hundreds of changes per month, the workload to implement, or the business case to execute this automation, just becomes even stronger. And then ultimately you need to do the risk assessment, and you have lots of teams, lots of owners kind of wrangling, each speaking a different language, each with different objectives, and this is the context, this is a difficult environment from which you need this automation to unfold.

Now the requirements. So when looking at automation and looking at zero trust, there are gonna be a lot of changes we're gonna have to make. It's not one, it's not two, it's tens, it's hundreds, thousands of changes. Doing that manually is almost impossible; it'll take weeks, it'll take months. And not only that, even if you do it manually, you have that time, you have that manpower, which none of us have, mistakes will happen. People make mistakes, humans make mistakes. So the only real trick here is to automatically have the change management, the changes happen automatically, an automatic process that will eliminate risk, that will make it happen quickly. And when you have a controlled environment where the changes happen, people will be accountable to the changes: each change made will have someone's name on it. So both for internal purposes and for compliance purposes, these changes are associated with someone who's accountable.

So again, a simple case here, but what's the first step? And we could be talking about adding a new traffic element to an existing flow, and what we're really talking about here again is either traffic enablement or disablement. Notice we haven't really mentioned the word rule much at all; we're really talking about enabling the business by enabling or disabling traffic. And so a key first step here is what's in the path, you know, if I need to add, if I'm migrating part of my application to Amazon, what's in the path, what traffic do I need to enable to provide that? This is something that, again, our customers tell us can take hours, days, and they often get it wrong. Using that model we saw earlier, that map, since we have full visibility of the security infrastructure, we can in minutes find the devices in scope. So we've got, and notice too, we've got three different vendors: we've got a Check Point, we've got Juniper, we've got an Amazon security group, and we've got some Cisco routers running ACLs. It happens that the traffic we're asking for works on those routers, so we're not gonna touch them; they won't be part of the change, they'll be part of that compliance, but don't create a redundant rule, don't create a rule for traffic that already exists. And that goes back to 25 to 30% of changes, we believe, and our customers kind of confirm this for us: change requests, traffic change requests, actually already work in the network, that traffic is already provisioned. So use a zero-touch workflow for that, don't have a human touch it at all, there's no need, and it just improves, again, the efficiency. You could take 20 to 30% of your change requests and have them just done by a machine, and do what machines do really well, which is handle repetitive and monotonous tasks with very low error rates. That's it, that's a huge win, and we get that feedback a lot from our customers. Next please.

You mentioned risks; that's another piece of this, and this is where things get a little bit, you know, the lines between the different parts of our presentation get a little blurred. Up there at the top, I hope you can read it, but part of your workflow, and part of every customer's workflow: one, what's in path, okay, I got that; what risks, what potential risks does this traffic introduce to my network? Got to look at that. Again, fine automation, find a platform that will do that for you, that will apply, in this case, PCI compliance, a custom zone-to-zone compliance profile that the customer did themselves, and what we see there is we're allowing traffic from outside into our PCI zone and we're opening up the FTP protocol, not secure. So we're going to reject this out of hand; this is a safe change, but we're going to send it back to the requester via automation that says hey, see if you can get a secure protocol from your vendor, we don't use FTP in this network. And then the final piece, once we assess that risk, and let's go back to zero touch one more time: if there's no new risk, zero touch it, send it to the finish line and inform everybody that no human needs to mess with it. And then there at the bottom, in the blue, the final piece is okay, we do need to make changes. Now I'm gonna say it, there's a rule, right, the first time I've used that in this context. This is the new rule; in fact it's an existing rule where we just need to add an object to it. It's 2/3 of the way there; the most efficient, least impact way to handle this for this device is to add that object and then go ahead and implement it, and we'll create unique work orders for each of these devices. So think about it in terms of: I'm acquiring a new company, it's a completely different technology than my people are used to; it's another win here for automation. The machine understands those new devices, I don't have to go find new expertise or cross-train people to learn by doing, and again the machine is gonna do what the machine does really well.

Great. Now we've heard a lot, especially those of you who were in the previous session heard from Chase Cunningham about micro-segmentation, and again Forrester is very crisp and clear on this: segmentation is basically about segmenting in a way that gives you isolation and control over the network, and that becomes, when you're applying it to network security, network automation and application connectivity, that becomes a pivotal point of control, the ability to segment and achieve this kind of isolation for application or whatever your parameter is. But again there are quite a bit of complexities with implementing any segmentation scheme, specifically detecting, assessing and making decisions about these applications: which ones should be segmented, and how should they be placed, and where should they be placed in this complex zero trust network. And more than that, you have to make the risk assessment, you have to understand the business impact of each of the proposed changes that are part of your segmentation schemes that you implement: what are going to be the business impacts, what are the associated risks, and understanding those up front prior to implementation. And misconfigurations is a common theme, a very pervasive problem in this type of situation; those misconfigurations can introduce enormous associated unnecessary risks and cause outages that affect business continuity, ongoing business operations. And ultimately this is a slow process without the automation, without the segmentation, but you have to implement the segmentation in a way that you can achieve this productivity, and again bridge the gap between these multiple disparate teams throughout the organization: the business stakeholders, the network people, the business owners, the security people, all of whom may be on different pages as it relates to understanding what needs to be achieved here.

So what are the requirements to achieve the segmentation? So yeah, the zero trust segmentation is not gonna be easy. Segmentation, we're not talking about a small project, this is a huge project, it'll be very complex. And so the issues that we'll need and the tools we'll need kind of take us back to what we talked about when he talked about visibility: you need to really understand your network, you need to understand what's going on there to be able to decide what's gonna go where, how do I create the segments, what each segment will look like. Once I have the visibility I'll need the automation to do it automatically; as you mentioned earlier, doing it manually has a lot of risk. The last stage will be: segmentation is not a point in time, you don't segment your network and go home. You need to make sure that at every point, every change that's made is compliant with the segmentation, with this new zero trust strategy. So it's an ongoing process to make sure that everything we do is in line with the segmentation strategy. How would I do that, Brian?

Well, again, this comes back to understanding sort of your risk surface, your posture. Again, this view here, something else that automation is providing for us, is looking at specific risks on a given device. So on this Check Point firewall, these are the risks, things like, again, insecure protocols, insecure zone constructs, things like that. That again is back to that visibility, so again these things cross a lot; I'm using automation to do it. When I talk to customers now that are not using automation, this is a manual process, they miss a lot. This is just, if you come to our booth later, there's hundreds of hits on this list, I could only list a few for the screen. But then beneath that, back to the visibility, the automation providing the visibility to drive the segmentation: if I click on any one of these risks, best practice risks, it's going to take me directly to the device and the specific rules that are enabling that risk. So now, boom, I've got the visibility, I can start closing those holes, and again, as he said, you know, segmentation is a process. You start from the outside and you work in slowly, and it's time-consuming, but you have to start again with that visibility of where do I have leakage, where do I have risk, where do I have risk that I now can quantify and start addressing.

Back to something you've seen again, and this is where I talk about the lines blurring a little bit: another view of risk associated with specific traffic. So there's visibility of the risk overall within the model, within the landscape so to speak, on a per-device basis; that's one place we need to remediate. But then, you know, that's kind of taken care of here in the brownfield; the more we use this automation to push new traffic, it's gonna normalize our policy, it's going to normalize our segmentation, things are going to be done in a much more compliant fashion. So again it's kind of two-fold, right: it looks at the new things and it's taking care of the old things that we know we need to clean up. And that's just a little better view of that risk profile; again, this is provided by automation, this is one click, comes up in a couple of minutes, quantifies that risk exactly for the folks that need to make that decision.

Great. Now I'm moving on to a real cornerstone, a centerpiece of Forrester's zero trust, of course: compliance. And I think Chase Cunningham said it very well in the last presentation, basically compliance isn't a strategy, but if you comply with the proper strategy, compliance will be a part of the equation, and those who implement this vision find that they meet their compliance requirements in a much easier fashion, because also the focus on what compliance initiatives you want to execute can kind of really allow you to segment and prioritize and really focus on what scopes you need to achieve in order to reach the particular compliance goals you have. It may be PCI, and each compliance initiative that you're pursuing has its own data types, its own segmentation schemes, and it really allows you to pursue compliance in a more systematic and strategic way. But again, if you're implementing zero trust as part of an all-encompassing strategy you will far exceed most of the requirements for compliance, and that's more than a good thing, in the words of Forrester.

However, again we have challenges. You know, there's an overhead here: the more segments you have, the more firewalls you need to deploy and manage as part of your own compliance initiatives, depending on which ones you're focused on to achieve. And auditing, as a subset or, you know, going hand in hand with the compliance: typically preparation for these audits is manual, time-consuming and costly, and as we know they draw attention and resources and focus away from more strategic initiatives you may want your teams focused on. And continuous compliance: compliance is not a point in time. You don't, you know, spray the magic fairy compliance dust and then you're done; compliance requires continuous, ongoing continuity and non-stop attention to maintain that compliance. And then ultimately it's not just a matter of compliance but all the documentation and tools and systems associated with that compliance, all of which tend to be the more tedious and time-consuming elements of the framework that you need to execute here. This has requirements, of course, associated.

So I'm happy, zero trust, I'm compliant, I don't even spend crazy time jumping through hoops to get my organization in line with compliance. But in a recent survey we found that a typical organization will take somewhere between two and four weeks to prepare for an audit. That's time we don't have. We need to find a way to do it instantaneously, be able to perform and to find out if we're complying and how we're compliant, be audit-ready within minutes. But that's not enough. As Jeffrey mentioned, compliance is not a point in time; you want to make sure that every change you make is compliant, both compliant with the regulatory compliance, PCI, NERC, SOX, whatever industry you're in, but also you want to make sure that you're compliant with the zero trust strategy, that any one of the changes you're making doesn't breach the segmentation strategy, your zero trust strategy. Because all you need is one guy to kind of make a quick change that no one notices and your network is vulnerable; you have a breach in your network, or a hole opening up that is a potential breach in that network. So you want to make sure that you're always compliant, that every change that's made is in line with compliance.

That we're gonna do in this case: this is a set of out-of-the-box compliance reports, PCI, SOX, HIPAA, numerous NIST standards, those kinds of things, and again this is applied against our network, against our devices, every day by automation. So every morning, again this is a process, not an event, every morning I know where I stand. And when I ask, in my real life as a sales engineer, if I'm talking to folks on the network team and security teams that are responsible for audits, they just groan: it's a lot of work and they know they're gonna miss things. You know, how great is it to, one, know I'm able to start ticking off things, you know, from a detailed report where you fail, fix those, and then two weeks before the auditors show up, send this to them, right? Then they have a good idea of whether it's just going to be a really dirty, hard job or you guys really have your act together, but in any case it's just going to go smoother, the conversation is better, and these folks work by a day rate or the hour, so it's nice to reduce the amount of overhead you need from them by being better prepared and showing them that. So again, just a little detail; if you want to see more, this tends to get a lot of interest, if you want to see more of this kind of thing we can show you that.

Finally, all of this is sort of rolling out in a very complex environment, as we mentioned at the very beginning: heterogeneous, multi-vendor, hybrid, and you have to understand the full ecosystem by which this operates and make sure it's business driven. You don't want the chaos of having a multi-vendor environment drag you into processes that are vendor driven as opposed to your business; you want to really focus everything around your business processes. Here you get a good sense of what the ecosystem ideally should focus on. The top part of the circle are the things that you want to manage from a network security policy management point of view: you want to think about the network devices, the security devices, the firewalls, all the on-premise stuff as well as the cloud and SDN stuff. Again you can see all the major vendors here, I'm sure you recognize many vendors that you're working with. But in addition to managing those as part of your zero trust network security policy management, you also have to interface and integrate with a wide range of product categories. I think Chase Cunningham mentioned in the last presentation, you know, some people would have more than tens and tens of vendors, probably cutting across all these different product categories: vulnerability scanners, SIEM, identity management, orchestration, you name it. All of these have to be part of the equation and interfaced with and integrated in the right way. And then you see that green slice, which is of course the core business applications under which all this is protecting and safeguarding, whether it be CRM or payroll or whatever your business applications are. But the blue circle right in the middle is really what should be the mantra when you look at the ecosystem: make sure this security management is business driven. Make sure not to focus just on IT assets but to actually think about the business applications and the business processes and get everyone focused and mobilized around speaking that language. You're not just thinking about the servers and assets and identities and things like that but really bringing that up to the business layer as well, and then not viewing all of this as chaos but really as part of a structured ecosystem within which you can execute the zero trust framework, a zero trust ecosystem if you will.

So basically that gives you an idea of kind of a framework for applying Forrester zero trust to network security. Think in terms of these, you know, five pillars: visibility, automation, segmentation, compliance, and then the API integration ecosystem; you need the rich APIs interfacing with that vendor network. But again these are the pillars and this is sort of a good framework for how you plan and analyze to implement zero trust within your network. There's a lot of resources, thought leadership, best practices content available at the resource center of the AlgoSec website as well. Thank you very much, appreciate it.
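The automation workflow Brian walks through in the talk (find what's in the path, skip devices where the requested traffic already works, assess the rest against a zone-to-zone compliance profile such as the PCI one, then cut one work order per device with the requester's name on it), as an added example in Python. This is constructed illustration code, not AlgoSec's product or any code from the session; the device names, zones, addresses, rules and the PCI profile are invented sample data.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    src: str          # source CIDR
    dst: str          # destination CIDR
    ports: set        # TCP ports the rule matches
    action: str       # "allow" or "deny"

@dataclass
class Device:
    name: str
    vendor: str
    zones: dict       # zone name -> list of CIDRs this device enforces between
    rules: list = field(default_factory=list)

def zone_of(device, ip):
    """Return the device zone that contains ip, or None if the device does not see it."""
    for zone, nets in device.zones.items():
        if any(ip_address(ip) in ip_network(n) for n in nets):
            return zone
    return None

def devices_in_path(estate, src, dst):
    """'What's in the path': every device that sits between the source and destination zones."""
    hits = []
    for dev in estate:
        s, d = zone_of(dev, src), zone_of(dev, dst)
        if s and d and s != d:
            hits.append(dev)
    return hits

def allows(device, src, dst, port):
    """First matching rule wins; anything unmatched is implicitly denied."""
    for r in device.rules:
        if (ip_address(src) in ip_network(r.src) and ip_address(dst) in ip_network(r.dst)
                and port in r.ports):
            return r.action == "allow"
    return False

def risk_violations(device, src, dst, port, profile):
    """Zone-to-zone compliance profile: (src_zone, dst_zone, port, reason) entries that must never be opened."""
    s, d = zone_of(device, src), zone_of(device, dst)
    return [reason for (sz, dz, p, reason) in profile if (sz, dz, p) == (s, d, port)]

def process_change(estate, request, profile):
    """Run one traffic change request through the three-step workflow described in the talk."""
    src, dst, port, who = request["src"], request["dst"], request["port"], request["requested_by"]
    in_path = devices_in_path(estate, src, dst)
    # Step 1: drop devices where the traffic already works; never create a redundant rule.
    needs_change = [d for d in in_path if not allows(d, src, dst, port)]
    if not needs_change:
        return {"status": "zero_touch", "requested_by": who, "work_orders": []}
    # Step 2: risk assessment against the zone-to-zone profile before anything is touched.
    violations = [f"{d.name}: {v}" for d in needs_change
                  for v in risk_violations(d, src, dst, port, profile)]
    if violations:
        return {"status": "rejected", "requested_by": who, "reasons": violations, "work_orders": []}
    # Step 3: one work order per device, each carrying the requester's name for accountability.
    orders = [{"device": d.name, "vendor": d.vendor, "add": f"allow {src} -> {dst} tcp/{port}",
               "requested_by": who} for d in needs_change]
    return {"status": "work_orders", "requested_by": who, "work_orders": orders}

# Constructed sample estate (three vendors in one model) and a constructed PCI zone profile.
ESTATE = [
    Device("cp-edge-fw", "Check Point", {"outside": ["203.0.113.0/24"], "pci": ["10.10.0.0/24"]},
           [Rule("203.0.113.0/24", "10.10.0.0/24", {443}, "allow")]),
    Device("cisco-core-rtr", "Cisco ACL", {"dmz": ["10.20.0.0/24"], "app": ["10.30.0.0/24"]},
           [Rule("10.20.0.0/24", "10.30.0.0/24", {443, 8443}, "allow")]),
    Device("aws-sg-app", "AWS security group", {"dmz": ["10.20.0.0/24"], "aws": ["10.40.0.0/24"]}),
]
PCI_PROFILE = [("outside", "pci", 21, "FTP from outside into the PCI zone is not permitted")]

if __name__ == "__main__":
    for req in [{"src": "10.20.0.5", "dst": "10.30.0.9", "port": 443, "requested_by": "app-owner"},
                {"src": "203.0.113.7", "dst": "10.10.0.20", "port": 21, "requested_by": "vendor-x"},
                {"src": "10.20.0.5", "dst": "10.40.0.8", "port": 443, "requested_by": "app-owner"}]:
        print(process_change(ESTATE, req, PCI_PROFILE))
```

The three sample requests exercise each branch: the first is already provisioned on the router and goes zero-touch, the second opens FTP from outside into the PCI zone and is rejected with the reason to send back to the requester, and the third needs a security-group change and produces a single work order.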