by Valerie Dimartino Sep 9, 2022
Breaches happen, often!
Each year, companies of all sizes collectively spend tens of billions of dollars on network security hardware and software, only to find out they have been breached. They find out during post-mortems that something was overlooked, that a change was made in conflict with a design rule and yielded unintended results, or that the protection logic as implemented or configured didn’t work as expected. The resulting breaches cause long-duration outages which can be devastating from a PR standpoint and incredibly costly. These companies can lose billions of dollars in direct and indirect costs, not to mention company valuation, customer recovery, and retention.
Unfortunately, security breaches happen quite often, with a recent study produced by the University of Maryland claiming that a successful breach occurs every 39 seconds! No wonder high-profile examples of breaches are in the news every day. The largest financial institutions, retail, airlines, pharmaceutical, healthcare, and even the social media giants all reported catastrophic security breaches throughout the year.
Breaches and the subsequent outages can be prevented if companies understand the growing vulnerabilities of their network before problems manifest in production. The only way to truly recognize potential flaws in a network is to frequently test its actual behavior against the security architecture and the specific list of desired behaviors that architecture implies. As a rule, any given traffic flow must be either allowed or denied. For this to be effective, the traffic being verified must be described in very granular detail: certain protocols may be allowed to flow between a given pair of points, while others may not. Sounds simple, right?
Details, Details…
Well, in each of these incidents, the companies involved emphatically state that they will be making “major changes” to their networks and their operational processes to reduce the risk of similar security issues happening in the future. And they do, initially. They hold an incident review, they check that security configurations are correct, and in some cases they invest in new hardware or software.
And while this is a good first step, rarely do these organizations address the root of the security problem, which largely is configuration drift and human error. They fall far short of changing their operational plans from the top down. In other words, the clock is reset on the quality of protection immediately following an incident, but the quality of the network protection begins to deteriorate as soon as normal network operations restart. They are still focused on bottom-up, device-level designs rather than operational verification.
Continuous Security Validation
What is needed is a means to capture all the desired behaviors of the network, all of the ‘allow’ and ‘deny’ conditions, and then continuously test those across the entire network. The trick is ‘writing down’ what is expected in specific detail that can be tested and enforced… and doing this at the scale of an enterprise. Doing so yields tens or hundreds of thousands of conditions, or “Network Intents”, that must be tested to confirm that the security footprint is in force as designed by the architects. It confirms that the protections defined by hardware and software are in place, active, and doing what they were intended to do. This sort of verification at scale can only effectively be accomplished via automation.
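To make the idea of “writing down” allow/deny conditions as testable intents concrete (the granular per-flow description from the “Details, Details…” discussion above and the intent list just described), here is an added example that is not code from the original post or from NetBrain. It models a firewall policy as an ordered, first-match rule list, expresses the architect’s expectations as a list of intents, evaluates each intent against the policy, and reports drift. The rule set, the intents and every address in it are constructed sample data; the “management” rule is deliberately wider than the design intended, which is the kind of drift the check is meant to surface.

```python
"""Intent-based verification of allow/deny behaviour.

Added example, not code from the original post or from NetBrain. A firewall
policy is modelled as an ordered, first-match rule list and checked against
"network intents" (expected allow/deny outcomes). All policy, intents and
addresses below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                               # "allow" or "deny"
    src: str                                  # source CIDR
    dst: str                                  # destination CIDR
    proto: str                                # "tcp", "udp", "icmp" or "any"
    dport: Optional[Tuple[int, int]] = None   # inclusive port range; None = any port


@dataclass(frozen=True)
class Intent:
    name: str
    src_ip: str
    dst_ip: str
    proto: str
    dport: Optional[int]
    expected: str                             # the architect's expected verdict


def evaluate(policy: List[Rule], src_ip: str, dst_ip: str, proto: str,
             dport: Optional[int], default: str = "deny") -> str:
    """Return the verdict of the first matching rule, or the default action."""
    for rule in policy:
        if rule.proto != "any" and rule.proto != proto:
            continue
        if ip_address(src_ip) not in ip_network(rule.src):
            continue
        if ip_address(dst_ip) not in ip_network(rule.dst):
            continue
        if rule.dport is not None:
            if dport is None or not (rule.dport[0] <= dport <= rule.dport[1]):
                continue
        return rule.action
    return default


def verify(policy: List[Rule], intents: List[Intent]):
    """Evaluate every intent; return (name, expected, actual) tuples."""
    return [(i.name, i.expected,
             evaluate(policy, i.src_ip, i.dst_ip, i.proto, i.dport))
            for i in intents]


def drift(policy: List[Rule], intents: List[Intent]):
    """Intents whose actual verdict differs from the expected one."""
    return [r for r in verify(policy, intents) if r[1] != r[2]]


# Constructed sample policy: a three-tier design plus one management rule that
# was widened "temporarily" during an outage and never tightened again.
POLICY = [
    Rule("allow", "10.1.0.0/16", "10.2.0.10/32", "tcp", (443, 443)),   # web -> app
    Rule("allow", "10.2.0.0/24", "10.3.0.5/32", "tcp", (5432, 5432)),  # app -> db
    Rule("allow", "10.9.0.0/24", "0.0.0.0/0", "any"),                  # mgmt -> anything
]

# Constructed intents: what the architecture says must and must not flow.
INTENTS = [
    Intent("web->app https", "10.1.0.5", "10.2.0.10", "tcp", 443, "allow"),
    Intent("app->db postgres", "10.2.0.7", "10.3.0.5", "tcp", 5432, "allow"),
    Intent("web->db direct", "10.1.0.5", "10.3.0.5", "tcp", 5432, "deny"),
    Intent("internet->db", "203.0.113.4", "10.3.0.5", "tcp", 5432, "deny"),
    Intent("mgmt->app ping", "10.9.0.3", "10.2.0.10", "icmp", None, "allow"),
    Intent("mgmt->db ssh", "10.9.0.3", "10.3.0.5", "tcp", 22, "deny"),
]

if __name__ == "__main__":
    for name, expected, actual in verify(POLICY, INTENTS):
        status = "OK   " if expected == actual else "DRIFT"
        print(f"{status} {name:<18} expected={expected:<5} actual={actual}")
```

Run as a script it prints one line per intent; only “mgmt->db ssh” reports DRIFT, because the wide management rule answers “allow” where the design says “deny”. In a real deployment the `evaluate` step would be replaced by querying the live devices or path-tracing the actual network, and the intent list would be kept under version control and run on every change, which is what turns a one-off audit into continuous validation.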
Network Automation and Security
Thanks to NetBrain’s network automation, continuous network security testing at scale is here. Continuous testing of security behaviors is in stark contrast to the traditional position most breached organizations have taken with regard to security. Those organizations have trusted the advertised strength of their investments in hardware and software, and have trusted the sometimes decades-old operational processes that go with them. The net result is that they pay far less attention to the ongoing, continuous operational verification of what they have purchased, verification that would confirm with certainty that it is all doing what it is supposed to do: allowing or denying traffic.
Verification, Verification, Verification
Continuously testing networks and systems helps organizations understand their security issues and vulnerabilities, and helps them create strategies and policies to strengthen their network configuration and operational policies. Without automated and continuous testing, it isn’t possible to know whether the security footprint is working until it’s far too late.
Network automation allows organizations to verify security behaviors at scale. While many companies focus on perimeter-level attack prevention, continuous intent-based network automation makes it possible to test the net result of everything that should be actively involved in the data flow. Continuous testing defends a network with an auditable status. It ensures that money spent on network security is actually doing its job.
For more information on continuous automated security validation, and how it keeps your network safe and helps you direct spending and efforts to the right places, please contact NetBrain today.