4 Ways NetBrain Helps Govern Federal Networks

November 27, 2018

Before I started at NetBrain, I did some consulting for federal clients out in DC. Despite all of its familiar building blocks, the field is a very different entity than most people understand. I have noticed, however, a number of areas where NetBrain can be of immense value to federal clients.

The federal sector, for those who are unfamiliar with it, is rather difficult to navigate sometimes; the sheer number of security measures, compliance standards, and industry and workforce practices makes it stand apart from a lot of other industries. Networks that serve federal agencies are experiencing objectively more severe growing pains than those in other industries because they were traditionally locked-down environments where changes happened infrequently.

Now, as Federal institutions come under increased pressure to modernize, it becomes clear that much of their infrastructure isn’t prepared to enter the modern age with them. Just recently, for example, the Pentagon failed its first audit, with many auditors noting issues with compliance, cybersecurity policies, and inventory accuracy.

With this in mind, it’s important to understand the elements that make the Federal sector different.

  • Documentation handoff is incredibly important because contractors are consistently rotated through similar environments.
  • Various military organizations are currently experiencing a glut of network refreshes, overhauling entire departments’ worth of infrastructure at once – this isn’t something that is as closely tied to ROI as it would be in a privately held business, but is often a matter of organizational and national security.
  • Many Federal organizations are subject to a conga line of regulations and compliance standards that might not apply to other industries.

Let’s take a look at a few use cases that could use some help from our friendly Network Operating System.

#4: IV&V: Validating Network Refresh environments with Change Management

I did some Internal Verification and Validation for a finance-related project, looking at both the legacy and refresh environments and determining the security posture of both areas. It was a straightforward financial application, but they needed to hit a number of SLAs that the old equipment wasn’t properly equipped to provide. To make things worse, a lot of their new equipment had to be set into FIPS-CC compliance mode, which inadvertently wiped the security settings on their refresh environment clean. Over the course of six weeks, I evaluated individual config files, compared tradeoffs between hardening certain systems vs meeting SLAs, and made sure the system as a whole was as secure as the one that came before it. Ultimately, this resulted in a lot of manual work and documentation, as older legacy systems were pulled apart and examined in order to help recreate golden configuration files for the newer systems.

Having recently been given ownership of the Change Management demo for NetBrain, I feel uniquely qualified to claim that I would have loved that functionality at my hands when I was deep in the weeds on this one.

[Image: Change Management]

For one, the ability to upload configuration changes on a massive scale would have saved me time and effort. More importantly, the ability to perform benchmark before/after comparisons, as well as insert customized reporting Qapps once I was done, would have made short work of the entire assignment – I would have been able to tell which devices were not in compliance with the golden standards and modify them all at once.
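As an added illustration of the golden-configuration check described above (this is not NetBrain code or a Qapp; the device names, the IOS-style lines, the baseline and the forbidden patterns are all constructed for the example), the script below parses each running config into parent/child lines, reports what is missing relative to the golden baseline, and flags settings that must never appear. The second device imitates a box whose hardening was wiped by a mode change.

```python
import re

# Constructed golden baseline (IOS-style syntax, illustrative only).
GOLDEN = """\
service password-encryption
no ip http server
ip ssh version 2
line vty 0 4
 transport input ssh
 exec-timeout 10 0
"""

# Constructed patterns that must never appear in a running config.
FORBIDDEN = [re.compile(r"transport input .*telnet"), re.compile(r"^ip http server$")]

# Constructed running configs: rtr1 is hardened, rtr2 was reset to defaults.
DEVICES = {
    "rtr1": GOLDEN + "hostname rtr1\n",
    "rtr2": "hostname rtr2\nip http server\nline vty 0 4\n transport input telnet ssh\n",
}

def parse(config):
    """Return (parent, line) pairs; an indented line belongs to the last top-level line."""
    pairs, parent = set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # skip blanks and comment separators
        if raw[0].isspace():
            pairs.add((parent, line))
        else:
            parent = line
            pairs.add((None, line))
    return pairs

def audit(running, golden=GOLDEN):
    """Compare one running config with the golden baseline and the forbidden list."""
    have = parse(running)
    missing = sorted(parse(golden) - have, key=str)
    forbidden = sorted(l for _, l in have if any(p.search(l) for p in FORBIDDEN))
    return {"missing": missing, "forbidden": forbidden}

def audit_all(devices=DEVICES):
    return {name: audit(cfg) for name, cfg in devices.items()}

if __name__ == "__main__":
    for name, result in audit_all().items():
        status = "DRIFT" if any(result.values()) else "compliant"
        print(name, status, result)
```

Tracking the parent line matters: `transport input ssh` only counts as present when it sits under `line vty 0 4`, which a flat line-by-line diff would not distinguish.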

#3: NIST Compliance with Runbooks

Today more than ever, the federal government is relying on external service providers to carry out a wide range of services using information systems. Protecting confidential information stored in non-federal information systems is one of the government’s highest priorities, and required the creation of a uniquely federal cybersecurity protocol.

NIST, or the National Institute of Standards and Technology, has created a compliance standard for recommended security controls for federal information systems. This standard is endorsed by federal clients, as it encompasses security best practice controls across a wide range of industries. In a lot of instances, complying with NIST guidelines and recommendations also helps federal agencies remain compliant with other regulations, like HIPAA, FISMA, FIPS, etc. NIST is focused primarily on infrastructure security, and uses a value-based approach in order to find and protect the most sensitive data.

[Image: NIST Runbook]

NetBrain has a very on-topic Runbook that I discussed in an earlier blog, and it fits in very well here too. Runbooks, as you may know, are NetBrain’s built-in application for documenting and automatically executing network operations.

As you can see above, NetBrain performs a number of data collection tasks to verify that the target network is functioning within acceptable security parameters. NIST compliance requires the client to control access and encryption protocols to its most sensitive devices, and the larger a network becomes, the more intensive and error-prone the compliance check is. Compliance Qapps are especially useful for audits, as they reduce the amount of time spent crawling between devices and clearly pinpoint where the problem areas in your network are.

#2: Security Remediation with Just-In-Time Automation

Just-In-Time Automation is an API-triggered NetBrain diagnosis that clients usually program to occur in the event of a monitoring alert or a helpdesk ticket being created.

[Image: Just In Time Automation]

Within the context of applications on a network, one of the most common uses of Just-In-Time automation is to reduce the Mean Time to Restoration (MTTR) for problems that occur on the network, but given the sensitive nature of many federal information systems, another good application for this feature is Security Remediation. An IPS will only tell you where the malicious traffic is located, but NetBrain can provide an outline of the infected area in the context of the rest of your network.

[Image: Just In Time Automation]

Essentially, by applying the API integration into an intrusion prevention platform, NetBrain can be triggered to identify the infected area, calculate the path between the attacker and the victim, and tag this area in a map URL for any security engineer who happens to go onsite. This speeds up the general MTTR of the incident, as most of the initial triage work is completed by the time a human sits down to resolve it. Security incidents are as time sensitive as network outages, if not more so, and having the ability to eliminate the fact-finding and data collection operations means the organization will be more effective when it counts.

#1: Improving Documentation Handoff

One of the biggest problems the federal sector faces is keeping things consistent between contract turnovers.

In the IV&V job I mentioned earlier I was a contractor, and so was everyone else. Once we left, we handed over a few large deliverables covering the changes we made and the security posture of the network, as well as a few recommendations for their systems moving forward. For several weeks afterward, I was provisionally called back in to explain the changes to newer contractors overseeing the system and advise them how to implement certain security measures on the network.

Even though I was available to come back in, my continued presence was still a significant expense to the client. Imagine if I hadn’t been available – the new contractors would have had to spend time and energy re-learning the same things I discovered in my run-through of their application.

NetBrain has always prided itself on being a documentation platform – and in more ways than one. When most people think of documentation, they gravitate towards topology maps. In fact, as I’ve mentioned before, many people see NetBrain as a mapping platform, but the truth is all of our core functionality can be applied to some form of documentation. Our Runbooks, most notably, enable clients to document common network processes, use them as collaboration platforms across teams, and hand off information to people in order to resolve instances like mine where I had to keep coming back in to retread old ground for newer people.

In this instance, I would have been able to show them the archived versions of all of my network changes, and the compliance validations that I had been documenting my progress in. This hand-off would not only have obviated my continued presence in the project, but also remained as a permanent and incredibly accessible reference for the client’s entire network refresh, which could be used as the building blocks of future projects.

Ultimately, a lot of business requirements are shared across many verticals, but the federal sector stands out in its unique rotation of staff, compliance standards, and emphasis on security over ROI.

NetBrain, as always, has a number of targeted tools that can easily resolve common problems like these that all too often stand in the way of an organization’s success.