Highly publicized security threats and breaches have been grabbing the spotlight recently, forcing many enterprises to make hasty changes to their infrastructure or revisit their security policy management processes. But hurried changes -- and not enough emphasis on the daily, fundamental elements of network security -- can spark a chain reaction of larger security problems down the road and unexpected network outages.
Enterprise network security teams are so focused on quickly responding to high-profile security threats -- such as the Heartbleed vulnerability and the Edward Snowden-NSA revelations -- that they often fail to enforce change management policies for infrastructure and security appliances. These change management failures are leading to a rise in application and network outages -- from 55% of noted outages in 2012 to 73% in 2013, and 82% in 2014 so far, according to a recent survey of enterprise security and network operations professionals from security policy management vendor AlgoSec.
Many enterprises prevent or recover from a security breach by making unplanned, undocumented and potentially hard-to-support changes to a border device in order to block a new threat. But if there aren't good change management features built into routers or firewalls, that change can have unexpected ramifications, said network engineer and blogger Nick Buraglio.
"These changes are often made without thinking them all the way through and that can bite you later," he said. "The smallest configuration flaw is still a flaw."
Overlooking security policy management process fundamentals? Watch out for outages
Knee-jerk reactions to high-profile security breaches are all too common within enterprises, Buraglio said. While enterprises focus on breaches like Heartbleed, ignoring the rest of the everyday defense strategy is a recipe for even bigger issues down the road.
"You have to pay attention to the tank pointed at your front door, but you also have to be aware that there are probably termites in your house, too. Taking care of the little security items always seems to get pushed to the back burner," Buraglio said.
"There's always going to be something larger that security professionals could be working on. But in reality, if they just focused on the fundamentals -- like keeping patches up to date -- they'd be so much further along," said John Pironti, president of Rowley, Mass.-based consultancy IP Architects LLC.
Change management, a fundamental part of the security process, should be given more attention and time. "The problem is that the board or the CIO will read about a breach in the Wall Street Journal and then go ask IT what they are doing to prevent something like this," said Nimmy Reichenberg, vice president of marketing and strategy for AlgoSec. "A focus more on the fundamentals might not sound like as good a response as 'look at the new anti-threat gadget we just bought,'" he said.
But as networks evolve and cloud services become a part of the enterprise environment, fundamental tasks like configuration and management are becoming more difficult, and the security threat landscape more complex. In 2013, 57% of organizations suffered a data center application outage due to a security misconfiguration, according to the survey. "It's becoming even more difficult for IT to just keep the lights on," Reichenberg said.
Rethinking security policy management: Tools and best practices
Change management tools and automation software can help eliminate manual error, but businesses often skimp on these tools, Buraglio said. "It's frightening how [often] change management is not in place -- so many enterprises are not keeping track of their flow or log data," he said.
These tools can help enterprises understand the surface area that needs to be protected and highlight where changes may not have been properly put into place, IP Architects' Pironti said.
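The kind of check such a tool performs, reduced to its core, is a comparison of what is actually running on a border device against the rules that went through change management. The following is an added example written for this page; it is not code from the article, from AlgoSec or from any of the people quoted. The rule syntax, the device rules, the baseline and the change-ticket identifiers (CHG-xxxx) are all constructed for illustration. The approach is the generalization of Buraglio's point above: every rule on the running device must map back to an approved change record, and anything that does not is an undocumented change to investigate, with a "permit" from any source flagged as the most dangerous kind.

```python
"""Config-drift check for a border-device ruleset (added example).

The rule syntax ("permit tcp any 203.0.113.10 port 443"), the device
rules and the approved baseline below are constructed sample data, not
any real vendor format or configuration.
"""
import re
from dataclasses import dataclass, astuple

# One rule per line: <action> <proto> <src> <dst> port <port>  (constructed syntax)
RULE_RE = re.compile(
    r"^(?P<action>permit|deny)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+port\s+(?P<port>\S+)$"
)


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: str
    dst: str
    port: str


def parse_rules(config_text):
    """Parse the constructed rule syntax; fail loudly on anything unexpected,
    because a line we cannot parse is itself an unreviewed change."""
    rules = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unparseable rule {line!r}")
        rules.append(Rule(**m.groupdict()))
    return rules


# Approved baseline: each rule is tied to a change ticket (constructed data).
APPROVED = {
    Rule("permit", "tcp", "any", "203.0.113.10", "443"): "CHG-1041",
    Rule("permit", "tcp", "203.0.113.0/24", "203.0.113.25", "25"): "CHG-1052",
    Rule("deny", "ip", "any", "any", "any"): "CHG-0001",
}

# Running configuration as pulled from the device (constructed sample).
# Two rules were added in a hurry with no ticket, and one approved rule is gone.
RUNNING_CONFIG = """
permit tcp any 203.0.113.10 port 443
permit tcp any 203.0.113.10 port 22      # emergency access, no ticket
deny   tcp 198.51.100.0/24 any port any  # hot-fix block, no ticket
deny   ip any any port any
"""


def drift_report(running_rules, approved):
    """Compare running rules with the approved baseline.

    Returns (undocumented, missing, risky):
      undocumented - rules on the device with no approved change record
      missing      - approved rules (with their tickets) no longer present
      risky        - undocumented permits from any source, i.e. the changes
                     that widen exposure rather than narrow it
    """
    running = set(running_rules)
    undocumented = sorted(running - set(approved), key=astuple)
    missing = {r: t for r, t in approved.items() if r not in running}
    risky = [r for r in undocumented if r.action == "permit" and r.src == "any"]
    return undocumented, missing, risky


if __name__ == "__main__":
    undoc, missing, risky = drift_report(parse_rules(RUNNING_CONFIG), APPROVED)
    for r in undoc:
        print("UNDOCUMENTED:", *astuple(r), "(RISKY)" if r in risky else "")
    for r, ticket in missing.items():
        print("MISSING:", *astuple(r), f"(approved under {ticket})")
```

Run against the constructed sample, the check reports the unticketed SSH permit as risky, the unticketed hot-fix deny as undocumented, and the approved SMTP rule from CHG-1052 as missing; the last of these is the class of silent removal that causes the outages the survey counts. The same comparison run on a schedule, or on every pull of the running config, is what turns change management into the routine Pironti calls for rather than a one-off audit.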
While change management and configuration tools can help, it will be more important to update best practices to match the needs of the evolving network and then follow these practices closely. "Change management has to be more of a routine than a product. Even the best tool is not going to fix a broken process," Pironti said.
At the same time, many change management routines are antiquated, and change can actually take too long for some enterprises, said John Kindervag, principal analyst with Cambridge, Mass.-based Forrester Research. "The concepts around change management were originally designed to ensure maximum uptime of systems, but these enterprises have to stop deprioritizing security changes in the name of efficiency and availability," he said. "We need automation, but in a way that allows [businesses] to be responsive and deal with threats and problems."
"Enterprises have to spend some time rethinking how they handle security at that fundamental level, and that's going to be hard for many to do because the landscape is changing so quickly," Kindervag said.