Optimization Requires Orchestration

[deanwebb]

https://www.merlincyber.com/insights/blog/optimization-requires-orchestration?hsLang=en 

[Otanx]

Good article. I bet the author is one awesome dude. You just can't scale if you are doing everything by hand. Now where that automation can really help from the security side is to block external threats that show up. You should be ingesting authentication logs from say your VPN head end. If you see multiple failed attempts then black hole that IP across your entire infrastructure. You are probably OK with not letting the guy trying to brute force your VPN from connecting to your web site, or sending you email.

-Otanx

[deanwebb]

Exactly. And most shops will stop short at notification-only with manual responses. Works great against the Great Sloth Lord and his hordes of snail soldiers...

[Otanx]

Exactly. And most shops will stop short at notification-only with manual responses. Works great against the Great Sloth Lord and his hordes of snail soldiers...

Yep, and how I typically handle that fear is to automate the deployment, but let them keep their manual activation. So give them a way to supply IPs/networks, domains, ASN, and file hashes. That can cover just about anything they would want to block. Then we automate the deployment. IPs/Networks/ASNs out to the routers, firewalls, etc. Domains pushed to proxies, DNS Servers, firewalls, hashes to AV solutions, email filters, etc. Still slow, but at least they don't get partial deployments of the blocks they want. Once they accept that then we can start talking about automating the activation depending on the source. Like mentioned in the article, take it slow. Get A to B before talking about A to C.

-Otanx

[deanwebb]

Indeed. Security is often a game of inches. But the good news is if the tools being used have good reporting, the pretty colors and circles in the reports can convince managers that we're making progress.

I'm working on a one-pager about firewall management tools. It's taking me back to $GLOBAL_MEGACORP days when we found all kinds of hell in our firewall rule sets when we started on that project.

[Otanx]

I'm working on a one-pager about firewall management tools. It's taking me back to $GLOBAL_MEGACORP days when we found all kinds of hell in our firewall rule sets when we started on that project.

Can't wait for that one. Firewall rule management is a pain. We have automated object management so the objects that the rules reference are maintained automagically, but the rules themselves are still manual, and manual audit.

-Otanx

[icecream-guy]

I'm working on a one-pager about firewall management tools. It's taking me back to $GLOBAL_MEGACORP days when we found all kinds of hell in our firewall rule sets when we started on that project.

Can't wait for that one. Firewall rule management is a pain. We have automated object management so the objects that the rules reference are maintained automagically, but the rules themselves are still manual, and manual audit.

-Otanx

I'm still living in a nightmare GAO audit from 2 years ago.  Although Algosec is a fairly good tool for firewall management tool, it does not really help with implementing granular rules needed to secure the network, it just says that the traffic is permitted, and if not, makes it so.  Policy is better, but someone has to define the policy. The granular rules are all manual using the ASA ACL hashes and Splunk to see what is hitting any particular rule, sort on count high to low and start trimming the offending rule.

[deanwebb]

Algosec is more lightweight. I'd prefer Firemon or Tufin - currently partnered with Firemon, so I'll sing their praise. There's also RedSeal which is wicked cool for finding what CVEs you have exposed and where.