Is Your Firewall Doing Its Job?


In this article, I am going to cover the challenges organizations face in securing their environment, why compliance audits alone rarely solve them, and the best practices for finding vulnerabilities and fixing them with a Firewall Healthcheck.

Organizations are Spending More on IT Security

In this world, nothing can be said to be certain – except death and taxes. Well, that and the need to invest in IT security. As our world grows more technologically advanced, our lives become more digitized and everything becomes even more interconnected; therefore, the need for security only increases. Of course, this need is as true for the companies and organizations with and for which we work as it is for us as individuals in our personal lives.

In 2019, spending on IT security increased by 8.7% over 2018, according to research from Gartner, versus a general IT spending increase of only 3.4%. The expectation was certainly that the trend would continue and that spending in 2020 would increase by at least as much; of course, that prediction was made in the halcyon days before the Coronavirus pandemic. As you may expect, the growth in IT security spending has slowed as a result: the current projection for 2020 is an increase of only 2.4%, a full point below last year's general IT increase of 3.4%, made before the world went mad. Slowed though it may be right now, the need to invest in security is obviously not going anywhere.

Information Security & Risk Management Spending by Segment, 2020-2021 (Millions of U.S. Dollars)

Market Segment                          2020      2021   Growth (%)
Application Security                   3,333     3,738     12.2
Cloud Security                           595       841     41.2
Data Security                          2,981     3,505     17.5
Identity Access Management            12,036    13,917     15.6
Infrastructure Protection             20,462    23,903     16.8
Integrated Risk Management             4,859     5,473     12.6
Network Security Equipment            15,626    17,020      8.9
Other Information Security Software    2,306     2,527      9.6
Security Services                     65,070    72,497     11.4
Consumer Security Software             6,507     6,990      7.4
TOTAL                                133,776   150,409     12.4

IT Departments Are Wasting Money on Their IT Infrastructure

As an IT Security professional, I find that this change in IT spending is both good and bad. There is a common notion in the security world that the only thing more expensive than paying for the security to prevent an incident is paying for the cost of cleaning one up and fixing the issues. So, the practice of companies continuing to invest in IT security is generally a good thing, but now, more than ever, they need to be strategic in where and how they are spending that money; they can’t treat it like a kid spending their allowance.
Far too often, folks in IT get infected with the urge to chase after the latest shiny thing, like a dog chasing a car, instead of looking inwards at their existing infrastructure. Systems into which organizations have previously invested their money and time can often be re-evaluated to see if they are being used to their fullest potential; this also lets companies see if there are changes they could make that would improve their security posture without having to go out and buy new "toys." It's a common trend I see in most of the organizations I step into, across all business types and sizes: money was spent to procure a best-of-breed solution, time was invested in getting it set up and operational, and here we are some measure of time later with every change made since being purely operational in nature. Security is always a moving target, with standards and best practices changing frequently; organizations that do not adjust, adapt, and shift with those changes are usually left behind by them, leaving themselves open to exploitation by adversaries.
For most customers, it seems like a deeper look at security only happens when they end up getting audited. These audits come in all shapes and sizes, from PCI compliance for folks that process credit cards, to IRS audits for government organizations that handle taxpayer data, to HIPAA compliance for anyone handling patient medical data. These kinds of audits do serve a purpose, of course, but they tend to be long on findings and short on actionable data. Far too often, an audit gets completed and the security team is left with a stack of findings that they then need to review, classify, rank, and attempt to remediate, all while still performing their normal job functions. What typically happens is that either the audit gets filed away for some nebulous future remediation plan, or one big thing becomes the remediation focus. That one component may, in fact, get resolved, but at the cost of only minimally increasing the organization's overall level of security. What is needed is not another audit by a generalist, but a deeper dive into the subject of concern by engineers who are experts on the matter. This allows those engineers to apply a calculated eyeball to the issue and help security-minded organizations make practical changes that increase their security level, ace their next audit, and improve their overall operational stability, all without needing to buy a new product.

A Better Way to Secure Your Environment Without Overspending

There are a number of ways to accomplish this, of course, but for me and my EITS team members, this usually comes in the form of a health check of some kind. Anything that can be hardened and made compliant can then have a health check performed against it; since I handle network security, that’s where I’m going to focus. In our modern security environment, the most obvious icon of network security is the firewall, so let’s dig a bit deeper there. The exact process you would go through is going to vary somewhat depending on the make and model of the firewall, of course, but the concepts and areas to evaluate are going to stay the same – in the same way that a Ford Focus and a Jeep Cherokee are very different vehicles made by two unrelated companies, and yet can be mechanically serviced in much the same way.
So, we have our firewall that we are going to be performing a health check on. What does that really mean? Well, first we always start by talking to the engineers that do the daily care and feeding, to capture as much environmental knowledge as possible. We want to know how the firewall fits into the network, how it gets used, what it physically cables to, and really any background knowledge we can get from those closest to it day to day. Doing this gives us the level of detail we need to intelligently investigate the configuration and saves us from tripping ourselves up when we start putting together recommendations for remediation. For example, a border firewall that isn't doing any form of URL filtering of user traffic would normally be an issue we'd want to focus on; however, if we take the time to learn about the environment we are checking, we might find that the customer is actually using Zscaler and is doing URL filtering, just not on the device we are dialed in on. It also helps us understand the potential impact of the remediation efforts we are going to suggest, which is a big part of how we close out these health checks.
With the knowledge dump completed and environmental knowledge gained, it's time to roll up our sleeves and get into the nitty-gritty of the work: deep diving into the firewall configurations and applying that calculated eyeball. A full list of things we would want to check for would be rather exhausting and would also vary depending on the make of the firewall and where in the network it is deployed, but some things are always going to require evaluation.

For example:

Above is a short list of check points, but you get the idea.

Conclusion: Using the Healthcheck Results to Improve Your Security Posture

With the evaluation complete, it's time to sit down and build our report. Once again, the goal here is to provide actionable data, not just a laundry list of findings. So, while we list everything we've discovered in the report, the real focus is on what we believe should be the priorities.

We evaluate and create a list of the ten most important things we found in our health check and then turn around and rank them based on how critical the impact is, what the risk is, and the level of effort. This gives the security team a quick “hit list” to tackle and enables them to decide which items to resolve in what order since we don’t treat all issues the same.
For example, if we look at a High Availability pair of firewalls, a common issue we'll find is that HA is configured to trigger in the event that the active firewall fails completely (due to something like a full power outage) but isn't set to fail over when it simply stops passing traffic because of a downstream issue (such as a switch failure), because link and path monitoring were never enabled. This is a critical issue, or will be the moment the environment goes down because the firewalls didn't fail over, but the fix is typically low on the risk level, and the level of effort might be as little as 15 minutes of configuration and testing. Compare that to enabling SSL decryption, for example, which is also a critical issue, but one that carries a high level of both risk and effort.
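To make the checklist-and-ranking process concrete, here is an added example, not EITS's tooling or any vendor's, that audits a small constructed firewall configuration and produces the kind of ranked "hit list" described above. The configuration schema, the finding names, and the 1-5 impact/risk/effort scores are all assumptions made for illustration; real firewalls expose the same settings (HA link/path monitoring, rule logging, URL filtering, SSL decryption) under vendor-specific names. Note how the knowledge-dump notes suppress the URL filtering finding when the engineers have told us Zscaler handles it elsewhere.

```python
"""Toy firewall health check: audit a constructed config and rank the findings.

Added example only; the config schema and scores are hypothetical.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    check: str
    detail: str
    impact: int  # 1-5: how bad it is when this bites
    risk: int    # 1-5: risk that the remediation change itself causes an outage
    effort: int  # 1-5: level of effort to remediate and test

    def priority(self) -> float:
        """Impact dominates; cheap, low-risk fixes float to the top of the hit list."""
        return 2 * self.impact - (self.risk + self.effort) / 2


# Constructed sample configuration in a hypothetical vendor-neutral schema.
SAMPLE_CONFIG = {
    "ha": {"enabled": True, "mode": "active-passive",
           "link_monitoring": False, "path_monitoring": False},
    "url_filtering": {"enabled": False},
    "ssl_decryption": {"enabled": False},
    "rules": [
        {"name": "allow-web", "src": "inside", "dst": "outside",
         "service": ["tcp/80", "tcp/443"], "action": "allow", "log": True},
        {"name": "temp-vendor", "src": "any", "dst": "any",
         "service": ["any"], "action": "allow", "log": False},
        {"name": "deny-all", "src": "any", "dst": "any",
         "service": ["any"], "action": "deny", "log": True},
    ],
}

# Constructed notes from the knowledge dump with the customer's engineers.
SAMPLE_NOTES = {"url_filtering_elsewhere": "Zscaler"}


def check_ha(cfg):
    """HA that only reacts to total device failure will not fail over on a dead downstream switch."""
    ha = cfg.get("ha", {})
    if not ha.get("enabled"):
        return []
    if ha.get("link_monitoring") or ha.get("path_monitoring"):
        return []
    return [Finding("ha-failover",
                    "HA triggers only on device failure; no link/path monitoring, "
                    "so a downstream switch failure will not cause failover",
                    impact=5, risk=1, effort=1)]


def check_rules(cfg):
    """Flag any/any/any allows (which shadow everything below them) and unlogged allows."""
    findings = []
    rules = cfg.get("rules", [])
    for i, rule in enumerate(rules):
        wide_open = (rule["src"] == "any" and rule["dst"] == "any"
                     and "any" in rule["service"])
        if rule["action"] == "allow" and wide_open:
            shadowed = [r["name"] for r in rules[i + 1:]]
            findings.append(Finding("permissive-rule",
                                    f"rule {rule['name']} allows any/any/any and shadows {shadowed}",
                                    impact=5, risk=3, effort=2))
        if rule["action"] == "allow" and not rule.get("log"):
            findings.append(Finding("no-logging",
                                    f"allow rule {rule['name']} is not logged",
                                    impact=3, risk=1, effort=1))
    return findings


def check_inspection(cfg, notes):
    """Inspection features, tempered by what we learned about the environment."""
    findings = []
    # Missing URL filtering is only a finding if nothing else in the environment does it.
    if not cfg["url_filtering"]["enabled"] and not notes.get("url_filtering_elsewhere"):
        findings.append(Finding("url-filtering", "no URL filtering of user traffic",
                                impact=4, risk=3, effort=3))
    if not cfg["ssl_decryption"]["enabled"]:
        findings.append(Finding("ssl-decryption", "encrypted user traffic is not inspected",
                                impact=5, risk=5, effort=5))
    return findings


def health_check(cfg, notes):
    return check_ha(cfg) + check_rules(cfg) + check_inspection(cfg, notes)


def hit_list(findings, n=10):
    """The top-n findings, highest priority first."""
    return sorted(findings, key=lambda f: f.priority(), reverse=True)[:n]


if __name__ == "__main__":
    for f in hit_list(health_check(SAMPLE_CONFIG, SAMPLE_NOTES)):
        print(f"{f.priority():4.1f}  {f.check:16} impact={f.impact} "
              f"risk={f.risk} effort={f.effort}  {f.detail}")
```

On the sample config the HA finding ranks first (critical impact, trivial fix) and SSL decryption ranks last among the criticals, which is exactly the ordering the hit list is meant to surface: the scoring is a starting point for the conversation with the customer, not a substitute for it.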
The final task completed as part of the EITS health check is to work with the customer to plan out how to remediate the issues that have been uncovered. This could involve the customer having us do it for them, or it could be a matter of us simply providing guidance and acting as a sounding board for them to handle it internally. Either way, the goal should always be that the end security posture will be much higher when we finish than it was when we started. In addition to changes implemented to improve firewall best practice adherence, we also often uncover opportunities for them to be used in new ways that will solve other problems customers were already facing – all for a fraction of the price of chasing after that new, shiny tool.

Firewall Healthcheck

Get valuable insights and actionable data to increase your security posture.
