Modularity Is the Name of the Game
The more modular you can design a network, the easier it is to control and monitor traffic, according to Norberg.
"You want a network that you're able to functionally monitor and secure, so you're controlling the traffic on the network. You want one that can grow with the users," he says. "A lot of times, you start with a flat network and then you start to modularize the phone traffic, the PC traffic and, if they're in a retail environment, some of the POS terminals to make sure they're secure and separated from each other. And then you want to get more granular from there."
When done efficiently, network segmentation and modularity give a lot more flexibility in prioritizing risky segments of the network so you can focus your monitoring and security efforts on the most critical areas rather than having to worry about all of the infrastructure in aggregate. That's a step up from what most organizations are used to, says Norberg.
"Traditionally, you might just slap a firewall into there and when it goes down, the customer calls you," he says. "These days, we're actually looking at the logs and doing proactive monitoring on the devices to make sure that they're not only secured and updated with the latest firmware, but you're also looking at what's happening with the firewall and the connection itself."
Manage Firewalls More Intelligently
Speaking of firewalls, organizations have to take an active management approach to their firewall rules if they're going to get the most out of these assets. With most enterprises today depending on thousands of firewalls dispersed throughout their network fabric, firewall management has become an important element both for efficient IT operations and effective IT security.
"The core of network complexity begins with a firewall," says Kevin Beaver, founder and principal information security consultant at Principle Logic.
Beaver says that, all too often, he sees organizations that believe that their security is OK. However, once he starts digging into their firewall rule sets and configurations, security holes are discovered.
"[We find] system configuration problems, weak passwords, network segments that shouldn't be talking to one another, ports that are open," he says. "I often see database servers that are sitting out on the public Internet wide open for attack."
Patch management isn't just for endpoints. Smart organizations need to have utilities in place that can automate system patching across all IT infrastructure.
"If I'm the IT director for the company, I want to make sure I'm using every tool capable of doing updating firmware and software on an immediate basis and alerting and reporting on it," says Norberg. "Generally, you want to buy a third-party product that's capable of doing more than just one particular manufacturer. Otherwise, you run into problems where you've got some of this gear, some of that gear, some of these servers, and then you end up spending a lot of your time not being very efficient in the way you're patching things."