Patching network and security devices as new vulnerabilities are identified may sound much easier than it actually is in practice.
There are five questions companies need to ask (and answer) to ensure they have the best, most efficient plan possible to keep the network safe and the staff focused on the right activities.
However, before asking these questions, companies should first think about whether they even have the in-house skills to help evaluate. Does your company have someone that understands network security on staff? If you do, continue on to ask yourself these five questions. If you don't, seek help from an MSSP or other managed services partner, hire a consultant, or perhaps ask your hardware vendors for some assistance.
Once you have the expertise, these are the five things you need to ask:
1) Do you have an accurate and dynamically updated network inventory?
For example, if the network has 50 sites and someone adds a 51st, will I be notified or have a system in place to ensure it’s secure? If one door is open, all the doors might as well be open. Can I automate this process? It’s very important to have a handle on the inventory – how are you looking for rogue devices and new network connections? You need to always understand the scope of the network in order to secure it. This includes having an up-to-date inventory you can rely on that includes the current versions of software on all firewalls and other network devices. As a part of your inventory strategy, you should keep up-to-date network drawings or diagrams.
2) How bulletproof are your backups?
Do you have a completely reliable, trustworthy, failsafe methodology for automating backup and recovery? This needs to be verified and supported by a workflow that can do pre- and post-task validation checks for both backups and restores. The best practice is to have the ability to restore your network with one click – even if it's a complex restore that requires the OS to be reloaded and multiple files to be reloaded in a specific order. If you have a well-implemented backup automation strategy, it's easy. You need to be sure the network is backed up at least daily and before and after changes. You should be able to trigger backups via API so that when you're making changes programmatically, and something fails when you're in a workflow, you can restore the network without someone actually having to interact with the console.
3) How quickly can I upgrade devices with high-severity vulnerabilities?
You need to be able to upgrade any devices with high-severity vulnerabilities immediately. In situations where those devices can't be upgraded immediately, you may need to take other measures to mitigate that risk. This may include temporarily disabling network services and/or blocking access from outside routes to those devices. A solid automation strategy will not only mitigate the vulnerabilities but automatically upgrade the devices and then re-enable network services that were disabled temporarily.
4) Have you automated regularly scheduled upgrades and patches, like OS for firewalls and network infrastructure?
The vast majority of network operations and security professionals say there are more network updates needed than they can keep up with. If you didn’t automate upgrades before, you need to take care of that so they can be done on a high-frequency basis. That automation strategy needs to weave in vulnerability and risk intelligence data as part of the strategy. This helps adequately prioritize your upgrade schedule. Ask your network automation partner which vulnerability intelligence sources they natively integrate with, and seek their advice for this part of your strategy.
5) Does your automation strategy validate your configurations against industry best practices and standards like CIS, NIST, industry-specific compliance regulations, and your own organization’s best practices or golden config standards?
Solid automation strategies conduct nightly network configuration audits to compare current configurations against industry best practices, guidelines like CIS and NIST, and standards and regulations specific to your business. This should be a normal part of your nightly automated backup. Remediate where necessary, automatically where possible, and seek out the root causes of your configuration drift.
A final word on protecting against network vulnerabilities
The corporate network should be a safe place. This is where your company's most valuable digital assets are housed. By ensuring that you have the expertise, tools, and processes in place to keep it secure, you protect not only your company's assets and brand but your own career as well. Leverage automation to continuously improve your network's security hygiene and seek out help when you need it.
Josh Stephens is Chief Technology Officer at BackBox.