Written by Chris Murray
Security is paramount to maintaining reputation and customer trust. The highly coveted information that customers provide to financial institutions make the industry an attractive target for cybercriminals. Since 2004, the financial industry has consistently ranked as the third most targeted sector.[1] Accepting that networks facilitate nearly every transaction, securing them becomes a cornerstone to any cybersecurity strategy.
Unfortunately, network security best practices are often neglected by many organizations due to the laborious nature of maintaining all the elements needed for a secure infrastructure. For example, Cisco reports that more than 80% of production network hardware is running old versions of software.[2] Additionally, network misconfigurations, which expand the attack surface of an organization, can sit for months or years before being caught by an audit. However, these types of vulnerabilities can be easily addressed with NetDevOps practices. Which Cisco defines as combining the culture, technical methods, strategies and best practices of DevOps with Networking. Whereas, DevOps is the practice of leveraging the methodologies used in software development.
Let’s take a look at these common issues, and a few others, individually:
Outdated Operating Systems
- Best practice: Biannual OS Updates
- Typical Practice: Sporadic upgrades usually motivated by security incidents or major security advisories
- Threat: As security advisories are announced by major vendors, the vulnerabilities become widely known and threat actors seek out affected systems.
- Typical Mitigation: The threat can either be ignored or thousands of labor hours over several months can be devoted to updating affected systems.
- NetDevOps Mitigation: Affected operating systems are upgraded via an automation platform and completed with an order of magnitude less effort. For example, a single NetDevOps-enabled engineer can upgrade a few thousand devices in less than a month.
Poor Device Lifecycle Management
- Best Practice: Methodical record keeping of all relevant lifecycle data (Security Advisories, End of Sales, End of Life, Contracts, Licenses, SW Versions, etc.) paired with a robust lifecycle management policy.
- Typical Practice: This information is usually spread across multiple systems, and some of it is missing. Typically, audits are required to determine the current state of the network.
- Threat: A disorganized approach causes security vulnerabilities, poor performance and reliability, increased operational costs, and insufficient resource planning.
- Typical Mitigation: Lifecycle Management issues are dealt with only after a crisis, leading to short compliance windows, poor planning, and fire drills.
- NetDevOps Mitigation: All relevant lifecycle data is populated into a Single Source of Truth database and periodically audited using an automation platform. Upcoming important dates are called to the attention of administrators. This ensures that they always know what to expect in the future and what devices are affected when security vulnerabilities are announced.
Erroneous Configurations
- Best Practice: Device configurations are maintained with an extremely high degree of standardization and intentionality.
- Typical Practice: New devices are deployed with a standard template, but exceptions quickly manifest due to incident management and change activities.
- Threat: Security vulnerabilities, increased outage frequency and duration, management headaches, poor performance, and network unpredictability.
- Typical Mitigation: Misconfigurations may go undetected until they cause a problem. Even adults may fail to discover all instances of misconfiguration.
- NetDevOps Mitigation: Configurations are maintained to a defined data-centric standard that is generated dynamically based on an array of device attributes, such as role and location. These desired configurations are maintained separately from the device itself and are compared to the actual configuration to ensure compliance. When deviations are discovered, administrators are promptly notified, allowing them to quickly address the deviations. This proactive approach mitigates the threat of erroneous configurations and the effects of configuration drift.
Poorly Managed Firewall Rules
- Best Practice: Firewall rules are deployed using a standardized approach to promote consistency and effectiveness.
- Typical Practice: Rules are written and deployed inconsistently due to the natural variances that occur when multiple engineers write configurations across a given network. When mistakes are made during this process, security pinholes are created, increasing the network’s attack surface.
- Threat: Almost all business processes are facilitated by the network. Improper firewall management invites major threats with catastrophic consequences. In fact, 99% of firewall breaches are caused by misconfigured firewalls according to Gartner research.[3]
- Typical Mitigation: Mistakes are usually discovered by chance or after a breach. Periodic audits are also used; but by implication, the network was vulnerable during the interim between rule application and audit.
- NetDevOps Mitigation: Firewall rules are deployed via automated workflows that ensure they are consistently configured and in compliance with security policies. These workflows also permit administrators to have as much or as little participation in the approval process as desired.
There’s little doubt among industry experts that replacing legacy management practices with automated DevOps-enabled practices enables organizations to achieve a more robust security posture. But that’s not the only benefit. These practices lower operating costs[4], reduce risk, increase business agility, and provide enhanced control over the network. Although many organizations are still mired in practices developed 20 years ago, the good news is that network and security automation adoption is accelerating and is easier than ever before.
Chris Murray
Senior Technical Marketing Engineer
Network to Code
www.networktocode.com
Network to Code is a network automation services and solutions provider that helps companies transform the way their networks are deployed, managed, and consumed. Through managed and professional services, Network to Code enables enterprises across all industries and geographies to deploy data-driven network automation based on NetDevOps principles to improve reliability, efficiency, and security while reducing costs.
[1] “Exposed Industries”, Proxyrack (2022)
[2] Prasad Chebrolu, “Initiative Stresses Periodic Software Upgrades for Better Reliability, Security, Performance, & Enhanced Features”, Cisco Blogs (2022)
[3] Kevin Townsend, “‘State of the Firewall’ Report: Automation Key to Preventing Costly Misconfigurations,” Security Week (2019)
[4] Dr. Mark H Mortensen, “Economic Benefits of Network Automation”, ACG Research (2020)