Security professionals all know that they should test their security hardware and software periodically to make sure it’s working as intended. Many normal IT activities have unintended consequences that cause security configurations to “drift” over time and make the organization more vulnerable. But in reality, this testing is almost always postponed or ignored - it’s simply never a high enough priority. We spoke with Song Pang, SVP of Engineering, NetBrain Technologies, to discuss why organizations commonly overlook policy enforcement at the network layer, the risk of that oversight, and how companies can mitigate their risks with automated network security testing.
While system and data-level security is a top priority across IT, policy enforcement at the network layer is often overlooked. Why?
The simple answer is that policy enforcement at the network level tends to be the last thing on the to-do list for busy network engineers. Without automation, they assume the security tools and processes in place are doing what they were purchased and deployed to do. But the real issue is scale. Without an efficient mechanism and skilled personnel to manage ongoing rules and policies, they not only need to manually find every device and application on the network but also know how each device is supposed to be configured over time and trace how data is moving between them to enforce policy. Today’s networks are complicated multi-cloud hybrid designs which evolve over time. As devices and applications are added or decommissioned and configurations changed to support these changes, each change can potentially introduce new security vulnerabilities. In addition, turnover in the IT personnel responsible for network management can lead to a loss of institutional memory for how the network is supposed to operate with respect to performance and business outcomes.
To assure that the security architecture is operational, the long list of security requirements (network “intents”) can be well documented, continuously updated and regularly validated. That is the only way to assure the infrastructure is protected. No-code network automation removes the main obstacle to policy enforcement at the network level and identifies security vulnerabilities before they can be exploited.
What are the potential consequences of overlooking this type of testing?
Security problems in the network tend to compound over time as configurations drift farther from their deployed state. As we see over and over again, making an unintended configuration error to something as simple as a single port on a firewall can provide enough of an opening for a bad actor to launch a devastating attack. Or an engineer might change the privileges on a device or application in order to perform routine maintenance and either forget to revert them or inadvertently change them to an incorrect value, creating a whole new vulnerability. Attackers are constantly probing for new weaknesses, so testing for security policy compliance must be continuous.
What are the benefits of this kind of regular automated network security testing?
First and foremost, continuous automated testing can ensure that the network is consistently performing the way network and security architects intended, including all of its expected security behaviors. With complex networks, configuration drift becomes a real issue as devices and applications are altered for both intentional and unintentional reasons. Devices and applications also need to be regularly updated and patched in order to address known vulnerabilities. No-code network automation can validate the live hybrid network against pre-defined and expected policies providing continuous observability, diagnosis and alerting for control at business scale. Not only does this proactively identify issues that need to be addressed, but it also provides auditable validation and reporting on how the network is performing. Ultimately, this leads to more comprehensive and rigorous network hardening.
How should network enforcement at scale be automated?
The only practical way to automate network enforcement at scale is to take a no-code intent-based approach, rather than a device-centric approach. Network intents describe the foundational connectivity, performance and security requirements that must be satisfied for a network to effectively support the applications and services that drive the business. An enterprise network can easily have hundreds or thousands of these network intents. The no-code network automation approach enables these many expected behaviors to be codified, replicated to similar situations across the network, and then continuously and automatically enforced.
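The intent-based checking described in this answer, together with the firewall-port drift scenario from the earlier answers, as an added example (not NetBrain's code or product): intents are codified as the expected verdict for a representative flow, and the same rule evaluator is re-run over the current rule set so that an unreverted maintenance change shows up as a named violation. The rule format, addresses and intents are all constructed for illustration.

```python
"""Added example: codify network intents as expected verdicts for representative
flows and re-check them against the current firewall rule set to catch drift."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One firewall rule in a constructed format; first match wins."""
    action: str   # "allow" or "deny"
    src: str      # source CIDR
    dst: str      # destination CIDR
    port: int     # 0 means any port


def _in(addr, cidr):
    return ipaddress.ip_network(addr).subnet_of(ipaddress.ip_network(cidr))


def verdict(rules, src, dst, port):
    """First-match evaluation with an implicit default deny."""
    for r in rules:
        if r.port in (0, port) and _in(src, r.src) and _in(dst, r.dst):
            return r.action
    return "deny"


def check_intents(rules, intents):
    """Names of intents the rule set violates; an intent is
    (name, src, dst, port, expected_verdict)."""
    return [name for name, src, dst, port, expect in intents
            if verdict(rules, src, dst, port) != expect]


def rule_drift(baseline, current):
    """(added, removed) rules relative to the deployed baseline."""
    return set(current) - set(baseline), set(baseline) - set(current)


# Constructed sample: the deployed ("golden") rule set ...
BASELINE = [
    Rule("allow", "10.10.0.0/24", "10.0.0.0/8", 22),   # SSH only from jump-host subnet
    Rule("allow", "0.0.0.0/0", "10.0.5.0/24", 443),    # public web tier
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", 0),         # explicit catch-all deny
]
# ... and the same set after a "temporary" maintenance rule that was never reverted
DRIFTED = [Rule("allow", "0.0.0.0/0", "10.0.0.0/8", 22)] + BASELINE

INTENTS = [
    ("ssh-only-from-jumphosts", "203.0.113.7/32", "10.0.0.5/32", 22, "deny"),
    ("jumphost-ssh-works", "10.10.0.9/32", "10.0.0.5/32", 22, "allow"),
    ("web-tier-reachable", "198.51.100.4/32", "10.0.5.20/32", 443, "allow"),
]

if __name__ == "__main__":
    print("baseline violations:", check_intents(BASELINE, INTENTS))
    print("drifted violations:", check_intents(DRIFTED, INTENTS))
    print("drift (added, removed):", rule_drift(BASELINE, DRIFTED))
```

Running the same intents on a schedule against each freshly collected rule set is the continuous validation the answers describe; the drift output tells the engineer which rule to revert.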
What would you say to an IT executive who is concerned with the cost of automation or skeptical that automation will yield significant results in a timely manner?
The scale and complexity of enterprise networks is growing faster than the IT teams that must support and operate them. That problem is only getting worse as the IT and cybersecurity skills gap increases. While automation projects have come and gone over the years, typically characterized by swarms of developers, long-duration projects, high costs, and limited and rigid results, “no-code network automation” is an entirely different beast. No-code automation is approachable and can be adopted by any organization that wishes to do so. No-code network automation yields results in hours or days, not months or years. And no-code leverages one of the most valuable resources an organization already has - subject matter experts! It allows these experts to capture their knowledge and nuance, and share it with their peers with the touch of a button. It can be applied to the largest or smallest of problems, and is an agile approach, allowing ideas to be turned into executables, tested for results, and then refined at will.
Ultimately, the cost of no-code network automation is noise when compared to the cost of even a single security breach incident. With no-code network automation at scale so readily available, it's the perfect time to adopt this trust-and-verify approach to cybersecurity.