Security Basics in a Hybrid Environment

Half of respondents to the recent ActualTech Media MegaCast: Ensuring Trust and Security in Enterprise IT and the Cloud survey were not confident that their data is as secure in the cloud as it is on-premises. Businesses are concerned they’ll lose control of their environment, become unable to define and manage their attack surface and fail to keep up with network management tasks.

As security practitioners, how do we ensure this gets done correctly? The best path to securing a hybrid environment isn’t by focusing on cutting-edge, revolutionary ideas. It’s by going back to the basics. If you’ve been in the security field for a while, you know what I am talking about. You’ve done it. You already know a lot about visibility, threat reduction and automation. So, if everyone knows about these things, why isn’t everyone doing them?

Corporate Imperatives Clash with Security Realities

The most common feedback I hear is that traditional approaches force you to slow down to stay secure. This does not work in today’s agile business environment. Security and network teams need to be enablers, not roadblocks. But while enterprises demand digital transformation, innovation, hybrid cloud and quick time-to-market, security and network teams are stuck with too many policies in too many places, too many types of devices, too many changes, and too many manual processes exacerbated by—of course—the skills gap.

A few years ago, I received a call from a customer who described themselves as ‘putting the no in innovation.’ The company was trying to move quickly, but the security and network departments were causing slowdowns as they tried to ensure changes were made securely. They weren’t intentionally trying to stifle innovation; their primary focus was making sure everything was secure. Making fast changes across SD-WAN, SASE, branch offices, the cloud and the other technologies in a hybrid estate is a tall order. But it can be done, and it needs to be.

A common obstacle to delivering fast secure changes is staffing. There aren’t enough of us. I’ve dealt with hundreds of companies, and I’ve never heard anyone say they have enough people and that their people are fully trained. As new technologies roll out at an ever-increasing pace, the problem is getting worse. CI/CD, SASE, software-defined everything—our teams rarely get training on new things. A lot of times, we are trying to figure them out as we go with the support of user forums and Google. All the while, the pace of business gets faster and the pressure on security and network teams gets more intense.

Is there a light at the end of the tunnel? I believe there is. Over the years, I have found that there are three simple things you can do to reduce risk in your hybrid environments, and none of them are revolutionary or paradigm-breaking. They are not tech-centric, and they are not a new and exciting application or methodology. They are: visibility, threat reduction and automation. These are simple and time-tested. But if you do them today, you’re setting yourself up for an easier and better tomorrow.

Security Basics: Complete Visibility

You can’t secure what you don’t know. What if I owned a few apartment buildings and I told you, ‘Hey, go protect my buildings. I don’t really know where they all are, but talk to Joe; he might know.’

That would make your job extremely hard. And that’s what we’re dealing with in IT. We’re told to secure every single thing that’s out there, but we don’t know what is out there. We don’t know what we don’t know. In most cases, we are not even in charge of the things we need to secure—for example, you may not be in charge of the cloud provider or SaaS vendors. But you still need complete visibility into everything that’s in your environment. 

There are a lot of great network scanning and discovery technologies on the market, and the cloud has a lot of native tools that will help businesses understand what’s in their environment. But what you need is something that can concatenate everything into one place. Otherwise, your teams end up clicking between consoles and trying to normalize massive amounts of disparate data, and there’s no way to do that manually and maintain the speed of business or any degree of reliability or accuracy.

Using an automated discovery tool has helped real organizations. I worked with a government entity that presumed they had about 150,000 endpoints. After a scan, we found they had about 170,000. That’s a 12% difference. A finance company thought they had 600,000 endpoints but, after scanning, we found they actually had twice that many—1.2 million. These unknown endpoints are also unmanaged by security. They could be infected with viruses or could have unsanctioned software on them.
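The reconciliation the two stories above describe (several discovery feeds pulled into one normalized inventory, then compared against what the organization thought it had) can be done in a few dozen lines. The following is an added example, not code from the article or from any discovery product; every record, field name and address in it is constructed, and the per-source adapters stand in for whatever format a real CMDB export, scanner result or cloud listing uses.

```python
"""Merge several discovery sources into one normalized asset inventory.

Added example (not code from the article). All records below are
constructed; the field names of each source are hypothetical stand-ins
for a CMDB export, a network scanner result and a cloud API listing.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    key: str        # normalized identity: MAC if known, else "ip:<addr>"
    ip: str
    hostname: str
    sources: set    # names of the discovery sources that reported it


def normalize_mac(mac):
    """Canonical 12-hex-digit lowercase form; None if no usable MAC was reported."""
    if not mac:
        return None
    digits = "".join(ch for ch in mac.lower() if ch not in ":-.")
    return digits if len(digits) == 12 else None


# One adapter per source: maps that source's record layout onto (mac, ip, hostname).
ADAPTERS = {
    "cmdb":    lambda r: (r.get("mac_address"), r.get("ip_address"), r.get("name", "")),
    "scanner": lambda r: (r.get("mac"), r.get("ip"), r.get("host", "")),
    "cloud":   lambda r: (None, r.get("private_ip"), r.get("tags", {}).get("Name", "")),
}


def merge(feeds):
    """feeds: {source_name: [record, ...]} -> {asset_key: Asset}."""
    inventory = {}
    for source, records in feeds.items():
        adapt = ADAPTERS[source]
        for record in records:
            mac, ip, hostname = adapt(record)
            key = normalize_mac(mac) or f"ip:{ip}"
            asset = inventory.get(key)
            if asset is None:
                inventory[key] = Asset(key, ip, hostname.lower(), {source})
            else:
                asset.sources.add(source)
                if not asset.hostname and hostname:
                    asset.hostname = hostname.lower()
    return inventory


def unmanaged(inventory, system_of_record="cmdb"):
    """Assets seen by some discovery source but absent from the system of record."""
    return sorted(a.key for a in inventory.values() if system_of_record not in a.sources)


def unknown_share(presumed, discovered):
    """Percentage of the discovered estate that the organization did not know about."""
    return round((discovered - presumed) / discovered * 100)


# Constructed sample feeds: the same two workstations seen by CMDB and scanner
# (with differently formatted MACs), one unknown device, one cloud instance.
FEEDS = {
    "cmdb": [
        {"asset_id": "A-1", "mac_address": "00-11-22-33-44-55", "ip_address": "10.0.1.10", "name": "WS-ACCT-01"},
        {"asset_id": "A-2", "mac_address": "00-11-22-33-44-66", "ip_address": "10.0.1.11", "name": "WS-ACCT-02"},
    ],
    "scanner": [
        {"mac": "00:11:22:33:44:55", "ip": "10.0.1.10", "host": "ws-acct-01.corp"},
        {"mac": "AA:BB:CC:DD:EE:01", "ip": "10.0.1.77", "host": ""},          # not in the CMDB
        {"mac": "0011.2233.4466", "ip": "10.0.1.11", "host": "ws-acct-02"},   # dotted MAC notation
    ],
    "cloud": [
        {"instance_id": "i-0abc", "private_ip": "10.20.0.5", "tags": {"Name": "api-prod-1"}},  # no MAC, no CMDB entry
    ],
}

if __name__ == "__main__":
    inv = merge(FEEDS)
    print(len(inv), "unique assets; unmanaged:", unmanaged(inv))
    print("unknown share in the article's first case:", unknown_share(150_000, 170_000), "%")
```

The identity key is what makes the merge honest: without normalizing the MAC, the same workstation reported as `00-11-22-33-44-55` and `0011.2233.4455` would count twice, inflating the estate instead of revealing the devices that are genuinely unmanaged. `unknown_share` measures the gap against the discovered total, which is how the 150,000-versus-170,000 case comes out at roughly 12%.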

Knowing everything that’s out there is a start. But you also want to know everything about what’s out there—what software is it running? What is it connected to? Is it in compliance? When does it change? Who changed it? Are its rules overly permissive? Is it allowing known vulnerabilities into the network? And so on. Only when the stragglers are brought into the fold can you manage them properly.

Complete Visibility in a Nutshell: Four Attributes

  1. Real-time visibility and change detection
  2. Zero blind spots
  3. No unnecessary access
  4. Every device on the network is identified and classified

Security Basics: Threat Reduction

Once we have a nice, big, complete inventory of everything in our environment, we want to take a look at the biggest threats and start getting rid of them. Which rules are overly permissive? Which rules allow known vulnerabilities to be exploited? Which rules are unused and have been for years but are still allowing a direct line of access into your network?

Reactive security is an outdated approach. Nobody wants to nail the barn door shut after the horse has been stolen. We want to know what the impact of a change will be before we make it. So, for example, will introducing this new tool and opening it up to the internet expose the environment to new vulnerabilities or go against compliance standards? We need to know that in advance. We want to ensure any new access is safe and compliant and we want to reduce human error. 

5 Steps Toward Threat Reduction

  1. Gain complete visibility
  2. Assess risk in real time
  3. Prioritize vulnerability patching
  4. Perform real-time compliance checks
  5. Start knocking out threats

Security Basics: Automation

The enterprises I work with make, on average, 200 ACL changes a week across their hybrid environment. Short of having a huge team devoted to reviewing every single change, there is no way to keep up with that volume in a hybrid environment using manual processes. Our manual processes take too long and are too error-prone. You should be trying to eliminate manual processes entirely.

In my security career, the biggest benefit I ever experienced from using automation was automating the installation of approved firewall rules. Now I didn’t have to have my firewall admin sitting in front of a screen at 2 a.m. during the Saturday night dark window trying to manually type in 40 different rule changes with 500 IPs. No one can be expected to do that type of work and not make mistakes. But a computer can. Automation is our friend.

There are two paths to automation. One is just-in-time automation, which follows the traditional change management process through its phases. So, for instance, it’s possible to find out during the design phase whether an ACL change will introduce new risk. If it won’t, the change is allowed to proceed to the next phase. The other approach is total automation: as long as a change doesn’t break compliance or introduce risk, the system is allowed to push it out without waiting on a human.
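Both the threat-reduction questions from earlier (which rules are overly permissive, which have sat unused for years) and the just-in-time gate described here operate on the same rule base, so one small audit serves both. The following is an added example, not code from the article or from any firewall or policy product: the rule layout, the policy (no internet-sourced access to management ports on internal networks), the port list and every address are constructed.

```python
"""Audit an ACL rule base and gate a proposed change before it is pushed.

Added example, not code from the article or any vendor product. The rule
layout, the compliance policy and every address below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_network

ANY = ip_network("0.0.0.0/0")
MGMT_PORTS = {22, 3389, 445}            # constructed policy: never reachable from the internet
INTERNAL = [ip_network("10.0.0.0/8")]   # constructed: what "inside" means in this example


@dataclass(frozen=True)
class Rule:
    name: str
    src: str            # CIDR
    dst: str            # CIDR
    ports: frozenset    # TCP destination ports; empty set means "any"
    action: str         # "allow" or "deny"
    hits: int           # match counter read from the enforcement point
    last_hit_days: int  # days since the counter last moved; -1 if it never has

    def src_net(self):
        return ip_network(self.src)

    def dst_net(self):
        return ip_network(self.dst)


def overly_permissive(rules):
    """Allow rules open to the whole internet whose destination or port set is unbounded."""
    return [r.name for r in rules
            if r.action == "allow" and r.src_net() == ANY
            and (r.dst_net() == ANY or not r.ports)]


def stale(rules, max_idle_days=365):
    """Allow rules that have not matched traffic within max_idle_days (or ever)."""
    return [r.name for r in rules
            if r.action == "allow"
            and (r.last_hit_days < 0 or r.last_hit_days > max_idle_days)]


def policy_violations(rule):
    """Design-phase what-if check: every reason this rule would be non-compliant."""
    issues = []
    if rule.action != "allow":
        return issues
    from_internet = rule.src_net() == ANY
    reaches_inside = any(rule.dst_net().overlaps(net) for net in INTERNAL)
    exposed = MGMT_PORTS if not rule.ports else rule.ports & MGMT_PORTS
    if from_internet and reaches_inside and exposed:
        issues.append(f"{rule.name}: internet -> {rule.dst} on management ports {sorted(exposed)}")
    if from_internet and rule.dst_net() == ANY and not rule.ports:
        issues.append(f"{rule.name}: any/any/any rule")
    return issues


def may_proceed(proposed):
    """Just-in-time gate: the change advances to the next phase only if it adds no violations."""
    return not policy_violations(proposed)


# Constructed rule base: one sane web rule, two idle rules, one emergency any/any that
# nobody removed, and the default deny.
RULES = [
    Rule("web-in",       "0.0.0.0/0",     "10.0.5.0/24", frozenset({80, 443}), "allow", 91_204,    0),
    Rule("legacy-ftp",   "10.0.0.0/8",    "10.0.9.9/32", frozenset({21}),      "allow", 0,         -1),
    Rule("temp-any",     "0.0.0.0/0",     "0.0.0.0/0",   frozenset(),          "allow", 12,        3),
    Rule("old-vpn",      "172.16.0.0/12", "10.0.0.0/8",  frozenset({443}),     "allow", 4_000,     700),
    Rule("default-deny", "0.0.0.0/0",     "0.0.0.0/0",   frozenset(),          "deny",  5_000_000, 0),
]
# Two versions of the same vendor-access request: one from the internet, one via the VPN range.
PROPOSED_BAD = Rule("rdp-vendor",     "0.0.0.0/0",      "10.0.3.15/32", frozenset({3389}), "allow", 0, -1)
PROPOSED_OK  = Rule("rdp-vendor-vpn", "172.16.20.0/24", "10.0.3.15/32", frozenset({3389}), "allow", 0, -1)

if __name__ == "__main__":
    print("overly permissive:", overly_permissive(RULES))
    print("stale:", stale(RULES))
    for proposed in (PROPOSED_BAD, PROPOSED_OK):
        print(proposed.name, "->", "proceed" if may_proceed(proposed) else policy_violations(proposed))
```

The same `policy_violations` function serves both paths the text describes: in just-in-time automation a human advances the ticket only when it returns nothing, and in total automation the push itself is conditioned on that empty result. Running it over the existing rule base rather than only over proposed changes is what turns the "which rules are overly permissive" question into a list you can start knocking out.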

Either approach will free up the highly skilled people in your environment—who are currently doing repetitive tasks—to focus on doing more important and impactful work. Either approach will reduce human error and support compliance by automating configurations. And either approach will optimize efficiency, reduce risk and reduce costs.

4 Ways Automation Helps You Stay Secure

  1. Keep pace with network changes
  2. Run what-if scenarios for new access
  3. Reduce complexity by removing unneeded policies
  4. Remain compliant with real-time checks at every stage

Basic is Good Because Basic Works

Four concrete actions businesses can take toward greater visibility, threat reduction and automation are:

  1. Buy yourself a good discovery tool to figure out what you have
  2. Start figuring out where your vulnerabilities are in the network
  3. Assign a team to attack those vulnerabilities one at a time; you’ll see your threat level and attack surface shrink over time
  4. Make some easy changes. Automate things that will give you the greatest benefit for the least amount of effort. This will free up your security team to actually go back into those vulnerabilities to start making your environment more and more secure.

The three steps I’ve talked about today are basic, and basic is good because basic works. If you work on these three things—visibility, threat reduction and automation—I promise you you’re going to start having a better and safer tomorrow.


Rob Rodriguez

Robert Rodriguez is a seasoned professional with over 30 years of experience in the Information Technology and Intelligence fields. He currently serves as the Vice President of Sales at Cimcor, the home of CimTrak, the leading real-time File Integrity Monitoring and System Assurance solution on the market. In addition to his role at Cimcor, Robert has held several notable positions, including Senior Director of Engineering at a CyberSecurity Software company, Manager of Cyber Security for a Fortune 500 Utility, and IT Manager at the largest privately held bank in the United States. Prior to his public work, Robert served in the Marine Corps for nine years as an Intelligence Collector and Instructor at the US Army Intelligence Center. Robert holds an active Top Secret clearance and is a proud husband and father of three sons.
