Macro and Micro View Network Security Management

Macro and Micro View Network Security Management: Organizations need a holistic view of their network. With disparate vendor devices and hosts, security teams need a normalized, comprehensive view of the network, including: routing rules, access rules, NAT, VPN, etc.; hosts, including all products (and versions), services, vulnerabilities, and patches; and assets, including asset groupings and classifications. With a comprehensive view of the network, security teams can view hosts in the network, as well as configurations, classifications and other pertinent information. A network map or model is both a useful visualization tool and a diagnostic tool, providing analysis that is only possible when considering an overall view. For example, security and compliance teams can use this macro view to see how data would move between points on the network.

Although the macro view is needed to see how all the pieces of the network fit together, network administrators must also be able to drill down into the details for a particular device, easily accessing information on rules, access policies, and configuration compliance. And this information must be considered within the framework of the broader network, including context such as segments or zones, routing, routers, switches, intrusion prevention systems (IPS), and firewalls.

The network components that impact the device will undoubtedly come from various vendors, creating data of different vendor languages that must be deciphered, correlated, and optimized to allow administrators to streamline rule sets. Daily or weekly reviews of all devices on the network is unattainable with a manual process, and reviewing device configurations less frequently puts network security and compliance at risk. Automating policy compliance helps ensure compliance and consistency, and preserves IT resources. Ideally, a network modeling tool that provides a macro view should also allow administrators to drill down into a micro view of each device, providing information on users, applications, vulnerabilities, and more. This allows administrators to see the broader network view and then focus in on particular devices for management.

Create Usage Policy Statements: Creating usage policy statements that outline users' roles and responsibilities with regard to security. You can start with a general policy that covers all network systems and data within the company. This document should provide the general user community with an understanding of the security policy, its purpose, guidelines for improving their security practices, and definitions of their security responsibilities. Create an administrator acceptable use statement to explain the procedures for user account administration, policy enforcement, and privilege review. If your company has specific policies concerning user passwords or subsequent handling of data, clearly present those policies as well. Check the policy against the partner acceptable use and the user acceptable use policy statements to ensure uniformity. Make sure that administrator requirements listed in the acceptable use policy are reflected in training plans and performance evaluations.

Policy development is focused on establishing and reviewing security policies for the company. At a minimum, review both the risk analysis and the security policy on an annual basis. Practice is the stage during which the security team conducts the risk analysis, the approval of security change requests, reviews security alerts from both vendors and the mailing list, and turns plain language security policy requirements into specific technical implementations.

The last area of responsibility is response. While network monitoring often identifies a security violation, it is the security team members who do the actual troubleshooting and fixing of such a violation. Each security team member should know in detail the security features provided by the equipment in his or her operational area.

Conduct a Risk Analysis: A risk analysis should identify the risks to your network, network resources, and data. The intent of a risk analysis is to identify portions of your network, assign a threat rating to each portion, and apply an appropriate level of security. This helps maintain a workable balance between security and required network access.

Assign each network resource one of the following three risk levels:

1. Low-level Risk Systems: The data that is compromised would not disrupt the business or cause legal or financial ramifications. The targeted system or data can be easily restored and does not permit further access to other systems.
2. Medium level Risk Systems: The data that is compromised would cause a moderate disruption in the business, legal or financial ramification or provide further access to other systems. The targeted system or data requires a moderate effort to restore or the restoration process is disruptive to the system.
3. High-level Risk Systems: The data that is compromised would cause an extreme disruption in the business, cause major legal or financial ramifications, or threaten the health and safety of a person. The targeted system or data requires significant effort to restore or the restoration process is disruptive to the business or other systems.