FireMon’s CTO and founder, Jody Brazil, talks to CBR about where the blame lies with security breaches.
Can you tell us a bit about FireMon’s role in the industry?
FireMon is focused on security management and, by that, what we mean is that we don’t implement the security. We help to manage the technology that’s already deployed. What we’ve found, and what led us to build this product in the first place more than a decade ago, was the recognition that great technology does not solve problems unless it’s properly configured.
Ten years ago, that started out as a challenge with ensuring the changes didn’t disrupt the network operations and as things have progressed – they’ve only become more complex. The networks are becoming more complex, as well as the speed at which these networks change. Virtualisation has had a lot to do with that, demanding that changes happen within hours instead of weeks and it puts significant pressure on the security chains to meet the business requirements for access control. You can go out and buy the latest and greatest next-gen firewall and deploy it in your network but it’s not going to provide the anticipated security unless it’s configured correctly.
So we help organisations gain better visibility into their existing infrastructure, better manage the change management process to ensure that changes happen in an orderly and correct fashion, and ultimately analyse the configurations in the network itself for effective security, identifying the biggest gaps and providing prioritised remediation efforts to help them clean up their security gaps.
What kind of organisations do you work with?
Our problem is one that is really driven by complexity, so we work with all sorts of large organisations. We really don’t have a significant fit in the small organisations, so an organisation that has a network of 5-10 firewalls is about where we start.
The only really consistent factor across our customer base is large organisations with large, complex networks.
What can IT departments do to ensure that there are no risks or security breaches?
I think the first thing is to simply understand what you have. It’s shocking to me that people spend millions of dollars on basic IT security controls like firewalls and yet they can’t answer the basic question of what access is allowed between two systems. That seems ridiculous but it’s the reality. So the first thing I recommend to all these IT organisations is to understand what you have. Before you go out and buy that next new technology and spend millions of dollars, understand what you currently have; if you have tremendous security technology, simply configure it more effectively to provide better security.
How can organisations ensure that they are using the cloud safely to avoid data being stolen?
The first step is to understand what you have, then as you become slightly more mature you move beyond that and it becomes better management of those change processes. No matter how perfect the configuration is, it can all go bad with that next change. So managing change effectively is critical to the ongoing security of those organisations. I think for many years, log management or security event management has owned the spotlight for management. When people say ‘security management’ that’s the first thing that comes to mind. I think it’s important to recognise that log management is very reactive.
A bad event must occur before you have any visibility into what’s happening. That’s just the nature; it’s very reactive technology. It can be configured very effectively, or you can buy really cool technology that tries to do some association between different events. But it doesn’t change the fact that events must occur before you have any visibility into what’s going on. There’s a second half of security management, which is where we play, which is just as critical, if not more critical: that is the proactive security management, to understand how you’re currently configured and where your current risks and gaps exist. When you combine those two management technologies together, the proactive understanding of where you’re at today, as well as the reactive understanding that you can’t stop everything, then you have effective visibility into your potential and real security situations.
Who should be held responsible for mistakes down to carelessness regarding data loss?
First, I strongly believe that blame needs to shift to the business owner and away from the IT security department. Negligence, however, is a matter of ownership. For example, I believe that the ownership of accepting risk to an organisation should shift to the business.
To make that happen, the IT department, and the security department in particular, need to do a much better job in communicating what those risks are to the business in terms that they understand. Once you can do that, now the business is in charge of the same kind of risks that there are with financial risks: should they invest in this new technology or not?
These are risks that the businesses are extremely comfortable dealing with on a daily basis. And adding security to that should be part of the solution. But when the decision is made to accept or not accept risk, and it’s left to the IT department to then implement the control that has been agreed upon, that is when responsibility gets pushed down to the security department. If there is negligence, if they failed to do the job that they said they were going to do, then in that particular case it’s clearly the fault of the IT or security group, and they should be to blame. But all too often the business unit is forcing the IT department to make a change that is against the recommendation of the security department, and then some poor administrator gets blamed for a decision that was made way above that person’s responsibility.
So what’s next for FireMon?
We remain very focused on this idea of visibility in the security realm. We believe strongly that the future of IT security is going to lean towards automation: events continue to happen more quickly, but the technology itself moves more quickly too, so automation is going to be important in the realm of security. So we see both of those things as key drivers for us as we move forward.