Automation of Conformity and Risk Analysis

By Sergio Bollini
The growing complexity of the security required to protect network services, and especially the data they access, directly affects the risk carried by our infrastructure and data. The use of unsafe protocols, or of protocols with known vulnerabilities, can easily go unnoticed, putting confidentiality in jeopardy. At the same time it is increasingly difficult to achieve and maintain conformity with the various regulations to which our business may be subject, as well as with corporate rules and policies.

A Risk Analysis assesses the risks run by the company according to the value of its assets, the characteristics of its infrastructure, the threats to which it is exposed and its existing vulnerabilities. A Conformity Analysis, on the other hand, measures the level of compliance with different rules, regulations, corporate policies and good practices. In other words, while one of these analyses prioritizes immediate actions, the other is aimed at maintaining acceptable risk levels over time. These analyses are neither mutually exclusive nor complementary.

Automated Conformity Analysis

Its purpose is to prepare the organization to pass audits and to ensure conformity with the different security rules, regulations and policies that the business may require. In the specific case of firewalls, the process consists in collecting the rules and objects that make up the policy implemented by each of the organization's firewalls, and then comparing them against Rules Policies (which establish the characteristics that rules must have) or Access Policies (which establish which accesses are authorized). These policies can implement standards such as NIST and PCI-DSS, as well as the organization's own policies. Apart from the evident benefits of a Conformity Analysis, automating it brings some specific advantages:

• Regular audits.
• Reduction of non-conformity windows from months to hours.
• Simple on-demand production of different types of audit reports.
• Simulation of configuration changes in order to assess their impact.

Automated Risk Analysis

This analysis always starts with a comprehensive asset inventory (security/network devices, servers and their associated services, premises, and their valuation), whose automation is very simple. The next step consists in modeling the network and automatically collecting the configuration of the security devices (firewalls, IPSs, router ACLs, etc.), the existing threats and the detected vulnerabilities. This model is critical for a realistic risk assessment: once all the potential attack vectors have been identified, together with the attacker's location and the network/security devices involved, it is possible to determine whether any access path to the detected vulnerabilities actually exists, and then to assess the risk of each detected vulnerability taking all this information into account. Here too, automation brings benefits worth mentioning:

• Reduction of exposure windows from months to hours.
• Simulation of attack scenarios.
• Faster production of different types of reports.
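The two procedures described above, a firewall Conformity Analysis (rule base compared against a Rules Policy and an Access Policy) and a reachability-based Risk Analysis with a change simulation, as one added Python illustration that is not tooling from the article or its author. The rule base, the policies, the hosts, the asset values, the attacker location and the vulnerability records (labelled VULN-*, not real CVE identifiers) are all constructed sample data, the firewall is modelled with first-match semantics and a default deny, and the risk score (CVSS base score multiplied by asset value, zero when the service is unreachable) is a deliberately simple assumption:

```python
"""Firewall conformity check plus reachability-based risk scoring.
Added illustration, not tooling from the article. All rules, policies, hosts,
asset values and vulnerability records are constructed; the score formula is
a simple assumption (CVSS base score x asset value)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    src: str             # CIDR or "any"
    dst: str             # CIDR or "any"
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # None means any port
    action: str          # "allow" or "deny"

def _net_match(cidr, addr):
    return cidr == "any" or ip_address(addr) in ip_network(cidr, strict=False)

def rule_matches(rule, src, dst, proto, port):
    return (_net_match(rule.src, src) and _net_match(rule.dst, dst)
            and rule.proto in ("any", proto) and rule.port in (None, port))

def first_match(rules, src, dst, proto, port):
    """Evaluate one flow with first-match semantics; unmatched flows are denied."""
    for rule in rules:
        if rule_matches(rule, src, dst, proto, port):
            return rule.action
    return "deny"

# ---- Conformity analysis: rules policy and access policy ----
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http"}  # constructed rules policy

def check_rules_policy(rules):
    """Rules policy: no allow-everything rule, no allowed cleartext protocol."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.src == "any" and r.dst == "any" and r.port is None:
            findings.append((r.name, "allows any source to any destination"))
        if r.port in CLEARTEXT_PORTS:
            findings.append((r.name, f"allows cleartext {CLEARTEXT_PORTS[r.port]}"))
    return findings

def check_access_policy(rules, access_policy):
    """Access policy: flows with their authorised outcome; return the mismatches."""
    mismatches = []
    for src, dst, proto, port, expected in access_policy:
        actual = first_match(rules, src, dst, proto, port)
        if actual != expected:
            mismatches.append(((src, dst, proto, port), expected, actual))
    return mismatches

# ---- Risk analysis: is each detected vulnerability reachable? ----
@dataclass(frozen=True)
class Vuln:
    vuln_id: str  # placeholder label, not a real CVE identifier
    host: str
    proto: str
    port: int
    cvss: float

def assess_risk(rules, attacker_src, vulns, asset_values):
    """Score severity x asset value only when the attacker location can
    reach the vulnerable service through the modelled firewall."""
    scored = []
    for v in vulns:
        reachable = first_match(rules, attacker_src, v.host, v.proto, v.port) == "allow"
        score = round(v.cvss * asset_values[v.host], 1) if reachable else 0.0
        scored.append((v.vuln_id, v.host, reachable, score))
    return sorted(scored, key=lambda t: -t[3])

def simulate_removal(rules, rule_name):
    """Change simulation: the rule base as it would look without one rule."""
    return [r for r in rules if r.name != rule_name]

# ---- Constructed sample data ----
RULES = [
    Rule("allow-web", "any", "10.0.1.0/24", "tcp", 443, "allow"),
    Rule("allow-telnet-mgmt", "10.0.9.0/24", "10.0.1.0/24", "tcp", 23, "allow"),
    Rule("allow-db-from-web", "10.0.1.0/24", "10.0.2.0/24", "tcp", 5432, "allow"),
    Rule("legacy-any", "any", "any", "any", None, "allow"),  # forgotten temporary rule
    Rule("default-deny", "any", "any", "any", None, "deny"),
]
ACCESS_POLICY = [
    ("203.0.113.5", "10.0.1.10", "tcp", 443, "allow"),  # internet -> web tier
    ("203.0.113.5", "10.0.2.10", "tcp", 5432, "deny"),  # internet -> database
    ("10.0.1.10", "10.0.2.10", "tcp", 5432, "allow"),   # web tier -> database
]
VULNS = [
    Vuln("VULN-DB-0001", "10.0.2.10", "tcp", 5432, 9.8),
    Vuln("VULN-WEB-0001", "10.0.1.10", "tcp", 443, 7.5),
    Vuln("VULN-FS-0001", "10.0.3.20", "tcp", 445, 9.8),
]
ASSET_VALUES = {"10.0.1.10": 3, "10.0.2.10": 5, "10.0.3.20": 2}
INTERNET = "203.0.113.5"  # attacker location assumed for the model

if __name__ == "__main__":
    print(check_rules_policy(RULES), check_access_policy(RULES, ACCESS_POLICY))
    print(assess_risk(RULES, INTERNET, VULNS, ASSET_VALUES))
    print(assess_risk(simulate_removal(RULES, "legacy-any"), INTERNET, VULNS, ASSET_VALUES))
```

Run as a script, the conformity step flags the cleartext telnet rule and the leftover allow-everything rule, and the access-policy comparison shows that the internet-to-database flow the policy says must be denied is in fact allowed. The risk step then ranks the database vulnerability highest as deployed, while the same assessment on the simulated rule base without "legacy-any" shows the database and file-server vulnerabilities as unreachable from the attacker location, which is the kind of before/after view the change-simulation bullet refers to.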
