We bought a next-generation firewall, as I had hoped we would. The real trick, though, was getting the IT department to take full advantage of all of its advanced functionality.
A few months ago, we put a loaner Palo Alto Networks firewall in place to monitor our corporate network as a proof of concept. I was psyched about how this firewall could give us much greater visibility into application data and aid us with threat detection and prevention, URL filtering and advanced malware analysis.
However, the IT department has always been responsible for firewall administration, while I have dictated policy and monitored events. And IT was nervous about putting the new firewall in-line — meaning our advanced firewall wouldn’t do anything more than block ports, just like the archaic firewalls I want to move beyond. Rather than throw my weight around and demand that the firewall be placed in-line, I decided to raise IT’s consciousness by constantly barraging them with insights about how the next-generation firewall could make their lives easier if it were in-line.
Yes, I was going to be annoying.
This was fairly simple to do, since I was able to produce an abundance of evidence supporting my position that we should be blocking certain traffic. The problem with monitor-only mode is that when a security event indicative of malicious activity is discovered but not blocked, the IT department has to follow up.
Now, on a daily basis, an average of six PCs in my company are reported to be infected with malware. A PC might attempt to connect to a known botnet server. An employee might browse to websites that are inappropriate or, worse, represent a security or legal risk to the company. Servers, which shouldn’t be put to personal use, might be connected to social media sites, raising the question of whether it was a system administrator doing something stupid or a piece of malware doing something malicious. Whatever the case, the IT administrators and the head of IT receive an email and have to act to track down the cause of the alert and make sure the machines that have been flagged are cleaned up.
If a PC is suspected of being compromised, the IT admin has to identify the user, ask the user a series of questions, determine the PC’s patch status and the condition of the antivirus client, determine if there are any risky programs installed, and run a couple of malware-detection utilities. Doing all of this for a single PC can take more than an hour. In some cases, it takes much more time, since the PC has to be wiped and the operating system and standard enterprise applications then have to be reinstalled.
As all of these things continued to happen, I didn’t miss an opportunity to point out that all that follow-up and remediation would be unnecessary if advanced firewalls were placed in-line and allowed to block the sorts of things that cause PCs to become infected — and IT administrators could be doing more valuable things.
Or they could keep doing follow-ups that ate up their time. Since I had decided that being annoying would be an effective tactic, I insisted that an IT administrator had to look into every instance of a server initiating a connection to a file storage site. Doing that is the only way we can determine whether the connection was made by a human being or a piece of malware. And then I would add, annoyingly, “If the firewall were in-line, suspicious traffic could be blocked, and eventually admins wouldn’t use production servers to check their webmail.”
Another thing that IT regularly does is send emails to HR whenever an employee surfs porn sites. And so I explained that we could create a policy that would both block access to these types of sites and present the naughty Web surfer an interrupter page letting the user know that such activity is inappropriate. Having one of those pop up on your monitor is embarrassing enough to prompt permanent behavior change while in the office.
In the end, my persistence and annoying behavior won the day. The IT department got tired of me having them stop everything they were doing to investigate. They agreed to order another next-generation firewall, for a highly available pair, and replace the legacy devices. Putting my obnoxious behavior aside, I agreed to dip into my budget and pay for training for the IT administrators who will be responsible for firewall administration.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.