Is Network Automation Essential for Network Security?

Author
Terry Slattery
Principal Architect

If your business is not using network automation, there’s a good chance that there’s a security vulnerability lurking in your network. Remember the T-Mobile data breach? It started through an improperly secured router. How do you make sure a similar event can’t happen in your network?

Implementing good network security can be much less expensive than the cost of a cybersecurity breach. Just look at the ransomware demand prices, the cost of remediating an attack, or the reputational cost to your business. And if you were to pay a ransom to return to business, you’d still have to implement security enhancements in order to avoid being victimized again, potentially by the same attacker.

Your business needs to use automation to avoid leaving any doors open to attack.

Preparing for Network Automation – Culture and Policies

The network and security teams must work together. Some organizations support separate silos for these two functions, putting them at a disadvantage relative to teams that work together. A culture change may be needed, particularly if the security team has a “need-to-know” attitude.

The combined team will need to create and maintain network policies that provide security while supporting the business. Policy elements include things like multi-factor authentication for administrative logins, network segmentation, allow-listing (white-listing) of application traffic, and regular software and OS updates. Don’t hesitate to bring in a security consultant to evaluate the policies and the overall security design.

Policies translate into network configuration templates and automation tasks. Firewall configuration templates are obvious but don’t forget about templates for other configuration elements like security event logging, Wi-Fi security, network device security, and network segmentation.

Applying Automation

Automated network discovery is the first step, providing the team with a comprehensive inventory of what’s on the network. The hardware models and software versions collected by discovery must be checked against vendor PSIRT (product security incident response team) advisories and CVE (common vulnerabilities and exposures) entries to report known vulnerabilities. You should expect commercial automation products to include this function. Most breaches exploit vulnerabilities that were already publicly known, so your team should act promptly on any findings.
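The core of the PSIRT/CVE check is matching each discovered platform and software version against the affected-version range in each advisory. The following is an added example, not code from this article or from any vendor's advisory service: the inventory, the platform names, the advisory identifiers and the CVSS scores are all constructed sample data, and a real implementation would pull advisories from the vendor's feed (or the NVD) rather than from an inline list. The version comparison handles the rebuild-letter suffixes (e.g. 9.3.8a) that many vendors use.

```python
"""Match a discovered device inventory against vendor security advisories.

Added example. The inventory and the advisories below are constructed
sample data, not output from any real PSIRT feed or CVE database.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Device:
    hostname: str
    platform: str   # constructed platform name, as reported by discovery
    version: str    # dotted software version string, e.g. "16.9.4" or "9.3.8a"


@dataclass(frozen=True)
class Advisory:
    advisory_id: str     # constructed identifier, not a real CVE or PSIRT ID
    platform: str
    first_affected: str  # inclusive lower bound of the affected range
    first_fixed: str     # exclusive upper bound: this version and later are fixed
    cvss: float


def parse_version(version: str) -> Tuple:
    """Turn '16.9.4' or '9.3.8a' into a tuple that compares correctly.

    Each dotted piece becomes (number, suffix); a bare number gets an empty
    suffix, so 9.3.8 sorts before the rebuild 9.3.8a, which sorts before 9.3.9.
    """
    parts: List = []
    for piece in version.split("."):
        digits, suffix = "", ""
        for ch in piece:
            if ch.isdigit() and not suffix:
                digits += ch
            else:
                suffix += ch
        parts.append(int(digits) if digits else 0)
        parts.append(suffix)
    return tuple(parts)


def is_affected(dev: Device, adv: Advisory) -> bool:
    """True when the device runs an affected version of the advisory's platform."""
    if dev.platform != adv.platform:
        return False
    running = parse_version(dev.version)
    return parse_version(adv.first_affected) <= running < parse_version(adv.first_fixed)


def find_exposures(devices: Iterable[Device], advisories: Iterable[Advisory],
                   min_cvss: float = 0.0) -> List[Tuple[str, str, float]]:
    """Return (hostname, advisory_id, cvss) for every match, worst score first."""
    findings = []
    for dev in devices:
        for adv in advisories:
            if adv.cvss >= min_cvss and is_affected(dev, adv):
                findings.append((dev.hostname, adv.advisory_id, adv.cvss))
    findings.sort(key=lambda f: (-f[2], f[0]))
    return findings


# Constructed inventory, as discovery would report it.
INVENTORY = [
    Device("edge-rtr-01", "examplevendor-edge-router", "16.9.4"),
    Device("edge-rtr-02", "examplevendor-edge-router", "16.12.1"),
    Device("core-sw-01", "examplevendor-core-switch", "9.3.8"),
    Device("core-sw-02", "examplevendor-core-switch", "9.3.8a"),
]

# Constructed advisories; a real tool would load these from the vendor feed.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "examplevendor-edge-router", "16.0.0", "16.12.0", 9.8),
    Advisory("ADV-EXAMPLE-0002", "examplevendor-core-switch", "9.3.0", "9.3.9", 7.5),
    Advisory("ADV-EXAMPLE-0003", "examplevendor-core-switch", "9.2.0", "9.3.8a", 5.3),
]

if __name__ == "__main__":
    for hostname, advisory_id, cvss in find_exposures(INVENTORY, ADVISORIES):
        print(f"{hostname:12} {advisory_id:18} CVSS {cvss}")
```

Note that edge-rtr-02 is not reported because 16.12.1 is at or above the first fixed release, and core-sw-02 escapes the third advisory because its rebuild (9.3.8a) is exactly the first fixed version. Getting these boundary comparisons right is where hand-rolled version checks usually fail, which is a good reason to use the vendor's own affected-version logic when the feed provides it.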

The automation process must then verify that every network device complies with the configuration templates and operational policies (a process sometimes called a configuration audit). Run this check whenever a configuration changes and at least daily. A separate check, configuration drift detection, reports what changed between successive configuration snapshots. The network/security team should use drift reports to track changes and audit them for policy compliance.
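The three pieces described above (rendering a template from policy, auditing a running configuration against it, and reporting drift between snapshots) fit in a small script. The following is an added example, not this article's or any product's audit engine: the baseline template, the forbidden-line list and the two running-config snapshots are constructed samples in a generic CLI syntax. It uses the standard library's string.Template so that it runs with no dependencies; production templates are usually Jinja2.

```python
"""Render a security baseline, audit a running config against it, and
report drift between two snapshots.

Added example with constructed sample configurations in a generic CLI
syntax; not a real device's configuration or any vendor's audit tool.
"""
import difflib
from string import Template
from typing import Dict, List

# Baseline template: one policy element per line (logging, login
# throttling, SSH-only management, no plaintext web server).
BASELINE_TEMPLATE = Template("""\
hostname $hostname
logging host $syslog_server
login block-for 120 attempts 3 within 60
ip ssh version 2
no ip http server
""")

# Line prefixes that must never appear in a compliant configuration.
FORBIDDEN = [
    "ip http server",
    "enable password",
    "transport input telnet",
]


def render_baseline(variables: Dict[str, str]) -> List[str]:
    """Fill the template for one device and return the required lines."""
    return BASELINE_TEMPLATE.substitute(variables).splitlines()


def config_lines(text: str) -> List[str]:
    """Normalise a config: strip indentation, drop blank and comment lines."""
    lines = (ln.strip() for ln in text.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("!")]


def audit(running: str, baseline: List[str]) -> Dict[str, List[str]]:
    """Configuration audit: required lines that are missing, forbidden lines present."""
    lines = config_lines(running)
    missing = [b for b in baseline if b not in lines]
    forbidden = [ln for ln in lines if any(ln.startswith(f) for f in FORBIDDEN)]
    return {"missing": missing, "forbidden": forbidden}


def drift(old: str, new: str) -> List[str]:
    """Configuration drift: lines added (+) or removed (-) between two snapshots."""
    diff = difflib.unified_diff(config_lines(old), config_lines(new), lineterm="", n=0)
    return [d for d in diff
            if d and d[0] in "+-" and not d.startswith(("--- ", "+++ "))]


# Constructed snapshot taken when the device was compliant.
YESTERDAY = """\
! constructed sample running-config
hostname edge-rtr-01
logging host 192.0.2.10
login block-for 120 attempts 3 within 60
ip ssh version 2
no ip http server
line vty 0 4
 transport input ssh
"""

# Constructed snapshot after an undocumented change by an administrator.
TODAY = """\
! constructed sample running-config after an undocumented change
hostname edge-rtr-01
logging host 192.0.2.10
ip ssh version 2
ip http server
line vty 0 4
 transport input telnet ssh
"""

if __name__ == "__main__":
    baseline = render_baseline({"hostname": "edge-rtr-01", "syslog_server": "192.0.2.10"})
    print("audit:", audit(TODAY, baseline))
    for change in drift(YESTERDAY, TODAY):
        print("drift:", change)
```

The audit reports the policy violations (the login throttle and "no ip http server" are gone, and Telnet and the HTTP server are on), while the drift report shows the exact lines that changed. Both are useful: the audit tells you what is wrong, the drift tells you what moved, and a change that appears in drift without a ticket behind it is itself a finding.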

Testing with Automation

Automation can be applied to security testing as well. Consider using an external security scanning service to identify vulnerabilities that are visible from the Internet. This is the same process the bad actors use to find the chink in your company’s security armor. As with the PSIRT/CVE process, it is important to promptly address any deficiencies. In one example, an unprotected IoT device was scanned and hacked within an hour of being installed. This emphasizes that any external security scanning service must support initiating a scan whenever a change is made to the Internet-facing part of your network, not just on a fixed schedule. If you want an in-depth security analysis, engage a penetration testing company on a periodic basis.

Responding with Automation

Automation isn’t just for the initial configuration. It also applies when your network is being attacked. You’ll need an incident response plan and the tools to help you contain an attacker and recover. Different attacks need different responses: remediating ransomware is different from closing off an attacker’s access to your network, and different again from handling a denial-of-service attack. Automated tools for quickly segmenting the network and isolating compromised hosts are essential.

The bad actors are already using automation to attack your network. Responding with manual processes that just can’t keep up is no longer an option.