Published November 21st, 2023 by John Moran
No matter how secure we think our networks may be, the risk of a security incident is always imminent. And when it happens, analysts and incident responders need to act fast — with immediate access to data to effectively scope, investigate, and ultimately, contain the incident.
Across the many potential sources, network data continues to be the most challenging to collect, maintain, and distribute. Network, application, and cloud teams are stretched so thin that proper documentation takes a back seat to simply “making it work”. The increasingly dynamic, hybrid nature of today’s networks means that any statically defined network and app data is often obsolete in days or even hours. Simply put, spreadsheets are no longer a viable tool for maintaining this information.
Once an incident is detected, sufficiently containing it in a feasible timeframe poses additional challenges. In large enterprises with distributed responsibilities, it’s more than likely that the teams responsible for incident response don’t have the required access or authorization to contain an incident. Instead, they must rely on other teams, who may have conflicting priorities, to get the job done.
Let’s take a look at how the Tufin Orchestration Suite can help incident response teams to work smarter and faster when faced with a potential security incident.
Tufin for Cortex XSOAR: Unified real-time network visibility, policy intelligence, and automated playbook-driven response solution
Tufin SecureTrack: Information Enrichment and Context
When a potential incident is first detected, it may be a single endpoint detection or an IDS alert with very little information. A single alert is probably one of tens, hundreds, or even thousands of alerts received every day. Organizations must quickly assess and prioritize each alert, as a single overlooked alert might be the one that initially detected an incident. Successfully handling incidents at scale requires accurate data enrichment to provide actionable context for each alert.
The first step is to determine if the alert is, in fact, an incident, and if it is, begin enriching the initial alert data and adding context. Keep in mind that enrichment data may be missing or obsolete. Analysts and incident responders must be able to trust that the data used is accurate and up to date. Collecting this information is often done manually, taking precious minutes or hours of triage time. This problem is compounded by the fact that analysts and responders must often manually query multiple data sources to gather all the network intelligence required to properly triage an alert.
Network and business context at the core
Without proper context, it’s impossible to determine the potential risk to your organization, and therefore, the appropriate response.
Tufin SecureTrack is powered by network intelligence gathered directly from managed devices, including network objects, security policies, routes, and more. SecureTrack queries this information automatically, requiring no manual input from network admins when a change is made. When changes are made in a dynamic network environment, they are reflected in SecureTrack.
SecureTrack isn’t just a data repository. Based on the information collected, SecureTrack builds a network topology map showing the interconnectivity of all managed devices. That map is used to perform topology queries and “what-if” scenarios, showing the route traffic would take from one point to the next, and where that traffic may be blocked.
Tufin SecureTrack network traffic based on source/destination
SecureTrack’s Unified Security Policy (USP) allows organizations to set policy guidelines which can be used across multiple devices in a heterogeneous network environment. USP violations, such as a rule which permits traffic over an insecure protocol into a business-critical network zone, are automatically detected and generate alerts.
Tufin SecureTrack policy search results
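To make the USP idea concrete, the following is an added example (not Tufin's code or data model) that expresses one zone-to-zone guideline in plain Python and checks rules collected from several devices against it; the zone names, CIDR blocks, device names and service labels are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed zones: each zone is a CIDR block; "finance" is the business-critical one.
ZONES = {
    "dmz": ipaddress.ip_network("203.0.113.0/24"),
    "corp": ipaddress.ip_network("10.10.0.0/16"),
    "finance": ipaddress.ip_network("10.20.0.0/16"),
}

# Cleartext services the guideline does not allow into the critical zone.
INSECURE_SERVICES = {"telnet/23", "ftp/21", "http/80"}

# Unified guideline: (source zone, destination zone) -> services that must not be permitted.
# It applies regardless of which device (firewall, cloud security group) enforces the rule.
USP = {
    ("dmz", "finance"): INSECURE_SERVICES,
    ("corp", "finance"): INSECURE_SERVICES,
}

@dataclass(frozen=True)
class Rule:
    device: str    # constructed device name
    name: str
    src: str       # CIDR
    dst: str       # CIDR
    service: str   # "proto/port" label
    action: str    # "accept" or "drop"

def zone_of(cidr):
    """Map a CIDR to the zone that contains it, or None if it is outside every zone."""
    net = ipaddress.ip_network(cidr)
    for name, block in ZONES.items():
        if net.subnet_of(block):
            return name
    return None

def find_usp_violations(rules):
    """Return (device, rule name, reason) for every accept rule that breaches the USP."""
    violations = []
    for r in rules:
        if r.action != "accept":
            continue
        src_zone, dst_zone = zone_of(r.src), zone_of(r.dst)
        forbidden = USP.get((src_zone, dst_zone), set())
        if r.service in forbidden:
            violations.append((r.device, r.name, f"{r.service} {src_zone}->{dst_zone}"))
    return violations

# Constructed rules gathered from three different devices.
SAMPLE_RULES = [
    Rule("fw-edge-1", "allow-web", "203.0.113.0/24", "10.20.1.0/24", "http/80", "accept"),
    Rule("fw-core-2", "allow-ssh", "10.10.5.0/24", "10.20.1.0/24", "ssh/22", "accept"),
    Rule("aws-sg-pay", "legacy-ftp", "10.10.0.0/16", "10.20.3.0/24", "ftp/21", "accept"),
    Rule("fw-core-2", "drop-telnet", "10.10.0.0/16", "10.20.0.0/16", "telnet/23", "drop"),
]
```

Running `find_usp_violations(SAMPLE_RULES)` flags `allow-web` and `legacy-ftp` while leaving the SSH rule and the explicit drop untouched, which is the kind of cross-device finding an analyst wants surfaced as an alert rather than discovered by reading each device's policy by hand.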
Tufin SecureApp: Application Visibility
When an incident occurs, it’s often identified by a specific host or port, but businesses don’t run on hosts and ports — they run on applications. In a small environment with a dozen applications running on five hosts, translating host to application by memory or tracking this information on a spreadsheet may be feasible. Unfortunately, these approaches do not scale to an enterprise environment with hundreds or thousands of hosts and applications.
Analysts and incident responders often lack this application context during the incident response process; however, it is critical to accurately assessing the impact and potential risk. An incident impacting a system which hosts an HR application may pose a greater risk than an incident impacting a system hosting a public website. On the other hand, an incident impacting a system which hosts a public-facing website has a much greater impact on an e-commerce company than an incident impacting a system hosting a collaboration tool. No matter what, application context is critical.
Tufin SecureApp provides users with an abstracted view of network security policies based on application connectivity requirements. Users can easily query an application and discover all of its connectivity dependencies. Not only does this provide insight into the applications hosted on an impacted system, it can also provide visibility into the connectivity allowed to/from the host, providing clues as to possible attack vectors and pivots which may have been made from the host.
Tufin SecureApp search results