Posted on Aug 10th, 2020 by John Moran

No matter how secure we think our networks may be, the risk of a security incident is always present. And when it happens, analysts and incident responders need to act fast -- with immediate access to data to effectively scope, investigate, and ultimately, contain the incident.

Across the many potential sources, network data continues to be the most challenging to collect, maintain, and distribute. Network, application, and cloud teams are stretched so thin that proper documentation takes a back seat to simply “making it work”. The increasingly dynamic, hybrid nature of today’s networks means that any statically defined network and application data is often obsolete in days or even hours. Simply put, spreadsheets are no longer a viable tool for maintaining this information.

Once an incident is detected, containing it adequately within a feasible timeframe poses additional challenges. In large enterprises with distributed responsibilities, it’s more than likely that the teams responsible for incident response don’t have the required access or authorization to contain an incident. Instead, they must rely on other teams, who may have conflicting priorities, to get the job done.

Let’s take a look at how the Tufin Orchestration Suite can help incident response teams to work smarter and faster when faced with a potential security incident.

[Image: Tufin for Cortex XSOAR: unified real-time network visibility, policy intelligence, and automated playbook-driven response]

Tufin SecureTrack: Information Enrichment and Context

When a potential incident is first detected, it may be a single endpoint detection or an IDS alert with very little information. A single alert is probably one of tens, hundreds, or even thousands of alerts received every day. Organizations must quickly assess and prioritize each alert, as a single overlooked alert might be the one that initially detected an incident. Successfully handling incidents at scale requires accurate data enrichment to provide actionable context for each alert.

The first step is to determine whether the alert is, in fact, an incident and, if it is, to begin enriching the initial alert data and adding context. Keep in mind that enrichment data may be missing or obsolete. Analysts and incident responders must be able to trust that the data they use is accurate and up to date. Collecting this information is often done manually, taking precious minutes or hours of triage time. The problem is compounded by the fact that analysts and responders must often manually query multiple data sources to gather all the network intelligence required to properly triage an alert.

Network and business context at the core

Without proper context, it’s impossible to determine the potential risk to your organization, and therefore, the appropriate response. 

Tufin SecureTrack is powered by network intelligence gathered directly from managed devices, including network objects, security policies, routes, and more. SecureTrack queries this information automatically, requiring no manual input from network admins when a change is made: changes made in a dynamic network environment are reflected in SecureTrack.

SecureTrack isn’t just a data repository. Based on the information collected, SecureTrack builds a network topology map showing the interconnectivity of all managed devices. That map can be used to perform topology queries and “what-if” scenarios, showing the route traffic would take from one point to the next, and where that traffic may be blocked.

[Image: Tufin SecureTrack network traffic based on source/destination]

SecureTrack’s Unified Security Policy (USP) allows organizations to set policy guidelines which can be applied across multiple devices in a heterogeneous network environment. USP violations, such as a rule which permits traffic over an insecure protocol into a business-critical network zone, are detected automatically and generate alerts.

[Image: Tufin SecureTrack policy search results]

Tufin SecureApp: Application Visibility

When an incident occurs, it’s often identified by a specific host or port, but businesses don’t run on hosts and ports -- they run on applications. In a small environment with a dozen applications running on five hosts, translating host to application by memory or tracking this information on a spreadsheet may be feasible. Unfortunately, these approaches do not scale to an enterprise environment with hundreds or thousands of hosts and applications. 

Analysts and incident responders often lack this application context during the incident response process; however, it is critical to accurately assessing the impact and potential risk. An incident impacting a system which hosts an HR application may pose a greater risk than an incident impacting a system hosting a public website. On the other hand, an incident impacting a system which hosts a public-facing website has a much greater impact on an e-commerce company than an incident impacting a system hosting a collaboration tool. Either way, application context is critical.

Tufin SecureApp provides users with an abstracted view of network security policies based on application connectivity requirements. Users can easily query an application and discover all of its connectivity dependencies. Not only does this provide insight into the applications hosted on an impacted system, it can also provide visibility into the connectivity allowed to/from the host, providing clues as to possible attack vectors and pivots which may have been made from the host.

[Image: Tufin SecureApp search results]

Tufin SecureCloud: Cloud Visibility

Organizations are turning to cloud-hosted services to increase their agility and scalability, creating the proverbial ‘black hole’, as security teams often lack adequate visibility into cloud environments. Even when cloud security controls are in place, they’re very often managed outside of the security team (by DevOps or Cloud Ops) and operate independently of other network security controls.

This lack of visibility is compounded by the fact that cloud is a relatively new and quickly evolving technology which may not be fully understood by analysts and incident responders, and requires a different approach to incident response. Cloud services may be spun up and down automatically in response to demand, with security policies being dynamically applied on the fly. By the time an incident is discovered, the impacted resource may no longer exist.

Tufin SecureCloud provides analysts and incident responders with a comprehensive view of a hybrid cloud ecosystem and the dynamic policies which govern it. Cloud security policies, including those which may violate best practices or be overly permissive, can be viewed across the entire hybrid cloud. SecureCloud also provides a connectivity graph to easily visualize connectivity between nodes, clusters, virtual machines, and so on, which can be crucial for scoping an incident in a dynamic environment.

Tufin SecureChange: Containment

Once a security incident has been identified, one of the primary goals is incident containment. Often described as “stopping the bleeding”, the focus is to put immediate measures in place to contain the incident, while further investigation and more permanent measures can be deployed. Often, containment will include blocking certain hosts, ports, or services by implementing new network security policies while the investigation continues.

Applying new security policies for incident containment poses two problems. First, designing and implementing these changes takes time and a thorough understanding of network topology, two things which analysts and incident responders often lack. In an enterprise network, blocking a new host, port, or service is not as simple as creating a workflow which says, “block host X on network device Y”. Depending on the location of the incident, “network device Y” could be any one of hundreds of network devices, or even more than one device.

Second, changes made during incident containment are frequently made outside of the organization’s usual change control process. While the urgency may require going outside standard change control processes, bypassing their safeguards may result in additional risk being inadvertently introduced to the network, critical services being unintentionally taken offline, or compliance violations, because changes are not properly logged.

Orchestrate risk-free response

Because SecureChange has visibility into the entire network topology, analysts and incident responders can block a host, port, or service by simply submitting a change request with a source and destination. SecureChange then automatically designs and provisions the required change on the appropriate network devices to ensure effective containment.

When the change is made through SecureChange, existing compliance guidelines are followed and all changes are audited, ensuring no additional risk is introduced because of the change. To increase agility, SecureChange users can create a dedicated change workflow specifically for incident response, ensuring an efficient response, while maintaining compliance with an established change control process.
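To make concrete the three mechanisms described above (the topology “what-if” query, the check for policy-guideline violations such as an insecure service allowed into a critical zone, and turning a source/destination block request into the per-device changes it needs), here is an added Python illustration. It is not Tufin code and does not call the Tufin API; the device names, networks, rules and the alert endpoints are constructed for the example, and the path model (devices adjacent when they share a network, first-match policy with implicit deny) is a simplifying assumption.

```python
"""
Added illustration (not Tufin code): a toy model of a topology-driven "what-if"
path query, a policy-guideline violation check, and containment-change design
that is verified before provisioning. Every device, network, rule and address
below is constructed for the example; nothing here talks to SecureTrack or
SecureChange.
"""
import ipaddress
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int] = None        # None means any port

    def matches(self, s: ipaddress.IPv4Address, d: ipaddress.IPv4Address, port: int) -> bool:
        return s in self.src and d in self.dst and self.port in (None, port)


@dataclass
class Device:
    name: str
    networks: List[ipaddress.IPv4Network]            # directly attached networks
    rules: List[Rule] = field(default_factory=list)  # ordered; first match wins

    def decision(self, s, d, port, pending: Optional[Rule] = None) -> str:
        # A pending rule is evaluated first, as if provisioned at the top of the policy.
        for r in ([pending] if pending is not None else []) + self.rules:
            if r.matches(s, d, port):
                return r.action
        return "deny"  # implicit deny at the end of every policy


class Topology:
    def __init__(self, devices: List[Device]):
        self.devices: Dict[str, Device] = {d.name: d for d in devices}

    def attached_to(self, ip: ipaddress.IPv4Address) -> List[str]:
        return [d.name for d in self.devices.values() if any(ip in n for n in d.networks)]

    def neighbours(self, name: str) -> List[str]:
        me = self.devices[name]
        return [d.name for d in self.devices.values()
                if d.name != name and set(me.networks) & set(d.networks)]

    def path(self, src, dst) -> List[str]:
        """Breadth-first search over devices sharing a network: the devices that traffic
        from src to dst must traverse (empty list if the endpoints are not connected)."""
        ends = set(self.attached_to(dst))
        queue = deque([[s] for s in self.attached_to(src)])
        seen = {hops[0] for hops in queue}
        while queue:
            hops = queue.popleft()
            if hops[-1] in ends:
                return hops
            for nxt in self.neighbours(hops[-1]):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(hops + [nxt])
        return []

    def what_if(self, src, dst, port: int, pending: Optional[Dict[str, Rule]] = None) -> dict:
        """Walk the path and apply each device's policy in turn. `pending` maps a device
        name to a not-yet-provisioned rule, so a proposed change can be tested first."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        pending = pending or {}
        hops = self.path(src, dst)
        for name in hops:
            if self.devices[name].decision(src, dst, port, pending.get(name)) == "deny":
                return {"verdict": "blocked", "at": name, "path": hops}
        return {"verdict": "allowed" if hops else "no-path", "at": None, "path": hops}


def policy_violations(topo: Topology, insecure_ports: set, critical_zone: ipaddress.IPv4Network) -> List[tuple]:
    """Flag allow rules that admit an insecure service into a business-critical zone,
    the kind of guideline the post attributes to the Unified Security Policy."""
    return [(d.name, r) for d in topo.devices.values() for r in d.rules
            if r.action == "allow" and r.port in insecure_ports and r.dst.subnet_of(critical_zone)]


def design_containment(topo: Topology, src: str, dst: str, port: int) -> dict:
    """Turn a 'block src -> dst:port' request into the per-device changes it needs, and
    confirm with a what-if query that the traffic is really blocked once they are applied."""
    before = topo.what_if(src, dst, port)
    if not before["path"]:
        raise ValueError("endpoints are not connected in the topology; nothing to block")
    deny = Rule("deny", ipaddress.ip_network(src), ipaddress.ip_network(dst), port)
    pending = {name: deny for name in before["path"]}  # deny on every device along the path
    after = topo.what_if(src, dst, port, pending)
    return {"devices": before["path"], "rule": deny, "before": before["verdict"],
            "after": after["verdict"], "verified": after["verdict"] == "blocked"}


# Constructed topology: a DMZ firewall and a core firewall joined by a transit network,
# both of which (deliberately, for the example) allow telnet from the DMZ into the HR zone.
DMZ, TRANSIT, HR = (ipaddress.ip_network(n) for n in ("10.1.0.0/24", "10.0.0.0/24", "10.2.0.0/24"))
TOPOLOGY = Topology([
    Device("fw-dmz", [DMZ, TRANSIT], [Rule("allow", DMZ, HR, 443), Rule("allow", DMZ, HR, 23)]),
    Device("fw-core", [TRANSIT, HR], [Rule("allow", DMZ, HR, 443), Rule("allow", DMZ, HR, 23)]),
])

if __name__ == "__main__":
    # Constructed alert: DMZ host 10.1.0.5 seen connecting over telnet to HR server 10.2.0.10.
    print(TOPOLOGY.what_if("10.1.0.5", "10.2.0.10", 23))
    print(policy_violations(TOPOLOGY, {21, 23}, HR))
    print(design_containment(TOPOLOGY, "10.1.0.5", "10.2.0.10", 23))
```

The containment design places the deny on every device along the computed path rather than only at the ingress device, so the block still holds if routing shifts during the investigation, and the `verified` flag comes from re-running the same what-if query with the pending rules in place, which is the check a responder would want before a change is provisioned outside the normal change window.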

Faster, compliant and more accurate response by integrating SOAR and network intelligence

The Tufin Orchestration Suite provides responders with critical network information which is accurate, up to date, and actionable. Multi-vendor support enables visibility and control across a heterogeneous environment, serving as a single source of truth for the entire network. Incorporating Tufin into the incident response process significantly reduces the time to triage an alert and the mean time to respond (MTTR) to an incident. 

The feature-rich API allows virtually all Tufin functionality to be automated, decreasing the time analysts and incident responders must spend on manual tasks, and allowing them to focus their valuable time on actions which require human intervention. To help you incorporate network insight and change automation into your IR playbooks, Tufin offers many incident response-focused integrations with leading SOAR and ITSM solutions, which are available for download on the Tufin Marketplace.