Last updated Sep 20th, 2022 by Dan Rheault

On Jan 18th, 2022, the US Department of Homeland Cybersecurity and Infrastructure Security Agency (CISA) issued a bulletin for senior leaders of US organizations to immediately implement a list of security processes to address risks of cyberattacks taking place in the Ukraine, and the risk of those attacks pivoting to US networks.

The list of preventative measures indicated by CISA includes ensuring Multi-Factor Authentication (MFA) is utilized, vulnerable software is patched, unnecessary ports and protocols are disabled, and strong security controls are implemented in the cloud. Additionally, CISA recommended that organizations take advantage of CISA’s free cyber hygiene program.

Fortunately, Tufin customers are able to address and implement much of this guidance efficiently and effectively if they haven’t already done so. Let’s talk about how.

Patching Vulnerable Software

Every organization has software vulnerabilities. The sheer volume of software utilized by typical organizations and their associated vulnerabilities results in a trend of more vulnerabilities than ever before and is a reality that is not going to change anytime soon. So, the challenge when it comes to vulnerability management is prioritizing the most critical vulnerabilities, and systematically addressing them.

Fortunately, Tufin customers can utilize our out-of-the-box integrations with vulnerability scanning and management solutions from Tenable, Qualys, and Rapid7 to correlate the contextual exposure of identified remote-based network vulnerabilities through SecureTrack. The Tufin Vulnerability Mitigation App (VMA) is designed for just this purpose.

Not only does this identify which vulnerable assets are exposed based on the necessary access for exploitation, but it can prioritize these vulnerabilities based on severity of risk, and contextually attribute them to SecureTrack security zones - meaning when two assets are exposed with the same vulnerability, you’ll be able to understand which one is the most critical to address based on its importance to the business.

When you consider the volume of vulnerabilities in a modern enterprise network, the prioritization Tufin provides helps reduce the “noise” and enables business-specific risk reduction decisions. Where remediation (patching) is unavailable, integration with SecureChange workflows provide mitigation capabilities including group modification for adding exposed assets to block groups, automated asset access decommissioning, and rule modification to remove assets from rules exposing them. If remediation and mitigation are the responsibilities of other teams, the vulnerability exposure data is available through an API for integration with remediation calculators like ServiceNow, or other REST integrated vulnerability prioritization products.

For customers that have Tufin’s topology feature implemented, you can also correlate access to untrusted networks, whether that be internet and/or specific geo-locations with available network access - such as Ukraine.

Another vulnerability scanner integration customers can implement to avoid introducing risky access is Tufin’s Vulnerability-based Change Automation app (VCA). The VCA integrates vulnerability scanner data output, or initiates new scans, and calculates risk associated with access requests. This is a common requirement of PCI–DSS and other cybersecurity frameworks, and ensures that as network access changes are implemented, the results of those don’t bring unintended outcomes, such as exposing a vulnerable asset to attackers.

These Tufin apps – all a part of the broader Tufin Orchestration Suite - can be tested by customers without engaging Tufin by downloading and implementing them from the Tufin Marketplace. If you run into trouble generating eval licenses, you can contact us.

Close Unused Ports and Protocols

Tufin users can leverage predefined queries, or create their own, to identify unused or unnecessary access. Integration with workflows provides the ability to mitigate identified access-dependent vulnerabilities and measure the attack surface.

Additionally, Tufin’s Automatic Policy Generator (APG) can analyze and reduce an enforcement point’s rule base based on how granular you’d like access to be. The benefit here is that you can either upload logs or have the solution “listen” to network access use over a period of time in order to provide an optimized rule set.

Additionally, Tufin’s Unified Security Policy (USP) enables you to easily specify access (and properties of access) permissible between and among network security zones. Customers can use our newest app, the Security Policy Builder, to generate a USP based on their existing access and revise it to reflect the desired state of access - or even define a basic one to guide access cleanup.

Strong Security Controls in the Cloud

When it comes to ensuring strong security in your hybrid and cloud-native environments, Tufin delivers here as well. Because of the dynamic nature of cloud computing resources, Tufin’s ability to identify access and connectivity risks across hybrid and multi-cloud environments in real-time (including risky port configurations, high-risk access, or overly permissive rules) is essential. Tufin evaluates security controls against the organization’s security policy and industry benchmarks, and alerts when it identifies risk to be remediated.

And to proactively protect your cloud-native resources and workloads – which are often provisioned and configured using CI/CD processes and tools – Tufin enables you to implement security policy “guardrails.” Leveraging these guardrails, Tufin automatically and continually evaluates DevOps toolchain activity, and alerts when any cloud resource is attempted to be configured in a manner that violates security policy.

Importantly, because so many of today’s enterprise apps leverage both on-premises and cloud assets and services, it is critical that you evaluate and mitigate risk “end-to-end" throughout your heterogenous network environment. Tufin makes this achievable by providing both network and cloud teams a single solution through which to visualize network topology, identify risky configurations across their hybrid infrastructure, and leverage policy-driven change automation to ensure secure ongoing operations as your network evolves and grows.

Enabling Effective Incident Response

Tufin has built deep integrations with Security Orchestration and Automated Response (SOAR) solutions (including Cortex XSOAR, FortiSOAR, Swimlane, IBM’s Resilient, Splunk Phantom, or DFLab), and has indexed these “plug-ins” through the Tufin Marketplace. These packaged integrations enable highly effective incident analysis, impact analysis, and remediation processes. Leveraging Tufin, you can gain real-time understanding of how and where an attack originated, calculate the precise access a compromised asset had, create a ticket to contain/remove the compromised asset, and then restore full connectivity once the vulnerability is remediated.

CISA’s latest guidance is critically important for organizations hoping to assume an aggressive security posture during these challenging political times. At Tufin, our mission has always been to help the world’s largest organizations meet their security objectives effectively and efficiently, and we’re eager to assist our customers in applying CISA’s latest guidance. If you’d like to speak in more detail about your network security priorities, please feel free to reach out to our team of experts.