Putting security silos out to pasture: Best practices learned from Citi's IT security operations

Transcript of Putting security silos out to pasture: Best practices learned from Citi's IT security operations


“Complexity is the worst enemy of security” - Bruce Schneier

Navigating the Network Security Maze

What’s in the Network?

[Chart: “What’s in the Network?”, percentage axis from 0% to 90%; bar values not recoverable from the extracted text]

Source: Dangers of Complexity in Network Security, October 2012


55% of Midsize & Enterprise firms said complex policies caused a known breach, outage or both


Complexity Leads to Risk

Impact of Complex or Conflicting Security Policies, Midsize and Enterprise

• Caused a security incident: 16.5%
• Caused both a security incident and a system outage: 9.7%
• Caused a system outage: 29.1%
• Had no known impact on security or system availability: 44.7%

Source: Dangers of Complexity in Network Security, October 2012

Siloed Security Management Just Makes it Worse!


• Reduced Business Agility
• Time-Consuming Audits
• Poor Change Control
• Inability to Meet SLAs
• Increased Network Security Management Costs

Inefficient & poor security policy management SLOWS DOWN BUSINESS & IMPACTS YOUR BOTTOM LINE!

The AlgoSec Security Management Suite


Best Practices to Align IT & the Business through Security Policy Management


An Introduction

• General
  • Global Operations and Engineering
  • Global Information Security Standards (policy and technical)
  • 24 x 7 x 365 Security and Networks Operations Centres
• Environment
  • 1.2MM end points
  • Large, global network
  • 30 enterprise Internet facilities
  • 1000 firewall end points not including management / IPS / Proxy
  • 800 firewall changes (i.e. simple modification or the addition of hundreds of rules) on average per month

Complex, Segmented Environment

• Background on the environment Pre-2004
  • Regional Security Operations control of external connectivity
  • No common criteria for establishing data access and connection security controls – shared good practices
  • Inconsistent application of solutions to the same requests
  • No easily viewable auditing and logging capabilities for the process
  • No real-time aggregated view of the “Relationships” and “Connections” with various 3rd Parties
  • No consistent process to determine status of the connection request

The Next Step…

• Development of CCR
  • Centralized relationship between business requirements, contractual obligations and technical configurations
  • Implemented to improve the end-to-end accountability of connections and to minimize risk to data, operations and the brand
  • All global Firewall and IP registration requests are analyzed by contractual and risk obligations as well as technical requirements
• Continuous Enhancements of CCR
  • Significant investment in NEW additional processes and development
  • Finding owners and workflow
  • Time to Market for requests was significantly slower
  • Technical knowledge required in CCR (business and technical data)
  • Rule base bloat

How Citi Manages these Obstacles

• What did Citi look for in a solution and process?
  • Customer-centric experience – workflow/updates/time to market
  • Automate decision making in rules and risks
  • Reporting
  • Integration with existing Citi systems (change management)
  • Overall performance of system compared to current tools
• What other key ingredients were involved?
  • Senior sponsorship of a re-engineering program
  • Metrics, metrics, metrics
  • Process re-engineering
  • Customer experience / business backing

Strategic Internal Discussions

• Comprehensive Market Evaluation of External Products in the Security Policy Management Space
  • Buy v Build Discussion
  • Multi-firewall platforms, extending to ACLs, Proxy, etc.
  • Existing tool would not scale and was very simplistic
• Stakeholders
  • Communication and Clear goals defined and aligned to POC
  • Tailored to the audience
  • Obtained Business buy-in – significant impact on them


The Decision: AlgoSec


• Why AlgoSec?
  • Automated change management workflow with Fireflow and the Active Change capability – end-to-end firewall rule history
  • Very user-friendly and a good customer experience – both from technical and business personnel
  • Multiple platform vendor support with commitment on roadmap
  • AlgoSec’s commitment to work with Citi – over 150 “asks” to date
  • Ease of integration with Citi systems


Lessons Learned & Considerations

• Process Re-engineering
  • Measurable process metrics feed into overall program
  • Do not shoe-horn a product into something that is flawed
  • Business backing into improvements / metrics
• System and Application Integration
  • CCR development initially not considered the end-to-end view
  • The process highlights the systems integration required
• Customer Centricity
  • The “business”, CCR team, Firewall Operations team, Audit and Compliance, Network Engineering all use the solution differently
  • Reporting – general reporting and customer-centric
  • Automation

Summary

Q&A and Additional Resources

• Firewall Policy Management for Dummies http://bit.ly/JOLT9r
• Firewall Management ROI Calculator http://www.algosec.com/roi
• Evaluate the AlgoSec Security Management Suite AlgoSec.com/eval

Visit AlgoSec at Stand D51
