At Issue: The IT department agrees to buy a next-gen firewall, but it doesn't want to put it in-line, where it could really make a difference.
Action Plan: Keep reminding the IT admins that they are spending a lot of time following up on potential malicious activity that the firewall could nip in the bud.
We bought a next-generation firewall, as I had hoped we would. The real trick, though, was getting the IT department to take full advantage of all of its advanced functionality.
A few months ago, we put a loaner Palo Alto Networks firewall in place to monitor our corporate network as a proof of concept. I was psyched about how this firewall could give us much greater visibility into application data and aid us with threat detection and prevention, URL filtering and advanced malware analysis.
However, the IT department has always been responsible for firewall administration, while I have dictated policy and monitored events. And IT was nervous about putting the new firewall in-line -- meaning our advanced firewall wouldn't do anything more than block ports, just like the archaic firewalls I want to move beyond. Rather than throw my weight around and demand that the firewall be placed in-line, I decided to raise IT's consciousness by constantly barraging them with insights about how the next-generation firewall could make their lives easier if it were in-line.
Yes, I was going to be annoying.
This was fairly simple to do, since I was able to produce an abundance of evidence supporting my position that we should be blocking certain traffic. The problem with monitor-only mode is that when a security event indicative of malicious activity is discovered but not blocked, the IT department has to follow up.
Now, on a daily basis, an average of six PCs in my company are reported to be infected with malware. A PC might attempt to connect to a known botnet server. An employee might browse to websites that are inappropriate or, worse, represent a security or legal risk to the company. Servers, which shouldn't be put to personal use, might be connected to social media sites, raising the question of whether it was a system administrator doing something stupid or a piece of malware doing something malicious. Whatever the case, the IT administrators and the head of IT receive an email and have to act to track down the cause of the alert and make sure the machines that have been flagged are cleaned up.
If a PC is suspected of being compromised, the IT admin has to identify the user, ask the user a series of questions, determine the PC's patch status and the condition of the antivirus client, determine if there are any risky programs installed, and run a couple of malware-detection utilities. Doing all of this for a single PC can take more than an hour. In some cases, it takes much more time, since the PC has to be wiped and the operating system and standard enterprise applications then have to be reinstalled.