038
ENTERPRISE SECURITY BLUEPRINT
MANAGEMENT LAYER
03
Tickets opened in a CRM system can be automatically synchronized with the security provisioning workflow handled by the Management Layer.
Network management systems can provide network topology and asset inventory information that can be used for defining security policy.
SDN APIs are used to ensure that network flows between protected segments are directed through the appropriate enforcement points.
Rule Hygiene
Security configuration rules tend to grow in volume over time. System administrators frequently make changes to support new users, hosts, applications and interactions, but rarely inform security managers of decommissioned systems. Besides impacting control performance, large configuration sets increase the risk of errors that could disable required protections.
Policy automation can be used to keep security policy accurate by alerting administrators to common errors and by automatically adjusting and fine-tuning policies:
Redundant rules may be created when administrators make a change without checking whether the corresponding rule already exists.
Orphaned rules refer to entities that no longer exist. In addition to taking up space in the configuration rule set and impacting performance, orphaned rules pose a risk if addresses or identities are reused for other purposes. Orphaned IPS signatures might protect against vulnerabilities in applications or application versions that are not installed within the protected segment. For example, industrial control-specific IPS protections are likely relevant only for certain organizations and can be omitted elsewhere.
Shadowed rules are inactive because they are overridden by other higher-priority rules. For example, a rule that authorizes the CFO to access a finance system might be redundant if it exists in conjunction with a parallel authorization for the entire management group. Certain rules which were meant to be exceptions may be overruled by more general rules, in which case their priority should be adjusted accordingly.
Temporary rules that empower an interaction should be associated with an expiration date and should be removed automatically once that date has passed.
Compliance violations can be identified automatically when security policy configurations violate industry regulations (e.g., PCI DSS, HIPAA and NERC CIP). For example, an interaction that requires encryption could be allowed in plaintext due to a configuration error.
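The hygiene checks listed above, as an added example that is not part of the original blueprint: a small audit over a constructed, first-match rule base that flags redundant, shadowed, orphaned (not covered by the asset inventory a network management system would supply), expired temporary, and plaintext-allowing rules. The rule model, segment inventory, port list and dates are all assumptions made for the illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    src: str                     # source CIDR
    dst: str                     # destination CIDR
    port: int | None             # None matches any port
    action: str                  # "allow" or "deny"
    expires: date | None = None  # set only on temporary rules

def covers(outer: Rule, inner: Rule) -> bool:
    """True when every flow matched by `inner` is also matched by `outer`."""
    return (ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
            and (outer.port is None or outer.port == inner.port))

def audit(rules: list[Rule], inventory: set[str], today: date) -> dict[str, list]:
    known = [ip_network(n) for n in inventory]   # segments the asset inventory still lists
    f = {k: [] for k in ("redundant", "shadowed", "orphaned", "expired", "plaintext")}
    for i, r in enumerate(rules):                # rule base is evaluated top-down, first match wins
        if r.expires is not None and r.expires < today:
            f["expired"].append(r.name)          # temporary rule past its expiration date
        if any(not any(ip_network(n).subnet_of(k) for k in known) for n in (r.src, r.dst)):
            f["orphaned"].append(r.name)         # refers to a segment no longer in the inventory
        if r.action == "allow" and r.port in {21, 23, 80}:  # constructed list of plaintext services
            f["plaintext"].append(r.name)        # candidate compliance violation
        for earlier in rules[:i]:                # first higher-priority rule that fully matches
            if covers(earlier, r):
                key = "redundant" if earlier.action == r.action else "shadowed"
                f[key].append((r.name, earlier.name))
                break
    return f

INVENTORY = {"10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16"}  # constructed segment inventory
RULES = [  # constructed rule base
    Rule("mgmt-to-finance", "10.1.0.0/16", "10.2.0.0/16", None, "allow"),
    Rule("cfo-to-finance", "10.1.5.7/32", "10.2.0.10/32", 443, "allow"),
    Rule("deny-dev-to-prod-db", "10.3.0.0/16", "10.2.0.20/32", 5432, "deny"),
    Rule("dba-exception", "10.3.0.44/32", "10.2.0.20/32", 5432, "allow"),
    Rule("contractor-ssh", "10.3.1.0/24", "10.2.0.30/32", 22, "allow", date(2024, 1, 31)),
    Rule("old-lab-ftp", "192.168.50.0/24", "10.2.0.40/32", 21, "allow"),
]

if __name__ == "__main__":
    for check, hits in audit(RULES, INVENTORY, date(2024, 6, 1)).items():
        print(f"{check:10s} {hits}")
```

The CFO rule is reported as redundant because the management-group rule above it already allows the same flows, while the DBA exception is shadowed by the broader deny and would need its priority raised to take effect.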