How we handle security needs & ongoing security improvements. Part 2


In the first part of this series, we briefly discussed Svitla Systems’ recently received SOC 2 certification and its relationship to our internal information security program. In this part, we will talk about our infrastructure improvements and the benefits they bring to our company and customers.

Like many modern, nimble, and growing distributed organizations, Svitla takes advantage of public cloud infrastructure and many software-as-a-service solutions to virtually eliminate internal systems and their associated servers from our office networks. These systems traditionally require significant security protection, and replacing them over time with SaaS solutions has made our network security simpler. The SaaS solutions also provide easier access for users across multiple offices and those working remotely, since they can connect directly over the internet. In general, this trend has reduced the need to monitor inbound network traffic from the internet or from other Svitla offices, since there is little on the office networks being accessed from outside. Security attention is now focused on the opposite path - traffic originating in the office network and accessing outside resources.

An equipment refresh this year, the deployment of NextGen Firewall (NGFW) devices, is addressing this growing need and adding other new capabilities as part of the upgrade, providing more visibility into outbound traffic on top of traditional inbound security protections. NGFWs provide quite a bit more functionality for security awareness and protection by going beyond simple protocol/port/IP address filtering to inspect traffic down to the packet level. The devices inspect both inbound and outbound packets to protect the network and ensure no malicious traffic originates from our offices. They also help block malicious responses to outbound requests, such as viruses and malware.
The majority of outbound traffic today is HTTP/HTTPS, and threats can be embedded within the packets sent and received via this protocol. It is important that inspection also includes identity awareness, so that individual requests can be tied to a user when evaluating whether a threat is present.

An important consideration for us when acquiring these NGFW devices is accounting for future growth and sizing the devices appropriately. It is vital that each device can handle the higher activity level generated by a larger number of employees as the offices grow. The incremental cost now of a larger device with more memory and a faster CPU is lower overall than purchasing a replacement device or using multiple devices in the future. The idea is to avoid a situation where the traffic overwhelms the device and internet access comes to a halt. The workarounds at that point are highly undesirable: reconfigure the device to inspect less and reduce its workload, which lowers security and increases risk, or bypass the device entirely! Both completely defeat the purpose of having the device in the first place. Therefore, we considered the current pace of growth, projected the size of each office about two years out, and then chose the devices which would support the predicted increase in traffic.

We also chose to standardize these devices across all of our offices to make it much easier for our distributed team to provide support, particularly as we grow and add new locations. There is little need for “context switching” to an office-specific device from situation to situation, or for learning a new device as one is put in service. The knowledge of how to configure a new device will already exist in the team, details on how to address particular situations will already be documented, and each location can benefit from the experiences and knowledge of the others.

Training
In order for our internal IT team to fully support the new devices, they are being trained on the interface, the configuration options and capabilities, and how to apply them in our specific environments. We have rolled out a training program incorporating many resources from the hardware vendor’s training and certification materials. The team will also refresh their knowledge of general information security, the cybersecurity landscape, and specific details on recent threats and how to mitigate them. This will pay dividends well beyond the support of the devices and improve our entire firm’s security posture, benefiting all of our customers.

Additionally, non-security related benefits will be realized. One of the new devices was installed in an office earlier this year as a test, or proof-of-concept. It has already shown significant value, including some unexpected benefits unrelated to security. For quite a while, the office has used a pair of internet service providers, each supplying significant bandwidth for our associates’ work. Internet performance was always good prior to adding the NGFW, and complaints about the internet were rare. As a result, no difference in perceived speed or reliability related to upgrading the firewall device was expected; it really was not something we were even thinking of when we deployed the new hardware. So it came as a big surprise when performance went down and complaints about the internet became common in the first few days after the install. The key indicator of the problem was SSH sessions into remote resources, which became completely unstable and would not remain available for longer than a few minutes at a time. An investigation revealed that the problem was not with the device itself, but with the ISPs and the stability of their service. The device was switching WAN access periodically based on the latency and bandwidth measured on each connection, and major fluctuations in these values caused it to cycle rapidly between the providers. The configuration was revised to take this into account and the issue disappeared. Further, the previous firewall appliance was not as efficient as the NGFW and had performed even worse when handling these fluctuations, so a noticeable performance improvement was finally realized after the configuration changes to the new device.

Svitla’s ongoing efforts to improve information security have been part of several different projects and decisions this year, including the equipment replacement upgrades described here. The standardization, performance improvements and additional security capabilities have already shown their worth, and this will only continue. In the next part of this series, we will discuss several customer-specific programs which we are now delivering based on these new capabilities.
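The WAN link-flapping behaviour described above, as an added illustration that is not the post’s own configuration or the firewall vendor’s algorithm: a small Python simulation of dual-WAN link selection over constructed latency samples. It compares a naive policy (switch whenever the standby link looks better on the current probe) with a damped policy that requires a sustained, significant difference before switching and then holds the new link for a while. The sample values, thresholds and function names are all assumptions chosen for the demonstration; the damped policy is a generic hysteresis technique, not a description of how any particular device implements it.

```python
"""Toy dual-WAN link selection: naive vs. damped policy.

Added example with constructed data. It is not the firewall vendor's
algorithm; it only shows why per-probe switching flaps on jittery
links and how hysteresis (margin + streak + hold-down) avoids that.
"""

# Constructed latency probes (ms), one pair per monitoring interval.
# Both ISPs hover around 30 ms with jitter; neither is actually down.
JITTER_SAMPLES = [
    (30, 35), (38, 29), (28, 36), (41, 30), (29, 33), (37, 27),
    (31, 34), (39, 30), (27, 35), (36, 28), (30, 31), (42, 29),
    (28, 37), (35, 27), (31, 33), (40, 30), (29, 36), (37, 28),
    (30, 34), (38, 29),
]

# Constructed outage: WAN1 probes time out (modelled as 500 ms) for
# six intervals, then recover.
OUTAGE_SAMPLES = [
    (30, 35), (32, 34), (500, 33), (500, 31), (500, 34),
    (500, 30), (500, 32), (500, 33), (31, 34), (30, 35),
]


def naive_selection(samples):
    """Move traffic to whichever link has lower latency on every probe.

    Returns (number_of_switches, final_active_link_index).
    """
    active = 0
    switches = 0
    for wan1, wan2 in samples:
        best = 0 if wan1 <= wan2 else 1
        if best != active:
            active = best
            switches += 1
    return switches, active


def damped_selection(samples, margin_ms=10, consecutive=3, hold_down=5):
    """Switch only on a sustained, significant difference.

    The standby link must beat the active link by at least `margin_ms`
    for `consecutive` probes in a row. After a switch the new link is
    held for `hold_down` probes regardless of measurements, so a short
    recovery blip cannot immediately flip traffic back.

    Returns (number_of_switches, final_active_link_index).
    """
    active = 0
    switches = 0
    better_streak = 0
    hold = 0
    for wan1, wan2 in samples:
        latency = (wan1, wan2)
        if hold > 0:
            hold -= 1          # still inside the post-switch hold-down
            continue
        standby = 1 - active
        if latency[standby] + margin_ms <= latency[active]:
            better_streak += 1
        else:
            better_streak = 0  # any probe that is not clearly better resets
        if better_streak >= consecutive:
            active = standby
            switches += 1
            better_streak = 0
            hold = hold_down
    return switches, active


if __name__ == "__main__":
    for name, data in (("jitter", JITTER_SAMPLES), ("outage", OUTAGE_SAMPLES)):
        n_sw, n_act = naive_selection(data)
        d_sw, d_act = damped_selection(data)
        print(f"{name:7s} naive: {n_sw:2d} switches (ends on WAN{n_act + 1})  "
              f"damped: {d_sw:2d} switches (ends on WAN{d_act + 1})")
```

On the jitter data the naive policy flips on almost every probe, which is the pattern that breaks long-lived SSH sessions: each switch changes the source address the remote end sees. The damped policy never leaves WAN1 there, yet still fails over once during the constructed outage and, because of the hold-down, does not bounce back the moment WAN1 recovers. Tuning the margin, streak length and hold-down against what the ISPs actually deliver is the kind of configuration revision the post describes.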