
Table of Contents

Executive Summary 1
1. The Cybersecurity Landscape 2
The Role of the Network in Cybersecurity 2
Trends Affecting Network Security 4
A Common Cybersecurity Framework 5
2. Best Practices for Network Security 7
Enable Visibility Across Network Infrastructure 7
Implement Network Automation 10
Promote a Culture of Collaboration 13
3. Applying Network Automation to Security Workflows 15
Protecting the Network 15
Detecting and Responding to Cyberattacks 19
Enhancing Collaboration Across Teams 20
4. Achieving Continuous Cybersecurity 22
Continuous Network Hardening 22
Continuous Threat Response 23
Conclusion 25
Executive Summary

Network security is a dynamic art, with dangers appearing as fast as black hats can exploit vulnerabilities. While there are basic “golden rules” which can make life difficult for the bad guys, it remains a challenge to keep networks secure. John Chambers, Executive Chairman of Cisco, famously said “there are two types of companies: those that have been hacked, and those who don’t know they have been hacked”. The question for most organizations isn’t if they’re going to be breached, but how quickly they can isolate and mitigate the threat.

In this paper, we’ll examine best practices for effective cybersecurity – from both a proactive (access hardening) and reactive (threat isolation and mitigation) perspective. We’ll address how network automation can help minimize cyberattacks by closing vulnerability gaps and how it can improve incident response times in the event of a cyberthreat. Finally, we’ll lay out a vision for continuous network security, to explore how machine-to-machine automation may deliver an auto-securing and self-healing network.

01 | Executive Summary netbraintech.com |


1. The Cybersecurity Landscape

Technology is more vital to business than ever, requiring organizations to become more digitally advanced. But as reliance on technology increases, so must an organization’s security posture. Failure to do so could result in a costly data breach like the ones we’ve seen play out in the news many times before.

The Role of the Network in Cybersecurity


The focus of this paper is network security: how networks should be designed and configured to meet security best practices, and how network teams can react effectively to security threats. Let’s first take a step back to examine how network security differs from cybersecurity and information security (also known as InfoSec).

Sidebar: The number of DDoS attacks has increased by more than 20% in the last year, and attack throughput has reached 160 Gbps. (Source: Gartner)

Information security aims to ensure that all data, whether physical or digital, is protected from unauthorized access. Cybersecurity, a sub-domain of InfoSec, aims to protect only digital data (e.g. on computers and networks) from unauthorized access or damage. As a sub-domain of cybersecurity, network security aims to protect data as it is sent through the devices in your network, ensuring that information is not intercepted or changed along the way. In other words, whereas cybersecurity includes protection of data at rest, network security focuses on data in motion: encryption, remote access, 802.1X port authentication, certificates, and so on. The role of network security is to protect an organization’s IT infrastructure from any type of cyber threat, such as:

• Viruses, worms, and trojan horses - Malicious software which targets and damages PCs and end systems.
• Denial of service attacks - Methods which make a machine or network resource unavailable to its intended users by disrupting services.


• Zero-day vulnerabilities - Holes in software which are exploited by
hackers before a vendor becomes aware and hurries to fix them.
• Spyware and adware - Software that aims to gather information or
asserts control over a device without the consumer's knowledge.

Network security teams must implement hardware and software policies to protect their infrastructure and detect emerging threats before they infiltrate the network or compromise the organization’s data. There are several components to network security which work in harmony. The most common components include:

• Firewalls, which typically use state tables to operate at layer 3 and layer 4, blocking unauthorized traffic while permitting authorized communication.
• Anti-virus software, which protects computers and end systems from viruses.
• Intrusion detection systems (IDS), which inspect a copy of the traffic out of band and alert administrators when someone is trying to maliciously compromise an information system.
• Intrusion prevention systems (IPS), which perform anomaly detection, application filtering, and deep packet inspection to detect and prevent vulnerability exploits. Unlike an IDS, an IPS is placed in line with the network to actively analyze traffic and take automated action to block malicious traffic.
• Virtual private networks (VPN), which create an authenticated and encrypted connection over a less trusted network, such as the internet.

When the security of your network is compromised, the priority should be to isolate the attacker and mitigate the threat as quickly as possible. The longer the attacker stays in your network, the more time they have to steal your confidential data. According to Ponemon Institute’s 2017 Cost of Data Breach study, the average total cost of a data breach is more than $3.62 million, excluding catastrophic or mega data security breaches. The most effective method of lessening the total cost is by removing the attackers from your network as soon as possible – in other words, stop the bleeding.

Sidebar: Average cost of a data breach: $3.62M. (Source: 2017 Cost of Data Breach Study, Ponemon Institute)

Trends Affecting Network Security

Growing use of mobile devices and software-as-a-service (SaaS) make securing the network more challenging than ever. Faster network connections and more remote users are forcing security teams to reconsider where and how to provide protection. Further, traffic now flows in every possible direction due to the transition from monolithic (single application per server) to tiered application architectures, with diverse traffic patterns. The following trends will continue to impact network security policies and strategy.

Sidebar: 56% of respondents assumed their organization has been breached or will be soon. (Source: survey conducted by the SANS Institute in 2016)

1. The proliferation of IoT

The Internet of Things has broad implications for consumer devices, but many IoT devices are permeating the enterprise as well. Today, document scanners, medical devices, badge scanners, lab equipment, thermostats, and even coffee makers have an IP address. That means that network teams need to identify, track, and secure those devices, which are often inherently insecure. Many use only port 80, insecure (or no) passwords, or are hardcoded to use only the 192.168.0.0/24 address space.

2. Mobile networks, VPNs, BYOD, and roaming users

Today’s employees connect from anywhere, accessing services from iPads, Android phones, tablets and laptops. Many of those devices are employee-owned, even as organizations start to push back on BYOD (“Bring Your Own Device”) to take back security control. Still, there remains a large group of personal devices accessing corporate resources, which is wreaking havoc on security teams. Your network strategy needs to consider how to secure access across a plethora of platforms over an expanding network perimeter.

04 | The Cybersecurity Landscape netbraintech.com |


3. The move to the cloud

Enterprises are adopting private, public, and hybrid cloud services at increasing rates. This trend presents a big challenge for network security, as traffic can go around traditional points of inspection. Other challenges include traffic that traverses international borders, compliance considerations, cloud infrastructure churn (VMs moving and changing as needs change), containerization, and a general lack of visibility. While cloud services are developing their own security models, they will need to harmonize with your own strategy.

4. Targeted attacks and persistent threats

Advanced persistent threats, or APTs, have become a standard of cybercrime. For years, network security capabilities such as web filtering or IPS played a key part in identifying such attacks, after the initial compromise. As attackers grow bolder and employ more evasive techniques, network security must integrate with other security services to detect attacks.

A Common Cybersecurity Framework

To better address the dynamic risks of cybersecurity, President Barack Obama issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” on February 12, 2013. This order called for the development of a cybersecurity framework – a set of industry standards and best practices to help organizations manage cybersecurity risks – which NIST subsequently published as the Cybersecurity Framework. Organizations have unique risks – different threats, vulnerabilities, and risk tolerances – so how they implement this framework will vary. Here, we identify the five basic functions of the framework’s core, which in turn guide the recommendations of this paper.

1. Identify - Understand the business context, including the resources that support critical business functions, and the related cybersecurity risks. This enables an organization to focus and prioritize its efforts to align with business needs. Outcomes of this function include asset management, business environment, risk assessment, and governance.

2. Protect - Ensure delivery of critical infrastructure services. This function supports the ability to limit the impact of a potential cybersecurity event. Outcomes of this function include access control, awareness and training, data security, and maintenance.

3. Detect - Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. This function enables timely discovery of cybersecurity events. Outcomes include anomalies and event detection, continuous security monitoring, and detection processes.

4. Respond - Take action regarding a detected cybersecurity event. This function supports the ability to contain the impact of a potential threat. Outcomes include response planning, communications, analysis, mitigation, and improvements.

5. Recover - Restore any capabilities or services that were impaired due to a cybersecurity event. This function supports timely recovery to normal operations to reduce the impact from an attack. Outcomes include recovery planning, improvements, and communications.

Figure 1: Basic Functions of the Cybersecurity Framework

IDENTIFY: Asset management; Business environment; Governance; Risk assessment; Risk management strategy
PROTECT: Access control; Awareness and training; Data security; Information protection processes and procedures; Maintenance; Protective technology
DETECT: Anomalies and events; Security continuous monitoring; Detection processes
RESPOND: Response planning; Communications; Analysis; Mitigation; Improvements
RECOVER: Recovery planning; Improvements; Communications


It’s worth noting that the functions outlined above are not intended to lead to a static end state. Rather, they should be performed concurrently and continuously to provide an operational culture that addresses dynamic cybersecurity risk. It is important to measure the state of cybersecurity on an ongoing basis, through audits and assessments. The following sections look at the slice of these functions that pertains to network security in particular.

2. Best Practices for Network Security

Tools and technologies play a critical role in a security plan. Perhaps even more important, however, are the methods and processes which govern the way these technologies are deployed, provisioned, and managed. Networks are vastly complex systems and the methods to secure them make them even more difficult to manage. If a firewall policy is not configured properly, or an IDS is not properly tuned, it can create a point of vulnerability.

Network and security teams must work in harmony to ensure the network is properly protected, considering the evolving landscape and the ongoing release of new vulnerabilities. Understanding where the network is vulnerable requires deep visibility and significant analysis. The same requirements exist when the network is under attack – network and security teams must work together as quickly as possible to isolate and mitigate the attack and minimize time spent troubleshooting manually.

Enable Visibility Across Network Infrastructure


As humans, we rely on pictures and diagrams to help us understand complex systems. The ability to visualize complex sets of data is therefore critical for teams to consume information. Network visibility can refer to many things. In this paper, we define network visibility as the ability to visualize and conceptualize a network’s topology (including connections to firewalls, VPNs, and other security technologies), design (including security policies and configuration), and live performance characteristics (including device and interface health). Further, teams with visibility into the history of their networks – including a catalog of changes made over time – are better equipped to diagnose issues, and mitigate threats, when they arise.

Figure 2: Limitations of Network Visibility in an Enterprise Environment. (The figure places “Network Visibility” at the center of five sources, each answering one question: network diagrams – what’s connected?; expert knowledge – have we seen this before?; the CLI – how’s it configured?; change logs – what’s changed?; performance monitoring – what’s happening?)

Due to the complexity and dynamic nature of a network infrastructure, visibility remains a challenge for many organizations. To understand the challenges that come with limited visibility, it’s important to first look at the tools and techniques traditionally used to conceptualize information. In most cases, the methods to collect and analyze data are manual and labor-intensive. With data visualization, there are two fundamental challenges: (1) limited visibility – lacking depth or breadth of information, or (2) information overload – too much data spread across systems, making it difficult to find meaningful insights. Tools and techniques for traditional data visualization include:


• Network diagrams
o Benefits: Diagrams provide a way for teams to visualize the topology of their networks, helping them understand critical devices and interconnections.
o Challenges: To create network diagrams, an engineer needs to type show commands box-by-box to slowly build a list of devices, how they’re connected, and how traffic flows. This takes a tremendous amount of time and is error-prone. Even a good set of documentation provides limited configuration data, such as hostnames and IP addresses. Even more frustrating is that network diagrams are quickly obsolete if not updated frequently.

• The command line interface (CLI)
o Benefits: As a flexible and powerful user interface for network management, the CLI is the preferred tool of experts. Virtually any topology, configuration, or performance data can be accessed with knowledge of the right commands. For complex tasks, the CLI can also be scripted to achieve automation.
o Challenges: The CLI limits the breadth of information a user can analyze, because it is accessed one device and one command at a time. The CLI comes with a steep learning curve, since each vendor and model has its own command structure and syntax. Automating it with complex scripts has a steep learning curve as well.

Sidebar: 43% of surveyed engineers said that troubleshooting takes too long due to the manual nature of using the CLI. (Source: 2017 State of the Network Engineer Survey)

• IDS/IPS/monitoring tools
o Benefits: The primary benefit of these tools extends beyond data analysis, since the primary role of an IDS/IPS is to alert administrators to suspicious activity or policy violations. These tools also provide context into what part of the network may be impacted by a particular threat.
o Challenges: Many organizations face information overload when managing these systems. It is challenging to distinguish a real threat from a perceived threat with such volumes.



• The minds of tribal leaders
o Benefits: Tribal leaders have vast experience with management
or oversight of their unique networks. They know the ins and outs
of the underlying design architecture and have “been there, seen
that” enough times to quickly respond to threats and outages. Their
knowledge is invaluable and they don’t generally require diagrams or
other visual aids, because they know the network so well.
o Challenges: If knowledge is centralized in the minds of a select
few then those tribal leaders become a single point of failure in the
event they are sick or hit by a bus. Knowledge hoarding also limits
the effectiveness of a team to handle large volumes of tickets and
secure the broader network.

With manual methods of documentation, disparate tools for data collection, and knowledge siloed in the minds of experts, it remains extremely challenging for network teams to decode complex enterprise network environments. It is critical for teams to invest in tools which distill complex sets of data into intuitive and actionable intelligence.

Implement Network Automation


The demand for network automation in cybersecurity is best summarized by Major General Sara Zabel, Vice Director of the Defense Information Systems Agency (DISA). With 4.5 million users and 11 core data centers, DISA’s infrastructure generates about 10 million alarms per day, according to Zabel at the Open Networking User Group conference in 2016. Approximately 2,000 of those become trouble tickets. DISA’s network is a big target for hackers, logging 800 billion security events per day. Between countermeasures, configuration fixes, and other updates, DISA makes about 22,000 changes to its infrastructure every day. While DISA’s infrastructure represents an extreme example, most networks struggle all the same with the volume of alarms and tickets. Network automation is therefore mission critical in delivering services to the business while improving predictability and reliability.

Sidebar: DISA infrastructure daily events: 10 million alarms; 2,000 trouble tickets; 800 billion security events; 22,000 changes.


The biggest trend in network automation is software-defined networking (SDN), which brings programmability to the provisioning of network services; SDN is often referred to as control plane programmability. A second category, workflow automation, aims to make network operations more agile, predictable, and efficient. Many organizations are in the infancy of implementing workflow automation. As a result, most engineers still use manual processes for managing key security workflows, such as verifying network hardening policies and mitigating cyberattacks. In the context of the cybersecurity framework, let’s examine these two broad workflows (proactive and reactive) to identify areas where automation can improve efficiency and agility.

Figure 3: Proactive and Reactive Cybersecurity Workflows (laid over the five framework functions: Identify, Protect, Detect, Respond, Recover)

Proactive Workflows: Protecting the Network


To protect the network, organizations must perform continuous access hardening. Network hardening is mandated by regulators and standards bodies such as the National Institutes of Health, the Department of Homeland Security, the FBI, the Federal Reserve Bank, and the FDIC. Each body may have a unique compliance standard (e.g., PCI DSS, HIPAA, DISA STIGs, etc.) but many of the underlying principles are common between them and should be treated as a minimum best practice. These standards require that network devices are configured to a defined baseline, that traffic is not permitted into restricted areas, and that devices are patched promptly to close vulnerability gaps. In almost all cases, the process to validate such mandates or best practices is extremely manual.

Because new vulnerabilities are released frequently, and because networks are constantly undergoing change, the process to access-harden the network is ongoing. For large networks with hundreds or thousands of network nodes, it can take days to understand the impact of a single vulnerability advisory from a vendor. When changes are made to the network, security compliance may drift unless every network change is properly validated. Security teams who define security standards often struggle to enforce those standards across the network team.

Reactive Workflows: Detecting and Responding to Cyberthreats


Many organizations leverage IDS, IPS, or security information and event management (SIEM) tools to alert administrators when someone is trying to maliciously compromise the network. The steps that follow an IDS alert, however, are largely manual. The first two questions are usually: “Where did the attacker penetrate the network?” and “What part of the network is impacted?” To answer them, engineers first need to perform a lot of manual work.

The first step is to trace the path from the breached endpoint, commonly an end user’s computer or a public web server. This alone can take hours. Next, teams need to understand the performance impact, to see if the attack is ongoing and what the extent of the damage is. In the event of a denial-of-service attack, which aims to render network resources unavailable, engineers need to monitor network performance characteristics, such as CPU, memory, and bandwidth utilization. Not until teams have enough information to determine which ports the attack is originating from and what devices are affected can they shut down a port or add an access-list to mitigate the attack. Often the attack compromises a computer, so being able to identify that one device among the hundreds, thousands, or even tens of thousands of devices on the network is extremely tedious.

Limitations of Scripts for Automation


It’s worth mentioning that scripts offer a method for engineers to customize automation so that it may adapt to these workflows. But scripting comes with a steep learning curve and most network teams lack this skillset. Further, even well-written scripts can fail to adapt to multi-vendor and hybrid IT infrastructures. A script may be written to collect and analyze specific data from a discrete device type, but fail to work on a device from another vendor. This is a big problem with automation, since an engineer may need to look at Windows devices, Linux devices, Cisco routers, Palo Alto firewalls, Aruba wireless controllers, etc. - each with its own unique operating system and command syntax. Customizing automation for each with a home-grown tool is extremely difficult. While some tasks can be automated with scripts, the majority of network hardening and threat response workflows are still conducted manually.

Promote a Culture of Collaboration


As complex systems, enterprise networks are operated not by individuals but by teams, often distributed geographically with different technical skills and cultures. For example, it is common for a network security engineer to sit on the network team and to interact regularly with an Information Security Officer within the security team.

The ability of teams to work together effectively, therefore, plays a vital role in network operations and security. To do so, teams must first commit to a culture of collaboration. Next, teams must implement tools and processes which enable frictionless collaboration. There are two areas where teams should look to improve collaboration:

Sidebar: 72% of engineers cite lack of collaboration between network and security teams as the number one challenge when mitigating an attack. (Source: 2017 State of the Network Engineer Survey)

1. Democratize Knowledge

Teams struggle to document and share knowledge. This limits their ability to scale, since they are bottlenecked by limited skills and abilities. There are two types of knowledge in an organization: domain knowledge and tribal knowledge. Domain knowledge refers to expertise which is valuable both inside the organization and outside, for example knowledge of security best practices or the fundamentals of routing and forwarding traffic. Perhaps more valuable is tribal knowledge, which is accumulated only after spending sufficient time within a team or organization, for example familiarity with the specific security policies or network design used within a unique network. Organizations which lack a culture of collaboration have pockets of knowledge stored inside the brains (or perhaps local hard drives) of tribal leaders. Many IT organizations fail to implement tools and practices which facilitate knowledge sharing of this kind.

2. Streamline Data Sharing


Teams struggle to share data effectively, which is crucial at the task level, where insights and conclusions are made as a team. Teams traditionally communicate via web conference or email, where the sharing of data is clunky – usually in log files and data dumps. With these methods, it is challenging for one individual to draw insights from another individual’s data dump. By relying on manual methods of data collection and sharing (e.g. box-by-box, screen scraping, or legacy home-grown scripts), teams are less effective.

In a typical security incident, the network team is working with the application team, Linux team, security team, and managers. With this level of cross-functional collaboration, it’s very important to have centralized information to know what other teams in the department are doing. The ability of teams to democratize knowledge and seamlessly share information is valuable both during a cyberattack and for proactive network security. For the former, teams must work effectively to isolate and mitigate the attack as soon as possible. For the latter, teams must share best practices to harden the network and validate compliance.


3. Applying Network Automation to Security Workflows

The increasing scale of networks, driven by trends such as IoT and cloud computing, is driving the need for automation – it is now mission-critical for network security. A comprehensive cybersecurity workflow includes tasks performed before, during, and after a cyberattack. Automation should be applied at each phase.

Before a cyberattack, automation is critical for network hardening, to fortify network assets and close vulnerability gaps. But should an attacker penetrate the network, automation can help teams isolate and mitigate threats quickly, to minimize damage. After an attack, automation can help teams perform a post-mortem analysis, to identify ways to further protect network assets against similar attacks in the future, and equip teams to respond more quickly. This workflow therefore represents an ongoing cycle from proactive to reactive and back again.

To support and enhance this existing workflow, automation must be leveraged to provide teams with better visibility of their networks – to understand where vulnerabilities exist, or what network assets are compromised during an attack. Automation also plays a role in helping teams collaborate effectively, to share knowledge and insights.

Sidebar: 30% of surveyed engineers said they are investing in network automation technologies to enhance network security.

Protecting the Network


To help ensure ongoing compliance and adherence to security requirements, automation should be applied to access-hardening workflows. The need for automation is driven by the dynamic nature of security threats in combination with the tendency for enterprise networks to undergo constant change. Any workflow which requires an engineer to analyze the network and validate a security requirement is ripe for automation. Here, we’ll identify four such use cases.


Scenario #1: Assess impact of new vulnerabilities
Suppose a new vulnerability advisory or security patch is released by a hardware vendor which affects a specific device type or software release. How do you know how many devices are impacted in your network, and where they connect? Automation can be applied to scan the network, map the relevant devices, and assess the impact. In the example below, a patch is released for a particular Cisco IOS software version. To assess the impact, an engineer runs an automation that overlays the software version of each device on the map and automatically highlights (in red) the devices which need to be upgraded.

Figure 4: Visual Analysis of Security Assessment
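The version overlay in Scenario #1 can be reproduced with a short script. The following is an added example, not NetBrain code and not the tool behind Figure 4: the inventory, the neighbor links and the advisory identifier EXAMPLE-2017-001 are constructed, and the version parser deliberately ignores release trains (a limitation noted in its docstring, since the vendor's own first-fixed table is the authority for that).

```python
"""Impact assessment for a vendor advisory: which devices run an affected
release, and which neighbours they connect to.

Added example, not NetBrain's tooling. The inventory, adjacencies and the
advisory (EXAMPLE-2017-001, a hypothetical identifier) are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class Device:
    hostname: str
    platform: str                       # e.g. "IOS", "IOS-XE", "NX-OS"
    version: str                        # version string as reported by the device
    neighbors: list[str] = field(default_factory=list)


@dataclass
class Advisory:
    advisory_id: str
    platform: str
    affected_from: str                  # inclusive lower bound
    first_fixed: str                    # exclusive: this release and later are fixed


def parse_version(text: str) -> tuple[int, ...]:
    """Reduce an IOS-style version string to a comparable tuple of integers:
    '15.2(4)M7' -> (15, 2, 4, 7), '16.9.3' -> (16, 9, 3).

    Train letters (M, E, SE, ...) are dropped, so releases from different
    trains compare purely numerically. That is fine for a first pass, but a
    real assessment must use the vendor's "first fixed release" table per train."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def is_affected(dev: Device, adv: Advisory) -> bool:
    if dev.platform != adv.platform:
        return False
    v = parse_version(dev.version)
    return parse_version(adv.affected_from) <= v < parse_version(adv.first_fixed)


def assess_impact(inventory: list[Device], adv: Advisory) -> dict[str, list[str]]:
    """Return {affected_hostname: [neighbors]}: the devices to highlight on the
    map and, for each, where it connects."""
    return {d.hostname: sorted(d.neighbors)
            for d in inventory if is_affected(d, adv)}


def upgrade_order(impact: dict[str, list[str]]) -> list[str]:
    """Affected devices with the most affected neighbours first, so the
    upgrade plan tackles the densest part of the exposed topology early."""
    return sorted(impact, key=lambda h: (-sum(n in impact for n in impact[h]), h))


# Constructed inventory (hostnames, versions and links are illustrative).
INVENTORY = [
    Device("core-rtr-01", "IOS",    "15.2(4)M6",   ["dist-sw-01", "dist-sw-02"]),
    Device("core-rtr-02", "IOS",    "15.2(4)M7",   ["dist-sw-01", "dist-sw-02"]),
    Device("dist-sw-01",  "IOS",    "15.2(2)E9",   ["core-rtr-01", "core-rtr-02", "acc-sw-11"]),
    Device("dist-sw-02",  "IOS-XE", "16.9.3",      ["core-rtr-01", "core-rtr-02"]),
    Device("acc-sw-11",   "IOS",    "15.0(2)SE11", ["dist-sw-01"]),
]

# Hypothetical advisory: IOS from 15.0 up to, but not including, 15.2(4)M7 is affected.
ADVISORY = Advisory("EXAMPLE-2017-001", "IOS", "15.0", "15.2(4)M7")

if __name__ == "__main__":
    impact = assess_impact(INVENTORY, ADVISORY)
    for host in upgrade_order(impact):
        print(f"UPGRADE  {host:12s} connects to {', '.join(impact[host])}")
    for d in INVENTORY:
        if d.hostname not in impact:
            print(f"ok       {d.hostname:12s} {d.platform} {d.version}")
```

Run against the constructed inventory, three of the five devices are flagged; core-rtr-02 already runs the first fixed release and dist-sw-02 is on a different platform. In a real network the inventory would come from discovery rather than a literal, and the affected ranges from the advisory itself.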


Scenario #2: Validate security policies and access restrictions
Suppose you need to validate that traffic is allowed to flow where it needs to, but restricted where it is forbidden. An example of this, mandated by the PCI Security Standards Council (PCI DSS), is that cardholder data must not be accessible from out-of-scope systems. The common way to restrict that is through firewall policies. In larger organizations, firewalls typically have many hundreds if not thousands of rules which have accumulated over time (in many cases without proper remarks or documentation). For these networks, firewall rule audits are a painful aspect of a security audit. Automation can be applied to visualize key traffic flows across your network, taking into account the security policies which inspect traffic at the port level. Using this method, you can validate that traffic is allowed to flow where it should, and prohibited where it shouldn’t.

Figure 5: Visual Analysis of Security Assessment
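The rule-base check in Scenario #2 can be expressed as a first-match evaluation plus a list of required and forbidden flows. This is an added example, not the paper's path analysis; the networks, rule names and flows are constructed. It also reports shadowed rules, the accumulated entries the scenario describes, since those are the ones an audit should delete rather than reason about.

```python
"""First-match evaluation of a firewall rule base, used to prove that the
cardholder data environment (CDE) is reachable only from in-scope systems.

Added example, not NetBrain's path analysis. The networks, rule names and
required/forbidden flows are constructed for illustration."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                         # "permit" or "deny"
    src: Net
    dst: Net
    proto: str                          # "tcp", "udp" or "any"
    dport: int | None                   # None matches any destination port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def matches(rule: Rule, flow: Flow) -> bool:
    return (ipaddress.ip_address(flow.src) in rule.src
            and ipaddress.ip_address(flow.dst) in rule.dst
            and rule.proto in ("any", flow.proto)
            and rule.dport in (None, flow.dport))


def evaluate(rules: list[Rule], flow: Flow) -> tuple[str, str | None]:
    """Top-down, first match wins, implicit deny at the end (ACL semantics).
    Returns (action, name of the matching rule, or None for the implicit deny)."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule.name
    return "deny", None


def shadowed(rules: list[Rule]) -> list[tuple[str, str]]:
    """Rules that can never fire because an earlier rule already covers every
    packet they would match."""
    out = []
    for i, r in enumerate(rules):
        for e in rules[:i]:
            if (r.src.subnet_of(e.src) and r.dst.subnet_of(e.dst)
                    and e.proto in ("any", r.proto)
                    and e.dport in (None, r.dport)):
                out.append((r.name, e.name))
                break
    return out


def validate(rules: list[Rule], must_allow: list[Flow], must_deny: list[Flow]) -> list[str]:
    """One line per violated requirement; an empty list means the policy does
    what the standard says it should."""
    failures = []
    for f in must_allow:
        action, name = evaluate(rules, f)
        if action != "permit":
            failures.append(f"required flow blocked: {f.src}->{f.dst}/{f.proto}/{f.dport} by {name or 'implicit deny'}")
    for f in must_deny:
        action, name = evaluate(rules, f)
        if action == "permit":
            failures.append(f"forbidden flow permitted: {f.src}->{f.dst}/{f.proto}/{f.dport} by {name}")
    return failures


# Constructed rule base. 10.10.50.0/24 is the CDE; 10.10.20.0/24 is the POS
# network (in scope); 10.10.1.0/24 is management; 10.10.80.0/24 is a guest
# VLAN that must never reach the CDE.
CDE = Net("10.10.50.0/24")
RULES = [
    Rule("pos-to-cde-https", "permit", Net("10.10.20.0/24"), CDE, "tcp", 443),
    Rule("mgmt-to-cde-ssh",  "permit", Net("10.10.1.0/24"),  CDE, "tcp", 22),
    Rule("legacy-db-access", "permit", Net("10.0.0.0/8"),    CDE, "tcp", 1433),  # accumulated, far too broad
    Rule("pos-to-cde-dup",   "permit", Net("10.10.20.0/24"), CDE, "tcp", 443),   # shadowed by the first rule
    Rule("deny-all-to-cde",  "deny",   Net("0.0.0.0/0"),     CDE, "any", None),
]
MUST_ALLOW = [Flow("10.10.20.15", "10.10.50.10", "tcp", 443)]
MUST_DENY = [
    Flow("10.10.80.7", "10.10.50.10", "tcp", 443),
    Flow("10.10.80.7", "10.10.50.10", "tcp", 1433),
]

if __name__ == "__main__":
    for line in validate(RULES, MUST_ALLOW, MUST_DENY):
        print("FAIL", line)
    for dead, by in shadowed(RULES):
        print(f"shadowed rule {dead} (covered by {by})")
```

The guest host is correctly stopped on port 443 by the final deny, but the old database rule lets the same host reach the CDE on 1433, which is exactly the kind of hole a port-level flow check catches and a rule-by-rule read-through misses.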


Scenario #3: Validate best practices and compliance
Suppose you need to validate and prove compliance – either for an in-house audit or to a regulatory body. The process to verify and document compliance is very manual and time-consuming. For large networks with thousands of network devices, inspecting every configuration file to ensure it meets requirements may not be feasible. Automation can be applied to perform this task and identify policy violations, such as missing password encryption, enabled Telnet access, or unsafe SNMP community strings.

Figure 6: Visual Analysis of Security Assessment

Scenario #4: Guide engineers with security best practices

Suppose your organization’s security policy is governed by the security team, but network changes are implemented by the network team. How can the network team leverage the security best practices? And how can the security team validate that each new change meets or exceeds minimum security standards? With runbook automation, the security team can digitize the best practices into executable procedures. Each step in the runbook may validate a unique security requirement. After each network change is implemented by the network team, they can simply execute the runbook to safeguard against non-compliant configurations.

Figure 7: Sample Security Assessment Runbook
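The three violations named in Scenario #3 (missing password encryption, Telnet on the VTY lines, weak SNMP communities) and the post-change runbook step of Scenario #4 can be served by one audit function. The following is an added example, not NetBrain's runbook engine; the two running configs are constructed in IOS syntax, and the hostnames and community strings are hypothetical.

```python
"""Configuration audit for the violations named in Scenario #3, packaged as
the kind of check a runbook step in Scenario #4 would run after every change.

Added example, not NetBrain's runbook engine. The two running configs below
are constructed in IOS syntax; hostnames and community strings are hypothetical."""
from __future__ import annotations

import re


def sections(config: str) -> list[tuple[str, list[str]]]:
    """Split an IOS-style config into (top-level command, [indented sub-commands]).
    Blank lines and '!' separators are skipped."""
    out: list[tuple[str, list[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and out:
            out[-1][1].append(raw.strip())
        else:
            out.append((raw.strip(), []))
    return out


def audit(hostname: str, config: str) -> list[str]:
    """Return one finding per violation; an empty list means the device passes."""
    findings: list[str] = []
    secs = sections(config)
    headers = [h for h, _ in secs]

    # 1. Password handling: encrypted stored passwords and a hashed enable secret.
    if "service password-encryption" not in headers:
        findings.append("service password-encryption not enabled")
    if any(h.startswith("enable password ") for h in headers):
        findings.append("'enable password' in use; replace with 'enable secret'")

    for header, body in secs:
        # 2. VTY lines: require an explicit SSH-only transport. Defaults differ
        #    between platforms, so an absent 'transport input' is a finding too.
        if header.startswith("line vty"):
            transports = [b for b in body if b.startswith("transport input")]
            if not transports:
                findings.append(f"{header}: no explicit 'transport input' (platform default may allow Telnet)")
            elif any(tok in ("telnet", "all") for t in transports for tok in t.split()[2:]):
                findings.append(f"{header}: '{transports[0]}' allows Telnet")
        # 3. SNMP communities: default names and read-write access.
        m = re.match(r"snmp-server community (\S+)(?:.*\b(RO|RW)\b)?", header)
        if m:
            name, mode = m.group(1), m.group(2) or "RO"
            if name.lower() in ("public", "private"):
                findings.append(f"default SNMP community '{name}'")
            if mode == "RW":
                findings.append(f"SNMP community '{name}' is read-write")
    return [f"{hostname}: {f}" for f in findings]


def runbook_step(configs: dict[str, str]) -> dict[str, list[str]]:
    """One runbook step: audit every device and return findings keyed by hostname."""
    return {host: audit(host, cfg) for host, cfg in configs.items()}


# Constructed configs: the first would fail a review, the second passes.
CONFIGS = {
    "acc-sw-11": """\
hostname acc-sw-11
enable password cisco123
snmp-server community public RO
snmp-server community netops RW 10
line vty 0 4
 transport input telnet ssh
line vty 5 15
 login local
""",
    "dist-sw-01": """\
hostname dist-sw-01
service password-encryption
enable secret 5 $1$abcd$EXAMPLEHASHxxxxxxxxxxx
snmp-server community n3t0ps-r0 RO 10
line vty 0 4
 transport input ssh
""",
}

if __name__ == "__main__":
    for host, findings in runbook_step(CONFIGS).items():
        status = "PASS" if not findings else f"{len(findings)} finding(s)"
        print(f"{host}: {status}")
        for f in findings:
            print("  -", f)
```

A runbook would feed this the post-change running config of every device in the change window and block the ticket from closing while any hostname returns findings. The VTY check is deliberately strict: rather than guessing the platform default, it insists on an explicit transport input ssh, which is also what the STIG-style baselines require you to prove.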

Detecting and Responding to Cyberattacks


The first order of business when handling a security incident in progress is to
stop the bleeding: this initial remediation takes priority over everything else.
Once your IDS or SIEM detects potentially malicious traffic, automation
should drive your diagnostic response. The diagnosis visualizes where the
attacker penetrated the network and which other network resources are
impacted. Automation can cut the time needed to trace that path from hours
to seconds.



Next, teams need to understand the performance impact to assess the
extent of the damage. Automation is critical here so that network engineers
have relevant information immediately without having to manually probe
network appliances one box at a time. This helps teams isolate the attacker
so they can then take proper action to mitigate the threat (e.g., by shunting
traffic, disabling ports, making policy changes, etc.).

In the example below, a denial-of-service attack path is mapped from the
attacker to the victim. Next, performance monitoring is enabled to help
engineers visualize the performance impact. In this example, bandwidth is
being actively bottlenecked (shown in red) at each hop along the path.

Figure 8: Isolate Cyberattack with a Triggered Diagnosis

Enhancing Collaboration Across Teams


There are three keys to productive collaboration: culture, process, and tools.
When teams work together to combat a cyberattack, knowledge must be
easily shared and so must key insights. Automation should play a role here to
provide a shared set of data which is visually accessible, including engineering
notes and observations. A visual interface, such as a map, may serve as a
shared analytics console, accessible across teams and disparate geographies.

Runbooks should be shared to guide more junior engineers with best
practices. Lessons learned from any given incident should then be applied to
improve existing runbooks, thereby enhancing existing automated responses.
The diagram below portrays how a shared analytics console helps engineering
teams get on the same page during an event, to isolate and mitigate an
attack. It also shows how workflows can be enhanced with lessons learned
from the event to improve threat response down the road.

Figure 9: Enhancing Existing Workflows with Automation



4. Achieving Continuous Cybersecurity

Just as the horse and buggy was supplanted by the automobile, automated
transportation has continued to evolve: the automobile was later enhanced
with the automatic transmission, and today the next wave of automation is
ushering in the autonomous (self-driving) car. The ultimate goal of continuous
automation is to eliminate human error and dramatically increase efficiency.
In cybersecurity, continuous automation will reduce both the risk and the
impact of cyberthreats.

On the journey to a fully autonomous network, which is self-securing
and self-healing, there are important milestones. The previous section
discussed automation as a tool to reduce manual tasks and improve
collaboration between humans. This section explores a higher degree of
automation, through machine-to-machine communication. We will explore
what is possible today by connecting automation platforms together via
API to trigger automation, for both proactive and reactive security
workflows.

Continuous Network Hardening


The goal of continuous network hardening is a network that remains in a
permanent state of security compliance. In many cases, compliance drift
is the result of non-compliant network changes. In other cases, drift is the
result of evolving threats, such as a newly disclosed vulnerability (often
announced by a hardware vendor). A continuously automated network adapts
dynamically to close vulnerability gaps as they arise, in real time.

As one example, imagine a rogue network change is detected by an event
management system (EMS). In response, the EMS sends an alert to the network
automation platform via API to perform a compliance check of the modified
configuration. The automation platform might respond with a map of non-
compliant devices. In turn, another API call may trigger the change
orchestration platform to close the security gap by auto-provisioning the
rogue device.

In another example, suppose a vendor bulletin issues an announcement for
a vulnerability of a certain firmware version. That announcement may trigger
the automation platform to perform an impact assessment to identify how
many devices with the known characteristic are deployed on the network. A
set of vulnerable devices may then be passed to the change orchestration
platform to perform the necessary patch or firmware upgrade automatically.

[Figure: an Event Management System (network change detected) triggers compliance validation on the Network Automation Platform, and Vendor Bulletins (new vulnerability released) trigger an impact assessment; the platform hands a compliant configuration to Change Orchestration.]

Figure 10: Continuous Network Hardening via API Integration
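An added example (not NetBrain platform code) of the vendor-bulletin path in Figure 10: the bulletin is matched against a device inventory to produce the vulnerable set, which is then handed to change orchestration in small batches. The inventory, the bulletin and the approval guardrail are constructed or assumed, and the bulletin id is a placeholder.

```python
"""Vendor bulletin to impact assessment to change orchestration (added example,
not NetBrain platform code). Inventory, bulletin and the blast-radius guardrail
are constructed/assumed; the bulletin id is a placeholder."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    hostname: str
    platform: str
    firmware: str  # dotted release string, e.g. "16.9.3"

@dataclass(frozen=True)
class Bulletin:
    bulletin_id: str
    platform: str
    affected_from: str  # first affected release (inclusive)
    fixed_in: str       # first fixed release (exclusive)

def release(v):
    """'16.12.1' -> (16, 12, 1): compare releases numerically, not as strings."""
    return tuple(int(x) for x in v.split("."))

def impact_assessment(inventory, bulletin):
    """Which deployed devices match the bulletin's platform and release range."""
    lo, hi = release(bulletin.affected_from), release(bulletin.fixed_in)
    return sorted(d.hostname for d in inventory
                  if d.platform == bulletin.platform and lo <= release(d.firmware) < hi)

MAX_AUTO_UPGRADE = 10  # assumed rule: a larger set is held for human approval

def orchestration_request(bulletin, vulnerable, batch_size=2):
    """Hand the vulnerable set to change orchestration in small batches."""
    if len(vulnerable) > MAX_AUTO_UPGRADE:
        return {"action": "hold_for_approval", "bulletin": bulletin.bulletin_id,
                "devices": vulnerable}
    batches = [vulnerable[i:i + batch_size] for i in range(0, len(vulnerable), batch_size)]
    return {"action": "firmware_upgrade", "bulletin": bulletin.bulletin_id,
            "target": bulletin.fixed_in, "batches": batches}

def handle_bulletin(inventory, bulletin):
    """The API-triggered chain of Figure 10: assessment first, then orchestration."""
    return orchestration_request(bulletin, impact_assessment(inventory, bulletin))

INVENTORY = [  # constructed sample inventory
    Device("core-rtr1", "ios-xe", "16.9.3"),
    Device("core-rtr2", "ios-xe", "16.9.4"),
    Device("edge-rtr1", "ios-xe", "16.12.1"),  # newer train, outside the range
    Device("branch-sw2", "ios", "15.2.7"),     # different platform
]
BULLETIN = Bulletin("BULLETIN-ID-PLACEHOLDER", "ios-xe", "16.9.0", "16.9.5")
```

Note that `edge-rtr1` is excluded only because releases are compared as integer tuples; a plain string comparison would rank "16.12.1" below "16.9.5" and mark it vulnerable.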

Continuous Threat Response


Continuous automation is even more valuable during a cyberattack, when
the company’s protected data is vulnerable, and every second counts. Here,
automation can be auto-triggered upon event detection via IDS or SIEM. In
this example, the network automation platform is auto-triggered to perform
a diagnosis of the threat to validate and assess the impact. The result of
the diagnosis may then be passed to the change orchestration platform
for intervention. Based on the diagnostic data, various pre-defined security
policies and techniques may be applied to mitigate the threat.

[Figure: an IDS/SIEM (threat detected) triggers threat analysis on the Network Automation Platform, which hands threat mitigation to Change Orchestration.]

Figure 11: Continuous Threat Response via API Integration



Conclusion

Network security must be ruthlessly prioritized to protect business
assets from the increasing volume of cyberattacks. In the face of these
evolving threats, and the growing complexity of enterprise networks,
automation is more mission-critical than ever. The benefits of automation,
namely enhanced network visibility and improved cross-functional
collaboration, can be applied at each function of the cybersecurity
framework, from proactive to reactive.

There are varying degrees of automation to consider, depending on the
scale of the network and your business’ risk profile. In its most basic
form, automation can be applied to individual tasks to reduce tedious
manual work. At the other end of the spectrum, continuous automation
may be achieved by connecting automation platforms together via API,
with a clearly defined set of rules in between, to eliminate human error
and accelerate threat response.

As the adoption of automation increases, network and security
engineers remain more important than ever. But the demands
of automation require that the skillsets of these teams adapt to
keep the network and business secure.



About NetBrain Technologies, Inc.
Founded in 2004, NetBrain is the market leader in network
automation. Its ground-breaking platform leverages the power of
Dynamic Maps and Executable Runbooks to provide CIOs and network
teams with end-to-end network visibility and analysis across physical,
virtual, and software-defined networking environments.

Today, more than 1,800 of the world’s largest enterprises and
managed service providers use NetBrain to automate network
documentation, accelerate troubleshooting, and strengthen network
security, while integrating with a rich ecosystem of partners.
NetBrain is headquartered in Burlington, Massachusetts, with offices
in Sacramento, California; Munich, Germany; and Beijing, China.

For more information, visit https://www.netbraintech.com/.


NetBrain® and the NetBrain logo are registered trademarks of
NetBrain Technologies.

NetBrain Technologies, Inc., 15 Network Drive, Burlington, MA 01803
+1 800 605 7964 | info@netbraintech.com | www.netbraintech.com
