
In today’s world, where cyber threats are multiplying at an incredible rate, manual security policy management and security audits are becoming risky. Human errors (misconfigured firewall rules, forgotten accounts, incorrectly configured security policies), delays in incident response, and the difficulty of tracking every change in the network inventory leave organizations exposed to attacks that exploit vulnerabilities in open ports, to unauthorized access to sensitive data, and to compliance violations (for example, failing to meet PCI DSS requirements when storing credit card data, or violating GDPR when processing personal data). The solution to this critical problem is Tufin, a Security Policy Management (SPM) platform that automates security audit, policy management, and risk management processes, ensuring continuous protection of your network.
What is Automated Security Audit and Why is it Needed?
Automated security audit is a process in which software, such as Tufin SecureTrack, regularly scans your network infrastructure, analyzing firewall configurations, network devices, and other security elements. This allows you to identify configuration errors, vulnerabilities, and deviations from established security standards such as PCI DSS, NIST, HIPAA, and CIS benchmarks. Instead of relying on manual checks, which are time-consuming and prone to errors, automated auditing provides continuous monitoring and timely detection of problems. SecureTrack uses various data collection methods, including APIs, SSH, SNMP, and CLI parsing, to obtain device configuration information. The data is normalized and stored in a centralized database, providing a unified view of the security policy.
Benefits of Automated Security Audit:
- Improved Efficiency: Audit automation reduces the time and resources spent on security auditing, freeing up your specialists to focus on more important tasks.
- Improved Visibility: SecureTrack provides interactive topological network maps that display traffic flows and rules that determine access. This allows you to analyze the impact of changes on security policy and identify potential risks.
- Risk Reduction: Identifying vulnerabilities and configuration errors before they are exploited by attackers reduces the risk of attacks and data breaches.
- Simplified Compliance: SecureTrack generates pre-configured reports for various compliance standards, including PCI DSS, NIST, HIPAA, and GDPR. The reports contain information about the current state of network security and recommendations for eliminating identified inconsistencies.
- Improved Change Management: Security change management with Tufin ensures that all changes to the network infrastructure comply with security policies and do not create new vulnerabilities.
How Tufin Automates Security Audit
Tufin Orchestration Suite is a comprehensive platform that automates network security audit, policy management, and risk management processes. It consists of several key components, including Tufin SecureTrack, Tufin SecureChange, Tufin SecureApp, and Tufin Stalker.
Tufin SecureTrack: Continuous Monitoring and Analysis
Tufin SecureTrack is the core of the Tufin platform and provides continuous monitoring and analysis of your network infrastructure. It collects configuration data from firewalls, network devices, and other security elements, and analyzes this data for configuration errors, vulnerabilities, and deviations from established security policies.
Key Features of Tufin SecureTrack:
- Policy Discovery: SecureTrack uses machine learning algorithms to automatically discover security policies by analyzing traffic flows and firewall rules. This allows you to quickly and accurately identify existing policies and spot anomalies.
- Risk Analysis: SecureTrack uses a continuously updated vulnerability and threat database to assess the risks associated with identified vulnerabilities. Risk is calculated based on various factors, including the severity of the vulnerability, the likelihood of exploitation, and the potential damage.
- Risk Visualization: SecureTrack displays risks on a network map, making it easier to understand and prioritize security remediation tasks.
- Reporting: SecureTrack automatically generates detailed reports on the state of your network security, making it easier to pass audits and confirm compliance.
- Integration: SecureTrack supports integration with a wide range of devices, including Check Point (R80+), Cisco (ASA, Firepower), Fortinet (FortiGate), Palo Alto Networks (Panorama), Juniper Networks (SRX), and others. A complete list of supported devices and versions is available on the Tufin website.
- Zones: SecureTrack allows you to segment the network into zones, which simplifies security policy management and access control between different network segments.
Tufin SecureChange: Security Workflow Automation
Tufin SecureChange automates security workflow processes related to changes in the network infrastructure. It allows you to automate change request, approval, and implementation processes, ensuring that all changes comply with security policies and do not create new vulnerabilities. Requests can be created both through the interface and programmatically via API.
Key Features of Tufin SecureChange:
- Change Request Automation: Tufin SecureChange automates the change request process by providing users with a simple and convenient interface to request changes to the network infrastructure.
- Approval Automation: Tufin SecureChange automates the change approval process, routing approval requests to the appropriate individuals and ensuring compliance with all necessary rules and procedures.
- Implementation Automation: SecureChange uses APIs and CLI scripts to automatically configure devices. It can create, modify, and delete firewall rules, objects, and other configuration parameters.
- Change Audit: SecureChange tracks all changes made to the network infrastructure, providing full transparency and accountability.
- ITSM Integration: Tufin SecureChange integrates with ITSM systems such as ServiceNow, Jira, Remedy, allowing you to integrate security change management processes into existing IT service management processes.
- Automatic Change Validation: SecureChange provides functionality for automatically validating changes before they are implemented, allowing you to identify potential risks and prevent errors.
Tufin SecureApp: Application Policy Automation
Tufin SecureApp allows you to automate the definition and application of security policies for applications, ensuring the protection of business-critical applications and simplifying their access management.
Tufin Stalker: Finding Obsolete and Unused Policies
Tufin Stalker helps detect obsolete and unused firewall rules that can pose a security threat and complicate policy management. Stalker analyzes traffic logs and rule configurations, identifying inactive rules that can be safely removed.
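The idea of correlating traffic logs with the rule inventory can be illustrated with a short script. This is an added example, not Tufin's code or algorithm; the rule ids, dates, log layout and the 90-day window are all assumptions constructed for the illustration.

```python
from datetime import datetime, timedelta

# Constructed inventory: rule id -> creation date. Names and dates are made up.
RULE_CREATED = {"r10": "2023-01-10", "r11": "2023-02-01",
                "r12": "2024-05-28", "r13": "2022-11-05"}

# Constructed traffic log; the key=value layout is an assumption, not a vendor format.
LOG = """\
2024-05-30T09:12:00 rule=r10 action=accept src=10.1.1.5 dst=10.2.0.9 dport=443
2024-03-02T11:15:40 rule=r11 action=accept src=10.1.1.7 dst=10.2.0.9 dport=8080
2024-06-01T08:00:01 rule=r10 action=accept src=10.1.1.5 dst=10.2.0.9 dport=443
2024-06-02T10:00:00 rule=r99 action=accept src=10.1.1.8 dst=10.2.0.9 dport=22
malformed line without a timestamp
"""


def last_hits(log_text):
    """Map each rule id seen in the log to the time of its most recent hit."""
    hits = {}
    for line in log_text.splitlines():
        fields = line.split()
        try:
            when = datetime.fromisoformat(fields[0])
        except (IndexError, ValueError):
            continue                      # skip blank or malformed lines
        rule = next((f[5:] for f in fields[1:] if f.startswith("rule=")), None)
        if rule and (rule not in hits or when > hits[rule]):
            hits[rule] = when
    return hits


def removal_candidates(rule_created, log_text, now, window_days=90):
    """Classify rules with no hit inside the window as 'never hit' or 'stale'.
    Rules younger than the window are skipped: no evidence either way yet."""
    cutoff = now - timedelta(days=window_days)
    hits = last_hits(log_text)
    result = {}
    for rule, created in rule_created.items():
        if datetime.fromisoformat(created) > cutoff:
            continue
        last = hits.get(rule)
        if last is None:
            result[rule] = "never hit"
        elif last < cutoff:
            result[rule] = f"stale, last hit {last.date()}"
    return result


if __name__ == "__main__":
    print(removal_candidates(RULE_CREATED, LOG, now=datetime(2024, 6, 10)))
```

A "never hit" verdict is only as reliable as the log coverage behind it: if logging is disabled on a rule or retention is shorter than the window, the rule looks unused when it is not.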
Technical Details and Use Cases of Tufin
For technical specialists, it is important to understand how Tufin works “under the hood” and how it can be used to solve specific security problems. Let’s consider a few examples.
Integration with Firewalls and Network Devices
Tufin supports integration with a wide range of firewalls and network devices from leading manufacturers such as Check Point, Cisco, Fortinet, Palo Alto Networks, and others. Integration is carried out via APIs, SSH, SNMP, and other protocols. This allows Tufin to collect data about device configurations, analyze them, and make changes in automatic mode.
Example 1: Check Point API Integration
For the Check Point firewall, Tufin uses the API (for example, show-objects, show-access-rulebase) to obtain information about rules, objects, groups, and other configuration parameters. The integration allows you to extract data about Source, Destination, Service, Action, and other rule attributes. Tufin then analyzes this data for configuration errors, such as overly permissive rules or unused objects. If problems are detected, Tufin can automatically create a change request, which is sent to the security administrator for approval. After approval, Tufin automatically makes changes to the firewall configuration, eliminating the problem.
Configuration Analysis and Vulnerability Detection
Tufin uses powerful algorithms to analyze firewall and network device configurations and identify vulnerabilities. It checks configurations for compliance with security best practices, such as the principle of least privilege, network segmentation, and protection against known CVEs.
Example 2: Detecting a Risky Firewall Rule
Suppose SecureTrack discovers a firewall rule that allows traffic from all IP addresses (0.0.0.0/0) to port 22 (SSH) for an internal server. SecureTrack identifies this rule as risky because it potentially allows attackers from anywhere in the world to try to gain access to the server via SSH. SecureTrack may recommend restricting the rule, allowing access only from certain trusted IP addresses or networks.
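The check described in this example can be expressed as a small rule-base audit. This is an added example, not SecureTrack's implementation; the normalized rule fields and sample rules are assumptions constructed here. It goes slightly beyond the single case in the text by also catching rules that expose port 22 through a port range or an "any" service.

```python
import ipaddress

# Constructed sample rules. The field names are assumptions for this example,
# not SecureTrack's schema or any vendor's export format.
RULES = [
    {"id": 1, "action": "accept", "src": "0.0.0.0/0", "dst": "10.20.0.15/32", "ports": "22"},
    {"id": 2, "action": "accept", "src": "203.0.113.0/28", "dst": "10.20.0.15/32", "ports": "22"},
    {"id": 3, "action": "accept", "src": "0.0.0.0/0", "dst": "10.20.0.80/32", "ports": "1-1024"},
    {"id": 4, "action": "drop", "src": "0.0.0.0/0", "dst": "10.20.0.15/32", "ports": "22"},
    {"id": 5, "action": "accept", "src": "any", "dst": "10.20.0.0/24", "ports": "any"},
    {"id": 6, "action": "accept", "src": "0.0.0.0/0", "dst": "10.20.0.80/32", "ports": "80,443"},
]
SSH_PORT = 22


def to_network(value):
    """Parse a CIDR string; the keyword 'any' is treated as 0.0.0.0/0."""
    return ipaddress.ip_network("0.0.0.0/0" if value.lower() == "any" else value, strict=False)


def port_covered(spec, port):
    """True if a spec such as 'any', '22', '80,443' or '1-1024' includes port."""
    if spec.strip().lower() == "any":
        return True
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def risky_ssh_rules(rules, port=SSH_PORT):
    """Return findings for accept rules that expose `port` on internal
    destinations to every source address. Rule order and shadowing by
    earlier rules are not evaluated here."""
    findings = []
    for rule in rules:
        if rule["action"] != "accept" or not port_covered(rule["ports"], port):
            continue
        if to_network(rule["src"]).prefixlen != 0:   # source is already restricted
            continue
        if not to_network(rule["dst"]).is_private:   # only internal servers are in scope
            continue
        how = "explicitly" if rule["ports"] == str(port) else f"via broad service '{rule['ports']}'"
        findings.append({"id": rule["id"],
                         "reason": f"any source may reach {rule['dst']} on port {port} {how}",
                         "advice": "restrict the source to trusted addresses or networks"})
    return findings


if __name__ == "__main__":
    for finding in risky_ssh_rules(RULES):
        print(finding)
```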
  
Risk Management and Compliance
Tufin helps organizations manage risks and ensure compliance with various security standards such as PCI DSS, NIST, and HIPAA. It provides the necessary tools for network inventory, risk analysis, security reporting, and workflow automation.
Integration with SIEM and Vulnerability Management Systems
Tufin integrates with SIEM and Vulnerability Management systems, such as Splunk, QRadar, and Qualys, to improve visibility and coordination between different security systems. The integration allows you to exchange information about vulnerabilities, incidents, and other security events, which allows you to respond to threats faster and more effectively.
Example 3: Splunk Integration
Tufin can transmit information about security policies, configuration changes, and identified vulnerabilities to Splunk. Splunk can use this information to correlate with other security events (for example, detecting malicious activity, intrusion attempts) and identify suspicious activity. For example, if Tufin detects a change to a firewall rule that opens access to a critical system, this information is sent to Splunk, which can trigger an alert and warn security administrators.
Example 4: Using SecureApp to Automatically Define Policies for Applications
SecureApp can automatically determine the necessary rules for accessing an application by analyzing traffic flows and dependencies between application components. For example, for a web application, SecureApp can automatically create rules allowing access to the web server on ports 80 and 443, as well as to the database on the corresponding port. This greatly simplifies the process of defining and implementing security policies for applications.
Tufin API
Tufin provides an extensive API that allows you to automate various security policy management tasks, integrate with other systems, and create your own tools. The API allows you to programmatically obtain information about network configuration, firewall rules, security policies, and changes, as well as perform actions such as creating new rules, modifying existing ones, and running reports.
Benefits of Using Tufin for Automated Security Audit
Implementing a Tufin solution for automated security auditing provides many benefits that go beyond simply reducing time and resources. Tufin helps organizations improve their overall security posture, reduce risks, and ensure compliance with regulatory requirements.
Key Benefits:
- Improved Visibility and Control: Tufin provides complete visibility into your network infrastructure and network security policies, allowing you to see what’s happening on your network in real-time and control all changes. For example, SecureTrack provides interactive network maps that show all devices, connections, and rules configured on them.
- Risk Reduction: Tufin helps identify and eliminate vulnerabilities and configuration errors before they are exploited by attackers, reducing the risk of attacks and data breaches. For example, Tufin can automatically detect rules that allow access to critical systems from untrusted sources and suggest solutions to eliminate them.
- Improved Efficiency: Tufin automates security audit, security change management, and risk management processes, freeing up your specialists to focus on more important tasks. For example, SecureChange automates the change request, approval, and implementation process, reducing the time it takes to make changes to the network infrastructure.
- Simplified Compliance: Tufin helps organizations ensure compliance with various security standards such as PCI DSS, NIST, and HIPAA by providing the necessary tools for security reporting and workflow automation. For example, Tufin can generate reports that show how your network complies with PCI DSS requirements and identify areas for improvement.
- Improved Collaboration: Workflow automation improves collaboration between different teams, such as security, network, and application teams, ensuring that all changes to the network infrastructure comply with security policies and do not create new vulnerabilities.
Tufin Architecture
Tufin Orchestration Suite has a modular architecture consisting of several core components: SecureTrack, SecureChange, SecureApp, and Stalker. These components interact with each other and with external systems via APIs. The central element is a centralized database that stores all information about network configuration, security policies, and changes. The architecture allows you to scale the system to support large and complex network infrastructures.
Scalability
Tufin supports horizontal and vertical scaling, which allows you to adapt the system to the growing needs of the organization. You can add additional servers to process more data and requests. The Tufin database can also be scaled to store the growing volume of information.
Fault Tolerance
Tufin provides fault tolerance mechanisms, including component and database redundancy. In the event of a failure of one of the components, the system automatically switches to a backup component, ensuring business continuity.
Licensing and Cost
Tufin offers various licensing models, including licensing based on the number of devices, the number of users, and functionality. The cost of implementing Tufin depends on the size and complexity of the network infrastructure, as well as the selected components and services.
Comparison with Competitors: FireMon, AlgoSec
Tufin competes with other security policy management solutions such as FireMon and AlgoSec. Tufin stands out for its integration with a wide range of devices, powerful automation capabilities, and a user-friendly interface. FireMon has strong risk analysis and regulatory compliance capabilities. AlgoSec offers a more comprehensive solution for security policy management and workflow automation.
Conclusion
Tufin offers a comprehensive platform for automating security audits and managing security policies, which can help organizations reduce risks, increase efficiency, and ensure compliance with regulatory requirements. With broad integration with various devices, powerful automation capabilities, and a user-friendly interface, Tufin is an excellent choice for organizations seeking to improve their security posture.
FAQs about: Automated Security Audit with Tufin
- What is an automated security audit? An automated security audit is the process of scanning network infrastructure using specialized software (e.g., Tufin SecureTrack) to identify configuration errors, vulnerabilities, and deviations from security standards.
- What are the main benefits of automated security audit with Tufin? Key benefits include increased efficiency, improved network visibility, reduced risks, simplified compliance, and improved change management.
- What components are included in the Tufin Orchestration Suite? The Tufin Orchestration Suite includes Tufin SecureTrack (for monitoring and analysis) and Tufin SecureChange (for security workflow automation).
- What does Tufin SecureTrack do? Tufin SecureTrack provides continuous monitoring of network infrastructure, analyzes firewall and network device configurations, and identifies errors, vulnerabilities, and security policy violations.
- What does Tufin SecureChange do? Tufin SecureChange automates processes related to changes in network infrastructure, ensuring compliance with security policies and preventing new vulnerabilities.
- With which firewalls and network devices does Tufin integrate? Tufin integrates with a wide range of firewalls and network devices from leading vendors such as Check Point, Cisco, Fortinet, Palo Alto Networks, and others.
- How does Tufin help in risk management and compliance? Tufin provides tools for network inventory, risk analysis, security reporting, and workflow automation, helping organizations manage risks and comply with security standards such as PCI DSS, NIST, and HIPAA.
- Does Tufin integrate with SIEM and Vulnerability Management systems? Yes, Tufin integrates with SIEM and Vulnerability Management systems such as Splunk, QRadar, and Qualys to improve visibility and coordination between different security systems.
- What licensing options does Tufin offer? Tufin offers various licensing options to meet the needs of different organizations, regardless of their size.
- How can I get more information about Tufin? For more information about Tufin products, you can contact us to request a demo or a personalized consultation. Tufin services are also offered, including support, training, and professional services.




