The PivotNine Blog

Forward Networks For Defensive Planning

03 February 2023
Justin Warren

Forward Networks likes to call its product a digital twin which is a fancy term for a model.

In this case, the model is of your network. Forward Networks collects configuration information from as many of your network devices as you will let it. It uses this information to build a model of what your network looks like. The more data the Forward Networks system has, the more accurate that model can be. At least in theory.

The glorified database is the least interesting part though. What is interesting are the kinds of reports you can run on this database. You can ask questions like "Is there TCP reachability from this PC here in corporate HQ to this server in AWS us-west-1 on port 443?" or perhaps "Are routes in AS-nnnn being advertised out through this egress node on the edge of the network?"

You can ask questions of the model instead of interrogating production, which is safer and possibly faster as well. You can also ask more complex questions, because all the data is in one place in a format that Forward Networks understands. Figuring out why you can't traverse from A to B in a network can be tricky. Is something broken if you can't? Or is it deliberate policy to stop accidents and miscreants?

Blast radius

One aspect of this modelling ability that I particularly liked seeing was the concept of 'blast radius'. You could use Forward Networks' model to figure out where an intruder could get to if they broke into webserver web-us-west-1-332. As a defender, you can try to attack your own network, but only in the model, not for real, so there's very little danger of you breaking something important.

You could try all kinds of interesting scenarios in the simulation, quickly, and with low risk. And beyond discovering "yes, you can" or "no, you can't" you can also quickly understand why. Forward Networks can show you the specific lines of configuration on a firewall that are preventing you from successfully taking a given network path. Similarly, if you are able to traverse to somewhere you probably shouldn't be, you can figure out why, and what you'd need to change to stop it.

Which is the next great thing about models: simulations of a reality that doesn't actually exist.

Living in a simulation

Forward Networks' model lets you run simulations of a potential future to see what might happen. Sure, you might stop an attacker if you change the Winnipeg firewall rules, but you'd also break the financial reporting app that the CFO uses. This is a great thing to find out before you've broken production and have to explain to the C-suite why they can't get their work done by end-of-quarter deadlines.

You don't just have to live in one simulation, either. You can have a whole bunch of them! A series of parallel universes that don't really exist, but potentially exist. Try out a few different ideas and see which one you like best!

I can see using Forward Networks' model as a handy augmentation to tabletop exercises where you play out a "what would we do if the finance database got infected with ransomware?" scenario. You could actually test out your "what if" plans to see if they're likely to work, and maybe discover that some of your assumptions are quite wrong. Think of it like a corporate D&D session with a really detailed map and figurines to move around as you roll to save vs. malware.
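To make the blast-radius query and the Winnipeg-firewall what-if concrete, here is a small added Python model (my own illustration, not Forward Networks' code or data format): a toy graph with one firewall ACL, a reachability search that reports which rule cuts a path, the blast radius from a compromised web server, and two candidate rule changes compared against the finance reporting flows. All host names, ports and rules are constructed.

```python
from collections import deque

# Constructed toy model (an added illustration, not Forward Networks' data model): links between
# nodes plus an ordered ACL per firewall. Entry: (src_prefix, dst_prefix, port, action); "*" = any.
LINKS = {"fw-winnipeg": {"web-us-west-1-332", "pc-hq-cfo", "app-finreport", "db-finance"},
         "web-us-west-1-332": {"fw-winnipeg"}, "pc-hq-cfo": {"fw-winnipeg"},
         "app-finreport": {"fw-winnipeg"}, "db-finance": {"fw-winnipeg"}}
ALLOW_CFO = ("pc-hq-", "app-finreport", 443, "allow")
DENY_ALL = ("*", "*", "*", "deny")
ACLS = {"fw-winnipeg": [ALLOW_CFO, ("*", "db-finance", 5432, "allow"), DENY_ALL]}  # any host -> finance DB
CRITICAL_FLOWS = [("pc-hq-cfo", "app-finreport", 443), ("app-finreport", "db-finance", 5432)]
NAIVE_FIX = [ALLOW_CFO, DENY_ALL]                                                    # just drop the broad rule
TARGETED_FIX = [ALLOW_CFO, ("app-finreport", "db-finance", 5432, "allow"), DENY_ALL]  # only the reporting app

def matching_rule(acl, src, dst, port):
    """First ACL entry matching the flow (first match wins), or None."""
    for rule in acl:
        rs, rd, rp, _ = rule
        if (rs == "*" or src.startswith(rs)) and (rd == "*" or dst.startswith(rd)) and rp in ("*", port):
            return rule

def reachable(links, acls, src, dst, port):
    """BFS over the model: (path, None) if the flow gets through, else (None, (firewall, rule))."""
    queue, seen, blocker = deque([[src]]), {src}, None
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node == dst:
            return path, None
        if node in acls:                      # firewall: the flow must hit an explicit allow
            rule = matching_rule(acls[node], src, dst, port)
            if rule is None or rule[3] != "allow":
                blocker = (node, rule)        # remember *why* the path is cut
                continue
        for nxt in links.get(node, ()):
            if nxt not in seen:
                seen.add(nxt); queue.append(path + [nxt])
    return None, blocker

def blast_radius(links, acls, compromised, ports=(443, 5432)):
    """Every (host, port) an intruder on `compromised` could reach in the model."""
    return {(h, p) for h in links if h != compromised and h not in acls
            for p in ports if reachable(links, acls, compromised, h, p)[0]}

def what_if(links, acls, fw, new_acl, compromised, critical_flows):
    """Swap one firewall's ACL in a copy of the model: new blast radius and the critical flows it breaks."""
    trial = {**acls, fw: new_acl}
    broken = [f for f in critical_flows if not reachable(links, trial, *f)[0]]
    return blast_radius(links, trial, compromised), broken
```

Running `what_if` with `NAIVE_FIX` shrinks the blast radius but breaks the reporting app's database flow; `TARGETED_FIX` shrinks it just as much while keeping both critical flows working, which is exactly the comparison you would want before touching production.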

The map is not the territory

One note of caution, however: as statistician E. P. Box said, "All models are wrong, but some are useful." We need to be very careful when using models of reality that we don't forget that they are just that: models.

This is one reason that Forward Networks is read-only. It doesn't have the ability to manipulate production directly, and that's a good thing. The model might be very good, but it can't contain everything. As some of my fellow delegates pointed out: the model contains only what has been modelled, what is usual. An attacker breaking in via a brand new vulnerability probably won't be in the model, because it deals with unknown quantities that the model can't know about.

We also have to be careful that the model might be wrong about what reality really does. Networks are complex and weird. Forward Networks will make it easier to understand, but the emergent complexity of large networks often defies human understanding. Some angry sand we tricked into doing binary maths probably won't understand it all, either.

But there is still plenty of useful work to be done within the constraints of what Forward Networks' model does contain. Provided we remind ourselves that none of this is real, we can embrace what makes this unreality useful and leave the constraints of the physical world behind, even if just for a moment or two. There is lots of scope to do really interesting work in this simulated world.

I was a guest of GestaltIT/TechFieldDay at Cloud Field Day 16