On Wednesday at RSAC, Mitch Greenfield of Humana led a session describing his team’s experience deploying a network visibility and access control system. The session, titled Avoiding the Five Stages of Grief for a Successful Visibility and Access Control Program, focused on an often-underestimated aspect of technology deployments – the impact on people.
Humana started the project to ask a simple but often difficult question: “What do we have on our network?” Its security team estimated 180,000 endpoints (including computers running different versions of Windows and macOS, IP phones, printers, etc.). While Forescout CounterACT® helped answer that question, the team underestimated the impact that information would have on the rest of the organization.
As Ellen Sundra, Forescout’s VP of Americas Systems Engineering, noted, “We underestimate the organizational change component. Technology is important, but getting an organization ready—the teaming, the setting of the policies, determining what to do with this new data—these are the things that people don’t think enough about.”
To examine the impact that a visibility and network access control program has on an organization, Mitch had some fun and viewed it through the lens of the five stages of grief.
Mitch described that the moment Humana turned on the Forescout device visibility platform, it started collecting interesting data. The Humana team didn’t anticipate the impact of having a number of unknown and often non-compliant devices on the network.
“No, that can’t be… We can’t have that on the network… This can’t be here.”
“The system was consistently right, and we were consistently surprised by the results,” said Mitch. And when that data was shared with the network, data center and endpoint teams, denial was a common theme. This denial forced the security team to validate the results and they realized the system was right.
After the project kicks off and the organization starts working on a solution, we reach the anger phase. Per Mitch, “This is where the project can get out of control. The key is to not burn bridges with constituents and the rest of IT. There can be a lot of finger pointing – security vs networking vs compliance.”
Humana worked through this phase constructively, attempting to avoid alienating key constituents. “NAC is not a project, it’s an ongoing process that everyone has to be into and participate in.” A critical aspect is how the implementation team manages management. “No one wants to hear that their baby is ugly or that things are going wrong.”
Bargaining is the next phase of the deployment. This typically occurs after everyone is coming to grips with the data and the discovery of non-compliant situations.
The Humana team learned they were building a system that contained data that could help many other internal partners.
Mitch recommended finding more stakeholders outside of the security team and integrating into other systems across IT. “Other organizations could then see what value they would receive if they worked with us to deploy Forescout.” The Asset Management team, for example, wanted more real-time information about the devices under corporate control. Forescout gave them that information.
Ellen brought up the common frenemy situation between network and security teams. Forescout can help them find misconfigurations and inconsistencies in the environment and help network teams standardize and build more consistent configurations.
When looking at a network visibility and access control project holistically, it can be daunting and constituents can lose heart. Depression often sets in.
Mitch recommended focusing on small wins to move the project forward. “The team needs to focus on the positive outcome—the end-game results. The environment will be cleaner, more consistent, more orchestrated.”
Ellen noted that the most successful programs start with a “crawl, walk, run” methodology. “Take each step. Build a foundation on visibility first, then later phases can add in more complicated network access control.”
Humana started with visibility and integration with networking tools, followed by implementing very basic network control and authentication. They then started looking at more complex use cases like endpoint compliance posture.
Projects need partnership. The outcomes Humana was able to achieve wouldn’t have been possible if it weren’t for teams working together for the common good.
“We were constantly improving across the five phases. It helped us fix problems (misconfigurations, out-of-compliance machines, firewall policies, etc.). And most importantly, the project helped bring our disparate teams together,” recalled Mitch.
Acceptance of the solution will also enable greater efficiencies over time. As Ellen noted, in many deployments, once things start working and the system starts gaining acceptance, people become more comfortable with automation, which will make the company faster, safer and easier.
If you couldn’t make the show, and still want to learn how to avoid the five stages of grief in your visibility and control project, we’ll bring the show to you. Take a test drive of Forescout in a live virtual machine environment with an expert who can walk you through a few real-life use cases like finding ransomware in your environment.