One of the common characteristics that binds breached organisations is the lack of full network visibility. While most organisations will have some level of visibility, there will still be gaps, advanced persistent threats (APTs), and further complexities that allow criminals to gain a foothold within corporate networks. Considering the size and scope of most hybrid environments – consisting of a variety of disparate network elements including cloud, on-premise, OT, and virtual networks – it’s easy to see how blind spots develop which leave companies vulnerable to attack.
Gaining full network visibility means more than just being able to see all vulnerabilities, assets and network elements. When we talk about visibility, we should be talking about gaining insight that lets us understand network context. Visibility means more than just gaining a surface-level understanding of what exists within the security environment – it means that processes are in place to support the ongoing collection of data from network devices, security controls, assets, vulnerabilities and threats that will give security teams the clarity and focus that they need to form effective remediation strategies.
The need for heightened levels of network visibility is becoming more pressing as time progresses. Every year, we’re seeing tens of thousands of new vulnerability reports being published. And every year, organisations are adding more network elements into their environments as a result of digital transformation initiatives. The CISO and their team, already resource-stretched, are having to make daily decisions about how best to protect their organisation. In order to make the best use of their resources and to ensure that they’re remediating the right vulnerabilities, these decisions need to be based on data and insight that understands the context of their network environment. The margin for error is becoming so slim – nobody should want to leave any aspect of their security program up to chance.
What is Standing in the Way of Total Network Visibility?
The goal of achieving contextual visibility can be tricky. Organisations have already made concerted efforts to identify vulnerabilities within their environment by making significant investments in scanner technology. However, the conventional ‘scan and patch’ method used for vulnerability management is no longer sufficient. In rapidly changing environments, there are issues with the latency of scan results, and in organisations that have blind spots within off-limits network segments (including operational technology) and “unscannable” network devices, scanners do little to help improve overall security levels.
Of course, scanners are still useful. When they form part of a robust cybersecurity management programme that incorporates scanless assessments (which can normalize scan data, but also discover vulnerabilities without a scan in the segments and devices the scanner cannot access), they are a vital tool. Data gathered by scanners can be normalised and combined with a range of other data sets to provide a vulnerability register that is both exact and updated on demand without disruption to the network.
Another factor standing in the way of organisations’ ability to gain full network visibility is errors caused by disconnected data (or technology) and processes . In large, hybrid environments it’s inevitable that there will be greater levels of disconnect and, therefore, greater numbers of errors. This disconnect stems from the way that firms organise themselves: it’s commonplace for different teams to take responsibility for separate sections of the network. Security teams may manage one network area, operations a different one and DevOps/ DevSecOps another. This siloed system fosters an environment in which mistakes can easily slip through the net.
Despite every team having its own role, the processes that make up their everyday responsibilities should still aim towards one overarching objective. DevSecOps teams could have processes in place for “security in code”, but any alterations to services have the potential to affect the security of configurations and will require ongoing monitoring in case the risk status changes later down the road. Without maintaining an open dialogue with teams responsible for other business functions (like infosecurity, operations, IT, or incident response) it’s all too easy for mistakes to slip through the net. But if all teams are able to work with shared and comprehensive network visibility, they will be able to foster better communication and spot and fix any process disconnects in a timely fashion.
Understanding Exposure Should Not be Underestimated
Companies’ remediation strategies are often based on CVSS scores; where critical or high–severity vulnerabilities are identified within their infrastructure; it is only logical that their remediation will be prioritised above medium–severity flaws. However, it should not be assumed that a medium–severity CVSS score equals medium risk. Attackers are aware that a growing volume of medium–severity flaws can remain unpatched in a company’s environment for a long time, which is why they frequently seek to maximise on medium–severity vulnerabilities.
In 2019, vulnerabilities with a medium-severity CVSS were found to account for 40% of all new reports. This percentage share is a rise on the previous year when medium vulnerabilities represented a just third (34%) of total reports, according to Skybox Security’s Vulnerability and Threat Trends Report 2020.
Now, organisations are caught between a rock and a hard place. If they were to follow the current way of working, in order to remediate every medium–severity vulnerability within their company as well as all critical and high–severity flaws they would need to employ more people and dedicate more funds and manpower to even be able to scratch the surface; considering the ongoing skills crisis, this simply wouldn’t be possible.
With contextual visibility, they can assess actual risk – not just baseline severity - by understanding vulnerabilities in relation to the asset that hosts them and the placement of assets in the network topology, surrounding security controls and threat origins. Such a thorough understanding of exposure empowers security teams to refine their remediation strategies so they know that they are remediating the right vulnerabilities first, regardless of severity level.
Using Visibility as a Business Driver
Organisations which have contextual network visibility in place see the benefits every day. They are able to understand and reduce the size of their attack surface. They can mend some of the fragmentation which exists within their hybrid environments. They will have been better positioned to react swiftly to the new security challenges thrown up by the COVID-19 crisis: by having a better understanding of their network, they are able to react quicker, to be more flexible and be confident in their emerging strategies.
They also have a stronger basis to better support their organisations’ ongoing digital transformation initiatives, knowing that they have strong foundations that will help them to avoid breaches, achieve control and streamline vulnerability management as and when new network elements are introduced. The benefits of contextual network visibility in relation to improving vulnerability management practices are clear – the question that organisations now need to ask themselves is how they’re going to get there.
Author: Ron Davidson, VP R&D and CTO, Skybox Security