How Network Visibility and Context Simplify Cybersecurity Management
Will Grove March 27, 2020
There’s a common thread that connects most organizations that suffer breaches: they lack total network visibility. Large enterprise estates comprise several disparate network elements, including on-premises, OT, cloud and virtual networks. These hybrid environments are rife with process disconnects and have a number of dangerous blind spots.
Without full network visibility, security teams do not know what they are supposed to remediate or protect, which greatly increases the complexity of their workloads. As cybersecurity needs evolve and pressures placed on the CISO and their team increase, the need for visibility and insight that’s informed by internal and external threat context has become painfully obvious.
Why Network Visibility and Context are Key to Simplifying Cybersecurity Management
Disconnected processes are a leading cause of security errors, and the potential for process disconnect increases within large, hybrid environments. This is primarily because separate teams are put in charge of different areas of the network: an increasing number of workplaces have security teams managing one network area, operations a second and DevOps/DevSecOps a third. These silos make it very easy for mistakes to slip through the net.
Although each team has its specific function, the processes involved in their day-to-day tasks still need to point towards a common goal. DevSecOps teams may have procedures for “security in code”, but any change to a service can alter its compliance status and its risk, and those changes need to be monitored. This is why complete network visibility is so important. Without it, organizations cannot identify and analyze their vulnerabilities. With it, the CISO can break down operational silos and gain a true understanding of every ingress and egress point in the environment, which in turn informs ongoing strategy.
However, in isolation, full network visibility is only peripherally useful. Being able to identify all vulnerabilities and assets is necessary, but visibility by itself doesn’t inform strategy. That requires context: security teams need to know how exposed each vulnerability and asset is (for example, whether the vulnerable service is actually reachable from an untrusted network, and whether an exploit is known to exist) so that they can remediate the right vulnerabilities first. With this knowledge, they can eliminate guesswork, focus their effort and gain confidence that they are defending the assets that matter while reducing the size of their attack surface.
Barriers to Achieving Total Network Visibility
Of course, gaining context-informed network visibility is easier said than done. Businesses have already made significant investments in scanner technology so that they can identify vulnerabilities within their environment. But the traditional ‘scan and patch’ approach to vulnerability management doesn’t cut it anymore: scanners miss too many blind spots, too much time passes between scans, and too many network areas (including OT devices) cannot safely be touched by an active scanner at all.
This isn’t to say that scanners are no longer of any use. They remain invaluable as part of a robust cybersecurity management program that also includes scanless assessments. Data collected by scanners can be normalized into a common schema and merged with other data sources, such as asset inventories, configuration and firewall rule data, and threat intelligence, to deliver an accurate and continuously updated vulnerability record.
Adding that additional layer of insight, an understanding of vulnerability and asset exposure, is easier than you might think. The initial effort and resources dedicated to building this deeper level of understanding pay off once security teams can see which vulnerabilities in their environment pose the greatest risk, rather than merely which carry the highest score.
The Importance of Understanding Exposure
The Vulnerability and Threat Trends Report 2020 found that vulnerabilities with a medium-severity CVSS score now account for 40% of all new reports, up from 34% the previous year.
Organizations depend on CVSS scores to determine their remediation strategies: if they see critical- or high-severity vulnerabilities within their infrastructure, they will instinctively remediate those before any medium-severity flaws. But a medium-severity CVSS score does not equate to medium risk. CVSS base scores describe the intrinsic characteristics of a flaw, not where it sits in your network or whether anyone can reach it. A growing mass of medium-severity flaws can sit unpatched in an organization’s environment for a long period; attackers know this, which is why medium-severity vulnerabilities are so attractive to them.
This puts organizations in a difficult position. They lack the resources to remediate every medium-severity vulnerability on top of all critical- and high-severity flaws. But if they understand which vulnerabilities are most exposed, regardless of severity level, they can ensure that those are patched in time. Insight into exposure lets security teams build focused remediation strategies that greatly limit opportunities for attackers.
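The two ideas above, merging normalized scanner data with other sources and then ranking by exposure rather than raw CVSS, can be made concrete with a small worked example. The code below is an added illustration, not code from the article or from any vendor product. Everything in it is constructed: the two scanner exports (with different schemas), the firewall rule base, the exploit feed, the placeholder vulnerability IDs (V-1001 and so on, not real CVEs) and the risk weights are all assumptions chosen to show the mechanism. It normalizes both scanner feeds into one record per host, vulnerability and port, decides from the firewall rules whether each vulnerable service is reachable from the internet, from the corporate network or from neither, and scores each finding so that a medium CVSS on an internet-reachable service can outrank a critical CVSS on an isolated OT device.

```python
"""Exposure-informed prioritisation of merged scanner findings.

Added example, not the article's own code. All inputs below are constructed:
two scanner exports in different formats, a first-match firewall rule base,
a threat feed of vulnerability IDs with a known exploit, and an assumed risk
formula (CVSS x exposure weight x exploit multiplier).
"""
import csv
import io
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# ---- Constructed sample inputs (placeholder IDs, not real CVEs) ----
SCANNER_A_CSV = """host,plugin,cvss,port
10.0.1.10,V-1001,5.3,443
10.0.2.20,V-2002,8.1,445
"""
SCANNER_B_JSON = [
    {"ip": "10.0.1.10", "id": "V-1001", "score": "5.3", "service": {"port": 443}},
    {"ip": "10.0.3.30", "id": "V-3003", "score": "6.5", "service": {"port": 22}},
    {"ip": "192.168.50.5", "id": "V-4004", "score": "9.8", "service": {"port": 502}},
]
# Constructed firewall rule base: evaluated top-down, first match wins, default deny.
FIREWALL_RULES = [
    {"src": "internet", "dst": "10.0.1.0/24", "port": 443, "action": "allow"},
    {"src": "internet", "dst": "10.0.0.0/16", "port": None, "action": "deny"},
    {"src": "corp", "dst": "10.0.0.0/16", "port": None, "action": "allow"},
]
# Constructed threat-context feed: IDs for which a public exploit is known.
EXPLOIT_KNOWN = {"V-3003"}

# Assumed weights for the risk formula; tune them to your own environment.
EXPOSURE_WEIGHT = {"internet": 3.0, "internal": 1.5, "isolated": 0.5}
EXPLOIT_MULTIPLIER = 1.5


@dataclass
class Finding:
    host: str
    vuln_id: str
    port: int
    cvss: float
    sources: set


def normalise() -> dict:
    """Merge both scanners into one record per (host, vuln, port), keeping the higher CVSS."""
    merged = {}

    def add(host, vuln_id, port, cvss, source):
        key = (host, vuln_id, port)
        existing = merged.get(key)
        if existing is None:
            merged[key] = Finding(host, vuln_id, port, cvss, {source})
        else:  # same finding seen by a second scanner: dedupe, record both sources
            existing.cvss = max(existing.cvss, cvss)
            existing.sources.add(source)

    for row in csv.DictReader(io.StringIO(SCANNER_A_CSV)):
        add(row["host"], row["plugin"], int(row["port"]), float(row["cvss"]), "scanner_a")
    for row in SCANNER_B_JSON:
        add(row["ip"], row["id"], int(row["service"]["port"]), float(row["score"]), "scanner_b")
    return merged


def reachable(zone: str, host: str, port: int, rules=FIREWALL_RULES) -> bool:
    """First-match firewall evaluation: can `zone` reach host:port? Default deny."""
    ip = ip_address(host)
    for rule in rules:
        if rule["src"] != zone or ip not in ip_network(rule["dst"]):
            continue
        if rule["port"] is not None and rule["port"] != port:
            continue
        return rule["action"] == "allow"
    return False


def exposure(host: str, port: int) -> str:
    """Classify the vulnerable service by the least trusted zone that can reach it."""
    if reachable("internet", host, port):
        return "internet"
    if reachable("corp", host, port):
        return "internal"
    return "isolated"


def risk(f: Finding) -> float:
    """Assumed risk formula: CVSS scaled by exposure, boosted if an exploit is known."""
    score = f.cvss * EXPOSURE_WEIGHT[exposure(f.host, f.port)]
    if f.vuln_id in EXPLOIT_KNOWN:
        score *= EXPLOIT_MULTIPLIER
    return round(score, 2)


def prioritise() -> list:
    """Return (risk, finding) pairs ordered by exposure-informed risk, highest first."""
    return sorted(((risk(f), f) for f in normalise().values()),
                  key=lambda pair: pair[0], reverse=True)


if __name__ == "__main__":
    for score, f in prioritise():
        print(f"{score:6.2f}  {f.vuln_id}  cvss={f.cvss}  {f.host}:{f.port}  "
              f"{exposure(f.host, f.port)}  sources={sorted(f.sources)}")
```

With these inputs the medium-severity V-1001 (CVSS 5.3, reachable from the internet on 443) ranks first, the critical V-4004 (CVSS 9.8) ranks last because no rule lets any zone reach the OT host, and the duplicate V-1001 report from both scanners collapses into a single record that credits both sources. Swapping the weights, or replacing the toy rule base with a real reachability model, changes the numbers but not the point: exposure context, not the base score alone, should drive the patch queue.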
Achieving context-rich network visibility has become a must-have. Hybrid security environments are only going to become more fragmented and the attack surface will continue to expand. The COVID-19 crisis is one example of how unpredictable the pressures on security teams can be: most office-based organizations suddenly had to contend with a perimeter that stretched to every employee’s home when the whole workforce began working remotely. To avoid breaches, gain control, simplify cybersecurity management and be in a position to secure digital transformation initiatives, organizations need visibility. It is now the bedrock of a successful security program.