Author: Kevin Flynn - Sr. Manager, Product Marketing, Tenable
IT infrastructure often grows up with a company. New tools, applications, systems, and user profiles are bolted onto the greater whole as the need for them emerges, usually without being given much strategic consideration. Organizational silos spring up around these additions as teams discover that each new tool requires new skills to deploy and maintain. Before long, the entire operation can resemble a ramshackle old house onto which each generation of homeowner has attached a new room.
Threats lurk in the dark corners. Unforeseen vulnerabilities, aging tech, distributed data centers, network sprawl, greedy insiders, and gullible users thrive. With the components of enterprise IT infrastructure scattered and compartmentalized, it’s difficult for any one person or team to achieve holistic visibility into the entire network.
Lack of visibility makes it difficult to find these siloed threat vectors, and even tougher to address them once they are found. That’s because, in most cases, the tools and tactics available are only designed to tackle specific and unintegrated areas of concern. We often see security tools being deployed scattershot throughout the organization. We see teams in operations, applications security, DevOps, network security, machine learning, high performance computing teams, Security Operations Center (SOC), and auditing and compliance all pursuing and deploying their own discrete tools. And there is no shortage of security tools.
While these issues are nothing new, addressing them has never been more urgent as the attack surface continues to expand. In our work with IT and cybersecurity professionals, we often hear about the challenges of protecting all the isolated apps -- and the distributed computing and storage platforms -- in use throughout the enterprise. Operational technology (OT) and internet of things (IoT) devices introduce their own sets of problems, since these internet-connected solutions are often deployed outside the auspices of the IT organization.
In most cases, organizations end up integrating apps through APIs and putting a multitude of clouds under a single management platform purview in order to manage the lot of them at once. But even this approach is only a stopgap. It’s no substitute for a holistic cybersecurity strategy which emphasizes visibility across the network and applies granular insights about the threats that may be lurking among them, so organizations can effectively prioritize responses. We call this approach Cyber Exposure.
Cyber Exposure is an emerging discipline for managing and measuring cybersecurity risk in the digital era. Cyber Exposure transforms security from static and siloed visibility to dynamic and holistic visibility across the modern attack surface. It’s the foundation upon which to build a cybersecurity strategy that accommodates the entirety of the modern attack surface.
Building a holistic cybersecurity strategy using the discipline of Cyber Exposure enables you to answer each of these four questions about your organization at any point in time:
How secure - and exposed - are we? Answering this question requires visibility into all aspects of the organization's attack surface -- including cloud resources, containers, industrial control systems, and mobile devices, which may or may not be on the radar of IT. It involves taking inventory of where specific threats to your company exist. For example, if your organization is particularly diligent about deploying patches, then the latest Windows vulnerability may not be as big a concern as it would be for an enterprise that hasn’t patched its systems in seven years. By coming to terms with where your exposures are – or where they are likely to be – you reveal the larger picture of what’s at risk.
What should we prioritize? The answers to this question should be based on a combination of threat intelligence to understand the exploitability of the issue and asset criticality to understand the business context of the asset. Effective prioritization of vulnerabilities needs to take in the business context in order to optimize your efforts, resources, and budget. It enables you to zero in on protecting the vulnerable areas likely to cost your organization the most in terms of labor, penalties, time, recovery, and reputation. It also helps reduce alert fatigue, as you can then prioritize how your team responds to vulnerabilties based on how critical the affected assets are to your business and the likelihood a given vulnerability will be exploited.
How are we reducing exposure over time? Your ability to answer this question is a measure of your progress. You’ll need to identify the metrics and KPIs against which you’ll measure your efforts. Such metrics should be viewable by business unit, geography and asset type. The goal is to understand how your exposure profile is changing month to month, quarter to quarter, and year to year, so you can help your business-side colleagues and the c-suite understand whether the company’s investments in cybersecurity are paying off.
How do we compare to our peers? Answering this question forces you out of your company’s internal bubble to help you understand how your cybersecurity practices stack up against those of others in your field, as well as those in other industries. How your organization ranks against industry peers, and against best-in-class security, is an important dialogue for every Board of Directors to have to drive a more strategic discussion and help ensure the board is upholding their fiduciary responsibility in providing the proper risk oversight for the company. Cyber risk is no different than other business risks and should be managed and measured the same way.
Your ability to accurately answer these four questions is vital to understanding the total risk exposure and the effectiveness of your cybersecurity measures. But if you’re dealing with a heavily compartmentalized IT infrastructure, it may seem daunting to know where to even start moving toward a more holistic strategy.
Here are three tips you can begin using today to help you begin your journey toward a holistic cybersecurity strategy.
- From phishing to fishes, look deeper and broader for vulnerabilities. The next attack is likely to come from an unknown and unexpected direction. The infamous casino aquarium hack, where hackers grabbed 10 GB of data from a casino via the internet-connected sensors in a fish tank, is a perfect example. Indeed, given the fast-growing number of IoT devices and their accompanying opportunities for bad actors to enter, security teams will have to continuously update their list of vulnerabilities. But IoT devices are not the only hidden corners that need to be illuminated and secured against threats. Don’t forget about cloud services and cloud environments, containers, video surveillance systems, industrial control devices, point-of-sale fixtures, HVAC systems, and any other internet-connected system which is not typically handled by the IT/SecOps teams. For example, in September, Tenable researchers revealed their discovery of Peekaboo, a vulnerability potentially affecting hundreds of thousands of internet-connected cameras used in video surveillance systems. Make sure your security teams are truly looking everywhere and are armed with tools designed to sniff out vulnerabilities as they appear in new places.
- Not all assets are created equal. It’s imperative to know which assets are most critical to your business in order to respond the threats forcefully and appropriately. An iPad used by your company’s CFO may be a more high-value target than the iPad used at the reception desk to sign in visitors. Make sure you’re focusing on your most critical assets first. Take the time now to determine the criticality of each asset and rank its importance in terms of response times. Then update this information regularly. Asset tagging is a good place to start building an inventory of assets based on their criticality. Remember to include compliance requirements, such as GDPR, HIPAA, and PCI, as part of your asset criticality assessment.
- Prioritize remediation. Only a small percentage of the thousands of vulnerabilities disclosed every year are ever actually exploited. You need insight into which vulnerabilities are currently being exploited in the wild, along with early warnings about those likely to be attacked in the near future. Having access to this kind of information allows security teams to prioritize their threat response based on the criticality of the asset, threat intelligence, and probability analysis.