This is Part 1 in a series on the use of security analytics in an enterprise
Everything connected to the internet can be hacked; everything is being connected to the internet; therefore everything can be hacked. You don’t need to be an expert in syllogisms to understand the increasing complexity of the attack surface — that is, the sum total of all the ways an organization can be attacked.
Not only are organizations’ networks incorporating more devices than ever before, their users are more mobile and their business approaches are ever-more shifting to the cloud.
With this complexity comes more opportunities for vulnerabilities to be exploited. The WannaCry ransomware attack in May 2017 that quickly swept across the globe took advantage of a vulnerability with a known exploit and available patch; yet many organizations failed to mitigate the vulnerability through the patch or otherwise.
According to a 2015 Verizon report, 97% of breaches are avoidable through standard controls. That number may have changed slightly, but WannaCry was a stark reminder of the struggle organizations face to understand and properly wield their security resources. At the root of this struggle is limited visibility of the attack surface.
Frequently, networking and security data exists in siloes, and stitching together this data to give it context is extremely complicated (if not impossible by manual processes). Another problem is the sheer volume of vulnerabilities present in a typical enterprise network, with more vulnerabilities announced every day. Deciphering the severity and exposure of these vulnerabilities requires layers of analysis.
Organizations often do not have or cannot dedicate enough people to the problem. To make matters worse, the threat landscape is constantly evolving, which means the job of finding and fixing vulnerabilities is never done, even if you have the manpower and processes in place.
Visibility and Context
To secure the organization, comprehensive visibility is the most important factor. This means visibility not just across physical IT networks, but also cloud and virtual environments, as well as operational technology networks such as industrial control systems where applicable. “You can’t fix what you can’t see,” says Avi Corfas, vice president of the Asia-Pacific region for Skybox Security. “It’s like trying to protect your home from a break-in when you can only see into one room. What are all the ways he can he get in? Where can he go once he’s inside? What can he escape with?”
To protect your enterprise data, you must have contextual understanding of your environment in order to effectively address threats. For example, you need to know the asset’s importance to the business and network functionality as well as its exposure. You need to have visibility to the network paths surrounding that asset, what vulnerabilities or security issues could create an attack path to that asset and what compensating controls can keep it safe.
Context is important in other areas as well, such as vulnerability management. For example, a vulnerability with a CVSS severity rating of “high” may not be as critical to your organization as another vulnerability rated “low.” Why? The “high” vulnerability may have compensating controls in place that block the attack path, while the “low” vulnerability may be exposed and/or leads to critical data such as financial or personal information.
The key point is that without the context of your entire network, you can’t make informed decisions about what is truly putting your organization at risk.
The exponential growth in cloud and virtual networks, mobile and IoT devices is expanding the attack surface by the day. With increased complexity, it’s not just about understanding individual components but also how they interact.
In upcoming installments, we will examine how you can gain visibility and control over the attack surface of your organization.
This is a QuestexAsia feature commissioned by Skybox Security