With a staggering number of known vulnerabilities and new ones disclosed daily, no organisation can address every single security issue. So how can organisations effectively protect their end users, customers and data as risks grow, especially in a hybrid and remote work environment?
The key is to start by mapping out your risk surface: gaining a clear understanding of the assets connected to your network at all times. We sought insights from two experts in the field, John J. Masserini, Senior Security Analyst at TAG Cyber, and Chris Goettl, Vice President of Security Product Management at Ivanti, on how organisations can determine their unique cyber risk factors for prioritising vulnerabilities.
Below, we present excerpts from their conversation:
Discovering all endpoints, including the unknown, on your network
Chris Goettl: Leading cybersecurity frameworks, such as NIST, CIS, and others, emphasise the importance of discovery and asset management. This is because without knowledge of what exists in our environment, we cannot effectively secure it. Discovery serves as a foundational component of any robust security programme, employing active and passive methods to connect to various data sources and gather comprehensive information about your environment.
Through engagement with customers and security surveys, Ivanti has found that most organisations have a significant 20-30% gap in their understanding of the devices managed within their environment. By examining multiple data sources such as endpoint management, asset management, and endpoint protection solutions, along with procurement records, it becomes evident that a substantial portion of the environment remains unseen.
It is crucial for cybersecurity frameworks to stress the inclusion of discovery because failure to identify these blind spots leaves organisations vulnerable to threat actors.
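The multi-source comparison Goettl describes can be made concrete. The following is an added example, not Ivanti's tooling or anything from the original article: five constructed inventories (endpoint management, asset management, endpoint protection, procurement records and an active/passive network discovery scan) are keyed on MAC address, normalised so that the different formats each tool emits line up, and reconciled to show which devices the endpoint management platform does not know about. The source names, MAC addresses and the choice of endpoint management as the "managed" baseline are assumptions for illustration.

```python
"""Reconcile device inventories from several sources to measure the
discovery gap: devices seen somewhere but absent from endpoint management.
Added example with constructed data; no real inventory is used."""


def norm_mac(mac: str) -> str:
    """Normalise 'AA-BB-CC-DD-EE-FF', 'aabb.ccdd.eeff' and 'aa:bb:...' to one form.

    Different tools export MACs differently; without this step the same
    device would be counted several times and the gap would be overstated.
    """
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


# Constructed sample inventories (hypothetical devices, assumption for the example).
SOURCES = {
    "endpoint_mgmt": [
        "00:11:22:33:44:01", "00:11:22:33:44:02", "00-11-22-33-44-03",
        "00:11:22:33:44:04", "0011.2233.4405", "00:11:22:33:44:06",
        "00:11:22:33:44:07",
    ],
    "asset_mgmt": [
        "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03",
        "00:11:22:33:44:08",
    ],
    "endpoint_protection": [
        "00:11:22:33:44:01", "00:11:22:33:44:04", "00:11:22:33:44:09",
    ],
    "procurement": ["00:11:22:33:44:08"],
    # Active/passive scan of the network: the only source that sees everything on the wire.
    "network_discovery": [f"00:11:22:33:44:{n:02x}" for n in range(1, 11)],
}


def reconcile(sources: dict, managed_source: str = "endpoint_mgmt") -> dict:
    """Merge every source and report devices missing from the managed baseline.

    Returns the total device count, how many the baseline manages, a map of
    unmanaged MAC -> sources that do know about it, the subset seen only by
    network discovery (the genuinely unknown devices), and the gap percentage.
    """
    seen: dict = {}
    for src, macs in sources.items():
        for mac in macs:
            seen.setdefault(norm_mac(mac), set()).add(src)

    managed = {m for m, srcs in seen.items() if managed_source in srcs}
    unmanaged = {m: sorted(srcs) for m, srcs in seen.items() if managed_source not in srcs}
    # Known to no record system at all: only the scan saw them.
    unknown = sorted(m for m, srcs in unmanaged.items() if srcs == ["network_discovery"])
    gap_pct = round(100.0 * len(unmanaged) / len(seen), 1) if seen else 0.0
    return {
        "total": len(seen),
        "managed": len(managed),
        "unmanaged": unmanaged,
        "unknown": unknown,
        "gap_pct": gap_pct,
    }


if __name__ == "__main__":
    report = reconcile(SOURCES)
    print(f"{report['total']} devices seen, {report['managed']} managed, "
          f"gap {report['gap_pct']}%")
    for mac, srcs in sorted(report["unmanaged"].items()):
        print(f"  unmanaged {mac}: known to {', '.join(srcs)}")
    print("  unknown to every record system:", ", ".join(report["unknown"]))
```

Two kinds of gap fall out of the join: devices that procurement or the CMDB know about but that never got enrolled in management (an onboarding failure), and devices that only the network scan sees (the blind spots Goettl refers to). In practice the join key is rarely as clean as a MAC address; hostnames, serial numbers and cloud instance IDs each need their own normalisation before the same comparison works.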
Mitigating risks associated with unknown IoT devices in your IT environment
Chris Goettl: Unknown IoT devices can introduce various risks to your IT environment. For instance, even seemingly harmless devices like light bulbs have been leveraged in widespread Distributed Denial of Service (DDoS) attacks. These devices may also possess vulnerabilities that enable remote manipulation, such as turning on heating elements to the point of causing a fire. Another example is medical IoT devices used in hospitals, which, if compromised, could allow eavesdropping on conversations, disrupt critical operations, or physically obstruct pathways.
Each device, regardless of its perceived benign nature, carries potential risks. Discovery plays a vital role in identifying these devices, enabling organizations to segment and manage them accordingly. While patching may not always be feasible for such devices, understanding their presence is crucial for effective risk management.
The role of asset information in prioritising patching
John Masserini: Knowing what assets exist forms the foundation of a vulnerability management programme. However, the next step is to evaluate the criticality of these assets in terms of their impact on revenue streams.
Regardless of the patching programme employed, decisions revolve around the acceptable level of downtime and the revenue generated by the affected devices. By understanding the criticality of devices to the business lines, organisations can develop risk metrics for effective risk-based vulnerability management. A business impact analysis, commonly used in business continuity programmes, proves valuable in this regard, providing insights into the risk posed by applications and environments.
In the pursuit of optimal security, it’s important to strike a balance between desired outcomes and practical limitations. By determining the minimal acceptable standard for downtime and aligning it with revenue considerations, organisations can tailor their patching strategies accordingly. Different devices within the infrastructure carry varying levels of criticality, necessitating a thorough evaluation and risk analysis.
Achieving an effective risk-based vulnerability management strategy relies on a combination of asset discovery and risk analytics derived from business impact analysis (BIA). These elements serve as a solid foundation for long-term risk management.
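Masserini's two inputs, asset discovery and BIA-derived risk analytics, can be combined into a simple prioritisation. The following is an added example and not Masserini's or TAG Cyber's method: each asset carries the figures a BIA typically produces (revenue per hour and the maximum tolerable downtime), each finding carries a severity score, whether it is being exploited, whether the device can be patched at all, and the outage applying the fix would cause. The scoring weights, asset names and VULN-* identifiers are constructed for illustration; the point is that business impact, not raw severity, decides the order, and that tolerable downtime decides whether a fix can be applied immediately or must wait for a maintenance window.

```python
"""Risk-based patch prioritisation from asset criticality (BIA) and finding severity.
Added example with constructed assets, findings and weights."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    revenue_per_hour: float   # from the business impact analysis
    max_downtime_hours: float  # maximum tolerable downtime, also from the BIA
    internet_facing: bool


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str               # constructed identifier, not a real advisory
    cvss: float                # base severity, 0-10
    exploited_in_wild: bool
    patchable: bool            # False for devices the vendor cannot or will not fix
    patch_downtime_hours: float  # expected outage to apply the fix (reboot, failover)


# Constructed inventory: the values are assumptions chosen to show the trade-off.
ASSETS = [
    Asset("pos-gateway", revenue_per_hour=20_000, max_downtime_hours=0.25, internet_facing=True),
    Asset("hr-portal", revenue_per_hour=500, max_downtime_hours=8, internet_facing=True),
    Asset("build-server", revenue_per_hour=1_000, max_downtime_hours=24, internet_facing=False),
    Asset("smart-lighting-hub", revenue_per_hour=40, max_downtime_hours=72, internet_facing=False),
]
FINDINGS = [
    Finding("pos-gateway", "VULN-A", cvss=6.5, exploited_in_wild=True, patchable=True, patch_downtime_hours=0.5),
    Finding("hr-portal", "VULN-B", cvss=9.8, exploited_in_wild=False, patchable=True, patch_downtime_hours=0.5),
    Finding("build-server", "VULN-C", cvss=7.2, exploited_in_wild=True, patchable=True, patch_downtime_hours=1.0),
    Finding("smart-lighting-hub", "VULN-D", cvss=9.0, exploited_in_wild=True, patchable=False, patch_downtime_hours=0.0),
]


def likelihood(f: Finding, a: Asset) -> float:
    """Severity adjusted for real-world exploitation and exposure, capped at 1.0.
    Weights (+0.2 exploited, +0.1 internet-facing) are illustrative assumptions."""
    score = f.cvss / 10.0
    if f.exploited_in_wild:
        score += 0.2
    if a.internet_facing:
        score += 0.1
    return min(1.0, score)


def business_impact(a: Asset, max_revenue: float) -> float:
    """Asset criticality relative to the most revenue-critical asset, 0..1."""
    return a.revenue_per_hour / max_revenue


def plan(f: Finding, a: Asset) -> str:
    """Decide how the fix can be applied given the BIA's tolerable downtime."""
    if not f.patchable:
        return "not patchable: segment and monitor"
    if f.patch_downtime_hours <= a.max_downtime_hours:
        return "patch now"
    return "schedule maintenance window or fail over"


def prioritise(assets: list, findings: list) -> list:
    """Return findings ordered by risk = likelihood x business impact, with a plan each."""
    by_name = {a.name: a for a in assets}
    max_revenue = max(a.revenue_per_hour for a in assets)
    rows = []
    for f in findings:
        a = by_name[f.asset]
        risk = round(100 * likelihood(f, a) * business_impact(a, max_revenue), 1)
        rows.append({"asset": a.name, "vuln_id": f.vuln_id, "cvss": f.cvss,
                     "risk": risk, "plan": plan(f, a)})
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


if __name__ == "__main__":
    for r in prioritise(ASSETS, FINDINGS):
        print(f"{r['risk']:6.1f}  {r['asset']:<20} {r['vuln_id']}  CVSS {r['cvss']}  -> {r['plan']}")
```

The output inverts a pure severity ordering: the CVSS 9.8 finding on the low-revenue HR portal ranks below a CVSS 6.5 finding on the payment gateway, because the gateway is where downtime and compromise cost the business most. The same BIA figures also show that the gateway's fix needs a maintenance window or failover rather than an immediate reboot, and the unpatchable IoT hub is routed to segmentation, which is the outcome Goettl describes for devices that cannot be patched.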
Understanding your network assets is the first step in prioritising your security efforts. A risk-based approach to vulnerability management directs attention to the assets where a vulnerability would do the most damage, not simply to the most severe findings. Asset discovery makes that possible by identifying every device, including those hidden from plain sight.