How to Simplify Vulnerability Management and Improve Scanner Performance

By Community Team

Many organizations have made significant, targeted investments in foundational security technology, but are still finding themselves running up against a series of brick walls when it comes to making lasting and meaningful improvements to their cybersecurity posture.

One of the pillars of a foundational cybersecurity toolkit is the vulnerability scanner. Enterprises often even have more than one. But scanners, working in isolation rather than in concert with one another, are far from perfect. They can leave critical blind spots during discovery, lack network context in prioritization and miss non-patch mitigation options.

SourceForge recently spoke with Sean Keef at Skybox® Security to talk about why the goals behind scanner investments are rarely realized. Keef also gives advice about how cybersecurity teams should work to bridge the security management gap left by scanners.

Q: Vulnerability scanners are a cornerstone of most, if not all, organizations’ cybersecurity toolkits – why aren’t they delivering the results that CISOs expect?

First, there are a lot of blind spots in vulnerability discovery. Mission-critical infrastructure is often too sensitive to scan or may be too high risk to be scanned with any frequency, if at all. This makes reaching decisions about remediation problematic, because you’re only seeing a portion of what’s vulnerable and missing some of your most important assets.

Then you have ‘non-critical’ parts of a network. These often won’t be scanned if they’re not deemed worth the cost. This means that the security team will be oblivious to any exposed vulnerabilities within these environments.

It’s also impossible to scan assets which aren’t known: if you have no visibility of cloud, outsourced, or virtualized networks, then you have no idea about their risk of exposure. Also, scanners can’t detect vulnerabilities on network devices like firewalls which are designed not to give up any information to reconnaissance like scanners. But a vulnerable, compromised firewall can render an entire layer of security ineffective.

Finally, scans are carried out infrequently, which leads to data stagnation. And there’s a lot of data as well: scanners alert on every single positive result, which leads to thousands, if not millions, of potential vulnerability occurrences.

Q: Which organizations need to worry most about scanners’ blind spots?

The bigger the organization, the more pronounced the shortcomings. When you have fragmented networks, and limited visibility of your security environment, a scanner won’t be able to come in and apply a magic plaster.

The organizations which should be most concerned are those with regularly off-limits network zones and especially operational technology (OT) networks common in critical infrastructure and manufacturing. OT prohibits the use of active scanners largely because of the physical danger these devices could cause if they malfunction due to scanner disruption. There are purpose-built, passive solutions to assess vulnerabilities in OT, but the results are often not incorporated or acted upon in the same way as corporate network vulnerabilities.

Q: Scanners play a big role in developing successful risk-reduction strategies. How can organizations make better use of them?

Helping organizations get the most out of their investments is key to what the Skybox® Security Suite can do. We’ve seen our method succeed at many of the largest organizations and government agencies — the most security conscious organizations in the world.

Skybox is vendor agnostic and provides out-of-the-box integrations with all major scanning vendors, so we integrate with the tools they’re already using. We provide a value-add to existing vulnerability solutions by automatically collecting, normalizing and merging scanning data and filling in scanner blind spots with our scanless vulnerability assessment technique: Skybox compares data collected from asset repositories and network sources with our analyst-backed Vulnerability Dictionary to identify vulnerability occurrences in the network — even on unscannable devices and zones.

The result of the collection, merging and scanless assessments is a centralized and comprehensive vulnerability occurrence list. But our prioritization method is what makes this data really useful.
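The collect-normalize-merge step and the scanless assessment described in the two answers above can be shown in miniature. The following Python is an added example written for this article, not Skybox's code: it takes findings from two scanners with different output shapes, normalizes host names and CVE identifiers so duplicates collapse into one occurrence, and then fills a blind spot by matching an asset inventory entry (a firewall that is never scanned) against a small vulnerability dictionary. The scanner records, the inventory, the dictionary and the `CVE-EXAMPLE-*` identifiers are all constructed placeholders.

```python
"""Merge multi-scanner findings into one normalized occurrence list and
add scanless occurrences from an asset inventory. Added example; every
record below is constructed sample data, not real scanner output."""

# --- Constructed input: two scanners with different record shapes ----------
SCANNER_A = [  # one record per host, CVEs listed per host
    {"hostname": "web01.corp.example",
     "cves": ["cve-example-0001", "CVE-EXAMPLE-0002"]},
]
SCANNER_B = [  # one record per finding, host in "target"
    {"target": "WEB01.corp.example.", "cve_id": "CVE-EXAMPLE-0001"},
    {"target": "db01.corp.example", "cve_id": "CVE-EXAMPLE-0002"},
]

# --- Constructed asset inventory and vulnerability dictionary -------------
# fw01 is a firewall that active scanners never touch; its exposure is
# inferred from the product/version recorded in the asset repository.
INVENTORY = [
    {"name": "fw01.corp.example", "product": "ExampleFW", "version": "2.1"},
    {"name": "web01.corp.example", "product": "ExampleWeb", "version": "9.0"},
]
VULN_DICTIONARY = {  # (product, version) -> known CVEs (constructed)
    ("examplefw", "2.1"): ["CVE-EXAMPLE-0003"],
    ("examplefw", "2.2"): [],
    ("exampleweb", "9.0"): ["CVE-EXAMPLE-0002"],
}


def normalize_host(raw: str) -> str:
    """Lower-case, trim whitespace and drop a trailing DNS dot so the same
    host reported by different scanners keys identically."""
    return raw.strip().lower().rstrip(".")


def from_scanner_a(records):
    for rec in records:
        host = normalize_host(rec["hostname"])
        for cve in rec["cves"]:
            yield host, cve.upper(), "scanner_a"


def from_scanner_b(records):
    for rec in records:
        yield normalize_host(rec["target"]), rec["cve_id"].upper(), "scanner_b"


def scanless_assessment(inventory, dictionary):
    """Infer occurrences by looking up product/version in the dictionary."""
    for asset in inventory:
        key = (asset["product"].lower(), asset["version"])
        for cve in dictionary.get(key, []):
            yield normalize_host(asset["name"]), cve, "scanless"


def merge_occurrences(*streams):
    """Collapse (host, cve) pairs from all streams into one record each,
    remembering which methods reported it."""
    merged = {}
    for stream in streams:
        for host, cve, source in stream:
            merged.setdefault((host, cve), set()).add(source)
    return [{"asset": h, "cve": c, "sources": sorted(s)}
            for (h, c), s in sorted(merged.items())]


def build_occurrence_list():
    return merge_occurrences(
        from_scanner_a(SCANNER_A),
        from_scanner_b(SCANNER_B),
        scanless_assessment(INVENTORY, VULN_DICTIONARY),
    )


if __name__ == "__main__":
    for occ in build_occurrence_list():
        print(f"{occ['asset']:20} {occ['cve']:18} {','.join(occ['sources'])}")
```

The duplicate for `web01` collapses into a single occurrence that records both scanners as sources, `web01`'s second CVE is corroborated by the inventory lookup, and `fw01` appears in the list even though no scanner ever reported it, which is the blind-spot fill the answer describes.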

Q: How should organizations approach the prioritization of vulnerability remediation?

Skybox draws insight from many disparate sources to facilitate multi-factor vulnerability prioritization. It simulates access on a model of the customer environment from a threat origin to vulnerable assets in order to pinpoint exposed vulnerabilities not protected by network security controls. This simulation lets you know which vulnerabilities are surrounded by compensating controls, and are therefore protected from potential attacks, and which vulnerabilities are exposed and need to be acted on.

Additionally, Skybox cross-references knowledge of vulnerability exposure with threat intelligence of available exploits. Doing so helps businesses to further hone their remediation priorities. Our intelligence feed also alerts customers to available patches as well as IPS signatures, and the model can be used to plan things like firewall rule changes to mitigate vulnerability risk if it can’t be patched right away.
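The two answers above describe prioritization as a combination of access simulation (can a threat origin reach the vulnerable service through the network controls?) and exploit intelligence (is an exploit known?). The Python below is an added example written for this article, not Skybox's product logic: it models zones and permitting firewall rules as a small graph, searches for a path from a threat origin to each vulnerable asset whose final hop permits the vulnerable port, combines the result with an exploit feed, and sorts occurrences into four tiers. The rules, assets, occurrences, exploit feed and `CVE-EXAMPLE-*` identifiers are constructed placeholders. Because the search returns the rules that permit the path, the output also shows which rule a team would tighten as a non-patch mitigation.

```python
"""Exposure-based vulnerability prioritization over a zone/rule model.
Added example with constructed data; not Skybox's own algorithm."""
from collections import deque

# Constructed access rules: (src_zone, dst_zone, port) = traffic permitted.
RULES = [
    ("internet", "dmz", 443),
    ("internet", "dmz", 22),
    ("dmz", "internal", 5432),
]
# Constructed asset -> zone placement.
ASSETS = {"web01": "dmz", "db01": "internal", "hr01": "internal",
          "app01": "internal"}
# Constructed occurrences: asset, vulnerability id, port the vulnerable
# service listens on.
OCCURRENCES = [
    {"asset": "web01", "cve": "CVE-EXAMPLE-0001", "port": 443},
    {"asset": "db01", "cve": "CVE-EXAMPLE-0002", "port": 5432},
    {"asset": "hr01", "cve": "CVE-EXAMPLE-0004", "port": 445},
    {"asset": "app01", "cve": "CVE-EXAMPLE-0005", "port": 8080},
]
# Constructed threat-intelligence feed: CVEs with a known public exploit.
EXPLOITABLE = {"CVE-EXAMPLE-0001", "CVE-EXAMPLE-0004"}

TIER_ORDER = {"exposed+exploitable": 0, "exposed": 1,
              "protected+exploitable": 2, "protected": 3}


def find_path(origin, target_zone, port, rules):
    """Breadth-first search over zones. Any permitted rule lets the
    attacker pivot into the next zone; the final hop must permit `port`.
    Returns the list of permitting rules, [] if the asset shares the
    origin zone, or None if network controls block access."""
    if target_zone == origin:
        return []
    queue = deque([(origin, [])])
    seen = {origin}
    while queue:
        zone, path = queue.popleft()
        for rule in rules:
            src, dst, rport = rule
            if src != zone:
                continue
            if dst == target_zone and rport == port:
                return path + [rule]
            if dst not in seen:
                seen.add(dst)
                queue.append((dst, path + [rule]))
    return None


def prioritize(occurrences, assets, rules, exploitable, origin="internet"):
    """Annotate each occurrence with exposure, exploitability, tier and the
    rules that permit access, then sort by tier."""
    results = []
    for occ in occurrences:
        path = find_path(origin, assets[occ["asset"]], occ["port"], rules)
        exposed = path is not None
        has_exploit = occ["cve"] in exploitable
        tier = ("exposed" if exposed else "protected") + \
               ("+exploitable" if has_exploit else "")
        results.append({**occ, "exposed": exposed, "exploitable": has_exploit,
                        "tier": tier, "permitting_rules": path or []})
    results.sort(key=lambda r: (TIER_ORDER[r["tier"]], r["asset"]))
    return results


if __name__ == "__main__":
    for r in prioritize(OCCURRENCES, ASSETS, RULES, EXPLOITABLE):
        print(f"{r['tier']:22} {r['asset']:6} {r['cve']:18} "
              f"via {r['permitting_rules'] or 'no path'}")
```

In the constructed data, `web01` is reachable on its vulnerable port straight from the origin and has a known exploit, so it sorts first; `db01` is exposed through a two-hop path but has no known exploit; `hr01` has an exploit available but no rule permits port 445 into its zone, so it is protected by a compensating control; `app01` is neither. The `permitting_rules` list for `db01` identifies the firewall rules that would be candidates for change if the patch cannot be applied promptly.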

Q: How can security teams maximize the impact of patches on risk posture?

When using multi-factor vulnerability prioritization, security teams are working with distilled insight drawn from their existing scanner technology that allows them to focus on patching the biggest risk vulnerabilities — those exposed and exploitable — before all others.

This approach reduces the time and resources needed for patching, as well as the overall patching that’s necessary, improves collaboration between all teams relevant to the vulnerability life cycle, and increases the likelihood of meeting risk-based SLAs via automated analysis and tracking.

About Skybox Security

Skybox provides the industry’s broadest cybersecurity management platform to address security challenges within large, complex networks. By integrating with 130 networking and security technologies, the Skybox® Security Suite gives comprehensive attack surface visibility and the context needed for informed action. Our analytics, automation, and intelligence improve the efficiency and performance of security operations in vulnerability and threat management and firewall and security policy management for the world’s largest organizations.