At F-Secure we like to say that the best response to cyber threats is to foresee them. And indeed, the first layer of the defense in depth model that we’re going to explore is vulnerability management. This is the step where we correct weaknesses in the company network before they can be exploited.
In my previous post I likened vulnerability management to plugging the holes and fixing the weaknesses in a castle wall. The general idea still holds true, but the analogy of a wall itself was more appropriate ten or fifteen years ago, when the network perimeter was more stable and defined. Back then, an IT admin only needed to worry about desktops, laptops and servers.
In contrast, today’s organizational IT assets can include virtual machines, cloud and on-premises devices and services, IoT devices, BYOD devices, and even operational technology. The network perimeter is in flux, and securing it requires a different approach compared to years ago. Cyber security has grown considerably more complicated.
Lower your cost, raise your attacker’s cost
The great thing about vulnerability management is that it’s an opportunity to significantly lower the cost of security. It’s far less costly to deal with security before serious problems arise than during a crisis or incident recovery. After all, known vulnerabilities and their exploitation are still the root cause of most breaches. And the majority of exploits are based on vulnerabilities already known to security practitioners for at least a year.
Not only does vulnerability management lower costs for your organization, but it raises the cost structure for an attacker. This is exactly what we’re after. An attacker still needs to find a vulnerability, but now has to do so despite your company having a vulnerability management platform in place. Because you’re finding and fixing known critical vulnerabilities, the attacker needs to work harder. He or she must spend more time and money to find a way in. Should the intruder still manage to do so, if you’re also fixing vulnerabilities and misconfigurations on internal-facing systems, he or she will encounter fewer opportunities for lateral movement.
What to look for in a VM tool
As the initial step in the modern cybersecurity defense program, a good vulnerability management platform, such as F-Secure Radar, offers, first of all, visibility. If you don’t know what you have, you can’t protect it. With the complexity of today’s network infrastructure, it’s all too common to have forgotten shadow IT assets lurking in dusty corners. It’s important to gain visibility into what kinds of devices and assets you have, and what their vulnerability status is.
Once we know what our attack surface looks like, we can begin to check for flaws in it. This is where scanning comes in – we scan systems and web applications for publicly known vulnerabilities. With Radar for example, we can scan systems such as web servers, firewalls, email servers and gateways, routers and switches, domain controllers, DNS servers, antivirus gateways, and workstations – and the software and operating systems on them. We can also check both commercial and custom web applications. New applications still in development can be scanned to catch vulnerabilities before they can cause problems later.
A solid vulnerability management platform will also include credible reporting, as well as a way to streamline the workflow. This means management of tickets, automation of scheduled scans, and assignment of vulnerabilities for prioritized patching.
In summary, rapidly changing, complex business IT environments lead to a broad attack surface. Only constant scanning and ruthless control can help you find vulnerabilities before anyone else does, lowering your security expenditures and raising the bar for attackers, making it harder to breach your business.
This is the second in a series of posts about the layers of defense in depth. Be sure to catch our next post on gateway protection.