Antivirus, access control, firewall and Intrusion Prevention Systems are failing to keep attackers from reaching vulnerable systems and most network administrators aren't given the budget or time to add yet more layers. This is a problem because successful attacks are often done with these solutions in place and being run in a standard manner by capable people. It doesn't take an analyst to tell you that something about these common perimeter guards isn't getting the job done.
How Hackers Bypass Network Security
In all successful attacks hackers bypass the network security perimeter to exploit existing vulnerabilities inside the network. The fact that all hackers consider breaking the perimeter to be job #1 and that most refer to it as being a trivial achievement should be a wakeup call to admins who think perimeter solutions are enough.
In fact, all successful attacks are on networks whose admins (or entire security teams) were doing their best to maintain a perimeter! This includes the highly publicized break-ins at Fortune 500 companies and governments with large network security staffs and deep pockets. Apparently something about the focus on perimeter defense is not working. Yes, a well-tended perimeter stops a great number of attacks, but the fact is, it doesn't stop enough.
Setting aside political or financial high value targets that get picked because they stand out, the remaining attacks are almost always done as a 'drive by'. Attackers rarely choose a target first and then spend time looking for a weakness. It is far easier to study up on a well known vulnerability, scan broadly for ANY network that has this weakness and then exploit it to gain access. From that beachhead hackers expand their control through the network and then look for the most valuable data they can steal.
Therefore, in order to better secure any network, it appears that these well known vulnerabilities must be found and fixed regardless of ANY set of perimeter defense solutions being in place. Vulnerability Assessment and Management (VAM) is the solution that achieves this goal.
Is Security Pressured to Ignore Network Vulnerabilities?
Technical, organizational, financial and cultural forces in network security have combined to push known vulnerabilities, the single most important factor regarding network security, into the background.
- Technical: Vendors of network equipment and applications are under heavy pressure to release new products and versions - but little pressure to test them as severely as hackers will test them after release. Thus everything on the network generates a stream of updates to patch security issues. Even a modest size network has hundreds of applications and has (or should have) thousands of patches. The challenge: Each patch has the potential for creating issues when installed and must be tested before being rolled out. The result is that only some patches are installed and every network ends up with unpatched, known vulnerabilities. Hopefully none are severe or are on high value assets. In addition there are security-related configuration issues - another can of worms.
- Financial: Security is difficult to fund with any convincing proof of a return on the investment. Installing every possible patch into every single host is financially out of the question. The vulnerabilities left unpatched are hard to quantify and staff is simply not available to track down every missing patch.
- Organizational: Company executives want to see some evidence that the current security staff is 'doing something'. Thus you get 'security theater'. The perimeter solutions are resplendent with data about how many attacks were blocked and the 'increasing attacks' graphs they produce are fine evidence that security is on the job and working hard. On the other hand, reports to execs about finding and fixing serious vulnerabilities can be met with a 'Well isn't that your job anyway?'.
- Cultural: From the very earliest days of networking and firewalls, network security has been fixed on a perimeter defense strategy. The arrival of smartphones, iPads and cloud based servers finally put paid to the idea that a perimeter can be held, or that it even exists. But still powerful is the siren song of new security technologies that say they will keep the bad guys away from the known, but unrepaired, vulnerabilities they are looking for.
Given these factors, security through the elimination of network vulnerabilities has become more of a compliance checkbox than being the front line defense strategy that the current state of network security indicates it deserves. The truth is that the perimeter today is the device itself.
VAM: The Low Man on the Network Security Totem Pole
VAM was the new kid on the network security block 10 years ago. It was a short and not terribly happy childhood. Early tools were complicated, cumbersome and ill suited for rolling into corporate networks. Those admins that did install what was then called just Vulnerability Assessment ran into the kiss of death for any security tool: huge reports filled with inaccurate results.
Accuracy is the missing ingredient in many network security tools. Ask any admin who has tested several competing solutions side by side on a network. The variation in what each tool discovers and reports is enough to keep one up at night. This applies to all security tools but particularly to VAM.
Inaccuracy in a firewall, antivirus or IPS is most often invisible. These systems can't stop what they don't know about. Yes this is a disaster waiting to happen, but while waiting it bothers no one. On the other hand an inaccurate VAM report is really irritating, sending network staff searching high and low for things that don't exist. A VAM report that has a couple of errors in the first page is going to get tossed in the bottom drawer.
Most VAM systems sold today are now at 95% accuracy, which is a lot better than the early days. That still means one false positive for every 20 reported issues. And that is still enough to get the monthly VAM report relegated to the shred pile.
Breathing New Life Into VAM
VAM has grown up and at the same time federal and industrial network security standards are pushing for VAM as a component of constant monitoring. Our solution, AVDS, has become a simple to install, easy to operate, complete solution that incorporates web application scanning and database scanning with the traditional network scanning duties. It assigns asset value and vulnerability severity and so gives admins an accurate idea of what MUST be done, what should be done and what might be done in the future to secure the network. And it does this with accuracy unmatched in the industry.
Accuracy Beyond Traditional VAM Solutions
All of the top end Vulnerability Management solutions identify vulnerabilities primarily by checking host banners to read the version number. They then assume that if version X is present, then all the vulnerabilities of version X are also present. This is not true if an update was 'backported' (common in Linux) or if server or application settings make access to the vulnerability impossible. Alternatively, a banner can report a patch is in place even if the server did not get rebooted. It is common even in high end VAM solutions to have 3% to 8% false positive results.
AVDS goes beyond just checking for banners: it uses specially crafted queries and the resulting behavior of network components and web applications as its primary indicator of whether a specific vulnerability exists or not. This means that AVDS is highly accurate, generating near-zero false positives and finding vulnerabilities that other solutions miss.
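The two detection approaches described above, as an added illustration that is not part of the original page and is not AVDS's or any vendor's code. It assumes a made-up service called "FooServer" with a hypothetical advisory ("releases before 1.3 expose a debug page at /status"); the hosts, banners and responses are constructed in-memory mocks, so nothing is sent on the network. A banner-only check flags the host with a distribution backport (false positive) and misses the host whose binary was updated on disk but never restarted (false negative); the behaviour-based check, which looks at what the service actually does, gets all four hosts right.

```python
"""Banner matching vs. behaviour-based vulnerability checking (added example)."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical advisory (constructed): FooServer releases before 1.3 serve a
# debug status page at /status.  Product name and versions are invented.
AFFECTED_BELOW = (1, 3)
PROBE_PATH = "/status"


@dataclass(frozen=True)
class MockHost:
    name: str
    banner: str                              # what the service advertises
    truly_vulnerable: bool                   # ground truth for the demo
    responder: Callable[[str], Tuple[int, str]]  # path -> (status, body)


def parse_version(banner: str) -> Optional[Tuple[int, int]]:
    """Extract (major, minor) from a banner such as 'FooServer/1.2'."""
    m = re.search(r"FooServer/(\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def banner_check(host: MockHost) -> bool:
    """Traditional approach: trust the advertised version string."""
    version = parse_version(host.banner)
    return version is not None and version < AFFECTED_BELOW


def behaviour_check(host: MockHost) -> bool:
    """Behaviour-based approach: send a benign probe and inspect the reply."""
    status, body = host.responder(PROBE_PATH)
    return status == 200 and "debug" in body.lower()


# --- constructed responders ------------------------------------------------
def _old_build(path: str) -> Tuple[int, str]:
    # Unfixed binary: the debug page really is exposed.
    return (200, "FooServer debug status: uptime 12d") if path == PROBE_PATH else (404, "")


def _backported_fix(path: str) -> Tuple[int, str]:
    # Distro backported the fix but left the version string at 1.2.
    return (404, "not found")


def _other_product(path: str) -> Tuple[int, str]:
    return (404, "")


# Constructed inventory covering the cases the text describes.
HOSTS: List[MockHost] = [
    MockHost("db01", "FooServer/1.2", True, _old_build),        # genuinely unpatched
    MockHost("web02", "FooServer/1.2", False, _backported_fix), # backport: banner lies "old"
    MockHost("web03", "FooServer/1.3", True, _old_build),       # updated on disk, never restarted
    MockHost("print04", "OtherServer/9.9", False, _other_product),
]


def evaluate(hosts: List[MockHost] = HOSTS) -> Dict[str, Dict[str, int]]:
    """Count true/false positives and false negatives for each method."""
    methods = {"banner": banner_check, "behaviour": behaviour_check}
    summary: Dict[str, Dict[str, int]] = {}
    for name, check in methods.items():
        counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
        for host in hosts:
            flagged = check(host)
            if flagged and host.truly_vulnerable:
                counts["tp"] += 1
            elif flagged:
                counts["fp"] += 1
            elif host.truly_vulnerable:
                counts["fn"] += 1
            else:
                counts["tn"] += 1
        summary[name] = counts
    return summary


if __name__ == "__main__":
    for method, counts in evaluate().items():
        print(f"{method:10s} {counts}")
```

Run stand-alone it prints one line per method; the banner method reports one false positive (web02) and one false negative (web03), while the behaviour method reports neither. The probe used here only reads a status page, which is the kind of non-destructive query a scanner can safely send in production.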
AVDS accuracy means you can be certain that if a report says the network has a high risk on a high value asset, it actually DOES exist. You can also know, without a doubt, that when you are handling the risks discovered by AVDS you are doing the best job possible to protect your network.
Not All Security Issues or Network Assets are Created Equal
Management of vulnerabilities is the recognition that not all security issues are of equal severity and that not all network assets are equally valuable. Thus in the real world where IT budgets are never large enough to buy every possible solution or patch every single weakness, VAM will guide the way to applying whatever resources are available to the most truly serious weaknesses on the network.
AVDS maps all the network assets (including servers, operating systems, network infrastructure, workstations, applications, phones, printers etc.) and prioritizes them based on their importance/criticality. A web or database server will be regarded as more critical than a print server. It then examines each item on the network, and lists the vulnerabilities discovered. Each is assigned a severity rating based on an internationally agreed upon set of guidelines. AVDS combines the importance level of the asset and the vulnerability risk level to produce an accurate mitigation strategy.
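The asset-criticality-times-severity idea in the two paragraphs above, as an added worked example; this is not AVDS's scoring algorithm or code, just one straightforward way to combine the two factors. It assumes a CVSS-style 0 to 10 severity score, four criticality weights and the "must / should / might" thresholds, all of which are constructed for the illustration; the findings are invented sample data. The same 9.8 issue lands at the top of the list on a database server and near the bottom on a print server.

```python
"""Prioritising findings by asset criticality x vulnerability severity (added example)."""
from dataclasses import dataclass
from typing import Dict, List

# Criticality weights are an assumption for this example; a real deployment
# would assign them from business context (what the asset holds or does).
CRITICALITY_WEIGHT = {"critical": 1.0, "high": 0.75, "medium": 0.5, "low": 0.25}

# Thresholds for the action buckets (constructed; tune to your own appetite).
MUST_AT_LEAST = 7.0
SHOULD_AT_LEAST = 4.0


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str
    criticality: str  # one of CRITICALITY_WEIGHT's keys


@dataclass(frozen=True)
class Finding:
    asset: Asset
    title: str
    severity: float  # assumed CVSS-style base score, 0.0 - 10.0


def risk_score(finding: Finding) -> float:
    """Weight the vulnerability's severity by how much the asset matters."""
    if not 0.0 <= finding.severity <= 10.0:
        raise ValueError(f"severity out of range: {finding.severity}")
    return CRITICALITY_WEIGHT[finding.asset.criticality] * finding.severity


def action_for(score: float) -> str:
    """Map a risk score to the must / should / might buckets."""
    if score >= MUST_AT_LEAST:
        return "must"
    if score >= SHOULD_AT_LEAST:
        return "should"
    return "might"


def prioritize(findings: List[Finding]) -> List[Dict[str, object]]:
    """Return findings ranked by risk, highest first, with a recommended action."""
    ranked = sorted(findings, key=lambda f: (-risk_score(f), f.asset.name, f.title))
    return [
        {
            "asset": f.asset.name,
            "kind": f.asset.kind,
            "title": f.title,
            "severity": f.severity,
            "risk": round(risk_score(f), 2),
            "action": action_for(risk_score(f)),
        }
        for f in ranked
    ]


# Constructed sample inventory and findings.
DB01 = Asset("db01", "database server", "critical")
WEB02 = Asset("web02", "web server", "high")
WS17 = Asset("ws17", "workstation", "medium")
PRINT04 = Asset("print04", "print server", "low")

SAMPLE_FINDINGS: List[Finding] = [
    Finding(PRINT04, "Remote code execution in management service", 9.8),
    Finding(WS17, "Missing OS security update", 8.0),
    Finding(WEB02, "Reflected cross-site scripting", 6.4),
    Finding(DB01, "Remote code execution in management service", 9.8),
]


if __name__ == "__main__":
    for row in prioritize(SAMPLE_FINDINGS):
        print(f"{row['action']:6s} risk={row['risk']:<5} {row['asset']:8s} {row['title']}")
```

Ranking on the weighted score rather than on raw severity is what turns a long finding list into a work order: the 9.8 on db01 is a "must", the identical 9.8 on the print server is a "might", and the two mid-range findings sort between them.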
VAM as Your Next Step?
We hope you will incorporate VAM into your network security strategy. If you are already using a VAM solution please seriously consider extending it to cover your entire network, including test servers, phones, printers, etc. If you don't have VAM installed on your network, now is the time. If you aren't happy with your current system or you would like more info on how to deploy one for the first time, we hope that you will drop us a note.