The three crumbling pillars of network security
Why is network security getting harder?
Access control, firewall and Intrusion Prevention Systems are failing to keep attackers from reaching vulnerable systems and network administrators have added as many layers beyond those as possible to no avail. This is a problem because successful attacks are often done with these solutions in place and being run well by capable people. It doesn't take an analyst to tell you that something about these common perimeter guards isn't getting the job done.
How hackers bypass network security
In all successful attacks hackers bypass the network security perimeter to exploit existing vulnerabilities inside the network. The fact that all hackers consider breaking the perimeter to be job #1 and that most refer to it as being a trivial achievement should be a wake up call to admins who think perimeter solutions are enough to maintain network security.
In fact, all the successful attacks you are reading about in the press are on networks whose admins (or large security teams) were doing their best to maintain a perimeter! This includes the recent break-ins at Fortune 500 companies and government departments that have large network security staffs and deep pockets. Apparently something about the focus on perimeter defense is not working. Yes, the well tended perimeter stops a great number of attacks but the fact is, they don't stop them all.
Setting aside political or financial high value targets that get targeted because they stand out, most attacks are done as a 'drive by'. Attackers rarely choose a target first and then spend time looking for a weakness in its network security. It is far easier to study up on a well known vulnerability, scan broadly for ANY network that has this weakness and then exploit it wherever found to gain access. From that beachhead hackers expand their control through the network and then look for the most valuable data they can steal or lock up and ransom.
Therefore, in order to better secure any network, these well known vulnerabilities must be found and fixed regardless of ANY set of perimeter defense solutions being in place. Vulnerability Assessment and Management (VAM) is the solution that achieves this goal.
Are security teams pressured to ignore vulnerabilities?
Technical, organizational, financial and cultural forces in network security have combined to push known vulnerabilities, the single most important factor regarding network security into the background.
- Technical: Vendors of network equipment and applications are under heavy pressure to release new products and versions - but little pressure to test them as severely as hackers will after their release. Thus the vendor of every app and host on the network generates a stream of updates to patch security issues. Even a modest size network has hundreds of applications and has (or should have) thousands of patches. The challenge: Each patch has the potential for creating issues when installed and must be tested before being rolled out. The result is that only some patches are installed and every network ends up with un-patched, known vulnerabilities. Hopefully none are severe or are on high value assets. In addition are security related configuration issues - another can of worms.
- Financial: Security is difficult to fund with any convincing proof of a return on the investment. Installing every possible patch into every single host is financially out of the question. The vulnerabilities left un-patched are hard to quantify in how they each contribute to network security and staff is simply not available to track down every missing patch.
- Organizational: Company executives want to see some evidence that the current security staff is 'doing something'. Thus you get 'security theater'. The perimeter solutions are resplendent with data about how many attacks were blocked and the 'increasing but deflected attacks' graphs they produce are fine evidence that security is on the job and working hard. On the other hand, reports to execs about finding and fixing serious vulnerabilities can be met with a 'Well isn't that your job anyway?'.
- Cultural: From the very earliest days of networking, network security has been fixed on a perimeter defense strategy. The arrival of smartphones, iPads and the cloud finally marked 'paid' to the idea that a perimeter can be held, or that it even exists. But still powerful is the siren song of new security technologies that say they will keep the bad guys away from the known, but unrepaired vulnerabilities they are looking for.
Given these factors, network security through the elimination of vulnerabilities has become just a compliance checkbox instead of being the front line defense strategy that the current state of security indicates it deserves. The truth is that the perimeter today is at each device itself.
VAM: The low man on the network security totem pole
Vulnerability Assessment & Management was the new kid on the network security block over a decade ago. It was a short and not terribly happy childhood. Early tools were complicated, cumbersome and ill suited for rolling into corporate networks. Those admins that did install what was then called just Vulnerability Assessment ran into the kiss of death for any security tool: huge reports filled with inaccurate results describing work to be done for which there were no resources to act.
Accuracy and network security
Accuracy has been the missing ingredient in many network security tools. Ask any admin who has tested several competing solutions side by side on a network. The variation in what each security tool discovers and reports is enough to keep one up at night. This applies to all tool families but particularly to VAM.
Inaccuracy in a firewall, antivirus or IPS is most often invisible. These systems can't stop what they don't know about. Yes this is a disaster waiting to happen, but while waiting for that disaster, it bothers no one. On the other hand an inaccurate, long VAM report is really irritating, sending network security staff searching high and low for things that don't exist. A VAM report that has a couple of errors in the first page is going to get tossed in the bottom drawer.
Most VAM systems sold today are now at 95% accuracy, which is a lot better than the early days. That still means one false positive for every 20 reported issues. And that is still enough to get the monthly VAM report relegated to the shred pile.
Breathing new life into VAM
VAM has grown up and at the same time federal and industrial network security standards are pushing for it as a component of constant monitoring. Our own solution, beSECURE, the Automated Vulnerability Detection System, has become a simple to install, easy to operate, complete tool that incorporates web application scanning and database scanning with the traditional network scanning duties. It assigns asset value and vulnerability severity and so gives admins an accurate idea of what MUST be done, what should be done and what might be done in the future if budget allows. And it does this with accuracy unmatched in the industry.
Accuracy beyond traditional VAM solutions
All but one of the leading Vulnerability Management solutions identify vulnerabilities primarily by checking host banners to read the version number. They then assume that if version X is present, then all the vulnerabilities of version X are also present. This is a false positive if an update was 'back ported' (common in Linux) or if server or application settings make access to the vulnerability impossible. Alternatively, a banner can report a version update is in place even if the server did not get rebooted. It is common in even high end VAM solutions to have 3% to 8% false positive results.
beSECURE goes beyond just checking for banners, it uses specially crafted queries and the resulting behavior of network components and web applications as its primary indicator of whether a specific vulnerability exists or not. This means that beSECURE is highly accurate, generating near-zero false positives and finding vulnerabilities that other solutions miss.
beSECURE accuracy means you can be certain that if a report says the network has a high risk on a high value asset, it actually DOES exist. You can also know, without a doubt, that when you are handling the risks discovered by beSECURE you are doing the best job possible to protect your network security.
Not all security issues or network assets are created equal
Management of vulnerabilities is recognizing that not all security issues are of equal severity and that not all network assets are equally valuable. Thus in the real world where IT budgets are never large enough to patch every single weakness, VAM will guide the way to applying whatever resources are available to the most truly serious weaknesses on the network.
beSECURE maps all the network assets (including servers, operating systems, network infrastructure, workstations, applications, phones, printers etc.) and prioritizes them based on their importance/criticality. A web or database server will be regarded as more critical than a printer server. It then examines each item on the network, and lists the vulnerabilities discovered. Each is assigned a severity rating based on an internationally agreed upon set of guidelines (CVE). beSECURE combines the importance level of the asset and the vulnerability risk level to produce an accurate mitigation strategy.
VAM as your next step in network security?
We hope you have already incorporated VAM into your network security strategy. If you are already using a VAM solution please seriously consider extending it to cover your entire network, including test servers, phones, printers, etc. If you don't have VAM installed on your network, now is the time. If you aren't happy with your current system or you would like more info on how to deploy one for the first time, we hope that you will drop us a note.
For more information please call, email or use the form on this page.