4/23/2008
09:43 PM
George V. Hulme
Commentary

Focus On Managing Risk, Not Gruntwork

With large enterprises sporting hundreds of applications, firewalls, routers, and other networking devices -- and more than 139 newly announced vulnerabilities each week -- how do they know what vulnerabilities actually matter?

Answering that question is a lot harder than just looking at software vendor risk rankings and rushing to patch the "criticals" and pass on the "lows."

Last year, CERT tallied more than 7,000 publicly disclosed vulnerabilities. Who has time for that much patching?

In fact, many organizations may find, once all mitigating controls -- firewall rules, network segmentation, IPS devices, etc. -- are taken into account, that they actually want to patch a couple of low-risk vulnerabilities on a machine managing highly classified data. Or maybe patching one or two at-risk systems in the DMZ is enough to secure the rest of the infrastructure, because those security controls mitigate the other unpatched systems. The rest of the patching can then wait a little while, at least until the patches have been tested.

That level of management sure beats the heck outta wrangling up a dozen admins to run vulnerability scans and then rushing out untested patches to several hundred systems. I can think of about a thousand ways I'd rather spend my budget.

Yet it goes without saying that today's networks are just too complex to make those kinds of decisions off the cuff. There are too many network connections, segments, servers, and firewall rules for any mere mortal to keep straight in their head. That's where risk modeling software from vendors such as Skybox Security steps in.

I profiled a credit union, WesCorp, a number of years ago when Skybox Security was just starting out. I had been interviewing that company's CISO (at the time it was Chris Hoff, now chief architect of security for Unisys) about vulnerability scans and patching. He explained how he was able to better manage his patching processes by modeling the actual risks those vulnerabilities created and weighing their severity against the actual business value of his systems. I'd never heard of such a capability before, and was quite intrigued. The eventual story is available here.

Essentially, Skybox's Skybox View risk management platform enables organizations to model their risk through analytical and predictive threat and vulnerability analysis. Basically, the software works by creating a virtualized representation of the network and then analyzing where potential attack vectors against, say, unpatched systems may exist. It can do this by amassing an enormous amount of data about the current network architecture and the security defenses in place. The same model can also be used to simulate what-if scenarios that detail how your risk posture might change along with planned network changes.
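To make the idea in the two paragraphs above concrete, here is an added toy version of "model the network, then ask which vulnerabilities are actually exposed" in Python. It is not Skybox's software or anything from the article: the zones, firewall rules, hosts, asset values and VULN-* identifiers are all constructed for the example, and a compromised host is assumed to give the attacker a foothold in that host's zone.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Host:
    name: str
    zone: str
    asset_value: int   # business value of the system, 1 (low) .. 5 (crown jewels)
    vulns: tuple       # (vuln_id, listening_port, vendor_severity 1..4)

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    ports: frozenset   # TCP ports the firewall permits from src_zone to dst_zone

def reachable(rules, src_zone, dst_zone, port):
    """True if some rule lets `port` through; intra-zone traffic needs a rule too."""
    return any(r.src_zone == src_zone and r.dst_zone == dst_zone and port in r.ports
               for r in rules)

def exposed_vulns(hosts, rules, attacker_zone="internet"):
    """Walk the model: a reachable vulnerable host hands the attacker its zone,
    and the walk repeats from the newly gained zones until nothing new is gained."""
    controlled, frontier, exposed = {attacker_zone}, {attacker_zone}, set()
    while frontier:
        gained = set()
        for h in hosts:
            for vid, port, _sev in h.vulns:
                if any(reachable(rules, z, h.zone, port) for z in frontier):
                    exposed.add((h.name, vid))
                    if h.zone not in controlled:
                        gained.add(h.zone)
        controlled |= gained
        frontier = gained
    return exposed

def prioritize(hosts, rules, attacker_zone="internet"):
    """Exposed vulnerabilities score vendor_severity * asset_value; ones that
    segmentation already blocks score 0 and can wait for tested patches."""
    exposed = exposed_vulns(hosts, rules, attacker_zone)
    ranked = [(sev * h.asset_value if (h.name, vid) in exposed else 0, h.name, vid)
              for h in hosts for vid, _port, sev in h.vulns]
    return sorted(ranked, reverse=True)

# Constructed sample network; hosts, ids and rules are invented for this example.
HOSTS = [
    Host("web01", "dmz", 2, (("VULN-A", 443, 4), ("VULN-B", 22, 2))),
    Host("db01", "internal", 5, (("VULN-C", 3306, 2),)),      # vendor "low", crown jewels
    Host("fileshare", "internal", 3, (("VULN-D", 445, 4),)),  # vendor "critical", unreachable
]
RULES = [Rule("internet", "dmz", frozenset({443})), Rule("dmz", "internal", frozenset({3306}))]
```

Running `prioritize(HOSTS, RULES)` puts the vendor-"low" database bug first and the vendor-"critical" file-share bug at zero, which is the reordering the article describes; appending a proposed rule to `RULES` and re-running is the what-if scenario.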

Today, to get updated on how companies are using Skybox View, I spoke with Bill Geimer, program manager for Newington, Va.-based technology provider Open System Sciences. Open System Sciences provides the U.S. Agency for International Development (USAID) many of the services the agency, which has systems spread throughout about 100 countries, needs for its risk management program and to maintain FISMA compliance.

Geimer explained how Skybox View helps him and his team pull information from all of its point security and networking products (which consist of thousands and thousands of devices) as well as from daily network security assessments. Every day Geimer gets a report that details which systems have changed and which systems may need to be patched.

Most important, Geimer explained how it is now possible for the entire security team to "be in tune with anything that changes our risk and to respond accordingly."

There aren't many organizations today that can make such a claim, and mean it. But that's what Geimer was able to achieve.

I don't know for sure, but I'd bet five years ago when Skybox first hit my radar, the company had fewer than a dozen customers. Today, it has more than 125, including some big names: AstraZeneca, Barclays Capital, British Energy, Cisco, Citi, Merrill Lynch, Reuters, Visa, and others. Its channel also has grown quite impressively, and now includes partners such as BT, Cable and Wireless, FishNet, IBM, VeriSign, and Wipro.

In June the company plans to release an update to its risk-management platform. The new version will add a Web-management interface, make it easier to map compliance reports to the Payment Card Industry Security Standard, add support for additional operating systems, and include support for virtual firewalls and routers.
