
4/23/2008
09:43 PM
George V. Hulme
Commentary

Focus On Managing Risk, Not Gruntwork

With large enterprises sporting hundreds of applications, firewalls, routers, and other networking devices -- and more than 139 newly announced vulnerabilities each week -- how do they know what vulnerabilities actually matter?

Answering that question is a lot harder than just looking at software vendor risk rankings and rushing to patch the "criticals" and pass on the "lows."

Last year, CERT tallied more than 7,000 publicly disclosed vulnerabilities. Who has time for that much patching?

In fact, many organizations may find, once all mitigating controls -- firewall rules, network segmentation, IPS devices, etc. -- are taken into account, that they actually want to patch a couple of low-risk vulnerabilities on a machine that manages highly classified data. Or, maybe patching one or two at-risk systems in the DMZ ensures the rest of the infrastructure is secure -- because all of those security controls mitigate the other unpatched systems. And the rest of the patching can wait for a little while, at least until the patches have been tested.

That level of management sure beats the heck out of wrangling up a dozen admins to run vulnerability scans and then rushing out untested patches to several hundred systems. I can think of about a thousand ways I'd rather spend my budget.

Yet, it goes without saying that today's networks are just too complex to make those kinds of decisions off-the-cuff. There are too many network connections, segments, servers, and firewall rules for any mere mortal to hold in their head. That's where risk modeling software from vendors such as Skybox Security steps in.

I profiled a credit union, WesCorp, a number of years ago, when Skybox Security was just starting out. I had been interviewing that company's CISO (at the time Chris Hoff, now chief architect of security for Unisys) about vulnerability scans and patching. He explained how he was able to better manage his patching processes by modeling the actual risks those vulnerabilities created and weighing their severity against the actual business value of his systems. I'd never heard of such a capability before, and was quite intrigued. The eventual story is available here.

Essentially, Skybox's Skybox View risk management platform enables organizations to model their risk through analytical and predictive threat and vulnerability analysis. The software works by building a virtualized representation of the network and then analyzing where potential attack vectors against, say, unpatched systems may exist. It does this by amassing an enormous amount of data about the current network architecture and the security defenses in place. The same model can also be used to simulate what-if scenarios that show how your risk posture would change along with planned network changes.
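To make the idea concrete, here is a toy attack-path model that captures both the mitigating-controls reasoning above (a "low" on a high-value system can outrank a "critical" on an exposed one) and the what-if simulation just described. It is an added illustration, not Skybox's code; the hosts, zones, firewall policy, asset values and CVE names are all constructed.

```python
"""Toy attack-path risk model, added here as an illustration of the idea in the
text; it is not Skybox's code and the network below is constructed."""
from collections import deque

# Constructed inventory: host -> (zone, business value 1-10, {cve: vendor rating})
HOSTS = {
    "web1":  ("dmz",      3, {"CVE-A": "critical", "CVE-B": "low"}),
    "app1":  ("internal", 5, {"CVE-C": "critical"}),
    "hr1":   ("internal", 4, {}),
    "vault": ("secure",  10, {"CVE-D": "low", "CVE-E": "low"}),
}
# Constructed firewall policy: allowed (source zone, destination zone) flows.
# Anything not listed is blocked; this is the mitigating control being modelled.
ALLOWED = {("internet", "dmz"), ("dmz", "internal"), ("internal", "secure")}
WEIGHT = {"critical": 10, "high": 8, "medium": 5, "low": 3}  # vendor rating -> weight


def reachable_zones(hosts, allowed, patched=frozenset()):
    """Zones an attacker starting on the internet can reach. A zone is entered
    via an allowed flow; pivoting onward needs a foothold, i.e. a host in that
    zone that still has an unpatched vulnerability."""
    reached, footholds = {"internet"}, deque(["internet"])
    while footholds:
        src = footholds.popleft()
        for s, dst in allowed:
            if s != src or dst in reached:
                continue
            reached.add(dst)
            if any(z == dst and set(v) - patched for z, _, v in hosts.values()):
                footholds.append(dst)
    return reached


def prioritize(hosts, allowed, patched=frozenset()):
    """Rank unpatched vulnerabilities: exposed ones score asset value x rating
    weight; those the firewall policy keeps unreachable score 0."""
    zones = reachable_zones(hosts, allowed, patched)
    ranked = []
    for host, (zone, value, vulns) in hosts.items():
        for cve, rating in vulns.items():
            if cve not in patched:
                score = value * WEIGHT[rating] if zone in zones else 0
                ranked.append((score, cve, host))
    return sorted(ranked, reverse=True)


if __name__ == "__main__":
    print("as-is:      ", prioritize(HOSTS, ALLOWED))
    # What-if: patch only the DMZ host and see what the rest of the estate looks like.
    print("DMZ patched:", prioritize(HOSTS, ALLOWED, frozenset({"CVE-A", "CVE-B"})))
```

Note that patching only CVE-A leaves CVE-B as a foothold on web1, so the internal and secure zones stay reachable; the model only shows the rest of the estate as safe once every vulnerability on the DMZ host is closed.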

Today, to get updated on how companies are using Skybox View, I spoke with Bill Geimer, program manager for Newington, Va.-based technology provider Open System Sciences. Open System Sciences provides the U.S. Agency for International Development (USAID), which has systems spread throughout about 100 countries, with many of the services the agency needs for its risk management program and to maintain FISMA compliance.

Geimer explained how Skybox View helps him and his team pull information from all of USAID's point security and networking products (thousands and thousands of devices) as well as from daily network security assessments. Every day Geimer gets a report that details which systems have changed and which systems may need to be patched.

Most important, Geimer explained how it is now possible for the entire security team to "be in tune with anything that changes our risk and to respond accordingly."

There aren't many organizations today that can make such a claim, and mean it. But that's what Geimer was able to achieve.

I don't know for sure, but I'd bet five years ago when Skybox first hit my radar, the company had fewer than a dozen customers. Today, it has more than 125, including some big names: AstraZeneca, Barclays Capital, British Energy, Cisco, Citi, Merrill Lynch, Reuters, Visa, and others. Its channel also has grown quite impressively, and now includes partners such as BT, Cable and Wireless, FishNet, IBM, VeriSign, and Wipro.

In June the company plans to release an update to its risk-management platform. The new version will add a Web management interface, make it easier to map compliance reports to the Payment Card Industry Security Standard, and add support for more operating systems, as well as for virtual firewalls and routers.
