Addressing the challenge of cybersecurity infrastructure fragmentation [Q&A]
When threat actors evaluate a company's attack surface, they're not thinking in terms of organizational silos. They're probing for the right combination of vulnerabilities, misconfigurations and identity privileges.
It follows that security organizations shouldn't be operating in silos either. Defenders risk playing into attackers' hands when their security programs are reactive and siloed: a sprawl of point tools generates heaps of fragmented data but offers few insights.
To get ahead of attackers and prevent cyber attacks, organizations need full visibility into all assets and exposures, rich context around potential threats, and clear metrics to measure cyber risk objectively. But how do they do that? We spoke to Bernard Montel, EMEA technical director and security strategist at Tenable, to find out.
BN: How have infrastructure changes affected the way we secure networks?
BM: The infrastructure that underpins organizations today is only vaguely recognizable from three years ago. The defined perimeter no longer exists, with Internet-facing assets not just commonplace but essential for organizations in the modern business world. When we think of traditional network security, the goal has always been to fortify the perimeter to prevent threats outside of the network from getting in. However, the way we work today means this approach is no longer feasible. The perimeter is pervious, the devices we use are evolving and organizations are adopting hybrid infrastructure combining on-prem and cloud. Underpinning all of this is connectivity.
In response, the security industry has squarely focused on creating point solutions that home in on specific aspects of cybersecurity. The result? A hodgepodge of technologies that all serve a bespoke function but don't allow organizations to see the full scope of their risk exposure, and that lack the context to chart a path forward.
BN: What has the industry done about this?
BM: To try to address this the industry has churned out products with the aim of bringing together all these disparate pieces. For example, XDR takes data from point products in an effort to identify attacks as they're happening. This activity-driven approach does not give organizations the upper hand because security teams get trapped in an endless cycle of responding to active breach notifications. The issue is that organizations that rely solely on activity data lack a complete picture of their security posture and thus cannot quantify risk.
Organizations need a way to assess the efficacy of their preventive programs as well in order to have a complete picture of their exposure -- essentially the inverse of XDR.
BN: What needs to change in order to break this cycle?
BM: Today's security tools do a great job of identifying everything wrong in the environment, but lack the information needed to address what really matters.
Understanding the impact of cyber incidents requires business and security leaders to work in conjunction with each other. Security needs to understand the larger mission of the organization and safeguard the tools and assets that enable staff to complete business-critical activity, while also ensuring important data is safeguarded.
Traditional vulnerability management focuses on the act of enumerating flaws in software that could be exploited (CVEs). Exposure management extends beyond this by providing additional context like who is using the system, what they have access to, how it's configured, etc. There is more to proactively securing an environment than patching software. Exposure management enables cybersecurity teams to operationalize their preventive security programs, which in turn also allows organizations to clearly explain the effectiveness of their security program.
BN: How is Tenable approaching this?
BM: As an exposure management platform, Tenable One provides customers with data about configuration issues, vulnerabilities and attack paths across a spectrum of assets and technologies -- including identity solutions (e.g., Active Directory); cloud configurations and deployments; and web applications. These analytics not only give organizations a complete picture of their environment and its weaknesses, but map how a breach could happen, providing actionable intelligence to tangibly reduce risk.
Organizations that can anticipate cyber attacks and communicate those risks for decision support will be the ones best positioned to defend against emerging threats. Examining cyber risk by departmental or operational unit allows collaboration among different constituencies, which saves time, improves investment decisions, supports insurability and drives improvement over time, all while tangibly reducing risk to the organization. Simple really.