2020 has completely uprooted our lives. Many individuals have started working from home, which has led to organizations scrambling to address security vulnerabilities on their devices. The reason companies are working so hard to address these issues is to prevent attacks like those regularly seen in the news. Big names like Equifax, Target, and Sony have fallen victim to cyber attacks, but many other organizations are falling victim to “hackers” without any news coverage. Working remotely has opened Pandora’s box when it comes to accurately assessing the security posture of systems beyond the usual organizational boundary.
Organizations evaluate and mitigate cyber risks using well-established solutions, including network vulnerability scanning, antivirus (AV), Endpoint Detection and Response (EDR), and asset management systems. Maintaining these systems and ensuring complete coverage is a challenge for any organization in the best of times, but with the added complexity of a distributed workforce the task can seem daunting. Incomplete coverage in existing security tools caused by a shift in workforce location can lead to blind spots where risks remain undetected for extended periods of time.
The standard security controls deployed within the boundary of an organization increase the security of the business network. But we are starting to see a paradigm shift in how these controls are viewed. Where security tools were once deployed reactively, as needs arose, these controls are now being viewed as fundamental building blocks of any good IT hygiene program. However, IT security professionals face daily challenges, including blind spots in their tools, data overload, and communicating risk to decision-makers in a meaningful way. As the attack surface evolves, driven by digital transformation and resource allocation to the cloud, it is no longer enough to merely patch vulnerable operating systems and applications.
IT security leaders must know when they have an “unknown” risk — a risk that, while present, is not directly detected by a single tool and surfaced in its operational context. They must understand the context in which a system or user is currently operating, and what risks that may pose. While many tools address single aspects of this complex problem, they often leave leadership with an incomplete picture.
A security program can no longer be based solely on finding and patching vulnerabilities. Often, simple configuration changes can lead to unintended consequences and expose organizations to risks that were previously mitigated or protected by another mechanism. The dynamic nature of large organizations often creates a situation where blind spots in data allow the organization’s security posture to quickly “drift” or “rot.”
As noted in a recent SANS Institute survey, Effectively Addressing Advanced Threats: “Visibility of data, users, devices and the cloud environment are playing a critical role in how and whether security professionals can fight advanced threats effectively…While many tools such as security analytics are available to the security community, implementing them is dependent on understanding the organization’s environment.” In response to the survey, 48% said they lacked organizational insight into vulnerability blind spots generated by unmanaged devices or individuals with no geolocation data.
Blind spots are different for every IT organization, depending on risk posture and security program maturity. Therefore, finding and evaluating risks effectively requires an impact-based approach that uses both security tools and assessment methodologies. Without knowing and understanding the impact a risk may truly have on the environment, it is nearly impossible to adopt a risk-based security approach.
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) recommends that organizations use a multi-pronged strategy to find and address potential blind spots. This includes reviewing and comparing the output from vulnerability scanners, AV, EDR, and other IT management tools to ensure full coverage. The output of each individual solution must be assessed against the larger overall security program so that “unknown” risks become known and are addressed.
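The cross-tool comparison described above is simple to automate once each tool can export a list of the hosts it knows about and when it last saw them. The following Python script is an added example (not part of the original article and not code from CISA or any vendor) that reconciles a constructed asset inventory against constructed exports from a vulnerability scanner, an AV console, and an EDR console. The hostnames, dates, tool names, and the 30-day staleness threshold are all assumptions chosen for illustration. It reports three kinds of blind spot: managed hosts absent from a tool, hosts a tool has not seen recently (coverage that has "rotted"), and hosts a tool sees that the inventory does not know about (unmanaged devices).

```python
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample exports for hypothetical hosts. In practice each list would
# come from the tool's own API or CSV export; only (hostname, last_seen) is used.
# Note the deliberately inconsistent casing and domain suffixes between tools.
CMDB = [("WS-ALICE.corp.example", "2020-09-01"), ("ws-bob.corp.example", "2020-09-01"),
        ("srv-db01", "2020-09-01"), ("ws-carol", "2020-09-01")]
VULN_SCANNER = [("ws-alice", "2020-08-30"), ("SRV-DB01.corp.example", "2020-08-31"),
                ("ws-dave", "2020-08-31")]
AV = [("ws-alice", "2020-09-01"), ("ws-bob", "2020-07-01"),
      ("srv-db01", "2020-09-01"), ("ws-carol", "2020-09-01")]
EDR = [("ws-alice", "2020-09-01"), ("ws-bob", "2020-09-01"),
       ("ws-carol", "2020-09-01"), ("ws-dave", "2020-09-01")]


def normalize(hostname: str) -> str:
    """Reduce 'WS-ALICE.corp.example' and 'ws-alice' to one key so the same
    machine is not treated as two different hosts by different tools."""
    return hostname.strip().split(".")[0].lower()


def load(records: List[Tuple[str, str]]) -> Dict[str, datetime]:
    """Map normalized hostname -> most recent last_seen timestamp."""
    seen: Dict[str, datetime] = {}
    for host, last_seen in records:
        key = normalize(host)
        ts = datetime.strptime(last_seen, "%Y-%m-%d")
        if key not in seen or ts > seen[key]:
            seen[key] = ts
    return seen


def coverage_report(inventory: List[Tuple[str, str]],
                    tools: Dict[str, List[Tuple[str, str]]],
                    as_of: datetime,
                    stale_after_days: int = 30) -> Dict[str, dict]:
    """Compare the authoritative inventory with every tool's view.

    missing:   inventory host -> tools that have never reported it
    stale:     inventory host -> (tool, days since last seen) beyond threshold
    unmanaged: tool -> hosts it reports that are not in the inventory
    """
    inv = load(inventory)
    views = {name: load(recs) for name, recs in tools.items()}
    missing: Dict[str, List[str]] = {}
    stale: Dict[str, List[Tuple[str, int]]] = {}
    unmanaged: Dict[str, List[str]] = {}

    for host in sorted(inv):
        for name, view in views.items():
            if host not in view:
                missing.setdefault(host, []).append(name)
                continue
            age = (as_of - view[host]).days
            if age > stale_after_days:
                stale.setdefault(host, []).append((name, age))

    for name, view in views.items():
        extra = sorted(h for h in view if h not in inv)
        if extra:
            unmanaged[name] = extra

    return {"missing": missing, "stale": stale, "unmanaged": unmanaged}


def run_sample() -> Dict[str, dict]:
    """Run the report over the constructed exports as of a fixed date."""
    tools = {"scanner": VULN_SCANNER, "av": AV, "edr": EDR}
    return coverage_report(CMDB, tools, as_of=datetime(2020, 9, 15))


if __name__ == "__main__":
    report = run_sample()
    for host, gaps in report["missing"].items():
        print(f"MISSING   {host}: never seen by {', '.join(gaps)}")
    for host, entries in report["stale"].items():
        for tool, days in entries:
            print(f"STALE     {host}: {tool} last saw it {days} days ago")
    for tool, hosts in report["unmanaged"].items():
        print(f"UNMANAGED {tool} reports hosts not in inventory: {', '.join(hosts)}")
```

The point of the `normalize` step is that most "phantom" gaps in such comparisons are naming mismatches rather than real coverage holes, so reconcile names before trusting the diff. Running the script on the sample data shows `ws-bob` and `ws-carol` never scanned, `srv-db01` without an EDR agent, AV on `ws-bob` silent for 76 days, and `ws-dave` known to the scanner and EDR but absent from the inventory entirely.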
Risk analysis today is a complex process, and it will become more complex as organizations address the needs of their remote workforces. IT organizations face new and evolving threats to the growing attack surface beyond their boundary, as well as to existing on-premises and cloud resources. Communicating risks to the business — and remediating those risks in a timely manner — is now one of the most pressing challenges that security teams need to address. By starting with a risk-based security approach that leverages both existing security tools and the organization’s understanding of operational risks, IT security teams can begin their journey to holistically addressing blind spots and managing their risk.