Risk Visibility and Management: How IT Security Teams Can Enable Speed With Control


As fast as organizations move, IT security needs to move even faster. There are constant pressures to streamline operations and safeguard valuable assets while keeping up with a deluge of new technologies and maintaining usability for employees, partners, vendors, investors, and more. The critical capability to balance this need for speed with demand for security is visibility. Learn more here. To download a free Nexpose demo, click here: http://www.rapid7.com/products/nexpose/compare-downloads.jsp


Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com

The world rotates around the sun at a speed of 67,000 miles per hour. That can feel slow when compared to how fast organizations need to move to stay ahead of the competition, meet customer and constituent demands, and adhere to constantly evolving regulations.

As fast as organizations move, IT security needs to move even faster. There are constant pressures to streamline operations and safeguard valuable assets while keeping up with a deluge of new technologies and maintaining usability for employees, partners, vendors, investors, and more.

The critical capability to balance this need for speed with demand for security is visibility.

What does it mean to have visibility in the context of IT security? Why does it matter? And how does it impact an organization’s ability to be adept and move with speed?

Visibility in the context of security is:

• Getting the full picture - Seeing all the information related to an organization’s IT infrastructure risk, user risk (risks that are posed to an organization from the users themselves), and the threats most relevant to the business. It starts with something as seemingly simple as discovering all of the devices and assets deployed in an organization. It then goes deeper by also revealing the vulnerabilities of those assets, the risks, and the value.

• Gaining relevant insight - Having the ability to filter out and focus on what matters specifically to an individual organization’s environment in accordance with its risk tolerance, the threats it’s likely to face, and the current state of its security posture. Relevant also means giving context to the visibility by identifying vulnerabilities that are exploitable as part of eliminating the noise.

When an organization gains visibility into its real security posture and can easily and systematically validate that risk, decision making and risk management become easier. With useful information, security and operations teams can take meaningful, swift, and efficient action to strengthen security while still moving ahead with new technologies, new processes, and new business strategies. IT security then becomes proactive and instrumental in supporting forward motion in the business and business initiatives.

Why Now?

Change has never happened faster and the “consumerization of IT”—an environment in which business users often make decisions about technology and infrastructure—never more prevalent. Consider this fact: “It took 15 years, from 1996 to Q3 2011, to reach 708 million smartphone devices, but then it took only one year for another 300 million to come online,” says Scott Bicheno, senior analyst at Strategy Analytics. According to Ovum’s Multi-market BYOD Survey, October 2012, “57.1% of Full Time Employees use their personal smartphone or tablet for work in some capacity,” and yet “79% of all BYOD usage is still unmanaged today.” With the expanding network perimeter and unmanaged devices, threat evolution shows no sign of slowing down.

While many of the challenges are similar, each organization needs insight and information that are very relevant to its specific situation. With this visibility, the organization can prioritize actions and move fast in a secure way. Security professionals can have speed with control.

“Speed has never killed anyone, suddenly becoming stationary…that’s what gets you.”

—Jeremy Clarkson, English broadcaster, journalist, and writer who specializes in motoring, co-presenter on the BBC TV show Top Gear


Fast can be safe as long as:

1. Security teams have visibility into all assets and users on the network, including virtualized assets, databases, and mobile devices.

2. One has the ability to constantly look ahead and monitor vulnerabilities and conditions at any time.

3. Risk is validated and easily prioritized for decision making.

4. Safety and mitigating controls are in place.

5. There are good, clean information hand-offs with operational teams who need to maintain equipment and infrastructure, and train users.

6. An organization can respond quickly when issues arise to mitigate risk and get things back on track.

7. Security teams have easy-to-use tools to be more productive.

Context: The Evolving IT Security Function

Given the above, IT security is at a crossroads: The nature of the job has changed, the source of threats is expanding, and the characteristics of what needs protecting are evolving. Unfortunately, the solutions security pros have been using haven’t always kept pace with this evolution. Often, the tools they have are focused on yesterday’s threats, don’t give them visibility into new technology, like virtual machines and cloud-based infrastructure, and are ill-suited to deal with user impact including bring-your-own-device (BYOD).

Organizations need the right tools and processes to gain visibility into the evolving threats and the vulnerabilities of their organization in order to manage risk while moving fast.

There are three key areas into which an organization needs visibility to manage and reduce risk: IT risk, user risk, and threats.

IT Risk

Situation

Network complexity continues to increase. Developments such as virtualization, the cloud, and the looming migration to IPv6 are not only a challenge for IT teams, but represent completely new threat vectors from a security perspective. Assets that used to be more static and managed within an organization’s own data center now are constantly shifting—moving from data center to private cloud and from virtual machine to virtual machine.

Business is increasingly driven by real-time supply chains that include new partner and supplier ecosystems, and internal and outsourced development teams leveraging web services. These dynamic configurations can change on the fly, depending on specific projects or initiatives, making it very challenging for IT and security teams to keep up.


Solution: Visibility across entire infrastructure

Gain insight into the organization’s entire IT risk including its network, operating systems, web applications, databases, mobile devices, and cloud and virtual environments. New technologies are less daunting if they—and the risks they might pose now and on an ongoing basis—can be seen.

Better visibility is the foundation of prioritized risk management because what isn’t seen or known can’t be managed. Contextual visibility means being able to validate risks and vulnerabilities and prioritize them easily based on exploitability, asset value, and relevant risks.

Contextual visibility delivers:

• Insight into the entire IT environment.

• Simple and powerful capabilities to analyze and prioritize risk.

• Clear and specific remediation plans.

User Risk

Situation

Users today are technologically savvy. They’re bringing their own devices and downloading applications, and are empowered to meet their personal IT needs—and that can bring challenges for IT security. BYOD is becoming the norm rather than the exception. 59% of organizations now report that they support personally owned smartphones in some form. Knowing which devices and users are on the network is becoming increasingly difficult.

Organizations that don’t enable that choice and flexibility will fall behind in productivity and attracting an energized and motivated workforce. Yet, even without BYOD, users are the fundamental weak links that most often introduce risk into an organization. They are the target of malicious attacks because hackers see them as an easy path into an organization.

Solution: Security awareness among users and the ability to see all of their devices that touch an organization’s infrastructure

Identify known and unknown users who are accessing the network with their mobile devices. Know which vulnerabilities and risks are associated with those devices and all clients on the network. Find out the users’ security IQ by testing their susceptibility to social engineering tactics and ability to penetrate the organization’s network via mobile devices.

Better visibility delivers empowerment with control including:

• Visibility into all user devices and the risks they pose.

• Clear assessment of user susceptibility to social engineering.

• User risk containment

82% of large organizations reported security breaches caused by staff, including 47% who lost or leaked confidential information.

Source: Infosecurity Magazine


Threats

Situation

There has been a continual evolution in threats including new malware that is much harder to detect. Businesses are facing threats from many different corners. Some businesses are targets of advanced persistent threats because they have assets with high value to a large number of people such as intellectual property, monetary assets, or specialized information assets.

It’s not only individuals who are perpetrating the attacks. Nation states are trying to steal intellectual property so that they can fuel their growth. Activists are trying to wreak havoc for their own purposes.

The danger is insidious and growing. Opportunistic individuals have figured out ways to make money off of assets, and they’re casting a wide net in drive-bys hoping they can get something of value such as user names or information about a business that they might be able to sell.

Every organization is different—and each organization needs to know which of these threats poses the greatest risk to its own security in order to balance risk with security investment and priorities. For most organizations, advanced persistent threats are not the biggest risk. Attacks of opportunity continue to constitute the largest percentage of attacks, indicating malicious actors are finding plenty of easy targets. According to the 2012 Verizon Data Breach Investigations Report, “79% of victims were targets of opportunity. Most victims fell prey because they were found to possess an (often easily) exploitable weakness rather than because they were pre-identified for attack.” Sometimes old vulnerabilities persist on a network, or configurations change inadvertently. Continuous monitoring and defense testing are required for organizations that are moving fast.

Solution: Insight into an organization’s relevant threats

Identify, prioritize, and address threats that are most likely to impact a specific business. Know which threats pose the highest risk based on the organization’s IT environment, users, and assets. Don’t neglect simple hygiene or assume remediation is in place.

Better visibility delivers security investments that stop real threats including:

• Continual testing of control effectiveness against threats.

• Mass-market malware and exploit remediation.

• Automated control and configuration verification.

Malicious or criminal attacks are the most expensive cause of data breaches and are on the rise. In 2011, 37% of data breach cases involved malicious attacks and averaged $222 per record. Negligence accounted for 39% of reported breaches.

Source: 2011 Cost of a Data Breach: United States, Ponemon Institute and Symantec, March 2012

Most data breach victims fell prey because they were found to possess an (often easily) exploitable weakness rather than because they were pre-identified for attack; 79% of victims were targets of opportunity, and 96% of attacks were not highly difficult.

Source: 2012 Data Breach Investigations Report (DBIR), Verizon Business, April 2012


Summary by pillar (Pillar, Situation, Solution)

Pillar: IT Risk

Situation:

• Increasing complexity of IT

• Consumerization of IT

• Real-time supply chains

Solution: Visibility into relevant risks across the entire infrastructure including:

• Physical, virtual cloud assets

• Validation, prioritization based on real risk

• Easy-to-follow remediation advice

Pillar: User Risk

Situation:

• BYOD

• Exploitable by malicious attacks

• Social engineering

Solution: Visibility into security awareness across users and all of their devices that touch an organization’s infrastructure. Better visibility delivers empowerment with control including:

• Visibility into all user devices, operating systems, and vulnerabilities

• Understanding users’ susceptibility to attacks

• User risk containment

Pillar: Threats

Situation:

• Continuous evolution of threats

• Threats now more malicious, harder to detect

• Old threats still not mitigated

Solution: Insight into an organization’s relevant risks to radically improve the ability to stop real threats including:

• Testing effectiveness of security controls against threats

• Automated control and configuration verification

• Prioritized remediation against real threats

What Is The Impact?

The risks associated with these three areas are intertwined, and they affect each other. Security professionals need to see, know, and stay on top of their current state. They must maintain visibility into changes happening across IT environments, users, and threats. They need:

• Tools to keep up and give them visibility into physical and virtualized assets whether they are in the data center or in the cloud including operating systems, applications, databases, networks, video conference equipment, mobile devices, configuration settings, and more

• Visibility into user activity and weak links

• Insight into current and emerging threats that are likely to impact their business (versus those that are unlikely to impact them)

• The ability to put all of this into context, to easily assess and prioritize risks, and to deliver clear, specific remediation plans based on those risks

The bottom line: Only when IT security teams have visibility into IT risks, user risks, and threats can they start to quantify, prioritize, and manage their risk—because no one can manage what can’t be seen.


Security Re-Imagined

For too long, security has been incorrectly viewed as a potential hindrance to business speed and productivity. But with clear visibility and the right tools, security can be proactive. Savvy CISOs and security executives are leading the way to a new vision—Security Re-Imagined.

To excel, organizations need to move fast with control. IT security should be seen as part of an entity’s ability to move forward rather than as a roadblock that is holding the organization back out of fear of resultant risks.

To get there, you have to start with better visibility.

Better Visibility

Visibility into the here and now, including the latest technology and latest threats.

+ Better Risk Management

The ability to validate and prioritize risk based on relevant threats, and to communicate with operations in clear, simple terms about what needs to be fixed, how, and by whom.

= Speed with Control

Complete visibility combined with powerful yet simple risk management lets organizations move forward with more confidence: Security Re-Imagined delivers speed with control.

Speed with control provides a proactive approach to security. This new security model means:

1. Having visibility into risk that is real, not theoretical, for an organization’s environment to fuel effective vulnerability management

2. Assessing and monitoring the risks associated with new technologies to support moving forward with confidence

3. Providing reports and online dashboards that show how to simply and clearly fix the issues to prevent breaches

4. Driving collaboration with the IT team and delivering the specific information it needs to succeed

5. Having contextual insight into IT risk and the information needed for meaningful dialogue about risks and investment with organizational leaders


Recommendations

In order to move forward, organizations must focus not only on the here and now, but also on the future. Most of the security solutions available today are focused on yesterday’s threats and traditional IT infrastructure. Many solutions throw too much information at security professionals, much of which is irrelevant to their environment. These products send scan data with no filter and cannot prioritize based on an organization’s specific context. They don’t cover the latest technologies such as IPv6, virtualization, and mobile assets. They don’t focus on the relationships between IT security and IT operations, or foster the collaboration needed to affect security posture.

IT security needs a solution that provides visibility into the risks of today and tomorrow. Look for the following key functionality:

Key Functionality: An understanding of all the assets in the organization (IT and user)

Why It’s Important: It is very difficult for organizations to discover their entire infrastructure. Often there are assets being monitored by security and other assets monitored by IT—and some, such as BYOD mobile devices, might be completely unmanaged. Having a consolidated view of all the assets is a critical foundation. This includes visibility into what OSes are being run, as well as what applications, configuration settings, databases, and more.

Key Functionality: Asset organization for easier management, filtering, and exception handling

Why It’s Important: People should have visibility into the asset groups they manage (databases, operating systems, applications), and receive clear and simple information about risks and how to mitigate them.

Key Functionality: Ability to assess and expose user-related risk through social engineering

Why It’s Important: Users pose the highest risk to organizations. IT security must be able to easily assess and measure this important risk vector.

Key Functionality: End-to-end assessment of true, exploitable vulnerability across breadth and depth of threats to save time and increase productivity

Why It’s Important: Vulnerabilities are not always exploitable. A company may have mitigating controls in place. Look for tools that allow you to easily validate risks that are exploitable to eliminate proven mitigated risks from reports and more so you can focus on more important issues.

Key Functionality: Clear risk prioritization to inform remediation and risk management efforts

Why It’s Important: Prioritize risk based on prevalence, exploitability, severity, and more.

Key Functionality: Actionable information to speed mitigations and fuel collaboration between security and IT

Why It’s Important: Security professionals can’t spend their time chasing all the vulnerabilities they find—they need to focus on what poses a real risk to their systems. In addition, they must be able to give clear and concise remediation advice to IT. They must be able to:

• Filter and prioritize vulnerability information by a variety of criteria, including asset group ownership

• Give detailed, credible remediation advice about risks that have been validated by penetration tests

Key Functionality: Integrated risk management and risk validation solutions

Why It’s Important: To have fully realized IT security, these solutions should talk to one another and support continuous iteration and innovation.

Key Functionality: Information from the outside world

Why It’s Important: A viable solution should be supported by a community of security users and researchers to gain visibility into what’s happening out in the field and how attackers’ tactics are evolving.


Conclusion

In order to be successful today and tomorrow, organizations need to move fast—but without introducing unnecessary risk. Visibility into the complex and evolving world of IT is critical to combating evolving user threats.

With integrated, complete risk assessment and management tools, IT security teams can empower themselves to move quickly with their organization.

IT security professionals can move away from saying “no” to advancements, such as BYOD or cloud-based assets, because they know they’ll have the information they need to make the right decisions and to manage risks associated with these new technologies. As a result, IT security becomes part of the solution, saying “Yes—let me show you how we can move forward with better security.”

With visibility, prioritized risk management, and better IT security collaboration, organizations can get the best of both worlds: Speed with control.

It’s Security Re-Imagined.

[Figure: Security Re-Imagined. Reactive / Proactive; No / Yes; Tactical / Strategic]

About Rapid7

Rapid7 is a leading provider of IT security risk management software. Its integrated vulnerability management and penetration testing products, Nexpose and Metasploit, and mobile risk management solution, Mobilisafe, enable defenders to gain contextual visibility and manage the risk associated with the IT infrastructure, users, and threats relevant to their organization. Rapid7’s simple and innovative solutions are used by more than 2,000 enterprises and government agencies in more than 65 countries, while the company’s free products are downloaded more than one million times per year and enhanced by more than 175,000 members of its open source security community. Rapid7 has been recognized as one of the fastest growing security companies by Inc. Magazine and as a “Top Place to Work” by The Boston Globe. Its products are top rated by Gartner®, Forrester®, and SC Magazine. The company is backed by Bain Capital Ventures and Technology Crossover Ventures. For more information about Rapid7, please visit http://www.rapid7.com.