Want to know the worst best-kept secret in the cybersecurity industry?
We think we know what’s on the network – but in reality, we’ve got no idea.
It’s nobody’s fault. No single event has led us to this point; rather, a series of unfortunate events and best intentions have.
The overlapping and intersecting products that make up our security posture (the defensive efforts of a network ecosystem), and the multitude of events, actions, and anomalies that pollute our view of the space, all work together in a way that actually prevents us from understanding what is truly going on at the wire level.
This is compounded by the proximity of our most sensitive devices to the outside world, and the disruption they would face if compromised. Add to that the number of threats to a network and the vulnerabilities in your most sensitive devices, and you have a perfect storm…
Assuming of course you’re not already in the sights of a dedicated threat agent.
Across hundreds of our assessments from around the globe, sector by sector, and here at home in North America, we routinely see that the systems and sensors being deployed – while valuable and valid at the time – contain gaps and vulnerabilities that leave organizations more exposed than they realize.
So how do you get the ground truth to the CISO, when everyone knows they’re working with only a piece of the information at best, and at worst with information that is dated, munged, or filtered by unavoidable bias?
It’s vital to understand what is really in your network by taking advantage of the MSO factor in all things related to your security posture.
It begins with a resilience assessment. To get to the real baseline of the network and grow it from there, you need to start with the ground truth. There’s no “right way” to start. Just like any activity that has merit, it requires dedication to get to a position of strength that everything else can rest on.
The four dimensions of Cybersecurity:
Device Risk:
To understand the risk that the nodes on your network present, it’s important to be able to assess them with a high degree of certainty. Unfortunately, as networks change over time, devices shift and ports change state. Ultimately, a single scan of a network run at one point in time cannot necessarily be compared with a scan run at another. This is another “Ghost in the Shell” that we regularly witness, and it is a topic for its own post. Meanwhile, device information, and the exposures and exploits that a threat agent might be able to interact with to gain a shell or root access or to subvert any number of programs, remain an intrinsic part of the overall cybersecurity posture of the network.
Device Telemetry:
The information and data transmitted to and from the devices in the network provide a fundamental understanding of the network that not all systems can interpret, and that, more often than not, they get wrong.
Intercepting this information provides a glimpse into what is happening at the wire level, and reveals a vital aspect of the network that few tools can illustrate properly…if at all. Packet traffic, NetFlow, and the entire spectrum of protocols and services that the underlying network relies upon to create safe, secure, and resilient communications are a treasure trove of information. Sadly, many discard this information altogether because it is saturated with unfounded information and alerts.
Device Health:
The best source of information that most tools leverage is the logging that occurs at the device and network level. This provides an abstraction of the workings of the network without the volume of data created by harvesting network information directly. This logging acts as an inventory of the actions, activities, and attributes that any number of functions have online at a given moment.
More often than not, this source of information is accurate and provides a level of insight without the need to harvest massive swaths of data and pursue rabbit holes as they appear on the system.
Device Activity:
This dimension stretches out over time. No single dimension is more noteworthy than this one. We have seen, through the use of our attack surface analysis platform, that node health and risks evolve over time, simply by being able to observe devices over the course of a day, a week, a month. As more interactions are captured, and more threats to the network make themselves apparent, it’s incumbent on us to perceive these threats through trend analysis over their lifetime.
By synthesizing this information into a single lens on the activities happening at the wire level, we have to ensure we’re presenting it in forms that are relevant to the operators, the administrators and the engineering teams. Doing so is essential for the business functions of the network and the entire security program. In this way, the individuals responsible for the day-to-day operations of the enterprise can remain confident that the information being provided is relevant to the continued resilience of the ecosystems that they and their customers rely on daily.
So maybe we don’t know what’s in our networks. Maybe we have dozens of competing systems and tools with various shades of the truth, and changing priorities.
But that doesn’t have to be the end of the story.
Built with MSO-enabled technology, the military-grade Attack Surface Analysis platform CLAW by CybernetIQ is enabling SecOps teams around the globe to make sense of what’s in their networks. No more guessing which version of the truth has the fewest fallacies. No more wondering what the gaps between your systems might be hiding. If you’re interested in learning more, let us blow your mind with a demo.
We promise you’ll be glad you did.