A new year has started, giving InfoSec professionals the perfect opportunity to evaluate what’s working and what’s not in their organizations, and, filled with that early-January optimism, set out to do better.
In that spirit of improvement and renewal, Qualys is today kicking off a blog series that outlines helpful tips, not just flimsy resolutions, for ensuring data security and compliance throughout the year.
In this initial post, we’ll discuss the first three of the Qualys Top 10 Tips for a Secure & Compliant 2017, addressing the importance of IT asset visibility, proper management of vulnerabilities, and continuous monitoring.
Tip #1: IT Security Starts with Visibility
To remain competitive, enterprises must embrace digital transformation, which means adopting cloud computing, mobile devices, virtualization, and other emerging technologies like IoT. While good for business, digital transformation has upended traditional network perimeters, making it harder for organizations to have a comprehensive view of all IT assets, because:
- IT workloads once safely encapsulated in on-premises PCs and servers have been moved to cloud instances and made accessible via roaming laptops, cell phones, and tablets.
- Business functions that were previously offline or limited to internal networks are now widely exposed via the internet as web services to customers, partners, employees, and suppliers.
- Individual employees and entire business units are bypassing the IT department by using unapproved personal devices and apps for work.
Organizations that don’t know where their IT assets reside — whether on premises, in cloud instances or mobile endpoints — who controls them, and their associated security risks, are highly vulnerable to breaches.
Thus, InfoSec teams must regain visibility and control — the essential building blocks of strong security and compliance — to get an unimpeded, real-time view of their constantly changing and increasingly distributed and heterogeneous IT environments.
Specifically, it’s essential to have a continuously up-to-date IT asset inventory with granular details about services, file systems and registries that is easily searchable and is compatible with virtualized environments.
The importance of a comprehensive IT asset inventory has been well documented. For example, the first two of the Center for Internet Security (CIS) Critical Security Controls, which CIS counts among the five foundational controls every organization should implement first, are: Inventory of Authorized and Unauthorized Devices (CSC 1), and Inventory of Authorized and Unauthorized Software (CSC 2).
But organizations still fall short. To cite just one example, 20 out of 24 large federal agencies polled recently by the U.S. Government Accountability Office (GAO) had incomplete application inventories.
This not only prevents them from streamlining their software portfolio for efficiency and cost savings, but also “presents a security risk since agencies can only secure assets if they are aware of them,” GAO noted in its report.
With legacy, on-premises security solutions unable to deliver this type of visibility into hybrid environments, cloud-based asset inventory services are an attractive alternative.
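The two CIS controls cited above boil down to a reconciliation: everything the network actually contains is compared against what IT has approved, in both directions. The following added example (not code from this post or from Qualys) does that over constructed sample data, classifying discovered devices and packages as authorized or not, flagging approved assets that were not seen (the forgotten ones), flagging assets with no owner, and making the live inventory searchable by package so "where do we run X?" is a one-line query when a new vulnerability is disclosed. Keying records by IP address is an assumption made for brevity; a real inventory would use a stable asset identifier so cloud and mobile assets survive re-addressing.

```python
"""Reconcile what a discovery scan sees against the authorized asset inventory.

Added example, not part of the original post.  All inventory and scan records
below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    hostname: str
    owner: str           # team that controls the asset; "unknown" is itself a finding
    location: str        # "on-prem", "aws", "laptop", ...
    software: frozenset  # approved package names, e.g. "openssh-7.4"


# Constructed authorized inventory, keyed by the address the scanner will see
# (an assumption for this example; a real inventory uses a stable asset ID).
AUTHORIZED = {
    "10.0.1.10": Asset("db01", "dba-team", "on-prem",
                       frozenset({"postgresql-9.6", "openssh-7.4"})),
    "10.0.1.11": Asset("web01", "web-team", "on-prem",
                       frozenset({"nginx-1.10", "openssh-7.4"})),
    "10.0.9.40": Asset("old-fileshare", "unknown", "on-prem",
                       frozenset({"samba-3.6"})),
}

# Constructed discovery results: address -> packages actually found on the host.
DISCOVERED = {
    "10.0.1.10": frozenset({"postgresql-9.6", "openssh-7.4"}),
    "10.0.1.11": frozenset({"nginx-1.10", "openssh-7.4", "teamviewer-12"}),  # unapproved remote-access tool
    "10.0.1.57": frozenset({"openssh-7.4", "dropbox-client"}),               # never registered with IT
}


def reconcile(authorized: dict, discovered: dict) -> dict:
    """Return the findings an inventory control should surface, in both directions."""
    auth_addrs, seen_addrs = set(authorized), set(discovered)

    # CSC 1: a device is on the network that nobody approved.
    unauthorized_devices = sorted(seen_addrs - auth_addrs)
    # Approved but not seen: a stale record, a decommissioned box, or an outage.
    forgotten_devices = sorted(auth_addrs - seen_addrs)
    # CSC 2: packages on an approved host that are outside its approved set.
    unauthorized_software = {
        addr: sorted(discovered[addr] - authorized[addr].software)
        for addr in sorted(auth_addrs & seen_addrs)
        if discovered[addr] - authorized[addr].software
    }
    # An asset with no accountable owner cannot be patched or decommissioned on purpose.
    unowned = sorted(addr for addr, a in authorized.items() if a.owner == "unknown")

    return {
        "unauthorized_devices": unauthorized_devices,
        "forgotten_devices": forgotten_devices,
        "unauthorized_software": unauthorized_software,
        "unowned": unowned,
    }


def hosts_running(discovered: dict, package_prefix: str) -> list:
    """Search the live inventory: which addresses run a package matching the prefix?

    This is the query you run the day a new vulnerability is disclosed.
    """
    return sorted(addr for addr, pkgs in discovered.items()
                  if any(p.startswith(package_prefix) for p in pkgs))


if __name__ == "__main__":
    for finding, value in reconcile(AUTHORIZED, DISCOVERED).items():
        print(f"{finding}: {value}")
    print("hosts running openssh:", hosts_running(DISCOVERED, "openssh-"))
```

Note that the "forgotten" and "unowned" findings come from the authorized side, not from the scan: an inventory that is never reconciled against what is actually seen silently accumulates records nobody can act on, which is exactly the gap the GAO report describes.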
Tip #2: Get To Your IT Vulnerabilities Before Attackers Do
New software vulnerabilities are disclosed constantly, thousands per year, and each one is a potential entry point for attackers. The biggest data breaches make the headlines, but countless smaller intrusions happen every day without making the news.
Thus, organizations must know at all times which vulnerabilities are present in their OSes, applications, firmware and middleware; understand the level of risk each one carries; and plan remediation of affected IT assets accordingly.
“Vulnerability management has been a Sisyphean endeavor for decades. Attacks come in millions, exploits are automated and every enterprise is subject to the wrath of the quick-to-catch-on hacker. What’s worse, new vulnerabilities come out every day,” reads Verizon’s 2016 Data Breach Investigations Report.
Effective vulnerability management requires continuously identifying threats, monitoring changes in your network, discovering and mapping all your devices and software (including new, unauthorized and forgotten ones), and reviewing configuration details for each asset.
Cloud-based vulnerability management solutions that provide global visibility into your systems’ vulnerabilities can be a good fit for organizations wanting to stay ahead of attackers.
Tip #3: Security Requires Continuous Monitoring
With digitalization blurring the traditional boundaries of IT perimeters and exposing more and more IT assets on the internet, it’s critical for enterprises to constantly monitor their networks. After all, you can be sure that hackers are likewise on the outside continually looking for vulnerabilities they can exploit to break into your systems.
That’s why InfoSec experts agree on the importance of continuous monitoring. “Continuous monitoring is quickly coming to the forefront as a key activity for the ongoing security of networks, systems and, by extension, enterprises,” reads the 2015 SANS Institute continuous monitoring report “What Are Their Vulnerabilities?”
In the 2016 report “Reducing Attack Surface: SANS’ Second Survey on Continuous Monitoring Programs,” published in November, SANS Institute concluded that “although CM is shifting focus and slowly improving, it still has a way to go to attain the maturity needed to become a critical part of an organization’s business strategy.”
To be in the group that’s doing continuous monitoring well, an enterprise must integrate a set of activities, tools and processes, such as asset and configuration management, host and network inventories, and continuous vulnerability scanning, down to the remediation workflow, according to SANS Institute.
“This includes monitoring all systems and activities — at all times — for unauthorized changes, vulnerabilities, abnormal operation, needed patches and workarounds,” reads the report.
A cloud-based continuous monitoring solution can keep an eye on your global network from the cloud (like hackers do), and alert the appropriate people to critical security issues, like unexpected network changes.
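The alerting described above is, at its core, a diff between successive outside-in views of the perimeter with a severity and a recipient attached to each change. The following added example (not code from this post or from Qualys) compares two constructed scan snapshots and emits alerts for newly exposed services, hosts that appeared or vanished, and newly detected vulnerabilities, routing each to the asset's owner or to a fallback on-call alias. The snapshot format, the hypothetical vulnerability labels, the CVSS thresholds, the list of services that should never appear newly exposed, and the team aliases are all assumptions made for the example.

```python
"""Alert on unexpected changes between two perimeter scan snapshots.

Added example, not part of the original post.  Snapshots, owners and
vulnerability labels are constructed; 203.0.113.0/24 is a documentation range.
"""
from dataclasses import dataclass

CVSS_CRITICAL = 9.0   # assumed thresholds for mapping a score to an alert severity
CVSS_HIGH = 7.0
# Services that should essentially never be newly exposed on an internet-facing host.
RISKY_SERVICES = {"rdp", "smb", "telnet", "ftp", "vnc", "ms-sql", "mysql", "redis"}
DEFAULT_ROUTE = "soc-oncall"   # hypothetical alias used when an asset has no owner


@dataclass(frozen=True)
class Alert:
    severity: str   # "critical", "high" or "info"
    host: str
    message: str
    route_to: str   # team alias the alert is sent to


# Snapshot format (assumed): host -> {"owner": alias or None,
#                                      "ports": {port: service},
#                                      "vulns": {vuln_id: cvss_score}}
BASELINE = {
    "203.0.113.10": {"owner": "web-team", "ports": {443: "https"}, "vulns": {}},
    "203.0.113.11": {"owner": "web-team", "ports": {443: "https", 22: "ssh"},
                     "vulns": {"VULN-0001": 5.3}},
    "203.0.113.12": {"owner": "api-team", "ports": {443: "https"}, "vulns": {}},
}
LATEST = {
    "203.0.113.10": {"owner": "web-team", "ports": {443: "https", 3389: "rdp"}, "vulns": {}},
    "203.0.113.11": {"owner": "web-team", "ports": {443: "https"},
                     "vulns": {"VULN-0001": 5.3, "VULN-0002": 9.8}},
    "203.0.113.99": {"owner": None, "ports": {80: "http"}, "vulns": {}},
}


def _severity_for_cvss(score: float) -> str:
    if score >= CVSS_CRITICAL:
        return "critical"
    if score >= CVSS_HIGH:
        return "high"
    return "info"


def diff_snapshots(baseline: dict, current: dict) -> list:
    """Compare two snapshots and return one Alert per change worth a human's attention."""
    alerts = []

    for host, now in sorted(current.items()):
        route = now.get("owner") or DEFAULT_ROUTE
        before = baseline.get(host)

        if before is None:
            # A host appeared on the perimeter; one nobody owns is the worst case.
            sev = "critical" if now.get("owner") is None else "high"
            exposed = ", ".join(f"{p}/{s}" for p, s in sorted(now["ports"].items()))
            alerts.append(Alert(sev, host, f"new host on perimeter exposing {exposed}", route))
            continue

        for port, svc in sorted(now["ports"].items()):
            if port not in before["ports"]:
                sev = "critical" if svc in RISKY_SERVICES else "high"
                alerts.append(Alert(sev, host, f"port opened: {port}/{svc}", route))
        for port, svc in sorted(before["ports"].items()):
            if port not in now["ports"]:
                alerts.append(Alert("info", host, f"port closed: {port}/{svc}", route))

        for vid, score in sorted(now["vulns"].items()):
            if vid not in before["vulns"]:
                alerts.append(Alert(_severity_for_cvss(score), host,
                                    f"new vulnerability {vid} (CVSS {score})", route))

    for host, before in sorted(baseline.items()):
        if host not in current:
            # Vanished hosts matter too: an outage, or a decommission nobody recorded.
            route = before.get("owner") or DEFAULT_ROUTE
            alerts.append(Alert("high", host, "host no longer responding", route))

    return alerts


def escalations(alerts: list) -> list:
    """The subset that should page someone rather than wait for the daily digest."""
    return [a for a in alerts if a.severity == "critical"]


if __name__ == "__main__":
    for a in diff_snapshots(BASELINE, LATEST):
        print(f"[{a.severity:8}] {a.host:14} -> {a.route_to:10} {a.message}")
```

Running the two snapshots produces five alerts: RDP newly exposed on a web host, an SSH port closed (informational), a new CVSS 9.8 finding, an unowned host that appeared, and an owned host that disappeared. Three of them are critical and go out immediately; the rest can wait for the remediation workflow, which is the prioritization problem Tip #4 takes up.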
Next week, we’ll continue this series with a post devoted entirely to Tip #4: The importance of prioritizing your remediation work so you don’t become overwhelmed by the plethora of vulnerability disclosures.