There’s an old saying that you can’t secure what you can’t see. While perhaps a bit cliché, it is an accurate statement that deserves inspection. It’s not a new topic, but with the proliferation of cloud services, remote working, and general IT sprawl, I wanted to share some thoughts.
New Names, Old Concept
There are a lot of old and new terms in security, but most of them have visibility at their core. Terms like cloud security posture management (CSPM), attack surface management (ASM), vulnerability management (VM), etc., go beyond visibility, but visibility is at the core of these offerings. Many cybersecurity frameworks have also recognized the importance of visibility. One of the best examples comes from the Center for Internet Security (CIS). Their controls are prioritized in the order of importance (as determined by a large committee of industry leaders). The top two priorities in the CIS Controls are “Inventory and Control of Enterprise Assets” and “Inventory and Control of Enterprise Software.” In other words – visibility! It’s worth noting that the CIS controls have been updated many times to reflect changes in the industry, but visibility has always been the top priority.
The Dead Horse is Officially Beaten – Now What?
What an odd idiom, but it seemed to fit. Let’s shift gears to talk about why visibility has become more challenging. The most significant change has been the migration of assets and services to the cloud, combined with the relative ease of doing so. Add in remote workers, and you have a recipe for confusion. The sprawl these changes have created means many organizations don’t know what services, applications, and devices exist in their extended environment.
Another often overlooked element of visibility is data visibility. So much effort is spent discovering “things” that we often forget the data (arguably the most essential asset for any organization). Any visibility strategy needs to include data discovery (and ideally classification).
I Found My Needle, Where is The Haystack?
There are multiple ways to approach visibility, and many of them overlap. My personal experience is that I generally see two extremes: organizations with minimal visibility, and those with so many tools collecting data that the overlap creates a new set of problems. The IT security industry is also converging in this space. For example, historically, vulnerability management platforms did a poor job of discovering assets outside a controlled domain (and if we knew the specific domains, we wouldn’t need the discovery tool). Then a new set of solutions entered the market, focused on providing visibility on a much broader scale. The vulnerability management platforms are now working to close that gap and incorporate those features themselves.
How to Avoid Analysis Paralysis
With so many options, it’s not a matter of lacking tools to help with visibility, but instead properly leveraging those tools to ensure complete detection while avoiding duplication to the degree possible. On our Resources page, Nexum has an entire series devoted to visibility. Rather than repeat what’s already well covered in that series, here are a few pointers for starting.
- At a high level, you can think of visibility in two contexts: inside-out and outside-in. Traditional approaches to visibility have focused on the inside-out approach (these were developed before the proliferation of the cloud). Now there’s an increased focus on outside-in (what an attacker could see from the Internet without logical or physical access to your environment). Both are important, and you mustn’t fall into the trap of only focusing on one aspect.
- Don’t neglect Internet of Things (IoT) devices in your visibility strategy. It’s easy to overlook IoT devices that might be sitting on a manufacturing shop floor, or even in the office environment. These devices are frequently unpatched (in fact, some cannot be patched) and can represent a real threat to the overall environment. There are ways to mitigate this risk, but you first need to understand the connectivity of these devices.
- The concepts of ASM and CSPM are essential. In simple terms, they help you analyze your public-facing profile, make sure you’re aware of all potential access points, and secure them adequately. While not exclusively focused on outside-in, they primarily play in that space and can complement an existing inside-out strategy.
- Don’t neglect this critical part of any security strategy. All the best tools and policies won’t help if you have systems, applications, or networks that aren’t known but provide connectivity back to company assets.
How are you approaching visibility? We’d love to hear success stories (or challenges) for this important but sometimes difficult concept.