By: Hadi Jaafarawi, Managing Director, Middle East, Qualys
As pressure builds on the region’s security operations centres to decipher telemetry and chase down threats in increasingly complex environments, it is worth noting that much of their difficulty lies in visibility. Even the most dedicated CISO cannot protect what they cannot see. Digital assets, therefore, must be properly catalogued so that cybersecurity teams can get accurate views of devices, applications, and network topologies.
Such views will differ from those of the IT team, which has its own priorities. For security professionals, asset inventory will be less about software support and licenses and more about potential entry points and vulnerabilities. Therefore, security teams should not be left to rely on secondhand asset inventory data from IT.
The main underlying security benefit of accurate asset management is the ability to triage threat data. Now that multi-cloud and hybrid workplaces are adding multiple layers of complexity to technology stacks, security teams can be overwhelmed with alerts. By thoroughly profiling every element of the network and applying some basic automation, threat hunters can compile a more manageable to-do list, one that ensures clarity and purpose. Some items may be quick wins, such as simple software patching or reconfiguration. Others may be more complex but require immediate action because of the potential harm they could cause. And others may be trivial and can be ignored.
A foundation for VMDR
Under the right policies, automated processes can watch for new risky assets or existing ones that cross a threat threshold when they undergo changes. Once asset inventories are compiled, organisations can deploy VMDR (vulnerability management, detection, and response) systems to police them. But policies, inventories and the automation that governs them must be tightly integrated as a single solution. As sound as software policies are, if the automated tool is a bolt-on, telemetry may not flow to the tool in a reliable format. And automation is vital to achieve the reduction of alert fatigue that security teams seek.
So, when we combine comprehensive views with global inventories into a unified platform, we start to see an ideal environment take shape. Arduous and routine tasks are automated while highly trained professionals are routed to where their talents can add the most value. The rich views delivered by this ideal setup empower security teams with contextual information that allows them to make better decisions and take more effective action in real time.
According to the top cybersecurity official in the UAE government, the country was hit by a 250% increase in cybercrime in 2020, compared with the previous year. New environments are encouraging bad actors to act badly, and the region’s security teams need to be adequately armed to defend their digital perimeters. Being able to detect the big threats in real time requires the dialing down of white noise that results from complexity, and VMDR is a great tool with which to accomplish this. It is time to reimagine our security postures with security teams in mind.
No hiding place
The right VMDR platform will support both agent-based and agentless data collection, automatically profiling known assets, and initiating background processes to scan for unknown assets. Ideally, no asset should escape its gaze, whether that element is on premises, in the cloud, part of a software container, an element of operational technology, or integrated into an Internet of Things ecosystem.
Following the formulation of an asset inventory, teams will have access to normalised, categorised information, allowing contextual views of each asset. Are they routers, printers, PCs, or mobile devices? Do they run databases? On what hardware are they running? Synchronise this information with a configuration management database (CMDB) and teams gain another layer of context: owner, location, and status, such as whether the asset is live or part of a staging environment. All of this allows proper correlation, leading to more accurate tracking of the health of each digital asset.
Get asset management right and rich information will flow to where it can be leveraged to the greatest benefit. Security teams will be able to use allowlisting and denylisting to get a view of policy compliance across the enterprise and quickly identify unauthorised processes and applications. They will also be able to automate the detection of end-of-service applications and make informed decisions about their future.
Risk assessment and compliance
Additionally, the ideal asset platform will give a view of which active assets can be seen by the public Internet, and automatically assign risk metrics to components based on attribute profiles. This greatly oils the gears of compliance, because rich, visual reports on risk factors can be obtained on demand. And it increases the quality of response, allowing beleaguered teams room to breathe and work. Being able to control the workflow and frequency of your alerting system means organisations can design threat postures that are relevant to their operating models.
And response itself can be automated. When the alerting system has been optimised to the satisfaction of security leaders, they can automate actions such as reconfiguring or uninstalling applications or tagging new assets for vulnerability profiling.
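The pipeline sketched across the last few sections (normalising collector output, enriching it from a CMDB, checking software against an allow/deny policy, scoring Internet exposure and lifecycle context, then emitting tags such as "needs vulnerability profiling" for automation to act on) is shown below as an added illustration. It is not Qualys code or the behaviour of any particular VMDR product; the hostnames, CMDB records, policy entries and risk weights are constructed for the example, and the weights in particular are hypothetical.

```python
"""Added example, not Qualys code. Normalises asset records from two
collectors, enriches them from a CMDB, applies an allow/deny policy,
scores Internet exposure and other risk attributes, and emits the tags
an automated workflow would act on. All hosts, weights and policy
entries are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed raw records from two collectors with different field names.
RAW_INVENTORY = [
    {"source": "agent", "hostName": "fin-db-01", "osName": "Windows Server 2012 R2",
     "publicIp": "203.0.113.10", "installed": ["MSSQL 2014", "TeamViewer"],
     "lastScan": "2024-03-01"},
    {"source": "scanner", "host": "hr-print-02", "os": "Printer firmware 4.1",
     "exposure": "internal", "services": ["ipp", "telnet"], "lastScan": None},
    {"source": "agent", "hostName": "dev-web-07", "osName": "Ubuntu 22.04",
     "publicIp": None, "installed": ["nginx", "python3"], "lastScan": "2024-03-10"},
]

# Constructed CMDB extract: owner, location and lifecycle status per host.
CMDB = {
    "fin-db-01": {"owner": "finance-it", "location": "dxb-dc1", "status": "production"},
    "dev-web-07": {"owner": "platform", "location": "aws-me-south-1", "status": "staging"},
}

# Hypothetical policy: software that must never run, and platforms past end of service.
POLICY = {"denylist": {"teamviewer", "telnet"},
          "end_of_service": {"windows server 2012 r2"}}

# Hypothetical risk weights; a real platform tunes these to its own model.
WEIGHTS = {"internet_facing": 40, "denylisted": 15, "end_of_service": 20,
           "production": 10, "no_cmdb_record": 10, "never_scanned": 10}


@dataclass
class Asset:
    host: str
    os: str
    software: list
    internet_facing: bool
    last_scan: Optional[str]
    owner: str = "unknown"
    location: str = "unknown"
    status: str = "unknown"
    findings: list = field(default_factory=list)
    score: int = 0
    tags: list = field(default_factory=list)


def normalise(raw: dict) -> Asset:
    """Map collector-specific field names onto one canonical record."""
    if raw["source"] == "agent":
        return Asset(raw["hostName"], raw["osName"], raw["installed"],
                     raw["publicIp"] is not None, raw["lastScan"])
    return Asset(raw["host"], raw["os"], raw["services"],
                 raw["exposure"] == "external", raw["lastScan"])


def enrich(asset: Asset, cmdb: dict) -> Asset:
    """Attach owner/location/status from the CMDB; absence is itself a finding."""
    record = cmdb.get(asset.host)
    if record is None:
        asset.findings.append("no_cmdb_record")
    else:
        asset.owner, asset.location, asset.status = (
            record["owner"], record["location"], record["status"])
    return asset


def apply_policy(asset: Asset, policy: dict) -> Asset:
    """Record denylisted software and end-of-service platforms as findings."""
    for item in asset.software:
        if item.lower() in policy["denylist"]:
            asset.findings.append(f"denylisted:{item}")
    if asset.os.lower() in policy["end_of_service"]:
        asset.findings.append("end_of_service")
    return asset


def score(asset: Asset, weights: dict = WEIGHTS) -> int:
    """Additive risk score from exposure, policy findings and lifecycle context."""
    total = 0
    if asset.internet_facing:
        total += weights["internet_facing"]
    if asset.status == "production":
        total += weights["production"]
    if asset.last_scan is None:
        total += weights["never_scanned"]
    for f in asset.findings:
        total += weights["denylisted" if f.startswith("denylisted:") else f]
    asset.score = total
    return total


def auto_tag(asset: Asset) -> list:
    """Tags an automated workflow would act on (re-scan, quarantine, review)."""
    tags = []
    if asset.last_scan is None:
        tags.append("needs-vuln-profiling")
    if asset.internet_facing:
        tags.append("internet-facing")
    if asset.owner == "unknown":
        tags.append("unknown-owner")
    if any(f.startswith("denylisted:") for f in asset.findings):
        tags.append("policy-violation")
    if "end_of_service" in asset.findings:
        tags.append("end-of-service")
    asset.tags = tags
    return tags


def bucket(asset: Asset) -> str:
    """Triage bucket: act immediately, quick win (patch/reconfigure), or defer."""
    if asset.score >= 70:
        return "immediate"
    if asset.findings:
        return "quick-win"
    return "defer"


def triage(raw_inventory, cmdb=CMDB, policy=POLICY):
    """Full pipeline; returns assets ordered highest risk first."""
    assets = []
    for raw in raw_inventory:
        a = apply_policy(enrich(normalise(raw), cmdb), policy)
        score(a)
        auto_tag(a)
        assets.append(a)
    return sorted(assets, key=lambda a: a.score, reverse=True)


if __name__ == "__main__":
    for a in triage(RAW_INVENTORY):
        print(f"{a.host:12} score={a.score:3} {bucket(a):9} owner={a.owner:12} tags={a.tags}")
```

Run as written, the Internet-facing production database on an end-of-service platform lands in the "immediate" bucket, the printer that the CMDB has never heard of and the scanner has never profiled becomes a quick win (and gets tagged for vulnerability profiling and ownership review), and the clean staging web host drops to the bottom. The point of the example is the ordering and the tags, not the specific weights: whatever model a platform uses, the score only means something if the CMDB context and the policy findings were joined to the asset first.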
Once the optimised asset-management platform is built, that is when residing in the cloud becomes an advantage. Information can be shared across devices and locations in real time, allowing always-on detection and response. And with the pressure of alert fatigue lifted, the talents of human security specialists can finally be leveraged to optimal effect.