Risk Visibility and Management: How IT Security Teams Can Enable Speed With Control
Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com
The world rotates around the sun at a speed of 67,000 miles per hour. That can feel slow when compared to how fast organizations need to move to stay ahead of the competition, meet customer and constituent demands, and adhere to constantly evolving regulations.
As fast as organizations move, IT security needs to move even faster. There are constant pressures to streamline operations and safeguard valuable assets while keeping up with a deluge of new technologies and maintaining usability for employees, partners, vendors, investors, and more.
The critical capability to balance this need for speed with demand for security is visibility.
What does it mean to have visibility in the context of IT security? Why does it matter? And how does it impact an organization’s ability to be adept and move with speed?
Visibility in the context of security is:
• Getting the full picture - Seeing all the information related to an organization’s IT infrastructure risk, user
risk (risks that are posed to an organization from the users themselves), and the threats most relevant to the
business. It starts with something as seemingly simple as discovering all of the devices and assets deployed
in an organization. It then goes deeper by also revealing the vulnerabilities of those assets, the risks, and
the value.
• Gaining relevant insight - Having the ability to filter out and focus on what matters specifically to an
individual organization’s environment in accordance with its risk tolerance, the threats it’s likely to
face, and the current state of its security posture. Relevant also means giving context to the visibility by
identifying vulnerabilities that are exploitable as part of eliminating the noise.
When an organization gains visibility into its real security posture and can easily and systematically validate that risk, decision making and risk management become easier. With useful information, security and operations teams can take meaningful, swift, and efficient action to strengthen security while still moving ahead with new technologies, new processes, and new business strategies. IT security then becomes proactive and instrumental in supporting forward motion in the business and business initiatives.
Why Now?
Change has never happened faster and the “consumerization of IT”—an environment in which business users often make decisions about technology and infrastructure—never more prevalent. Consider this fact: “It took 15 years, from 1996 to Q3 2011, to reach 708 million smartphone devices, but then it took only one year for another 300 million to come online,” says Scott Bicheno, senior analyst at Strategy Analytics. According to Ovum’s Multi-market BYOD Survey, October 2012, “57.1% of Full Time Employees use their personal smartphone or tablet for work in some capacity,” and yet “79% of all BYOD usage is still unmanaged today.” With the expanding network perimeter and unmanaged devices, threat evolution shows no sign of slowing down.
While many of the challenges are similar, each organization needs insight and information that are very relevant to its specific situation. With this visibility, the organization can prioritize actions and move fast in a secure way. Security professionals can have speed with control.
“Speed has never killed anyone, suddenly becoming stationary…that’s what gets you.”
—Jeremy Clarkson, English broadcaster, journalist, and writer who specializes in motoring, co-presenter on the BBC TV show Top Gear
Fast can be safe as long as:
1. Security teams have visibility into all assets and users on the network, including virtualized assets,
databases, and mobile devices.
2. One has the ability to constantly look ahead and monitor vulnerabilities and conditions at any time.
3. Risk is validated and easily prioritized for decision making.
4. Safety and mitigating controls are in place.
5. There are good, clean information hand-offs with operational teams who need to maintain equipment and
infrastructure, and train users.
6. An organization can respond quickly when issues arrive to mitigate risk and get things back on track.
7. Security teams have easy-to-use tools to be more productive.
Context: The Evolving IT Security Function
Given the above, IT security is at a crossroads: The nature of the job has changed, the source of threats is expanding, and the characteristics of what needs protecting are evolving. Unfortunately, the solutions security pros have been using haven’t always kept pace with this evolution. Often, the tools they have are focused on yesterday’s threats, don’t give them visibility into new technology, like virtual machines and cloud-based infrastructure, and are ill-suited to deal with user impact including bring-your-own-device (BYOD).
Organizations need the right tools and processes to gain visibility into the evolving threats and the vulnerabilities of their organization in order to manage risk while moving fast.
There are three key areas into which an organization needs visibility to manage and reduce risk: IT risk, user risk, and threats.
IT Risk
Situation
Network complexity continues to increase. Developments such as virtualization, the cloud, and the looming
migration to IPv6 are not only a challenge for IT teams, but represent completely new threat vectors from a
security perspective. Assets that used to be more static and managed within an organization’s own data center
now are constantly shifting—moving from data center to private cloud and from virtual machine to virtual
machine.
Business is increasingly driven by real-time supply chains that include new partner and supplier ecosystems, and
internal and outsourced development teams leveraging web services. These dynamic configurations can change
on the fly, depending on specific projects or initiatives, making it very challenging for IT and security teams to
keep up.
Solution: Visibility across entire infrastructure
Gain insight into the organization’s entire IT risk including its network, operating systems, web applications,
databases, mobile devices, and cloud and virtual environments. New technologies are less daunting if they—and
the risks they might pose now and on an ongoing basis—can be seen.
Better visibility is the foundation of prioritized risk management because what isn’t seen or known can’t be
managed. Contextual visibility means being able to validate risks and vulnerabilities and prioritize them easily
based on exploitability, asset value, and relevant risks.
Contextual visibility delivers:
• Insight into the entire IT environment.
• Simple and powerful capabilities to analyze and prioritize risk.
• Clear and specific remediation plans.
User Risk
Situation
Users today are technologically savvy. They’re bringing their own devices
and downloading applications, and are empowered to meet their personal IT
needs—and that can bring challenges for IT security. BYOD is becoming the
norm rather than the exception. 59% of organizations now report that they
support personally owned smartphones in some form. Knowing which devices
and users are on the network is becoming increasingly difficult.
Organizations that don’t enable that choice and flexibility will fall behind in productivity and attracting an
energized and motivated workforce. Yet, even without BYOD, users are the fundamental weak links that most
often introduce risk into an organization. They are the target of malicious attacks because hackers see them as
an easy path into an organization.
Solution: Security awareness among users and the ability to see all of their devices that touch an organization’s infrastructure
Identify known and unknown users who are accessing the network with their mobile devices. Know which
vulnerabilities and risks are associated with those devices and all clients on the network. Find out the users’
security IQ by testing their susceptibility to social engineering tactics and ability to penetrate the organization’s
network via mobile devices.
Better visibility delivers empowerment with control including:
• Visibility into all user devices and the risks they pose.
• Clear assessment of user susceptibility to social engineering.
• User risk containment
82% of large organizations reported security breaches caused by staff, including 47% who lost or leaked confidential information.
Source: Infosecurity Magazine
Threats
Situation
There has been a continual evolution in threats including new malware that is much harder to detect. Businesses
are facing threats from many different corners. Some businesses are targets of advanced persistent threats
because they have assets with high value to a large number of people such as intellectual property, monetary
assets, or specialized information assets.
It’s not only individuals who are perpetrating the attacks. Nation states are trying to steal intellectual property
so that they can fuel their growth. Activists are trying to wreak havoc for their own purposes.
The danger is insidious and growing. Opportunistic individuals have figured out
ways to make money off of assets, and they’re casting a wide net in drive-bys
hoping they can get something of value such as user names or information
about a business that they might be able to sell.
Every organization is different—and each organization needs to know which
of these threats poses the greatest risk to its own security in order to
balance risk with security investment and priorities. For most organizations,
advanced persistent threats are not the biggest risk. Attacks of opportunity
continue to constitute the largest percentage of attacks, indicating malicious
actors are finding plenty of easy targets. According to the 2012 Verizon Data
Breach Investigations Report, “79% of victims were targets of opportunity.
Most victims fell prey because they were found to possess an (often easily)
exploitable weakness rather than because they were pre-identified for
attack.” Sometimes old vulnerabilities persist on a network, or configurations
change inadvertently. Continuous monitoring and defense testing are required
for organizations that are moving fast.
Solution: Insight into an organization’s relevant threats
Identify, prioritize, and address threats that are most likely to impact a
specific business. Know which threats pose the highest risk based on the
organization’s IT environment, users, and assets. Don’t neglect simple hygiene
or assume remediation is in place.
Better visibility delivers security investments that stop real threats including:
• Continual testing of control effectiveness against threats.
• Mass-market malware and exploit remediation.
• Automated control and configuration verification.
Malicious or criminal attacks are the most expensive cause of data breaches and are on the rise. In 2011, 37% of data breach cases involved malicious attacks and averaged $222 per record. Negligence accounted for 39% of reported breaches.
Source: 2011 Cost of a Data Breach: United States, Ponemon Institute and Symantec, March 2012
Most data breach victims fell prey because they were found to possess an (often easily) exploitable weakness rather than because they were pre-identified for attack; 79% of victims were targets of opportunity, and 96% of attacks were not highly difficult.
Source: 2012 Data Breach Investigations Report (DBIR), Verizon Business, April 2012
Pillar: IT Risk
Situation:
• Increasing complexity of IT
• Consumerization of IT
• Real-time supply chains
Solution: Visibility into relevant risks across the entire infrastructure including:
• Physical, virtual cloud assets
• Validation, prioritization based on real risk
• Easy-to-follow remediation advice
Pillar: User Risk
Situation:
• BYOD
• Exploitable by malicious attacks
• Social engineering
Solution: Visibility into security awareness across users and all of their devices that touch an organization’s infrastructure. Better visibility delivers empowerment with control including:
• Visibility into all user devices, operating systems, and vulnerabilities
• Understanding users’ susceptibility to attacks
• User risk containment
Pillar: Threats
Situation:
• Continuous evolution of threats
• Threats now more malicious, harder to detect
• Old threats still not mitigated
Solution: Insight into an organization’s relevant risks to radically improve the ability to stop real threats including:
• Testing effectiveness of security controls against threats
• Automated control and configuration verification
• Prioritized remediation against real threats
What Is The Impact?
The risks associated with these three areas are intertwined, and they affect each other. Security professionals need to see, know, and stay on top of their current state. They must maintain visibility into changes happening across IT environments, users, and threats. They need:
• Tools to keep up and give them visibility into physical and virtualized assets whether they are in the data
center or in the cloud including operating systems, applications, databases, networks, video conference
equipment, mobile devices, configuration settings, and more
• Visibility into user activity and weak links
• Insight into current and emerging threats that are likely to impact their business (versus those that are
unlikely to impact them)
• The ability to put all of this into context, to easily assess and prioritize risks, and to deliver clear, specific
remediation plans based on those risks
The bottom line: Only when IT security teams have visibility into IT risks, user risks, and threats can they start to quantify, prioritize, and manage their risk—because no one can manage what can’t be seen.
Security Re-Imagined
For too long, security has been incorrectly viewed as a potential hindrance to business speed and productivity. But with clear visibility and the right tools, security can be proactive. Savvy CISOs and security executives are leading the way to a new vision—Security Re-Imagined.
To excel, organizations need to move fast with control. IT security should be seen as part of an entity’s ability to move forward rather than as a roadblock that is holding the organization back out of fear of resultant risks.
To get there, you have to start with better visibility.
Better Visibility
Visibility into the here and now, including the latest technology and latest threats.
+ Better Risk Management
The ability to validate and prioritize risk based on relevant threats, and to communicate with operations in clear, simple terms about what needs to be fixed, how, and by whom.
= Speed with Control
Complete visibility combined with powerful yet simple risk management lets organizations move forward with more confidence: Security Re-Imagined delivers speed with control.
Speed with control provides a proactive approach to security. This new security model means:
1. Having visibility into risk that is real, not theoretical, for an organization’s environment to fuel effective
vulnerability management
2. Assessing and monitoring the risks associated with new technologies to support moving forward with
confidence
3. Providing reports and online dashboards that show how to simply and clearly fix the issues to prevent
breaches
4. Driving collaboration with the IT team and delivering the specific information it needs to succeed
5. Having contextual insight into IT risk and the information needed for meaningful dialogue about risks and
investment with organizational leaders
Recommendations
In order to move forward, organizations must focus not only on the here and now, but also on the future. Most of the security solutions available today are focused on yesterday’s threats and traditional IT infrastructure. Many solutions throw too much information at security professionals, much of which is irrelevant to their environment. These products send scan data with no filter and cannot prioritize based on an organization’s specific context. They don’t cover the latest technologies such as IPv6, virtualization, and mobile assets. They don’t focus on the relationships between IT security and IT operations, or foster the collaboration needed to affect security posture.
IT security needs a solution that provides visibility into the risks of today and tomorrow. Look for the following key functionality:
Key Functionality: An understanding of all the assets in the organization (IT and user)
Why It’s Important: It is very difficult for organizations to discover their entire infrastructure. Often there are assets being monitored by security and other assets monitored by IT—and some, such as BYOD mobile devices, might be completely unmanaged. Having a consolidated view of all the assets is a critical foundation. This includes visibility into what OSes are being run, as well as what applications, configuration settings, databases, and more.
Key Functionality: Asset organization for easier management, filtering, and exception handling
Why It’s Important: People should have visibility into the asset groups they manage (databases, operating systems, applications), and receive clear and simple information about risks and how to mitigate them.
Key Functionality: Ability to assess and expose user-related risk through social engineering
Why It’s Important: Users pose the highest risk to organizations. IT security must be able to easily assess and measure this important risk vector.
Key Functionality: End-to-end assessment of true, exploitable vulnerability across breadth and depth of threats to save time and increase productivity
Why It’s Important: Vulnerabilities are not always exploitable. A company may have mitigating controls in place. Look for tools that allow you to easily validate risks that are exploitable to eliminate proven mitigated risks from reports and more so you can focus on more important issues.
Key Functionality: Clear risk prioritization to inform remediation and risk management efforts
Why It’s Important: Prioritize risk based on prevalence, exploitability, severity, and more.
Key Functionality: Actionable information to speed mitigations and fuel collaboration between security and IT
Why It’s Important: Security professionals can’t spend their time chasing all the vulnerabilities they find—they need to focus on what poses a real risk to their systems. In addition, they must be able to give clear and concise remediation advice to IT. They must be able to:
• Filter and prioritize vulnerability information by a variety of criteria, including asset group ownership
• Give detailed, credible remediation advice about risks that have been validated by penetration tests
Key Functionality: Integrated risk management and risk validation solutions
Why It’s Important: To have fully realized IT security, these solutions should talk to one another and support continuous iteration and innovation.
Key Functionality: Information from the outside world
Why It’s Important: A viable solution should be supported by a community of security users and researchers to gain visibility into what’s happening out in the field and how attackers’ tactics are evolving.
Conclusion
In order to be successful today and tomorrow, organizations need to move fast—but without introducing unnecessary risk. Visibility into the complex and evolving world of IT is critical to combating evolving user threats.
With integrated, complete risk assessment and management tools, IT security teams can empower themselves to move quickly with their organization.
IT security professionals can move away from saying “no” to advancements, such as BYOD or cloud-based assets, because they know they’ll have the information they need to make the right decisions and to manage risks associated with these new technologies. As a result, IT security becomes part of the solution, saying “Yes—let me show you how we can move forward with better security.”
With visibility, prioritized risk management, and better IT security collaboration, organizations can get the best of both worlds: Speed with control.
It’s Security Re-Imagined.
Security Re-Imagined
Reactive → Proactive
No → Yes
Tactical → Strategic
About Rapid7
Rapid7 is a leading provider of IT security risk management software. Its integrated vulnerability management and penetration testing products, Nexpose and Metasploit, and mobile risk management solution, Mobilisafe, enable defenders to gain contextual visibility and manage the risk associated with the IT infrastructure, users, and threats relevant to their organization. Rapid7’s simple and innovative solutions are used by more than 2,000 enterprises and government agencies in more than 65 countries, while the company’s free products are downloaded more than one million times per year and enhanced by more than 175,000 members of its open source security community. Rapid7 has been recognized as one of the fastest growing security companies by Inc. Magazine and as a “Top Place to Work” by The Boston Globe. Its products are top rated by Gartner®, Forrester®, and SC Magazine. The company is backed by Bain Capital Ventures and Technology Crossover Ventures. For more information about Rapid7, please visit http://www.rapid7.com.