The challenge of preventing hackers from breaching assets and malware from gaining a foothold is escalating. Getting ahead starts with a comprehensive and actionable measure of true security risk.
Every battlefield commander understands the strategic necessity of reliable intelligence. Winning battles depends on accurate understanding of enemies, their tactics and goals, weighing risks against potential damage, and deploying resources to mitigate or neutralize threats. Gathering information is only a starting point; the harder question is whether any of it is relevant or meaningful. Within all the chatter and noise, effective commanders discern the one percent of useful intelligence and follow through with action.
The ongoing struggle to prevent hackers from breaching assets and malware from gaining a foothold requires a vulnerability management strategy that begins with a comprehensive measurement of security risk. Organizations must examine the entire IT stack, including the operating system, network, applications, and databases. The cycle of discovering assets, capturing and processing vulnerability data, identifying actual risks, testing and prioritizing mitigation tasks, and verifying effective controls grows more complex with every new technology that adds convenience but multiplies the risk of a breach or incident. These technologies include dynamic, virtualized environments and services that sit outside the traditional physical IT infrastructure, such as cloud-based services and social networking.
Rapid7 addresses the need for dynamic, in-depth risk management with Security Risk Intelligence, a holistic approach to minimizing risk (Figure 1). It is based on a unified solution set that includes vulnerability management, penetration testing, and best practices. Security Risk Intelligence helps organizations detect vulnerabilities, prioritize risks, and validate threats in a closed-loop system.
Beginning with an understanding of the need for effective risk management followed by a definition of the elements of risk, this discussion presents the advantages and strategic value of Rapid7 Security Risk Intelligence for your environment and illustrates its operation.
Attacks are smarter, sneakier, and easier to perpetrate than ever. The Verizon report found that “96 percent of breaches were avoidable through simple or intermediate controls,” that 50 percent of records breached used some form of hacking, and 49 percent of records breached incorporated use of malware. Incidents investigated during 2010 presented “the largest caseload ever; it was also extremely diverse in the threat agents, threat actions, affected assets, and security attributes involved.”
Security professionals struggle to reduce risk with limited staff and budget. To achieve effective risk management, they must abandon the limitations and expense of traditional, reactive approaches in favor of a proactive, data-driven investment model. They must overcome several challenges: interpreting massive amounts of data, monitoring dynamic assets, incorporating both compliance and security into best practices, moving beyond traditional “scan-and-patch” approaches to implement security best practice programs, and recognizing where conventional prioritization methods fall short.
Data through a fire hose. Most security policies address some form of vulnerability management. Security professionals depend upon accurate assessments to determine whether intervention is necessary and implement proper steps for mitigation or remediation. There is no problem obtaining data: security devices and scanners generate terabytes of it. The challenge is interpreting data: identifying those specific vulnerabilities that truly represent a clear and present risk to security.
Security operators need solutions that help them distinguish the danger signals from the noise. For example, a mission-critical Web server may have ten known vulnerabilities, but which of those ten present genuine risk? A vulnerability management solution should identify and dismiss seven of those vulnerabilities as “noise” and flag the other three as “signals” that require attention.
Dynamic assets, static tools. Virtualization is re-defining how IT operations build and deliver services, but vulnerability scanners have not kept up. Traditional scanners provide a snapshot that becomes obsolete within hours or even minutes in a virtualized environment where VMs go online and offline or change hosts all day long. Virtualized environments, and the risks they present, are constantly changing, and scanners need a continuous discovery feature that tracks these changes as they occur.
Compliance does not equal security. Another challenge is the perception that attaining compliance (e.g., PCI, HIPAA, NERC, FDCC) reduces risk to acceptable levels. A breach of an asset unrelated to compliance can lead to the compromise of assets deemed compliant. Organizations spend billions of dollars on security solutions to address compliance, but most of them do not focus on deploying those solutions for maximum benefit beyond compliance.
Risk reduction encompasses more than “scan-and-patch.” Many enterprises trust that “scan-and-patch” methods keep them secure. Patching is inherently reactive and leaves hackers ahead, because vendors typically issue patches in response to hacking incidents. While patching remains an important security step, security professionals need a variety of proactive solutions and best practices to put them ahead of hackers and malware.
Conventional risk prioritization doesn’t tell you enough. For example, many enterprises rely solely on CVSS scores to define thresholds for mitigation. The CVSS base metrics measure only the potential risk (likelihood plus impact) of a given vulnerability in isolation; the temporal and environmental metrics are optional and are not required to calculate a score. As a result, a base CVSS score does not consider the whole context of the identified vulnerability within the organization. Consider two vulnerabilities: one with a base CVSS score of 9 that is not exploitable in the local environment, and one with a score of 5 that is. The score of 9 may prompt a network operations manager to fix that vulnerability first. Once the local environment is taken into account, and the higher-scored vulnerability is known to be unexploitable while the lower-scored one is exploitable, it becomes obvious that the exploitable vulnerability should take priority.
For example, MS10-022, “Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution,” has a CVSS base score of 7.6. This score is deceptively low, because the vulnerability is exploitable by a malware kit, and Rapid7 Metasploit can exploit it as well. The actual risk associated with this vulnerability is greater than its CVSS score indicates, and the Rapid7 Real Risk score of 867 (on a scale of 1000) more accurately reflects its severity.
The battlefield commander relies upon useful intelligence to help determine the most effective way to deploy assets and forces. The commander needs to understand the advantages and limitations associated with terrain: desert or forest, mountains or plains; where the enemy is most likely to attack: by air, water, or land, across a field or bridge; what the enemy wants to accomplish: blow up the bridge or cross it and blow up a munitions depot; predict the consequences of a potential enemy incursion; and what to do to win the battle.
On the IT battlefield, security professionals need to measure the likelihood that a given vulnerability will be exploited and the potential impact such an exploit would cause. It is the security professional’s mission to identify the critical vulnerabilities, quantify unacceptable risk levels, and then decide what, if anything, to do. It is impractical, and unnecessary, to attempt to remediate every vulnerability listed on a scan report. Most vulnerabilities present low risk for various reasons. Perhaps the asset is non-critical, or it is not exploitable by a malware kit, or compensating controls, such as a firewall, protect it.
Security professionals measure risks using four parameters: Exposure, Likelihood, Impact, and Mitigation (see Figure 2 below). A combination of automated and expert risk intelligence methods qualifies and quantifies actual risk. Automated risk intelligence is vulnerability scanning with a solution such as Rapid7 Nexpose. Expert risk intelligence is penetration testing with a solution such as Rapid7 Metasploit. The depth and breadth of these methods determines the success of the risk assessment and mitigation process. Following is a chart of questions associated with each parameter, followed by a list of capabilities that will support security professionals in their quest to answer those specific questions.
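The following worked example, added here and not part of the original white paper or any Rapid7 product, makes the two preceding points concrete: it computes a CVSS v2 base score from a vector string (the published CVSS v2 base equations, which is how the 7.6 for MS10-022 is derived) and then re-ranks a constructed set of findings by Exposure, Likelihood, Impact, and Mitigation context, so that a score-5 vulnerability with a working exploit outranks a score-9 vulnerability with none. The context multipliers, the 0-to-1000 scale, the vulnerability identifiers V-A, V-B and V-D, and the sample findings are all assumptions for illustration; they are not Rapid7's Real Risk formula.

```python
"""Added example: CVSS v2 base score from a vector, then a context-aware
re-ranking.  The CVSS v2 weights and equations are from the CVSS v2
specification; everything under "context" is an assumed model for this
example only, not Rapid7's Real Risk algorithm."""
import math

# CVSS v2 base metric weights (CVSS v2 specification).
_AV = {"L": 0.395, "A": 0.646, "N": 1.0}       # Access Vector
_AC = {"H": 0.35, "M": 0.61, "L": 0.71}        # Access Complexity
_AU = {"M": 0.45, "S": 0.56, "N": 0.704}       # Authentication
_CIA = {"N": 0.0, "P": 0.275, "C": 0.660}      # Confidentiality/Integrity/Availability impact


def _round1(x):
    # CVSS v2 rounds to one decimal, half up (Python's round() is half-even).
    return math.floor(x * 10 + 0.5) / 10


def cvss2_base(vector):
    """Compute the CVSS v2 base score from a vector such as
    'AV:N/AC:H/Au:N/C:C/I:C/A:C' (the MS10-022 vector, which yields 7.6)."""
    m = dict(part.split(":") for part in vector.split("/"))
    impact = 10.41 * (1 - (1 - _CIA[m["C"]]) * (1 - _CIA[m["I"]]) * (1 - _CIA[m["A"]]))
    exploitability = 20 * _AV[m["AV"]] * _AC[m["AC"]] * _AU[m["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176
    return _round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


# Assumed context multipliers (illustrative, not a published formula).
EXPLOIT = {"malware kit": 1.0, "public exploit": 0.9,     # Likelihood
           "proof of concept": 0.6, "none known": 0.3}
ASSET = {"critical": 1.0, "important": 0.7, "low": 0.4}   # Impact / Exposure
COMPENSATING_CONTROL = 0.5                                 # Mitigation (e.g. firewall blocks the port)


def contextual_score(vuln):
    """Scale the CVSS base score to 0..1000, then weight it by exploit
    availability, asset criticality, and any compensating control."""
    score = cvss2_base(vuln["vector"]) * 100
    score *= EXPLOIT[vuln["exploit"]]
    score *= ASSET[vuln["asset"]]
    if vuln.get("compensating_control"):
        score *= COMPENSATING_CONTROL
    return int(math.floor(score + 0.5))


def prioritize(vulns):
    """Rank findings by contextual score, highest first."""
    return sorted(vulns, key=contextual_score, reverse=True)


# Constructed sample findings (identifiers V-A, V-B, V-D are hypothetical).
SAMPLE = [
    # CVSS 9.0, no known exploit, critical host: the "9 that is not exploitable".
    {"id": "V-A", "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
     "exploit": "none known", "asset": "critical"},
    # CVSS 5.0, malware kit exploits it: the "5 that is exploitable".
    {"id": "V-B", "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
     "exploit": "malware kit", "asset": "critical"},
    # MS10-022: CVSS 7.6 but exploited by a malware kit.
    {"id": "MS10-022", "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
     "exploit": "malware kit", "asset": "critical"},
    # CVSS 9.0 with an exploit, but a firewall blocks the vulnerable service.
    {"id": "V-D", "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
     "exploit": "malware kit", "asset": "critical", "compensating_control": True},
]

if __name__ == "__main__":
    for v in prioritize(SAMPLE):
        print(f'{v["id"]:10} CVSS {cvss2_base(v["vector"]):4}  contextual {contextual_score(v)}')
```

Run stand-alone, the ranking comes out MS10-022 (760), V-B (500), V-D (450), V-A (270): the unexploitable score-9 finding drops to the bottom, the firewalled score-9 finding is halved, and the score-5 finding with a malware kit moves ahead of both. The point is the mechanism, not the particular multipliers; a real program would source the exploit-availability and asset-criticality inputs from the penetration-testing and asset-discovery steps described above.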
Every IT security professional knows that the battle to protect IT resources and data is fully engaged. In its 2011 Data Breach Investigations Report, Verizon studied 761 data compromise incidents that occurred in 2010, compared to just over 900 total breaches studied between 2004 and 2009. Verizon reported that of all breached records, 50 percent involved some form of hacking and 49 percent included use of malware.