Solutions

Every network has vulnerabilities; prioritizing and managing the ones that matter keeps you one step ahead of threats that might otherwise go undiscovered.

Actionable Vulnerability Management

What a Vulnerability Scan Can't Tell You

In today's world of IT security, vulnerability management is a major component of everyday operations. Vulnerability scans have become one of the favored tools of security professionals for identifying vulnerabilities present within an enterprise. Many industry and government regulatory standards, such as PCI and FISMA, also either require a process for vulnerability management or explicitly mandate vulnerability scans at a specific interval, such as monthly or quarterly.

A vulnerability scan is an excellent solution for identifying vulnerabilities, but identification is only the first step. Without a comprehensive understanding of an enterprise's network, a vulnerability scan provides only a one-dimensional view of the enterprise's threat posture. Depending on the size of the enterprise and the number of hosts, the reports from a vulnerability scan usually contain thousands of vulnerabilities, but identifying which of them are real threats is not something a vulnerability scan alone can accomplish. A vulnerability scan cannot identify, for instance, that the primary threat to the network runs through the vulnerabilities on two hosts which, if breached, could allow a significant amount of access to the heart of the network. By focusing on 50 vulnerabilities instead of 1,000+, the enterprise could significantly increase its level of security. Correlating the network architecture and access policies is necessary to achieve a multi-dimensional view of the enterprise's threat posture. Finally, to effectively prioritize remediation efforts it is essential to measure the identified threats against a variety of data, including the severity of the vulnerabilities found, the business value of the scanned assets, and the amount of network access a host has to other hosts within the enterprise. A holistic approach to measuring one threat against another is an effective way to identify which threats pose a significant risk.

RedSeal complements the results of a vulnerability scan by providing the network contextualization and the holistic metrics needed to prioritize remediation. By understanding the network topology, ACLs and filter rules, RedSeal is able to accurately identify which vulnerabilities are true threats. Then, by combining the vulnerability scan data, network topology, and asset values, RedSeal generates a series of metrics that present a holistic solution for prioritizing and maximizing remediation efforts. Executing this approach manually would easily take weeks to months for most enterprises. By automating the entire process, RedSeal is able to provide definitive answers in hours.

Threat Identification

A vulnerability scan is excellent for identifying the vulnerabilities within an enterprise, but it does not provide the next key step, threat identification. To identify which vulnerabilities pose a threat to the enterprise, it is necessary to have a full understanding of the network access policies: exactly what type of application traffic is allowed to and from all areas of the network. For example, your vulnerability scanner may identify a vulnerability of high severity on a web server, but if an upstream router or firewall is blocking traffic from threat sources to that web server then the vulnerability probably doesn't pose a high level of risk to your enterprise.

RedSeal identifies threats by automatically collecting network device (router, firewall, etc.) configuration data and host/vulnerability data from vulnerability scans, and correlating the two across the entire enterprise.

RedSeal reports which hosts are susceptible to attack based on the combination of known vulnerabilities and network access policies. Additionally, RedSeal draws on the Threat Reference Library's unique knowledge of which vulnerabilities, if exploited, could enable an attacker to leapfrog from the exposed host to other hosts deeper in your network. By understanding which vulnerabilities are leapfroggable, RedSeal can identify threat paths that would enable an attacker to gain access to high-value resources deep within the network.

Prioritization and Remediation

Just as the results of a vulnerability scan can be daunting to prioritize with regard to remediation, so can the number of threats present. Ultimately, prioritization requires a holistic approach to correlating and measuring the available data, including the severity of the vulnerabilities found, the business value of the scanned assets, and the amount of network access a host has to other hosts. Identifying which hosts present the highest level of risk to the enterprise requires an understanding of how each host relates to all other hosts within the enterprise.

To assist enterprises with prioritizing their remediation efforts, RedSeal provides a set of risk metrics. The RedSeal analysis engine examines the network to determine what access each host has to all other hosts on the network. Also included is information about the general risk of each reachable host, which is based on severity of the vulnerabilities present and the business value of the host. This holistic approach results in the downstream risk (DSR) metric for each host. The DSR metric, which sums up the risk of all hosts reachable from the measured host, provides enterprises with a powerful tool for determining exactly which hosts and vulnerabilities pose the highest level of risk to the enterprise, and maximizes remediation efforts, ensuring no resources are wasted. No other solution in the industry offers a metric as comprehensive as the RedSeal Downstream Risk Metric.

The top ten hosts sorted by downstream risk provide users with an excellent prioritization list for their remediation efforts. In this example, SSHServer1 poses a higher risk to the enterprise than any other host.
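The downstream risk calculation described above, as an added illustration that is not RedSeal's own code: each host's risk is taken as its business value weighted by the worst vulnerability present (an assumed scoring rule), reachability follows the allowed-access edges, and an attacker can pivot onward only through hosts that carry a leapfroggable vulnerability (also an assumption about how the threat paths are built). The hosts, values, severities and access edges are constructed sample data.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    business_value: float                      # analyst-assigned asset value
    vulns: list = field(default_factory=list)  # (severity, leapfroggable) pairs

    def risk(self) -> float:
        # Assumed scoring rule: asset value weighted by the worst vulnerability.
        return self.business_value * max((s for s, _ in self.vulns), default=0.0)

    def is_pivot(self) -> bool:
        # A host can be leapfrogged through if any vulnerability allows it.
        return any(leapfrog for _, leapfrog in self.vulns)


# Constructed sample inventory; in a real deployment this comes from scan data.
HOSTS = {h.name: h for h in [
    Host("WebServer1", 3, [(7.5, True)]),
    Host("SSHServer1", 5, [(9.0, True)]),
    Host("DBServer1", 10, [(8.0, False)]),
    Host("Workstation1", 1, [(4.0, True)]),
    Host("FileServer1", 7, [(6.5, False)]),
]}
# Constructed allowed-access edges (src -> set of dst), i.e. what the ACLs permit.
ACCESS = {
    "WebServer1": {"DBServer1"},
    "SSHServer1": {"Workstation1", "FileServer1", "WebServer1"},
    "DBServer1": set(),
    "Workstation1": {"FileServer1", "DBServer1"},
    "FileServer1": {"Workstation1"},
}


def reachable_from(start, hosts, access):
    """Hosts an attacker holding `start` can reach, pivoting only via leapfroggable hosts."""
    seen, queue = set(), deque([start])
    while queue:
        cur = queue.popleft()
        if cur != start and not hosts[cur].is_pivot():
            continue  # reachable, but cannot be used as a stepping stone
        for nxt in access.get(cur, ()):
            if nxt != start and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def downstream_risk(start, hosts, access):
    """DSR: sum of the risk of every host reachable from the measured host."""
    return sum(hosts[h].risk() for h in reachable_from(start, hosts, access))


def rank_by_dsr(hosts, access, top=10):
    scored = ((name, downstream_risk(name, hosts, access)) for name in hosts)
    return sorted(scored, key=lambda t: t[1], reverse=True)[:top]
```

Ranking the sample data puts SSHServer1 first: although DBServer1 carries the highest standalone risk, it reaches nothing, while SSHServer1 reaches every other host through its pivots.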

Finally, the RedSeal Threat Reference Library provides information on how to remediate vulnerabilities. Once the hosts with the highest DSR score are discovered, enterprises can use the available remediation data to remove the vulnerabilities from their network.

Conclusion

While a vulnerability scan is an important piece of vulnerability management, it is important to realize that an understanding of the network topology, the ability to generate holistic metrics for prioritizing threats, and access to accurate remediation data are all necessary to ensure that your efforts are effective at securing the enterprise. Identifying the threats that matter does not have to be a daunting task. By understanding the network topology, ACLs and filter rules, and correlating them with vulnerability scan data, RedSeal is able to accurately identify which vulnerabilities are true threats. This approach automates what would otherwise be a very tedious and time-intensive workload. What would take weeks, if not months, to complete manually can be completed in minutes to hours using RedSeal.