Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

Full IT Visibility Requires Business Risk Context

Full IT Visibility Requires Business Risk Context

Having a full, continuously updated and detailed understanding of all IT assets is one of the holy grails for security teams. To achieve it, we must first understand what “visibility” truly entails, how it’s more than just identifying what’s out there and knowing which challenges must be addressed.

If we looked at the starting point of any Information Security framework or best practice over the last 20 or so years, we’d find the initial phase to be “discovery” or “identify” or “understand” or some variation thereof. Collectively, what they’re all saying is that we can’t protect what we don’t know we have. Or more pointedly, we can’t start to make good decisions about how and where to protect our environments if we don’t know what we have. Having broad visibility into what assets are part of our overall infrastructure is the key, fundamental piece of any successful security program.

Despite this being widely accepted and acknowledged, most security practitioners will tell you that getting to that state of complete visibility is still painfully difficult. Security teams implement a wide array of tools, spend a great deal of time integrating data sets from asset management systems and other potential sources of truth, and yet, few will say they feel confident that they truly understand their environment. Why is that? For the most part, it boils down to two key considerations that aren’t being addressed when organizations try to understand their environments:

  • Are you actually looking for and identifying all of your assets, or just the ones you think you know about?
  • Do you understand the context of assets as it pertains to security findings, risk and impact to your organization?

First and foremost, reaching total visibility means identifying and assessing all of the technical assets in your environment, and not just the “easy” ones that are familiar to most IT and security teams. While starting with servers, workstations, network infrastructure equipment and other traditional IT devices is an excellent practice, it’s an all too common situation that other assets are overlooked or completely missed. What else is there? Ask yourself if your team is identifying the following assets:

  • Databases
  • Web applications
  • OT / ICS / SCADA / Industrial IoT devices
  • Cloud infrastructure
  • Virtualization platforms
  • Containers
  • Cloud orchestration services
  • Infrastructure as Code (IaC) configurations
  • Active Directory / Credentials / Groups
  • Public-facing hosts / hostnames / records

The list can go on. While it may be viewed as being too difficult to identify these kinds of assets, they are still critically important to most businesses, are at risk from cyberattacks, and if compromised, will impact the financial and reputational well-being of the organization. If security teams are to take a meaningful first step toward better visibility and having a more complete understanding of our environment, then we have to get our arms around all of these assets as well as the more traditional ones we’re all familiar with. 

It’s for this very reason that Tenable has continuously broadened the tools available on our platform to be able to safely and properly identify assets like these and pull that data back to a single place. Identifying vulnerabilities and other security risks starts with being able to identify and understand the target. With that level of visibility, organizations are better positioned to understand where the greatest risks are within their environment and start taking the necessary steps to mitigate risk where it matters most.

Now, some organizations may have progressed to the point where they’ve become really good at gathering asset inventory data and have a good understanding of what their environment looks like. But, this is yet another place where it starts to fall apart. Having a lot of disparate data, usually spread out between several different repositories, means that security teams have to do a lot of transformation to not only get the information together into one place for better analysis, but they also need to figure out ways to normalize the information they’ve collected. After all, not every asset has an IP address or a host name. Code repositories won’t have the same identifiers as a container instance. Web applications might be identified by domain name or URL, but an industrial Programmable Logic Controller (PLC) may not even be attached to a known network. 

And it’s not just the base asset identifiers that are varied and complicated. Any type of vulnerability or security finding is going to be just as different and disparate, depending on the asset itself. A server may have an easily identifiable vulnerability that has an assigned CVE number, but an IaC misconfiguration won’t have any standard identifier at all. Web application vulnerabilities like SQL Injection and Cross-Site Scripting are more techniques than specific, consistently identifiable OS vulnerabilities. And in the world of Active Directory, underlying security problems stem from compromises to how AD functions and validates credentials across an entire enterprise, which are not things that are fixed by applying a missing patch. 

If your security team has been tasked with trying to understand the risks within the environment and make the decisions about where and what to mitigate first, where would you even begin when you’re not looking at things in an “apples-to-apples” sort of way? In reality, this type of disparate data isn’t even “apples-to-oranges”, and in fact, is much more like “apples-to-starships-to-penguins-to-adjectives”. Understanding the context behind assets and their security findings is key. We first must pull together all this information and normalize it in a way where there is a consistent and measurable way to understand the risk posed to the business by each of these findings. Then we can start to relate the various risk factors against each other and make the best decision we can about where the organization is most at risk, how much risk it presents, and what we need to do to mitigate it. Gathering data is difficult enough as it is, but even if you manage that part, you won’t get far if you can't focus on what’s truly important. You’ll be left with a lot of spreadsheets and databases to manage while still asking the same questions about where to begin.

Want more guidance about your security strategy? Check out Tenable’s 2021 Threat Landscape Retrospective, which provides a comprehensive analysis of last year's threat landscape that security professionals can use to improve their security right now, and view the webinar "Exposure Management for the Modern Attack Surface: Identify & Communicate What's Most at Risk in Your Environment and Vital to Fix First."

Related Articles

Are You Vulnerable to the Latest Exploits?

Enter your email to receive the latest cyber exposure alerts in your inbox.

tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable.io Vulnerability Management trial also includes Tenable Lumin, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

tenable.io BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable.io Vulnerability Management trial also includes Tenable Lumin, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

Tenable.io BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now

Try Tenable.io Web Application Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web Application Scanning trial also includes Tenable.io Vulnerability Management, Tenable Lumin and Tenable.cs Cloud Security.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable.io Container Security

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Try Tenable Lumin

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable.io Vulnerability Management, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable.cs

Enjoy full access to detect and fix cloud infrastructure misconfigurations and view runtime vulnerabilities. Sign up for your free trial now.

Your Tenable.cs Cloud Security trial also includes Tenable.io Vulnerability Management, Tenable Lumin and Tenable.io Web Application Scanning.

Contact a Sales Rep to Buy Tenable.cs

Contact a Sales Representative to learn more about Tenable.cs Cloud Security and see how easy it is to onboard your cloud accounts and get visibility into both cloud misconfigurations and vulnerabilities within minutes.

Try Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Promotional pricing extended until December 31st.
Buy a multi-year license and save more.

Add Support and Training