Full IT Visibility Requires Business Risk Context

Having a full, continuously updated and detailed understanding of all IT assets is one of the holy grails for security teams. To achieve it, we must first understand what “visibility” truly entails, how it’s more than just identifying what’s out there and knowing which challenges must be addressed.

If we looked at the starting point of any Information Security framework or best practice over the last 20 or so years, we’d find the initial phase to be “discovery” or “identify” or “understand” or some variation thereof. Collectively, what they’re all saying is that we can’t protect what we don’t know we have. Or more pointedly, we can’t start to make good decisions about how and where to protect our environments if we don’t know what we have. Having broad visibility into what assets are part of our overall infrastructure is the key, fundamental piece of any successful security program.

Despite this being widely accepted and acknowledged, most security practitioners will tell you that getting to that state of complete visibility is still painfully difficult. Security teams implement a wide array of tools, spend a great deal of time integrating data sets from asset management systems and other potential sources of truth, and yet, few will say they feel confident that they truly understand their environment. Why is that? For the most part, it boils down to two key considerations that aren’t being addressed when organizations try to understand their environments:

• Are you actually looking for and identifying all of your assets, or just the ones you think you know about?
• Do you understand the context of assets as it pertains to security findings, risk and impact to your organization?

First and foremost, reaching total visibility means identifying and assessing all of the technical assets in your environment, and not just the “easy” ones that are familiar to most IT and security teams. While starting with servers, workstations, network infrastructure equipment and other traditional IT devices is an excellent practice, it’s an all too common situation that other assets are overlooked or completely missed. What else is there? Ask yourself if your team is identifying the following assets:

• Databases
• Web applications
• OT / ICS / SCADA / Industrial IoT devices
• Cloud infrastructure
• Virtualization platforms
• Containers
• Cloud orchestration services
• Infrastructure as Code (IaC) configurations
• Active Directory / Credentials / Groups
• Public-facing hosts / hostnames / records

The list can go on. While it may be viewed as being too difficult to identify these kinds of assets, they are still critically important to most businesses, are at risk from cyberattacks, and if compromised, will impact the financial and reputational well-being of the organization. If security teams are to take a meaningful first step toward better visibility and having a more complete understanding of our environment, then we have to get our arms around all of these assets as well as the more traditional ones we’re all familiar with. 

It’s for this very reason that Tenable has continuously broadened the tools available on our platform to be able to safely and properly identify assets like these and pull that data back to a single place. Identifying vulnerabilities and other security risks starts with being able to identify and understand the target. With that level of visibility, organizations are better positioned to understand where the greatest risks are within their environment and start taking the necessary steps to mitigate risk where it matters most.

Now, some organizations may have progressed to the point where they’ve become really good at gathering asset inventory data and have a good understanding of what their environment looks like. But, this is yet another place where it starts to fall apart. Having a lot of disparate data, usually spread out between several different repositories, means that security teams have to do a lot of transformation to not only get the information together into one place for better analysis, but they also need to figure out ways to normalize the information they’ve collected. After all, not every asset has an IP address or a host name. Code repositories won’t have the same identifiers as a container instance. Web applications might be identified by domain name or URL, but an industrial Programmable Logic Controller (PLC) may not even be attached to a known network. 

And it’s not just the base asset identifiers that are varied and complicated. Any type of vulnerability or security finding is going to be just as different and disparate, depending on the asset itself. A server may have an easily identifiable vulnerability that has an assigned CVE number, but an IaC misconfiguration won’t have any standard identifier at all. Web application vulnerabilities like SQL Injection and Cross-Site Scripting are more techniques than specific, consistently identifiable OS vulnerabilities. And in the world of Active Directory, underlying security problems stem from compromises to how AD functions and validates credentials across an entire enterprise, which are not things that are fixed by applying a missing patch. 

If your security team has been tasked with trying to understand the risks within the environment and make the decisions about where and what to mitigate first, where would you even begin when you’re not looking at things in an “apples-to-apples” sort of way? In reality, this type of disparate data isn’t even “apples-to-oranges”, and in fact, is much more like “apples-to-starships-to-penguins-to-adjectives”. Understanding the context behind assets and their security findings is key. We first must pull together all this information and normalize it in a way where there is a consistent and measurable way to understand the risk posed to the business by each of these findings. Then we can start to relate the various risk factors against each other and make the best decision we can about where the organization is most at risk, how much risk it presents, and what we need to do to mitigate it. Gathering data is difficult enough as it is, but even if you manage that part, you won’t get far if you can't focus on what’s truly important. You’ll be left with a lot of spreadsheets and databases to manage while still asking the same questions about where to begin.

Want more guidance about your security strategy? Check out Tenable’s 2021 Threat Landscape Retrospective, which provides a comprehensive analysis of last year's threat landscape that security professionals can use to improve their security right now, and view the webinar "Exposure Management for the Modern Attack Surface: Identify & Communicate What's Most at Risk in Your Environment and Vital to Fix First."