Inaccurate Data Creating a False Sense of Security

Larry Hurtado, President & CEO, Digital Defense, Inc.

The efficacy of any information security infrastructure is wholly dependent on the accuracy of the underlying security intelligence. Faulty data can lead those responsible for security toward action–or inaction–that ultimately creates vulnerabilities with far-reaching, sometimes devastating, consequences on the business.

“The resulting gap between the ‘static security solution’ and the changing infrastructure is compounded over time, undermining the usefulness of the vulnerability data provided”

In today’s threat environment, the security risks to all organizations have dramaticallyincreased. As a result, there is a renewed commitment to establishing a healthy security ecosystem based on a holistic view of endpoints, as well as the in-house and third party applications running on them. Many CIOs and CSOs look to vulnerability management providers to deliver this end-to-end view of the infrastructure with a focus on identifying the weak points that leave an organization exposed to hackers and various attacks. But like a physician examining an MRI, a security professional trusts that the picture painted by a vulnerability management solution is accurate, and takes action—or does not—based on that picture.

It’s critical that the picture be based on accurate data points despite the complexity and evolution of the network infrastructure, and the ever evolving nature of the threats. The vulnerability management system must be accurately identifying current threats and potential threats, and enabling that information to be shared across the organization’s multi-vendor security applications.

Previously, information security technologies operated within their own silos, providing specific value, but not taking advantage of information from the organization’s multiple other tools. However, within the last five years, many organizations have realized the benefits of bringing together information from these traditionally separate solutions, and creating a more integrated security ecosystem.

While there is no such thing as a “one size fits all” information security ecosystem, nor does any one vendor offer companies a complete solution to solve all security use cases, companies are working to integrate more. Vendors are announcing key integrations with other security vendors to solve some common use cases. Additionally, most vendors offer Application Programming Interfaces (APIs), allowing their solutions to be integrated with complimentary security tools. In most cases, an organization must evolve their ecosystem based on their own threat and risk models as well.

Unfortunately, these IT teams are also working with a potentially fatal flaw in some vulnerability management solutions that can go undetected until an incident occurs and exposes the shortcoming. This fatal flaw is made more likely by the increasing complexity of today’s heterogeneous networks and multi-vendor security infrastructure.

The problem stems from the simplified algorithmsinterwoven within pattern-matching algorithms located deep within the foundational core of most automated vulnerability management products. Many of these productsassume the networks they are scanning are static, when in fact they are not. As time passes, the underlying networks that these vulnerability solutions are supposed to measure and protect inevitably shift and change.The resulting gap between the “static security solution” and the changing infrastructure is compounded over time, undermining the usefulness of the vulnerability data provided. We call this issue network drift.

You can quickly see how this problem is exacerbated as organizations must evolve their ecosystem based on their own threat and risk models. That’s not to suggest we stop evolving our networks. Keeping pace with current technologies inside and outside security is crucial to any business. Instead, the answer lies in selecting a vulnerability management solution capable of finding security weaknesses as the landscape continually changes. It’s a critical capability. Otherwise, not only is the vulnerability management system not performing its job, but worse yet, all the associated security applications that are functioning based on the (faulty) vulnerability data, are ineffective.

The harsh reality is that the findings portrayed within the “asset views” of the vulnerability management systems used by most organizations (including many Fortune 500 enterprises) are far less accurate than we once believed due to the problem of network drift. Organizations are using inaccurate information to guide their security decisions, and integrate it with their security enforcement technologies within their security ecosystem.

The primitive algorithms found within the inner workings of somevulnerability managementsolutions, supplied by even the largest of the vendors in the space, are seriously limited, and cannot correctly track findings in the presence of the dynamic network changes common to many enterprises. As a result, an organization using such solutions must take extreme care, not be misled by the risk profile portrayed by these products, and instead must question the matching technology used within these platforms and take action to avoid a false sense of security or the chasing of phantom problems.

Integrating security solutions to protect an evolving infrastructure, when done right, is a positive step toward better security overall. When accurate data is brought together, it can help companies create  better pictures of their network and catch and remediate real and problematic security flaws before they become real breaches.