Close The Gaps Left By Traditional Vulnerability Management Through Continuous Monitoring Organizations Find Real Value With Continuous Monitoring

Transcription

1 A Forrester Consulting Thought Leadership Paper Commissioned By Tenable Network Security February 2014 Close The Gaps Left By Traditional Vulnerability Management Through Continuous Monitoring Organizations Find Real Value With Continuous Monitoring

2 Table Of Contents Executive Summary... 1 The Threat Landscape Overwhelms Traditional Vulnerability Management... 2 Organizations Struggle To Establish Effective Vulnerability Management Practices... 3 The Extended Enterprise Exacerbates These Vulnerability Management Challenges... 3 Continuous Monitoring: Born In The Federal Space, Expands Beyond... 4 Continuous Monitoring Delivers... 5 Transitioning To Continuous Monitoring... 6 Key Recommendations... 8 Appendix A: Methodology... 9 Appendix B: Endnotes... 9 ABOUT FORRESTER CONSULTING Forrester Consulting provides independent and objective research-based consulting to help leaders succeed in their organizations. Ranging in scope from a short strategy session to custom projects, Forrester s Consulting services connect you directly with research analysts who apply expert insight to your specific business challenges. For more information, visit forrester.com/consulting. 2014, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester, Technographics, Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. For additional information, go to [1-N08AQ1]

3 1 Executive Summary In December 2013, Tenable Network Security commissioned Forrester Consulting to assess the current state and effectiveness of vulnerability management. Despite having vulnerability management programs, organizations continue to be compromised. The purpose of this study was to assess the feasibility that continuous monitoring (CM) could address the myriad of challenges associated with traditional vulnerability management. Forrester Consulting assessed the adoption as well as benefits of CM implementation. Companies that have implemented CM have found measurable value for their vulnerability management strategy. Organizations that have adopted CM experience fewer challenges at each phase of the vulnerability management life cycle, ranging from discovery to scanning to remediation. In addition, leaders responsible for overall security operations realized this value the most and were much more confident in their security programs. Organizations that have implemented continuous monitoring are more than twice as likely to be satisfied with their vulnerability management approach compared to those that use periodic scanning. In conducting in-depth surveys with 180 US-based security leaders from verticals including financial services, government, healthcare, higher education, retail, and utilities/energy, Forrester found that CM was being adopted and organizations are finding value in its adoption. Those that have adopted CM have better visibility into their environments, enabling them to make informed decisions regarding the risks to their organization. Forrester s study yielded three key findings: Traditional vulnerability management doesn t address the challenges of the extended enterprise. Consumerization, mobility, and cloud are the hallmarks of the extended enterprise. Periodic snapshot vulnerability scanning fails miserably when trying to address the dynamic nature of today s extended enterprise environments. Vulnerability management is about more than just compliance, it should be a strategic part of your security program. Like it or loathe it, compliance is a necessary evil, but as the recent retail point-of-sales attacks demonstrate, it doesn t guarantee a company is free from compromise. Organizations that implement CM feel much better about their ability to meet compliance requirements, but more importantly they feel more confident in the overall security of their organizations.

4 2 The Threat Landscape Overwhelms Traditional Vulnerability Management scan can give a complete picture of the software risks present. However, organizations often space these scans so far apart that it affords hackers ample opportunity to discover and exploit known vulnerabilities. Vulnerability management (VM) has been a part of information security operations for a long time, and managing vulnerabilities and threats continues to be a top priority for security decision-makers: 86% of respondents rated it as their second highest IT security priority for the next 12 months. 1 To address this priority, security leaders have implemented a wide range of technologies and workflows to discover, scan, and remediate vulnerabilities as quickly as operational resources permit. For many organizations, the goal of VM is to identify and reduce the vulnerabilities attackers could exploit, lowering the company s overall risk of compromise. For other organizations, the goal of a VM program is to address the compliance requirements of a standard like the PCI DSS. Traditional VM relies upon vulnerability scanners that actively interrogate hosts seeking out vulnerabilities. The output of a vulnerability scanner is the virtual equivalent of reams and reams of paper that is sent off to an operations team for remediation. The traditional approach to vulnerability management shouldn t put you at ease because: Despite VM programs, breaches occur. Breaches are still a regular occurrence in organizations of all sizes and industries. With 1,460 publicly reported data breaches in 2013, it should be of no surprise that security professionals (especially CISOs) are worried about the threat landscape. 2,3 Consider the 2011 RSA breach all it takes is one unpatched vulnerability within an Excel sheet and an entire brand can be tarnished for years. Snapshot scans aren t frequent enough. Seventy percent of survey respondents indicated that their scanning frequency was monthly or less (see Figure 1). Enterprises that are compliance focused wait even longer between vulnerability scans. In fact, 20% of compliancefocused respondents conduct annual vulnerability scans only. How often does your organization scan? These scanning gaps are worrisome. Gaps in vulnerability scan times give attackers large windows of opportunity; 83% of those surveyed were worried about these gaps in scan time (see Figure 2). Assuming a security team has a complete inventory and risk classification of the organization s assets, a vulnerability FIGURE 1 70% Of Orgs Scan Once A Month Or Less How often do you conduct vulnerability scans across your organization? More than once a day FIGURE 2 Daily Weekly Monthly Quarterly Annually Base: 180 US security decision-makers Source: A commissioned study conducted by Forrester Consulting on behalf of Tenable Network Security, December % Of Security Pros Are Concerned About Security Gaps Between Vulnerability Scans How concerned is your organization about security or compliance issues occurring between your periodic scans? Don t know 5 very concerned 1 not at all concerned 0% 0% 2% Base: 180 US security decision-makers % 15% 39% 44% Source: A commissioned study conducted by Forrester Consulting on behalf of Tenable Network Security, December % 9% 18% 29% 32%

5 3 Organizations Struggle To Establish Effective Vulnerability Management Practices Vulnerability management programs must discover, scan, and remediate continuously and with enough speed such that attackers are presented with as small of an attack surface as possible. However, security professionals reported challenges with every step of the vulnerability management workflow, specifically: 74% experienced challenges with the overall VM program. One major challenge with VM programs that organizations face is staffing. Enterprises struggle with staffing the team from both a headcount as well as a skills perspective. In other Forrester research, we found that more than half of firms rate lack of staff as a challenge, and 48% find unavailability of security employees with the right skills as a major challenge, citing lack of security operations skills as the biggest pain. 4 77% experienced challenges with asset discovery. Discovery of all the organization s assets (including servers, employee corporate/personal devices, embedded systems, etc.) must take place in order to give a security team a complete picture of their environment before deciding which endpoints to scan. For the purposes of this report, Forrester defines endpoints as: workstations, servers, laptops, mobile devices, and tablets. The explosion of transient endpoints can make discovery challenging. You must have visibility into all of your assets; a false sense of security results from only assessing your known assets. The unknown assets could be your highest risks assets. 66% experienced challenges with vulnerability remediation. Vulnerability scans will often return large numbers of results; it is up to the security team to analyze and prioritize these results based on the risks posed to their organization. However, without a clear picture of these risks, many organizations struggle to accurately prioritize these vulnerabilities, ultimately leading to inefficiencies in their remediation practices. The Extended Enterprise Exacerbates These Vulnerability Management Challenges The extended enterprise is here and with it comes the increasingly fragmented network environment, populated with a widening range of devices placed outside of traditional IT s control. These include personal and corporate laptops, smartphones, tablets, virtual instances, and cloud resources. It should come as no surprise that today s organizations are highly mobile. In fact, 96% of organizations reported that at least a third of their workforces use mobile devices. The extended enterprise presents several unique challenges for VM: The more mobile, the more worried. It should be no surprise that our data shows that 54% of highly mobile organizations are particularly concerned with gaps in their vulnerability scans, compared with only 35% of those who self-describe as only being moderately mobile (see Figure 3). 79% experienced challenges with vulnerability scanning. Once a security team has completed the asset discovery phase, they must decide on a group of endpoints in which to actively scan. On one hand, if the group is too large, scans will likely overload their network and take much too long. On the other hand, if the group is too small, critical vulnerabilities are more likely to be missed. In another common scenario, a no scanning policy for mission-critical assets forces many organizations to unwittingly increase the likelihood of having highly available compromised assets. This results from availability requirements trumping security requirements. This occurs in scenarios where medical devices, industrial control systems, and key servers must maintain availability at all costs.

6 4 FIGURE 3 Highly Mobile Organizations Are Particularly Concerned With Security Gaps Between Vulnerability Scans FIGURE 4 Mobile And Virtual Assets Are Particularly Difficult To Pin Down What challenges do you experience with asset discovery? How concerned is your organization about security or compliance issues occurring between your periodic scans? We experience no challenges with asset discovery 23% 5 very concerned 54% 35% 29% We have devices (tablets, smartphones, laptops) that don t reside within our enterprise during discovery scanning 49% 4 33% 45% 29% We have virtual machines that may be dormant during discovery scanning 37% Our environment is too large to discover all assets in a reasonable time 27% 3 2 9% 18% 4% 1% 43% Highly mobile (N = 85) We aren t confident in our ability to discover all the assets within our environment 19% Moderately mobile (N = 88) 1 not at all concerned 0% Do not typically allow or embrace mobile technologies (N = 7) Base: 180 US security decision-makers Source: A commissioned study conducted by Forrester Consulting on behalf of Tenable Network Security, December 2013 Base: 180 US security decision-makers Source: A commissioned study conducted by Forrester Consulting on behalf of Tenable Network Security, December 2013 Endpoint discovery. Thirty-eight percent of respondents reported scanning challenges with off-network endpoints. When periodic scans are conducted, they miss endpoints not connected to the corporate network at that time. Likewise, when new mobile devices (laptops/smartphones/tablets) enter the network, some time may pass before they get scanned (if ever). This leads to major gaps in the security posture of the organization (see Figure 4). Virtual machine discovery. Thirty-one percent of respondents reported challenges associated with discovering offline virtual machines. Virtual machines present many of the same problems as mobile devices; if they are not spun up during a periodic vulnerability scan, they will likely not get scanned. Critical vulnerabilities could potentially go undetected for long periods of time in such a way if the virtual machine is never running at the same time as vulnerability scans are performed. You can discover it, but you can t scan. To further complicate matters, just because you are able to discovery an asset doesn t mean that you will be able to scan it. In some cases it could be a personally owned device that the security team won t have credentials to complete comprehensive scanning. Continuous Monitoring: Born In The Federal Space, Expands Beyond CM has its roots in the US government. The original concept was developed for agencies to provide FISMA auditors with real-time information regarding the state of their environments. NIST defines CM as a way of maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. 5 NIST subsequently published guidance on CM. 6 Since then, the use of CM has grown beyond the government space. CM offers ongoing real-time assessment of the risks within an environment. For the purposes of the survey, Forrester defined CM as a strategy that represents a shift from static point in time security assessment to ongoing real-time assessment of the risks within an environment. The promise of CM resonated with survey respondents; 45% have implemented CM. Some of the drivers for CM adoption: 83% cited mobility as a driver for CM adoption. Security leaders are particularly concerned with the risks presented by mobile devices (laptops, smartphones, and tablets), especially when periodic vulnerability scanning is used. Many organizations turn to CM to ensure that their mobile endpoints are evaluated as they enter the network, thereby lowering their overall mobile threat surface and exploit risk.

7 5 80% cited protection against APTs as a driver for CM adoption. Reducing the number of vulnerabilities within an environment can significantly increase the cost of attack for those looking to launch APT-style attacks. However, CISOs and security leaders worry that traditional vulnerability scans will miss critical vulnerabilities that arise in between scans, leaving their organization exposed. For this reason, many organizations adopt CM in response to the threats posed by advanced or highly targeted attacks. 80% cited compliance as a driver for CM adoption. While federal agencies explicitly mandate the use of CM, even those organizations without CM regulations benefit from its use from a compliance standpoint. CM can make the process of compliance reporting much more streamlined for those organizations with periodic compliance mandates. Continuous Monitoring Delivers CM offers CISOs and security leaders a near real-time view into the security posture of their respective institutions. As security controls are implemented and tuned, CM can also lend insight into the effectiveness and operating state of these controls. We asked the 45% of respondents who had adopted CM to explain the benefits. Organizations that implemented CM were more than twice as likely to be satisfied with their vulnerability management approach compared to those who use periodic scanning. Broadly speaking, CM: Satisfies the CISO more than any other role. CISOs and security professionals responsible for all aspects of security are more likely to be satisfied with their CM when compared to their less-senior peers (see Figure 5). Considering their top-level priorities at protecting their respective organizations from APTs and data breaches, along with the additional protection CM offers against both of these, this is not surprising. Better equips organizations to deal with a mobile workforce. As new mobile devices connect to an organization s network, CM controls help to identify and evaluate the risks associated with these devices. In fact, 85% of those organizations using CM reported that it has given them the ability to discover new assets as they enter the network, leading to a more accurate inventory of assets. We also found that those that are responsible for mobile security feel more comfortable about CM s ability to help meet compliance requirements and also experience greater confidence in their organizations risk posture (see Figure 5). FIGURE 5 CISOs In Particular Feel Continuous Monitoring Gives Them A Better Security Posture To what extent do you agree with the following statements about your continuous monitoring implementation? (Those who answered strongly agree ) It has given us the ability to maintain an up-to-date inventory of assets and to discover new assets as they connect It has given us the ability to perform ongoing vulnerability assessments It supports better analysis, prioritization, and remediation of vulnerabilities It has given us better visualization and reporting capabilities It has helped us meet current regulatory and compliance demands and positioned us to meet future requirements It has given us greater confidence in the organization s risk posture I am responsible for all aspects of IT security Data security is a primary responsibility Application security is a primary responsibility Incident response is a primary responsibility Network security is a primary responsibility 43% 51% 51% 39% 53% 55% 22% 39% 48% 30% 22% 26% 33% 48% 48% 29% 29% 19% 31% 56% 50% 25% 19% 31% 35% 35% 45% 35% 25% 25% Mobile security is a primary responsibility 33% 61% 61% 39% 39% 28% Endpoint security is a primary responsibility 25% 50% 40% 25% 20% 20% Compliance and security auditing is a primary responsibility 22% 44% 44% 33% 19% 30% Vulnerability management is a primary responsibility 25% 38% 46% 29% 21% 21% Base: 81 US security decision-makers who have already have a continuous monitoring solution Source: A commissioned study conducted by Forrester Consulting on behalf of Tenable Network Security, December 2013

8 6 Benefits all stages of vulnerability management. Those organizations that had adopted CM saw benefits at every stage within vulnerability management from discovery to scanning to remediation. Overall vulnerability management challenges improved 17 percentage points. Asset discovery challenges improved 15 percentage points. Vulnerability scanning challenges improved 11 percentage points. Remediation challenges improved 13 percentage points (see Figure 6). Benefits all verticals. A majority of retail, financial, healthcare, utilities, higher education, and government organizations reported numerous security benefits and higher overall confidence in their security postures after implementing CM. Benefits those with a risk-focused VM program the most. While some organizations may view vulnerability management as a necessary evil used to keep the auditors happy, those who view it strategically as a crucial component to their risk reduction efforts are more likely to be satisfied with CM. FIGURE 6 CM Adoption Reduces Vulnerability Management Challenges Transitioning To Continuous Monitoring The benefits of CM adoption are clear, and 30% of respondents who had not yet implemented CM are planning to in the next 12 months. The question remains: What does an effective CM program look like? To transition to a successful CM program an organization must: Complement traditional active scanning with passive monitoring. Passive monitoring is the anchor of a CM program, and 94% of survey respondents indicated that they were interested in complementing active and passive scanning (see Figure 7). The more strategic a company views itself, the more interest there is in combining the two approaches. Sixty-six percent of organizations that view vulnerability management as a strategic function are very interested in combining the two versus 40% of companies that view vulnerability management as mostly about compliance. 7 Understand passive monitoring must include vulnerability identification. The passive detection of vulnerabilities is a key requirement for a CM program. While there is certainly value in achieving network visibility alone, if you must then use active scanning to determine host vulnerabilities, you are creating operational friction and defeating the purpose of passive monitoring. Leverage a platform for CM. Staffing is a nearly ubiquitous challenge for security and risk leaders. Security organizations must maximize their limited resources and do more with less. To that end, enterprises should look for a platform that integrates their vulnerability management and SIEM capabilities. A platform with a single pane of glass for administration provides efficiencies that reduce operational friction. Not enough organizations understand the value of integrating their SIEM and vulnerability management programs, and this must change. Base: 180 US security decision-makers Source: A commissioned study conducted by Forrester Consulting on behalf of Tenable Network Security, December 2013 Use CM to improve your detection capabilities. Realtime visibility can be used to prevent security incidents from becoming security breaches. You may not be able to stop a capable and well-resourced attacker, but you can leverage CM to identify them faster. Being able to passively detect malware and suspicious network behavior are key components of CM and result in the

9 7 reduction of critical metrics like time to detection and time to containment. Take advantage of CM for incident response. The realtime nature of passive scanning data should be invaluable to incident response (IR). IR teams should be able to leverage real-time data on compromised hosts versus static data from the last periodic scan, which as Figure 1 illustrates could be dated by as much as a month, a quarter, or even a year. Current data is critical when trying to understand the implications of a compromise. Make sure that you take full advantage of the real-time visibility that CM provides. Ensure availability doesn t trump visibility. In many verticals, resource availability is more important than any other requirement. Specialized equipment like industrial control systems and medical devices must remain online and cannot afford to be taken offline by active vulnerability scanning. This results in unknown risk to organizations, as they are blind to the vulnerabilities on these types of devices. Passive monitoring finally gives these types of organizations a better option. Sixty-five percent of respondents from utilities/energy indicated that they were very interested in passive scanning. Higher education at 60% and healthcare at 53% were next with high interest in passive scanning. FIGURE 7 Orgs Show Interest In Combining Active And Passive Scanning To Better Understand Risk How interested are you in complementing your vulnerability scanner with a passive scanning capability that provides real-time context about risks to your environment? Don t know 0% 5 very interested 53% 4 41% 3 3% 2 2% 1 not at all interested 0% Base: 88 US security decision-makers who plan to implement a continuous monitoring solution Source: A commissioned study conducted by Forrester Consulting on behalf of Tenable Network Security, December 2013

10 8 Key Recommendations The leadership of the businesses, agencies, and institutions you work for want assurances that information risk is understood and in hand. One of the primary responsibilities of security and risk professionals is to minimize the uncertainty regarding risk to the point where management can make informed and effective decisions. A vulnerability management program fueled by CM is critical for addressing the risk questions organizations need answered. To enable this, you must do the following: Make the right investments. Don t get distracted by the latest information security silver bullet. Given the challenges that organizations face it is natural to want an easy button to solve your problems. There aren t any easy buttons, so you need to prioritize investments that provide visibility into risk. Understand your assets. CM provides visibility and visibility is the first requirement for understanding your assets. You cannot protect everything, so understanding your assets is mandatory for orchestrating your defense. Take a risk-based approach over compliance. As the recent retailer breaches continue to demonstrate, compliance doesn t equal security. If you focus your efforts on security your highest risk assets first compliance will occur organically.

11 9 Appendix A: Methodology In this study, Forrester conducted an online survey of 180 security leaders in the United States from financial services, government, healthcare, higher education, retail, and utilities/energy organizations to evaluate the current state and effectiveness of vulnerability management. Survey participants included security and risk decision-makers in manager, director, vice president or C-level positions. Questions provided to the participants included scan frequency, satisfaction with current approaches to vulnerability management, and challenges associated with asset discovery, vulnerability scanning, and remediation. The study began in November 2013 and was completed in December Appendix B: Endnotes 1 Source: Four Best Practices To Maximize The Value Of Using And Sharing Threat Intelligence, Forrester Research, Inc., October 30, Source: CyberFactors ( 3 CISOs are more worried about breaches than any other role. 4 Source: Understand The State Of Network Security: 2013 To 2014, Forrester Research, Inc., January 6, NIST Special Publication : Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. Source: Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations, NIST, September 2011 ( 6 Source: Evelyn Brown, NIST Publishes Draft Implementation Guidance for Continuously Monitoring an Organization s IT System Security, NIST Tech Beat, January 24, 2012 ( 7 66% of those orgs which view vulnerability management as strategic are very interested in combining the two versus 40% of those orgs which view it as mostly about compliance.