Risk Visibility and Management:
How IT Security Teams Can Enable Speed With Control
Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.ra...
Risk Visibility and Management: How IT Security Teams Can Enable Speed With Control

As fast as organizations move, IT security needs to move even faster. There are constant pressures to streamline operations and safeguard valuable assets while keeping up with a deluge of new technologies and maintaining usability for employees, partners, vendors, investors, and more. The critical capability to balance this need for speed with demand for security is visibility. Learn more here.

To download a free Nexpose demo, click here: http://www.rapid7.com/products/nexpose/compare-downloads.jsp

Published in: Technology, Business

Transcript of "Risk Visibility and Management: How IT Security Teams Can Enable Speed With Control"

  1. Risk Visibility and Management: How IT Security Teams Can Enable Speed With Control
  2. The Earth orbits the sun at a speed of 67,000 miles per hour. That can feel slow when compared to how fast organizations need to move to stay ahead of the competition, meet customer and constituent demands, and adhere to constantly evolving regulations. As fast as organizations move, IT security needs to move even faster. There are constant pressures to streamline operations and safeguard valuable assets while keeping up with a deluge of new technologies and maintaining usability for employees, partners, vendors, investors, and more. The critical capability to balance this need for speed with demand for security is visibility.

     What does it mean to have visibility in the context of IT security? Why does it matter? And how does it impact an organization’s ability to be adept and move with speed? Visibility in the context of security is:

     • Getting the full picture - Seeing all the information related to an organization’s IT infrastructure risk, user risk (risks that are posed to an organization from the users themselves), and the threats most relevant to the business. It starts with something as seemingly simple as discovering all of the devices and assets deployed in an organization. It then goes deeper by also revealing the vulnerabilities of those assets, the risks, and the value.
     • Gaining relevant insight - Having the ability to filter out and focus on what matters specifically to an individual organization’s environment in accordance with its risk tolerance, the threats it’s likely to face, and the current state of its security posture. Relevant also means giving context to the visibility by identifying vulnerabilities that are exploitable as part of eliminating the noise.

     When an organization gains visibility into its real security posture and can easily and systematically validate that risk, decision making and risk management become easier. With useful information, security and operations teams can take meaningful, swift, and efficient action to strengthen security while still moving ahead with new technologies, new processes, and new business strategies. IT security then becomes proactive and instrumental in supporting forward motion in the business and business initiatives.

     Why Now?

     Change has never happened faster, and the “consumerization of IT”—an environment in which business users often make decisions about technology and infrastructure—has never been more prevalent. Consider this fact: “It took 15 years, from 1996 to Q3 2011, to reach 708 million smartphone devices, but then it took only one year for another 300 million to come online,” says Scott Bicheno, senior analyst at Strategy Analytics. According to Ovum’s Multi-market BYOD Survey, October 2012, “57.1% of Full Time Employees use their personal smartphone or tablet for work in some capacity,” and yet “79% of all BYOD usage is still unmanaged today.” With the expanding network perimeter and unmanaged devices, threat evolution shows no sign of slowing down. While many of the challenges are similar, each organization needs insight and information that are very relevant to its specific situation. With this visibility, the organization can prioritize actions and move fast in a secure way. Security professionals can have speed with control.

     “Speed has never killed anyone, suddenly becoming stationary…that’s what gets you.” —Jeremy Clarkson, English broadcaster, journalist, and writer who specializes in motoring, co-presenter on the BBC TV show Top Gear
  3. Fast can be safe as long as:

     1. Security teams have visibility into all assets and users on the network, including virtualized assets, databases, and mobile devices.
     2. One has the ability to constantly look ahead and monitor vulnerabilities and conditions at any time.
     3. Risk is validated and easily prioritized for decision making.
     4. Safety and mitigating controls are in place.
     5. There are good, clean information hand-offs with operational teams who need to maintain equipment and infrastructure, and train users.
     6. An organization can respond quickly when issues arise, to mitigate risk and get things back on track.
     7. Security teams have easy-to-use tools to be more productive.

     Context: The Evolving IT Security Function

     Given the above, IT security is at a crossroads: The nature of the job has changed, the source of threats is expanding, and the characteristics of what needs protecting are evolving. Unfortunately, the solutions security pros have been using haven’t always kept pace with this evolution. Often, the tools they have are focused on yesterday’s threats, don’t give them visibility into new technology, like virtual machines and cloud-based infrastructure, and are ill-suited to deal with user impact including bring-your-own-device (BYOD). Organizations need the right tools and processes to gain visibility into the evolving threats and the vulnerabilities of their organization in order to manage risk while moving fast.

     There are three key areas into which an organization needs visibility to manage and reduce risk: IT risk, user risk, and threats.

     IT Risk

     Situation

     Network complexity continues to increase. Developments such as virtualization, the cloud, and the looming migration to IPv6 are not only a challenge for IT teams, but represent completely new threat vectors from a security perspective.

     Assets that used to be more static and managed within an organization’s own data center now are constantly shifting—moving from data center to private cloud and from virtual machine to virtual machine. Business is increasingly driven by real-time supply chains that include new partner and supplier ecosystems, and internal and outsourced development teams leveraging web services. These dynamic configurations can change on the fly, depending on specific projects or initiatives, making it very challenging for IT and security teams to keep up.
  4. Solution: Visibility across the entire infrastructure

     Gain insight into the organization’s entire IT risk including its network, operating systems, web applications, databases, mobile devices, and cloud and virtual environments. New technologies are less daunting if they—and the risks they might pose now and on an ongoing basis—can be seen. Better visibility is the foundation of prioritized risk management because what isn’t seen or known can’t be managed. Contextual visibility means being able to validate risks and vulnerabilities and prioritize them easily based on exploitability, asset value, and relevant risks.

     Contextual visibility delivers:

     • Insight into the entire IT environment.
     • Simple and powerful capabilities to analyze and prioritize risk.
     • Clear and specific remediation plans.

     User Risk

     Situation

     Users today are technologically savvy. They’re bringing their own devices and downloading applications, and are empowered to meet their personal IT needs—and that can bring challenges for IT security. BYOD is becoming the norm rather than the exception. 59% of organizations now report that they support personally owned smartphones in some form. Knowing which devices and users are on the network is becoming increasingly difficult. Organizations that don’t enable that choice and flexibility will fall behind in productivity and in attracting an energized and motivated workforce. Yet, even without BYOD, users are the fundamental weak links that most often introduce risk into an organization. They are the target of malicious attacks because hackers see them as an easy path into an organization.

     Solution: Security awareness among users and the ability to see all of their devices that touch an organization’s infrastructure

     Identify known and unknown users who are accessing the network with their mobile devices. Know which vulnerabilities and risks are associated with those devices and all clients on the network. Find out the users’ security IQ by testing their susceptibility to social engineering tactics and the ability to penetrate the organization’s network via mobile devices.

     Better visibility delivers empowerment with control including:

     • Visibility into all user devices and the risks they pose.
     • Clear assessment of user susceptibility to social engineering.
     • User risk containment.

     82% of large organizations reported security breaches caused by staff, including 47% who lost or leaked confidential information. Source: Infosecurity Magazine
  5. Threats

     Situation

     There has been a continual evolution in threats including new malware that is much harder to detect. Businesses are facing threats from many different corners. Some businesses are targets of advanced persistent threats because they have assets with high value to a large number of people such as intellectual property, monetary assets, or specialized information assets. It’s not only individuals who are perpetrating the attacks. Nation states are trying to steal intellectual property so that they can fuel their growth. Activists are trying to wreak havoc for their own purposes. The danger is insidious and growing. Opportunistic individuals have figured out ways to make money off of assets, and they’re casting a wide net in drive-bys hoping they can get something of value such as user names or information about a business that they might be able to sell.

     Every organization is different—and each organization needs to know which of these threats poses the greatest risk to its own security in order to balance risk with security investment and priorities. For most organizations, advanced persistent threats are not the biggest risk. Attacks of opportunity continue to constitute the largest percentage of attacks, indicating malicious actors are finding plenty of easy targets. According to the 2012 Verizon Data Breach Investigations Report, “79% of victims were targets of opportunity. Most victims fell prey because they were found to possess an (often easily) exploitable weakness rather than because they were pre-identified for attack.” Sometimes old vulnerabilities persist on a network, or configurations change inadvertently. Continuous monitoring and defense testing are required for organizations that are moving fast.

     Solution: Insight into an organization’s relevant threats

     Identify, prioritize, and address threats that are most likely to impact a specific business. Know which threats pose the highest risk based on the organization’s IT environment, users, and assets. Don’t neglect simple hygiene or assume remediation is in place.

     Better visibility delivers security investments that stop real threats including:

     • Continual testing of control effectiveness against threats.
     • Mass-market malware and exploit remediation.
     • Automated control and configuration verification.

     Malicious or criminal attacks are the most expensive cause of data breaches and are on the rise. In 2011, 37% of data breach cases involved malicious attacks and averaged $222 per record. Negligence accounted for 39% of reported breaches. Source: 2011 Cost of a Data Breach: United States, Ponemon Institute and Symantec, March 2012

     Most data breach victims fell prey because they were found to possess an (often easily) exploitable weakness rather than because they were pre-identified for attack; 79% of victims were targets of opportunity, and 96% of attacks were not highly difficult. Source: 2012 Data Breach Investigations Report (DBIR), Verizon Business, April 2012
  6. Summary of the three pillars (situation and solution for each):

     Pillar: IT Risk
       Situation:
       • Increasing complexity of IT
       • Consumerization of IT
       • Real-time supply chains
       Solution: Visibility into relevant risks across the entire infrastructure including:
       • Physical, virtual, and cloud assets
       • Validation and prioritization based on real risk
       • Easy-to-follow remediation advice

     Pillar: User Risk
       Situation:
       • BYOD
       • Exploitable by malicious attacks
       • Social engineering
       Solution: Visibility into security awareness across users and all of their devices that touch an organization’s infrastructure. Better visibility delivers empowerment with control including:
       • Visibility into all user devices, operating systems, and vulnerabilities
       • Understanding users’ susceptibility to attacks
       • User risk containment

     Pillar: Threats
       Situation:
       • Continuous evolution of threats
       • Threats now more malicious, harder to detect
       • Old threats still not mitigated
       Solution: Insight into an organization’s relevant risks to radically improve the ability to stop real threats including:
       • Testing effectiveness of security controls against threats
       • Automated control and configuration verification
       • Prioritized remediation against real threats

     What Is The Impact?

     The risks associated with these three areas are intertwined, and they affect each other. Security professionals need to see, know, and stay on top of their current state. They must maintain visibility into changes happening across IT environments, users, and threats. They need:

     • Tools to keep up and give them visibility into physical and virtualized assets, whether they are in the data center or in the cloud, including operating systems, applications, databases, networks, video conference equipment, mobile devices, configuration settings, and more
     • Visibility into user activity and weak links
     • Insight into current and emerging threats that are likely to impact their business (versus those that are unlikely to impact them)
     • The ability to put all of this into context, to easily assess and prioritize risks, and to deliver clear, specific remediation plans based on those risks

     The bottom line: Only when IT security teams have visibility into IT risks, user risks, and threats can they start to quantify, prioritize, and manage their risk—because no one can manage what can’t be seen.
  7. Security Re-Imagined

     For too long, security has been incorrectly viewed as a potential hindrance to business speed and productivity. But with clear visibility and the right tools, security can be proactive. Savvy CISOs and security executives are leading the way to a new vision—Security Re-Imagined. To excel, organizations need to move fast with control. IT security should be seen as part of an entity’s ability to move forward rather than as a roadblock that is holding the organization back out of fear of resultant risks. To get there, you have to start with better visibility.

     Better Visibility: Visibility into the here and now, including the latest technology and latest threats.
     + Better Risk Management: The ability to validate and prioritize risk based on relevant threats, and to communicate with operations in clear, simple terms about what needs to be fixed, how, and by whom.
     = Speed with Control: Complete visibility combined with powerful yet simple risk management lets organizations move forward with more confidence: Security Re-Imagined delivers speed with control.

     Speed with control provides a proactive approach to security. This new security model means:

     1. Having visibility into risk that is real, not theoretical, for an organization’s environment to fuel effective vulnerability management
     2. Assessing and monitoring the risks associated with new technologies to support moving forward with confidence
     3. Providing reports and online dashboards that show how to simply and clearly fix the issues to prevent breaches
     4. Driving collaboration with the IT team and delivering the specific information it needs to succeed
     5. Having contextual insight into IT risk and the information needed for meaningful dialogue about risks and investment with organizational leaders
  8. Recommendations

     In order to move forward, organizations must focus not only on the here and now, but also on the future. Most of the security solutions available today are focused on yesterday’s threats and traditional IT infrastructure. Many solutions throw too much information at security professionals, much of which is irrelevant to their environment. These products send scan data with no filter and cannot prioritize based on an organization’s specific context. They don’t cover the latest technologies such as IPv6, virtualization, and mobile assets. They don’t focus on the relationships between IT security and IT operations, or foster the collaboration needed to affect security posture. IT security needs a solution that provides visibility into the risks of today and tomorrow. Look for the following key functionality:

     Key functionality: An understanding of all the assets in the organization (IT and user)
     Why it’s important: It is very difficult for organizations to discover their entire infrastructure. Often there are assets being monitored by security and other assets monitored by IT—and some, such as BYOD mobile devices, might be completely unmanaged. Having a consolidated view of all the assets is a critical foundation. This includes visibility into what OSes are being run, as well as what applications, configuration settings, databases, and more.

     Key functionality: Asset organization for easier management, filtering, and exception handling
     Why it’s important: People should have visibility into the asset groups they manage (databases, operating systems, applications), and receive clear and simple information about risks and how to mitigate them.

     Key functionality: Ability to assess and expose user-related risk through social engineering
     Why it’s important: Users pose the highest risk to organizations. IT security must be able to easily assess and measure this important risk vector.

     Key functionality: End-to-end assessment of true, exploitable vulnerability across the breadth and depth of threats, to save time and increase productivity
     Why it’s important: Vulnerabilities are not always exploitable. A company may have mitigating controls in place. Look for tools that let you easily validate which risks are exploitable, so that risks proven to be mitigated can be removed from reports and you can focus on the more important issues.

     Key functionality: Clear risk prioritization to inform remediation and risk management efforts
     Why it’s important: Prioritize risk based on prevalence, exploitability, severity, and more.

     Key functionality: Actionable information to speed mitigations and fuel collaboration between security and IT
     Why it’s important: Security professionals can’t spend their time chasing all the vulnerabilities they find—they need to focus on what poses a real risk to their systems. In addition, they must be able to give clear and concise remediation advice to IT. They must be able to:
     • Filter and prioritize vulnerability information by a variety of criteria, including asset group ownership
     • Give detailed, credible remediation advice about risks that have been validated by penetration tests

     Key functionality: Integrated risk management and risk validation solutions
     Why it’s important: To have fully realized IT security, these solutions should talk to one another and support continuous iteration and innovation.

     Key functionality: Information from the outside world
     Why it’s important: A viable solution should be supported by a community of security users and researchers to gain visibility into what’s happening out in the field and how attackers’ tactics are evolving.
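The prioritization criteria listed above (validated exploitability, verified mitigating controls, prevalence, severity, asset value, and filtering by asset group ownership) can be combined into one scoring and filtering routine. The Python below is an added illustration written for this page, not Rapid7's, Nexpose's or Metasploit's own algorithm; the Finding data model, the weights, and the sample findings (VULN-000x labels, host names, team names) are constructed assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class Finding:
    """One scanner finding on one asset (hypothetical data model)."""
    vuln_id: str              # constructed label, not a real CVE number
    asset: str
    asset_group: str          # databases / web-apps / endpoints ...
    owner: str                # operations team responsible for the group
    severity: float           # scanner severity, 0.0 - 10.0
    asset_value: int          # business value of the asset, 1 - 5
    exploit_available: bool   # a public exploit for the weakness exists
    validated: bool           # exploitability confirmed by a validation run / pentest
    mitigated: bool           # a compensating control was verified to be in place


# Constructed sample data: the same weakness on two database servers, one of
# them behind a verified mitigating control, plus lower-value findings.
SAMPLE = [
    Finding("VULN-0001", "db-01", "databases", "dba-team", 9.8, 5, True, True, False),
    Finding("VULN-0001", "db-02", "databases", "dba-team", 9.8, 5, True, False, True),
    Finding("VULN-0002", "web-01", "web-apps", "web-team", 7.5, 3, True, True, False),
    Finding("VULN-0003", "web-01", "web-apps", "web-team", 5.3, 3, False, False, False),
    Finding("VULN-0003", "kiosk-01", "endpoints", "desktop-team", 5.3, 1, False, False, False),
]


def exploitability(f: Finding) -> float:
    """Validated > public exploit available > theoretical (assumed weights)."""
    if f.validated:
        return 1.0
    if f.exploit_available:
        return 0.6
    return 0.2


def prevalence(findings) -> dict:
    """Fraction of inventoried assets affected by each vuln_id (0.0 - 1.0)."""
    total_assets = len({f.asset for f in findings})
    hits = Counter(f.vuln_id for f in findings)
    return {v: n / total_assets for v, n in hits.items()}


def score(f: Finding, prev: dict) -> float:
    """0-100 risk score: severity x exploitability x asset value x prevalence."""
    return (f.severity / 10) * exploitability(f) * (f.asset_value / 5) \
        * (0.5 + 0.5 * prev[f.vuln_id]) * 100


def prioritise(findings, owner=None):
    """Drop findings with a verified mitigating control, optionally keep only
    one owner's asset groups, and return the rest highest risk first."""
    prev = prevalence(findings)   # prevalence is measured over the full inventory
    live = [f for f in findings if not f.mitigated]
    if owner is not None:
        live = [f for f in live if f.owner == owner]
    return sorted(live, key=lambda f: score(f, prev), reverse=True)


def remediation_plan(findings) -> dict:
    """Per asset group, the ordered (vuln_id, asset, score) list that team should work."""
    prev = prevalence(findings)
    plan = defaultdict(list)
    for f in prioritise(findings):
        plan[f.asset_group].append((f.vuln_id, f.asset, round(score(f, prev), 1)))
    return dict(plan)


if __name__ == "__main__":
    for group, items in remediation_plan(SAMPLE).items():
        print(group)
        for vuln, asset, s in items:
            print(f"  {s:5.1f}  {vuln} on {asset}")
```

Run as a script it prints one ordered work list per asset group; the mitigated db-02 finding never appears, while its prevalence still raises the score of the unmitigated copy on db-01.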
  9. Conclusion

     In order to be successful today and tomorrow, organizations need to move fast—but without introducing unnecessary risk. Visibility into the complex and evolving world of IT is critical to combating evolving user threats. With integrated, complete risk assessment and management tools, IT security teams can empower themselves to move quickly with their organization. IT security professionals can move away from saying “no” to advancements, such as BYOD or cloud-based assets, because they know they’ll have the information they need to make the right decisions and to manage the risks associated with these new technologies. As a result, IT security becomes part of the solution, saying “Yes—let me show you how we can move forward with better security.” With visibility, prioritized risk management, and better IT security collaboration, organizations can get the best of both worlds: Speed with control. It’s Security Re-Imagined.

     Security Re-Imagined:
     Reactive → Proactive
     No → Yes
     Tactical → Strategic

     About Rapid7

     Rapid7 is a leading provider of IT security risk management software. Its integrated vulnerability management and penetration testing products, Nexpose and Metasploit, and mobile risk management solution, Mobilisafe, enable defenders to gain contextual visibility and manage the risk associated with the IT infrastructure, users, and threats relevant to their organization. Rapid7’s simple and innovative solutions are used by more than 2,000 enterprises and government agencies in more than 65 countries, while the company’s free products are downloaded more than one million times per year and enhanced by more than 175,000 members of its open source security community. Rapid7 has been recognized as one of the fastest growing security companies by Inc. Magazine and as a “Top Place to Work” by The Boston Globe. Its products are top rated by Gartner®, Forrester®, and SC Magazine. The company is backed by Bain Capital Ventures and Technology Crossover Ventures. For more information about Rapid7, please visit http://www.rapid7.com.
