Companies are challenged with protecting against attacks, safeguarding customer and corporate data in addition to complying with industry regulations. Well, you can’t defend what you don’t know, right?
This can be a big challenge when it comes to network visibility. Many organizations don’t have a true sense of all that is on their network. Often, there is a large gap of 20 percent or more in network visibility.
What I mean by this is not having a very clear understanding of the state of your network. How is it connected? How does it interact with partner or client networks?
There are several contributors to a decrease in network visibility, such as corporate change, a disappearing network edge, as well as unmanaged and unsecured devices.
When pieces of the business are acquired, divested or outsourced, it can lead to a visibility gap. As the network is growing and changing, making the proper changes to the network infrastructure can certainly be tricky. This is especially true if you have a large organization.
Additionally, with the growing trend toward cloud and virtualization, the network edge is becoming fuzzier and fuzzier. For anyone that has spent any time in front of a VMware console, for instance, you know how easy it is to spin up and spin down virtual machines influencing virtual routing.
Lastly, the lack of visibility introduced by wireless and mobile devices continuously on and off the network can create even more complexity. For instance, a native IPv6 device joining the network does not lend itself to giving clarity to network administrators at all.
Unfortunately, this network visibility gap is not decreasing and is actually increasing. According to the 2014 Global Threat Intelligence Report released earlier this year by NTT Innovation Institute, “Organizations lacking mature Vulnerability Life-cycle Management programs are four times more susceptible to attacks via exploit kits.” Organizations need a way to eliminate the problem of network unknowns and gain complete understanding of the network infrastructure. This is known as network situational awareness.
Network Situational Awareness
Network situational awareness represents the foundation of comprehensive vulnerability management, where the goal is to close the gap on network visibility. That means completely understanding how every connection, host and device in the enterprise is connected and interacting. From there, it’s easy to take that information and address vulnerabilities and risk.
There are three phases to network situational awareness:
- Discover: In this first phase, discover all the devices and infrastructure, the edges and boundaries, connections to the internet and partners, and understand how these connections are impacting the overall infrastructure.
- Comprehend: This phase is where the deeper assessment comes in with scoring and prioritizing vulnerabilities. There is also a fair amount of visualization and reporting.
- Mitigate: Finally, nirvana occurs in the third phase. Here, you reduce the risk and minimize the threat surface to prevent intrusion and data exfiltration. In this phase, your network is now in a good state where patches are rolled out as needed in a timely manner. You also have a better idea around what devices are most vulnerable and you are prepared to quickly address these vulnerabilities.
In a case study performed by Gartner on the knowledge gained by TXU Energy when it implemented its process-monitoring system, analysts found that “organizations that operationally implement applicable IT controls through a vulnerability management program will achieve the strongest security posture.”
We like to talk about this process in five steps:
- Validate Network Address Space: Discover the entire scope of the network IP address space in use with the environment, i.e. I’ve talked to this piece of the network, is it responding back? Is it reachable? Once you determine this you can make the corrections that are needed.
- Determine Network Edge: Next, understand what is yours and what is out there on the open Internet. For instance, determine if there is anything on the client or partner’s network that you may or may not access. Defining that edge informs you what belongs to you and what you’re responsible for versus what you are not responsible for.
- Discover & Provide Endpoints: Understand the presence of all devices on the network. For instance, this means going down to the details of your laptop and having knowledge into the type of laptop, the operating system running on that laptop and all the additional metadata associated with that laptop.
- Identify Vulnerabilities: Evaluate and comprehend network vulnerabilities for remediation. This means identifying who these devices are, what patch levels have been applied, which ones are missing and finally, what may need remediation.
- Mitigate Risk: Remediate risks in priority order with patches/changes or accept lesser risks. Set priorities and decide what the most important vulnerabilities are that you need to address.
Tripwire has integrated its Tripwire IP360 vulnerability management solution with Lumeta’s IPsonar network situation awareness solution. Through this partnership, IT organizations can achieve improved risk management, security and compliance across the entire enterprise network.
Tripwire IP360 Integration with Lumeta IPsonar
Information security professionals need a unified vulnerability management strategy that incorporates network situational awareness. Tripwire IP360 provides visibility into the devices and applications on your network, and uses that information to deliver the most complete vulnerability detection available. Tripwire IP360’s job begins with a clear definition of your network. Lumeta’s network discovery technology allows IPsonar to discover all of your organization’s connected network space, giving Tripwire IP360 the most complete starting point for deeper profiling.
With the addition of discovery data from IPsonar, Tripwire IP360’s reach can be extended to cover the complete enterprise, eliminating gaps in coverage that may leave the organization exposed. The Lumeta and Tripwire integration offers several benefits. You eliminate gaps in network intelligence. Once those gaps are properly assessed and mitigated, you have total visibility and control, which enhances security and reduces risk.
Tripwire and Lumeta have a large joint customer in the petrochemical industry. When they initially came to us they thought they had 300,000 IP addresses or devices under management, yet when IPsonar was implemented they actually found 328,000 devices out there, a 10% visibility gap. That introduced additional risk because they didn’t know these devices existed nor understand how they behaved on the network.
This petrochemical firm also found 125 unknown networks, which was an area of exposure because they didn’t know how these unknown networks are interacting with the enterprise. They also found 20 non-responding networks which are networks IPsonar went out and tried to target but for one reason or another, could not reach. This could occur because the network was severed or just unreachable at the time. Either way, it is an area they should be aware of and want to get under control.
What Does The Gap Mean For The Customer?
Both Lumeta IPsonar and Tripwire IP360 were deployed as stand-alone products for a number of years. As with any large organization, when you have an excess of hundreds upon thousands of IP addresses, there is a great deal of network change and complexity. That change and complexity was starting to outpace the policy and procedures this organization had in place for managing network changes and managing infrastructure.
Tripwire IP360 was doing a great job of managing the space that it was aware of. Still, there was that 10% gap of knowledge. IPsonar was able to address that through their various discovery methodologies. Through this integration IPsonar provided discovery information and intelligence into Tripwire IP360. From there, IP360 did an even better job of vulnerability management because it had a clearer view of the network. Now, the customer has a better idea of what their network is doing and they are doing a better job at managing vulnerabilities across the entire enterprise.
To learn more about this integration, download the data sheet.
Or request a demo of the integration.
- Change Doesn’t Have to be the Enemy of Security
- Leveraging Security Controls and Analytics to Protect Sensitive Data
- Attackers Are Using High-Profile Vulnerabilities to Evade Detection
- Vulnerability Management: Just Turn It Off! Part I
Check out Tripwire SecureScan™, a free, cloud-based vulnerability management service for up to 100 Internet Protocol (IP) addresses on internal networks. This new tool makes vulnerability management easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology – and it detects the Heartbleed vulnerability.
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].
Title image courtesy of ShutterStock