- Network vulnerability
A flaw in computing environment or associated processes that can potentially be exploited by malicious actors
The circumstances around a vulnerability that shed light on its true nature
- Network risk assessment
A process to gain understanding of the risks to critical systems and sensitive data inside a network
- Indicators of Exposure (IoE)
Points in a network that adversaries
What is Network Vulnerability?
A network vulnerability is a weakness in a computing environment or its associated processes that can potentially be exploited by malicious actors.
But not all vulnerabilities in a network will be exploited, and in the real world, there is no way to prevent all vulnerabilities all the time. Security professionals need to understand how to realistically evaluate risk and which risks are worth focusing on.
Why is Network Vulnerability So Misunderstood?
Vulnerability is certainly part of any risk analysis, but the term has been blown out of proportion in most of the security and risk management space. This is partly due to the great job that the vulnerability management and patch management vendors have done in bringing vulnerabilities to the forefront of risk management activities. But there is more to risk than vulnerability.
We tend to focus on vulnerability because it’s easy to measure, and human nature believes that what can be measured can be managed.
On a practical level, that means a security leader can use graphs to make a persuasive argument that will gain budget and resources from non-technical C-levels. Everybody can connect a graph to the latest highly-publicized breach and approve an expense they believe will save their own business from being the subject of the next headline.
But to talk about risk without the context of threats, countermeasures, and other risk factors is just conjecture. Are vulnerabilities related to risk? Absolutely. Is there a direct correlation? Absolutely not.
The number of vulnerabilities is simply not a key metric. Even if a security team could find every single vulnerability, it wouldn’t have enough hours in the day to mitigate them all. And just because a vulnerability exists doesn’t mean it will be exploited, or that it can accessed by malicious actors, or that malicious actors would even think it was worth exploiting. So to truly measure risk, it is critical to measure more than just vulnerabilities. A more intelligent approach is needed.
Mitigate Network Vulnerability in 3 Phases
Many of today’s existing security technologies, including firewalls, IDP, proxies, and content filters, are implemented specifically to prevent a threat from reaching an asset.
Reachability is the ability of a threat to access a known vulnerability. A reachability analysis calculates how easily an attacker can reach assets and assesses the potential damage.
The analysis will examine questions such as which paths could be taken to reach the asset and whether multiple vulnerabilities or low-value assets could be used to reach a higher-value asset. An example of the latter would be an attack on a low-value asset (such as a data archive of obsolete R&D reports) in order to reach a high-value asset (such as live repository of business-critical R&D reports).
Know what is possible through simulation
Use simulations to trace possible paths that attackers might use to gain access to critical assets. This will help determine whether multiple exploits could be used in concert to penetrate the network, as well as to assess the potential impact on other parts of the network.
Recursive mapping and indexing can reveal potential attack paths, quantify the risks in the network, and reveal the steps to remediate indicators of exposure (IoEs).
Visual attack paths and zero-day attack graphs are particularly useful for assessing an attack’s impact, deciding how to prioritize patching, and adapting device rules to reroute access to devices that require immediate risk mitigation.
Score all attack simulations for risk and impact, and then re-score after making improvements. Use a tool that provides real-time visibility into risk posture based on each policy rule and asset. Another important capability is virtual patching, so systems can be “patched” and re-analyzed until the patch scenario that will return the greatest benefit is exposed.
Summary: 4 Key Stages of Simulation
- Calculate how easy it would be for an attacker to reach the network through different network hosts and internet-facing segments and assess the potential damage
- Trace the possible paths an attacker might use across the network layout and identify where to stop an attack using the least time and effort
- Build a zero-day attack graph for each potential vulnerability and prioritize applications according to the risk assessment
- Decrease exposure and enable mitigation of risk by tracing all potential traffic paths, identifying problematic routes, and implementing recommended adjustments to redirect access.
Use security policy to optimize firewall configuration
New computing models and platforms create a complexity gap that provides more opportunities for attackers to compromise a network. Most organizations rely on scans to protect their complex networks, but scans are not enough. Organizations need to know which exposures are reachable, accessible, and under what conditions.
When paired with risk analysis, network policies can pinpoint exposures before they are exploited. But often, this pairing fails to safeguard the network because of overly permissive and risky policies that actually introduce risk into network paths.
To stop implementing policies that introduce risk and to fix problems before they can be exploited, use a tool that optimizes the firewall configuration process by assessing and identifying rules that allow access to vulnerabilities and reveal how each asset is exposed and where it is accessible in the firewall policy.
- Pair vulnerabilities with network policy to uncover exposures, score network risk, and prioritize patches
- Combine vulnerabilities and network security policy to identify potential exploits
- See how each asset is exposed and how it is accessible
- Get a complete score of network risk
- Run attack and patch simulations
- Remediate exposures based on greatest impact.
Vulnerability is just one aspect of risk
Don’t stop assessing and measuring vulnerabilities. You do need to know where they are – but you also need to know what they mean, and that requires an understanding of their context. Are they reachable? Are they likely to attract an attacker’s attention? Are they worth an attacker’s effort? What will it take to mitigate them and is that worth your effort?
FireMon helps you address your vulnerabilities with risk-based products like Risk Analyzer. Risk Analyzer performs a topology-aware assessment of critical factors, including device rules, access routing and NAT, and prioritizes risks based on ease of reachability, value of underlying assets, and known patterns of existing attacks. By adapting device rules to reroute access, risks can be addressed immediately, complexity can be reduced, and time spent in patch remediation efforts can be saved.