The Cisco 2015 Midyear Security Report – It’s not all doom and gloom
Reading the Cisco 2015 Midyear Security Report, the overall tone was very much along the lines of ‘the bad guys are innovating faster than the security community.’ This is hardly unique to Cisco’s report, since most security reports are reactive commentary on past incidents. Anything looks bad when all you do is focus on the losses and the negative outcomes. And, let’s be honest, the companies putting out most of these reports have a lot to gain from organizations deciding to buy more security products and services.
Buried within most of these reports are actually a lot of pieces of advice that, if followed, could dramatically enhance the security of any organization. So why not lead with that message? Well, I defer to the last comment above.
After reading the Cisco report, one finding struck me as particularly easy for security teams to address. Cisco details that exploitation of Adobe Flash vulnerabilities is increasing, and that Flash exploits are regularly integrated into widely used exploit kits such as Angler and Nuclear. Adobe updates Flash Player frequently, but many users are slow to apply the patches that would close the vulnerability being exploited. Attackers are clearly taking advantage of the window between the vulnerability becoming public and the patch actually being installed on the endpoint.
Why doesn’t Vulnerability Management solve the problem?
One would think that since there is a whole category of solutions in the market that scan endpoints for known vulnerabilities, it would be easy to keep endpoints updated and patched with the latest versions. Run a scan, identify the endpoints needing updates, patch them, and problem solved, right? The problem with this scenario is that scans only run periodically, patches fail, users inadvertently re-introduce vulnerable applications, and the enterprise is left wide open until the next scan runs. Plus, scans report on applications that are installed but never used, producing reams of findings that are hard for an analyst to manage and prioritize.
Well what’s so easy to address then? Glad you asked.
Just run the scan continuously and monitor all endpoints, so that the exact moment a system falls out of compliance you know and can respond. Continuous visibility that provides real-time alerting and extensive reporting is the new mandate as endpoint security is redefined and people realize the era of prevention-first is over. Using the National Vulnerability Database (NVD) as the reference, each running application with a known vulnerability can be recognized immediately, security personnel alerted, and the patch applied; this requires an accurate inventory of installed product versions, since NVD entries are keyed by product and affected version. Further, solutions can look for suspicious activity from vulnerable applications, such as a sudden run of application crashes, which is a possible sign of exploit attempts. Finally, they can detect when a user’s system has not been rebooted since the last security patch was installed, meaning the patch is not yet protecting the host.
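The three checks described above (running application matched against a vulnerability feed, a run of crashes in a vulnerable application, and a patch installed but no reboot since) are straightforward to express as detection logic. The following is an added example, not code from Cisco or from any endpoint product. It assumes a hypothetical agent that reports the running processes with their product and version, a local copy of NVD-style advisories giving the first fixed version, the last boot time, the install times of reboot-requiring patches, and a crash log. All sample data is constructed; the advisory IDs are placeholders, not real CVEs, and the version strings are illustrative.

```python
"""Continuous endpoint checks for running vulnerable software (added example).

Assumed inputs from a hypothetical endpoint agent; all data below is constructed.
"""
from datetime import datetime, timedelta


def parse_version(version):
    """Turn '18.0.0.194' into (18, 0, 0, 194) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def running_vulnerable(running, advisories):
    """Advisories that apply to an application that is running right now.

    running: process name -> (product, installed version)
    advisories: list of {'id', 'product', 'fixed_in'} (NVD-style, first fixed version)
    Reporting only running products keeps installed-but-idle software out of the
    analyst's queue, which is the prioritization problem the text describes.
    """
    findings = []
    for process, (product, version) in running.items():
        for adv in advisories:
            if adv["product"] == product and parse_version(version) < parse_version(adv["fixed_in"]):
                findings.append((adv["id"], process, product, version))
    return findings


def pending_reboot(last_boot, patches):
    """IDs of reboot-requiring patches installed after the last boot.

    Such a patch is on disk but the old, vulnerable code is still what is running.
    """
    return [p["id"] for p in patches if p["requires_reboot"] and p["installed_at"] > last_boot]


def crash_spike(crash_log, window, threshold):
    """Products that crashed at least `threshold` times inside any `window`.

    A burst of crashes in one application is a possible sign of failed exploit
    attempts. crash_log is a list of (timestamp, product); returns a set of products.
    """
    by_product = {}
    for ts, product in sorted(crash_log):
        by_product.setdefault(product, []).append(ts)
    flagged = set()
    for product, times in by_product.items():
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                flagged.add(product)
                break
    return flagged


# ---- constructed sample input (placeholder IDs and illustrative versions) ----
ADVISORIES = [
    {"id": "EXAMPLE-2015-0001", "product": "Adobe Flash Player", "fixed_in": "18.0.0.209"},
    {"id": "EXAMPLE-2015-0002", "product": "Java Runtime", "fixed_in": "8.0.51"},
]
RUNNING = {
    "flashplayer.exe": ("Adobe Flash Player", "18.0.0.194"),  # older than fixed_in
    "java.exe": ("Java Runtime", "8.0.60"),                    # already fixed
}
LAST_BOOT = datetime(2015, 7, 10, 8, 0)
PATCHES = [
    {"id": "patch-flash-18.0.0.209", "installed_at": datetime(2015, 7, 14, 9, 30), "requires_reboot": True},
    {"id": "patch-browser-2015-07", "installed_at": datetime(2015, 7, 9, 12, 0), "requires_reboot": True},
]
CRASH_WINDOW = timedelta(minutes=10)
CRASH_THRESHOLD = 3
CRASH_LOG = [
    (datetime(2015, 7, 14, 10, 0), "Adobe Flash Player"),
    (datetime(2015, 7, 14, 10, 2), "Adobe Flash Player"),
    (datetime(2015, 7, 14, 10, 3), "Adobe Flash Player"),
    (datetime(2015, 7, 14, 16, 0), "Java Runtime"),
]


def assess(running=RUNNING, advisories=ADVISORIES, last_boot=LAST_BOOT,
           patches=PATCHES, crash_log=CRASH_LOG):
    """One pass of the continuous check; the agent would call this on every change."""
    return {
        "running_vulnerable": running_vulnerable(running, advisories),
        "pending_reboot": pending_reboot(last_boot, patches),
        "crash_spike": sorted(crash_spike(crash_log, CRASH_WINDOW, CRASH_THRESHOLD)),
    }


if __name__ == "__main__":
    for check, result in assess().items():
        print(f"{check}: {result}")
```

The version comparison is deliberately numeric rather than string-based; a string compare would rank "18.0.0.9" above "18.0.0.194". In a real deployment the agent would re-run `assess` on every process start, patch install or reboot event rather than on a schedule, which is the point the text makes about continuous versus periodic scanning.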
So there is a glimmer of hope?
The good news about real-time endpoint visibility is that it works for any vulnerable application (not just Adobe Flash) because, as we all know, attackers move from application to application as their strategies evolve. There are simple solutions to big problems. Security teams just need to be made aware that there is a better way of managing and securing their endpoints. It takes the proper endpoint detection and response solution.