Organisations are investing more than ever in cybersecurity tools, but many are struggling to achieve an accurate view of their IT estates. As a result, they are at risk from security gaps and blind spots that can be discovered and exploited by cybercriminals.
In this Q&A, Jon Abbott, CEO of ThreatAware, discusses why these visibility issues are still so common and how enterprises can start closing the gaps.
Q1. Why are so many organisations still struggling to get a complete view of their IT estate?
There are a few factors that have collided to make this a tough challenge. First, we have IT environments that are getting larger and more complex every day. The amount being spent on IT is continuously increasing and much of that investment is going towards assets like cloud infrastructure that makes IT environments harder to manage. Trends like BYOD and hybrid working have made it even more difficult.
Meanwhile, asset management practices are generally failing to keep up with this expansion. Security teams often rely on periodic audits on Excel spreadsheets or point-in-time scans with practices that are highly manual and inefficient.
As a result, asset inventories are either outdated or were never accurate to begin with, which means more devices are connected to the corporate network but outside the security team’s scope. These are the “unknown unknowns” – systems and devices that the IT and security teams don’t even know are missing.
We often find that companies have as many as 30% more devices connected to their network than they realise. That’s a lot of opportunities for threat actors to sneak in unnoticed.
Even when a device is visible, there may still be security issues outside the team’s scope, such as security tools that are not correctly configured or functional.
Q2. What are the biggest barriers to effective asset management, and why are manual approaches no longer enough?
It’s certainly not a lack of effort. I’ve met teams who had been scanning and auditing almost continuously, only to eventually discover they were still coming up short of a full and accurate inventory.
Much of this stems from disjointed tech stacks and processes. Companies have often spent quite a lot on security solutions – even small companies can easily have a dozen or more. But they’re heavily siloed and don’t have much in the way of integration. This means teams have to swap between several sets of unconnected dashboards and data streams. As a result, it tends to be a very manual-heavy process, which wastes time and increases the chances of errors and oversights.
This is compounded by teams themselves often being quite fragmented. IT operations and security teams have their own tools, processes and objectives, and may work in isolation from each other.
Taken together, all of this means enterprises often lack both a big-picture view and the ability to delve into specific assets reliably. Agent-based scanning can miss assets not covered by a specific deployment, while point-in-time scans and audits only capture the moment and are rapidly out of date.
Q3. Why are these asset management gaps so dangerous from a security perspective?
The presence of unknown unknowns in the network is one of the most dangerous lapses in security. Discovering a device with corporate network access that has fallen off the security grid is an ideal scenario for a threat actor, and many groups specifically seek them out.
Compromising an endpoint that is unmonitored or has faulty security tools presents a perfect opportunity to gain permanence and launch an attack while flying under the radar.
Depending on their goals, an attacker can exfiltrate all the data on the machine and then use its system permissions to start accessing restricted data on any accessible networks. They can also aim to launch Account Takeover (ATO) email attacks with the user’s email account, targeting other employees at the company as well as any external contacts.
A compromised device also makes a strong jumping-off point for ransomware and other malware, with access permissions providing a clear attack path to the most vital systems and data.
Even one unmanaged device is a huge risk, so organisations with large numbers of unaccounted-for devices have essentially thrown the doors wide open to attackers without realising it.
Q4. What can organisations do to close the visibility gap?
Discovering and securing all these lost devices is a multi-layered effort. Enterprises need to have the right tools in place, but also the processes to use them effectively. It also needs a cultural shift that puts a different focus on risk – there can be no exceptions to security policies and processes.
On the technical side, consolidation should be one of the biggest priorities for organisations to close the visibility gap. Disparate security tools need to be integrated to provide security practitioners with a single point of visibility and control. This allows for a far more efficient process that is much less prone to gaps and blind spots.
Alongside this, automation is a hugely important capability. The more that can be automated, the more manageable the task will be, and this frees up more time for IT and security teams to pursue higher value activity. This also enables teams to move away from periodic checks and towards continuous, automated visibility, detecting issues as they emerge rather than days or weeks down the line.
With this in place, organisations can operate with the confidence of knowing exactly what is on their IT estate, and how it is being used. Getting this under control means companies can focus on their core operations without the risk of threat actors walking into their network through an open door they didn’t even know was there.
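As an added illustration of the consolidation step described above (example code written for this page, not ThreatAware's product or anything from the interview), the script below reconciles three siloed sources into one view: the CMDB inventory, DHCP leases seen on the network, and EDR agent check-ins. The source names, hostnames and agent states are all constructed sample data; the point is that devices on the network but absent from the inventory (the "unknown unknowns"), devices with no agent, and devices whose agent is installed but not healthy only become visible once the sources are joined.

```python
# Added example (not from the interview or ThreatAware): join three siloed
# data sources into a single view and surface the visibility gaps described above.
from dataclasses import dataclass, field

def normalize(host: str) -> str:
    """Each tool names the same box differently (case, FQDN); unify before comparing."""
    return host.strip().lower().split(".")[0]

# Constructed sample exports, one per silo, in the shape each tool might emit.
CMDB_EXPORT = ["WS-001.corp.example", "ws-002", "SRV-010.corp.example", "LAPTOP-044"]
DHCP_LEASES = ["ws-001", "WS-002", "ws-003", "srv-010", "SRV-011", "printer-7"]
EDR_CHECKINS = {"WS-001": "healthy", "ws-002": "stale"}  # hostname -> last agent state

@dataclass
class Findings:
    unknown: set = field(default_factory=set)       # on the network, not in the inventory
    no_agent: set = field(default_factory=set)      # in the inventory, no security agent at all
    faulty_agent: set = field(default_factory=set)  # agent installed but not reporting healthy
    ghost: set = field(default_factory=set)         # in the inventory, not seen on the network

def reconcile(cmdb, leases, edr) -> Findings:
    """Cross-reference the three sources; every set below is invisible to any one tool alone."""
    inv = {normalize(h) for h in cmdb}
    seen = {normalize(h) for h in leases}
    agents = {normalize(h): state for h, state in edr.items()}
    return Findings(
        unknown=seen - inv,
        no_agent=inv - set(agents),
        faulty_agent={h for h, state in agents.items() if state != "healthy"},
        ghost=inv - seen,
    )

def shadow_estate_pct(cmdb, leases) -> float:
    """Devices on the network beyond what the inventory claims, as a % of the inventory."""
    inv = {normalize(h) for h in cmdb}
    seen = {normalize(h) for h in leases}
    return round(100 * len(seen - inv) / len(inv), 1) if inv else 0.0

if __name__ == "__main__":
    f = reconcile(CMDB_EXPORT, DHCP_LEASES, EDR_CHECKINS)
    print("unknown unknowns:", sorted(f.unknown))
    print("no agent:", sorted(f.no_agent), "| faulty agent:", sorted(f.faulty_agent))
    print("ghosts:", sorted(f.ghost))
    print(f"{shadow_estate_pct(CMDB_EXPORT, DHCP_LEASES)}% more devices than the CMDB knows about")
```

Run continuously against live exports rather than once, and the same join turns a periodic audit into the ongoing check the interview argues for.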