On False Senses of Security

November 16th, 2011

Customer conversations are the best part of my job. I really enjoy talking with users and buyers of security technology, especially in today’s hyperactive threat and attack climate. Most often these conversations are with customers proactively planning updates to their security strategy, or with prospects that have matured to a level where their tools need to be upgraded to enterprise solutions. However, there is a small percentage of organizations we speak with who have come to eEye as a result of a breach or a failed audit. One of *those* conversations was the impetus for this post.

A prospect recently walked me through the background on their most recent PCI audit, which they failed (for those of you not familiar with PCI, check out a quick background here – but keep reading, because this example maps to all types of regulations). For the last few years, they had been using a SaaS PCI auditing service, which originally fit their needs, as their IT and Security teams were not as built out as they are now. As part of a due diligence checklist performed by their larger parent company, they were subjected to a manual PCI audit, where trained auditors went through the checklist item by item, verifying in a “live” setting that the checks and conditions were in fact in place. For years, they had been operating under a false sense of security because their existing security toolset was inadequate.

To dig in a little deeper so that we could help the prospect craft a strategy to get back into compliance, we reviewed the most recent audit results they shared with us. From there, we quickly identified three key areas where we could immediately help them get back into compliance. At the end of the day, these apply to situations beyond PCI, and should always be considered part of a “healthy security strategy diet”.

1. Scanning accuracy. This is the cornerstone of any effective vulnerability management process, and something many organizations largely take for granted. It’s a widely held assumption that vulnerability scanners are all alike, finding the same flaws with the same level of accuracy. Sadly, this isn’t the reality. eEye was founded with the goal of becoming the foremost expert on vulnerability research and identification. Our Retina suite of products has continually been awarded for its accuracy. Even with all of eEye’s advances and market firsts, we continue to invest in vulnerability research and implement that knowledge in our core scanning technology.

This particular prospect’s tools had been failing to identify vulnerable systems – systems which had been on their network for over 3 years. Each time they were scanned, they turned up as “OK”, when in reality they carried vulnerabilities of the highest severity in the Microsoft Jet Database, which was connected to their payment network. (I know, you’re all scratching your heads, “Jet Database?”, but it illustrates the importance of having a scanning technology that provides the widest and most accurate coverage for your systems.) Speaking of coverage…

2. Scanning coverage. This isn’t so much about scale (which is also important) as about the ability to scan every type of asset as part of an audit. The industry evolved past desktops and servers long ago, and amazingly, not all security vendors have followed suit in their coverage. What does today’s dynamic enterprise need to be able to audit? Everything, really. This also requires an approach where network-based scanning is complemented by host-based scanning for the mobile assets that your organization relies on.

Thankfully, the PCI audit was only looking at the payment system itself, but the auditors did file a notice with the company stating that it had little operational security control over its ‘non-standard’ assets, such as virtual servers and applications, and mobile assets which frequently traveled in and out of the perimeter.

eEye’s ability to perform both network and host-based scanning addressed this concern, and our unique (unique as in “only solution in the industry”) offering for scanning virtual applications almost doubled the coverage of their existing vulnerability tools.

By doubling that coverage, though, did we just bury them under a mountain of data? Thankfully, no. Keep reading to see how we help our customers avoid being lost in “security big data”.
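The two failure modes described in points 1 and 2 (a scanner reporting a vulnerable host as “OK”, and assets that no scanner ever touches) can be caught by reconciling scan results against an asset inventory. The following is an added example, not eEye or Retina code; the inventory, hostnames and finding identifiers are constructed placeholders.

```python
"""Reconcile vulnerability scanner output against an asset inventory.

Added example, not eEye/Retina code. All data below is constructed.
"""
from datetime import date

REPORT_DATE = date(2011, 11, 16)  # constructed "today" for the report

# Constructed inventory: hostname -> asset type
INVENTORY = {
    "pos-db-01": "server",
    "pos-db-02": "server",
    "vapp-pay-01": "virtual",   # never scanned by either tool
    "laptop-fin-07": "mobile",  # only seen by the host agent, months ago
}

# Constructed results per scanner: hostname -> (last scan date, findings)
SCANS = {
    "network": {
        "pos-db-01": (date(2011, 11, 1), []),  # network scan says "OK"
        "pos-db-02": (date(2011, 11, 1), ["FINDING-PLACEHOLDER-1"]),
    },
    "host": {
        "pos-db-01": (date(2011, 11, 2), ["JET-DB-PLACEHOLDER"]),  # agent disagrees
        "laptop-fin-07": (date(2011, 8, 15), []),
    },
}


def coverage_report(inventory, scans, today, max_age_days=30):
    """Flag unscanned hosts, stale scans, and hosts the scanners disagree on."""
    unscanned, stale, disagree = [], [], []
    for host in sorted(inventory):
        results = {name: r[host] for name, r in scans.items() if host in r}
        if not results:
            unscanned.append(host)  # inventory knows it, no scanner does
            continue
        newest = max(last for last, _ in results.values())
        if (today - newest).days > max_age_days:
            stale.append(host)  # last evidence is too old to trust
        verdicts = {bool(findings) for _, findings in results.values()}
        if len(verdicts) > 1:
            disagree.append(host)  # one scanner says "OK", another does not
    return {"unscanned": unscanned, "stale": stale, "disagree": disagree}


def example_report():
    return coverage_report(INVENTORY, SCANS, REPORT_DATE)


if __name__ == "__main__":
    for gap, hosts in example_report().items():
        print(f"{gap}: {', '.join(hosts) or 'none'}")
```

Any host in the “disagree” list is exactly the case from point 1: a clean result from one tool is not evidence of a clean system when another source contradicts it.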

3. Actionable reports and intelligence. One of the contributing reasons our prospect turned to eEye for help in becoming compliant with their PCI requirements was the lack of visibility they had into what was really going on within their network. Tactically, we were able to help them change that by increasing the accuracy of their scans, as well as the breadth of coverage for their new and emerging technologies. Strategically, we were able to help them by providing Retina Insight for actionable reporting and analysis on their security posture.

Interestingly enough, due to the lack of visibility with their prior tools, the “laundry list” approach to fixing vulnerabilities had created a negative culture internally with regard to vulnerability tracking and remediation. The data was too hard to find and extract. With Retina Insight, the company can now easily identify risk, quantify its potential impact on operations and act accordingly, all within the Retina CS suite.

As I mentioned, this action plan was designed for an organization that had previously failed its PCI audit, but I think we can all agree that these basic tenets of vulnerability and threat management can be applied to a wide range of organizations, regardless of their regulatory burdens or industry.

I’d love to hear your thoughts. Use the comments section below to share your opinions, or even your own stories of dealing with regulatory audits like PCI. We’d love to hear them.