Trying to convince SecOps teams they need more data is like trying to convince a drowning person they need more water. SecOps teams are so overwhelmed they can’t even respond to 67% of the alerts they receive. On average, SecOps teams receive 4,484 alerts per day and spend over three hours per day manually triaging the alerts, costing $3.3 billion annually in the US alone. (Source: Vectra 2023 State of Threat Detection)
The problem is that the high volume of data they receive lacks context. When you face over 20,000 CVE announcements a year and over 1.5 million alerts, you do not need more data; you need actionable, timely data that provides context and a path to remediation.
Forward Enterprise is integrated with the NIST database and with the endpoint scanning solutions Rapid7 and Tenable. This integration gives security teams a prioritized remediation report of the vulnerabilities that exist in their network, ranked by exposure.
Join our co-founder, Nikhil Handigol on Thursday, August 24th at 2:00 p.m. EDT/11:00 a.m. PDT to see this in action.
During a live technical session, Nikhil will demonstrate our Tenable integration and highlight how the solution delivers complete attack surface visibility, empowering SecOps to proactively identify impacted hosts with critical vulnerabilities accessible from the Internet or other critical exposure points in seconds.
You’ll see how the integration with Tenable delivers an actionable exposed-host report that includes:
Most importantly, Nikhil will demonstrate how a mathematical model of the network helps make the plethora of network vulnerability data actionable.
Register for your seat now. [If you miss the live session, it will be immediately available on-demand via that same link.]
There are never enough hours in the day to do everything. I think we all have a to-do list that is at least twice as long as the time available to complete it. To cope, we prioritize what’s “on fire” or what has the most potential to cause damage immediately if it’s not taken care of. Often the things we “should” focus on fall by the wayside because they are outshined by what we must do right now. This is especially true when the “should do” tasks are tedious and time-consuming.
Unfortunately, CVE management for network devices often falls into the “should do” category.
I doubt you could find a security professional who would say that just hoping CVEs are resolved is a good strategy. Yet, for many companies, that’s exactly what happens. I met a CIO recently at a very high-profile Fortune 100 company who reluctantly admitted that they have no idea if they’ve resolved all the high-risk CVEs affecting their network; without data, they rely on hope and assure the rest of the team that everything will be OK. This CIO fully recognizes that this approach is unacceptable, but given current tools and circumstances, it’s the best they can do.
CVE management is highly complex because the ever-increasing volume of CVEs is overlaid on the complexity of modern networks.
[Chart: CVEs issued by year. Source: CVE Details]
Each CVE is specific not only to a device but also to the operating system version and the features enabled on that device, or to the specific deployment described in the CVE. In many cases, network administrators must go to the vendor’s site for details on which configurations are actually vulnerable, which makes remediation considerably more complex.
There are several common reasons for deprioritizing CVE remediation:
The most obvious risk is falling victim to a cyber-attack or a data breach, either of which can lead to tens of millions of dollars in losses. Additional concerns include compliance violations (which bring exorbitant fines, legal costs, and loss of trust) and outages that cause lost revenue and customer dissatisfaction.
The most obvious way a digital twin helps is through advanced vulnerability analysis. The digital twin safely collects configuration and state information from every device in the network, so it knows which devices are affected by a CVE based on their OS version, configuration, and enabled features. It also incorporates vendor-specific data that is not in the NIST database to produce a more complete risk assessment. And because the model computes reachability, it knows which affected devices are reachable from the internet, and therefore which carry the greatest risk.
Forward Networks takes this information and compares it against the NIST database and vendor-specific announcements, such as the Cisco Security Advisories, to deliver an at-a-glance prioritized remediation plan. Enhanced analysis increases the likelihood that a device reported as potentially vulnerable is actually vulnerable, which helps with prioritizing remediation efforts. This information is always up to date, and with integrations such as ServiceNow, we can automatically open tickets for resolution that include all the pertinent information. To learn more about how we do this, read the use case.
For a full demonstration of the technology, meet us at the RSA Conference in San Francisco, April 24 – 27 in booth 4225. Enjoy an energizing cold brew while you talk security with our experts.
Cybersecurity is front and center as part of our national defense strategy. Civilian networks responsible for life-sustaining services such as water and power must be protected with the same vigor as networks that host sensitive data.
To accomplish this, the Department of Homeland Security established the Continuous Diagnostics and Mitigation (CDM) program in 2012. CDM supports government-wide and agency-specific efforts to provide risk-based, cost-effective cybersecurity solutions for protecting federal civilian networks, providing financial assistance to civilian agencies as they improve their security posture by:
Forward Networks is an approved vendor in all 8 functional capability categories. The data collected and analyzed by the Forward Networks platform is instrumental to ensuring that the network security posture matches expectations.
Forward Enterprise helps agencies comply with CISA Binding Operational Directive (BOD) 23-01. With Forward Enterprise, security professionals can identify vulnerabilities before they become a threat. Because Forward Networks can scan your network multiple times per day without performance degradation, it delivers timely, actionable alerts. Combined with third-party application integrations, the level of detail in those alerts lets engineers remediate errant configurations or known critical vulnerabilities before they cause an incident. The three most popular security use cases are:
To learn more about Forward Networks’ work with federal agencies, visit https://www.forwardnetworks.com/federal/.
Headline-grabbing incidents like SolarWinds and Log4Shell targeted management software and end hosts, but a quick search for “most exploited vulnerabilities” shows that some of the most exploited CVEs directly target network and security devices as well as server load balancers.
These are the 3 most exploited CVEs in the last couple of years:
Would you be surprised to learn that network device operating systems can be vulnerable to security flaws like any other software? To remediate this risk, network and security administrators need a vulnerability management program in place. Having the right processes and technology in place can save time while protecting the network security posture.
A common approach is to split vulnerability management into two phases:
Publicly disclosed security vulnerabilities are assigned a CVE (Common Vulnerabilities and Exposures) ID, and the NVD assigns each a severity score (CVSS) based on its impact. CVEs help you coordinate efforts to prioritize and address these vulnerabilities. Most enterprise networks have evolved over time and include devices from several vendors running multiple versions of their operating systems, so knowing that a vulnerability was announced does not by itself give a clear picture of the organization’s actual risk.
Large enterprises do their best to keep an accurate inventory of devices and their state, but given that most companies have experienced mergers, IT department turnover, and are resource constrained, this inventory is rarely current. Because networking vendors typically fix security vulnerabilities by issuing a new OS version, a detailed and up-to-date inventory is paramount. Trying to conduct this analysis manually is expensive, time-consuming, and error prone.
To make the analysis easier, faster, and more reliable, Forward provides a network device vulnerability analysis that automatically compares CVE information from the NIST National Vulnerability Database (NVD) with the OS version running on each device in your network.
This analysis provides a list of all possibly affected devices and related vulnerabilities. “Why possibly affected?” you might ask. Keep on reading and you will find out why.
The following screenshot shows an example of network vulnerability analysis in the Forward UI.
The summary at the top shows the number of CVEs detected as well as the number of devices impacted.
The table shows a summary view of the CVEs including CVE ID, Severity, Description, Impacted OS, Impacted versions, and the number of Possibly impacted devices.
The Details page shows you information about devices that are impacted by that CVE like Device, Model, OS version, and Management IPs.
One of the fundamental issues is that the number of vulnerabilities and affected devices can be overwhelming, making it difficult to decide which devices should be updated first. Filtering by severity helps somewhat, but typically the number of Critical and High severity vulnerabilities is still so large that it’s hard to find a starting point. This is where the notion of “possibly affected devices” becomes pertinent. Some vulnerabilities affect a device only if a specific configuration is present, a specific feature is turned on, or the device is deployed in the way the CVE describes. This information is not in the NIST database; network engineers have to research vendor sites such as the Cisco Security Advisory repository to get that level of detail.
There’s a better way
Monitoring the latest advisories and automatically checking them against the device configurations in your network is a job for software: it frees highly skilled engineers to spend time on proactive, strategic initiatives and is far more accurate. For many NOC teams, this capability would be a dream come true.
That is exactly what Forward Enhanced Vulnerability Analysis provides.
No more manual, tedious, and error-prone hunting for those configurations on every single “possibly affected” device, one by one.
Instead, you get an always-accurate, always-current list of the devices that are actually vulnerable, and remediation can be prioritized by severity so effort goes where it keeps the network safest. The screenshot below shows the Detected based on field. It indicates whether an at-risk device matches on OS version only (OS version match) or is running the affected OS version and also has the vulnerable configuration (Config match).
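The following Python is an added illustration of the two-stage check described above and in the earlier discussion of “possibly affected” devices; it is not Forward Networks’ code, and the page does not describe Forward’s actual matching logic. Stage one matches a device’s OS and version against the affected ranges a CVE feed carries (the data the NVD has); stage two additionally tests the running configuration for the condition a vendor advisory states, and only then reports a Config match. The CVE IDs, version ranges, configuration predicates, device names and configs are all constructed for the example, and the version parser is a deliberate simplification of real vendor version schemes.

```python
"""Added example, not Forward Networks code.

Two-stage vulnerability matching:
  1. "OS version match": the device runs an affected OS/version range
     (the information the NVD carries).
  2. "Config match": in addition, the running configuration contains the
     feature or command the vendor advisory says must be present.
All CVE IDs, version ranges, configuration predicates and devices here
are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Simplification: every run of digits becomes a component, so
    "15.2(4)E7" -> (15, 2, 4, 7). Real vendor version schemes need the
    vendor's own ordering rules."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


@dataclass
class Device:
    name: str
    os: str
    version: str
    config: str      # running configuration text
    exposed: bool    # reachable from the internet (would come from the network model)


@dataclass
class CVE:
    id: str
    severity: str
    os: str
    affected: List[Tuple[str, str]]       # inclusive [min, max] version ranges
    config_regex: Optional[str] = None    # vendor-advisory condition, if known


@dataclass
class Finding:
    device: str
    cve: str
    severity: str
    basis: str       # "OS version match" or "Config match"
    exposed: bool


def version_affected(cve: CVE, version: str) -> bool:
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in cve.affected)


def assess(cve: CVE, dev: Device) -> Optional[str]:
    """Return the detection basis for (cve, device), or None if not affected.
    Assumption: when the advisory states a configuration condition and the
    device config does not satisfy it, the device drops off the list."""
    if dev.os != cve.os or not version_affected(cve, dev.version):
        return None
    if cve.config_regex is None:
        return "OS version match"      # possibly affected; no finer data available
    if re.search(cve.config_regex, dev.config, re.MULTILINE):
        return "Config match"          # affected version AND vulnerable config present
    return None


SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


def prioritized_findings(devices: List[Device], cves: List[CVE]) -> List[Finding]:
    """Confirmed (Config match) findings first, then by severity, then
    internet-exposed devices before internal ones."""
    findings: List[Finding] = []
    for d in devices:
        for c in cves:
            basis = assess(c, d)
            if basis is not None:
                findings.append(Finding(d.name, c.id, c.severity, basis, d.exposed))
    findings.sort(key=lambda f: (f.basis != "Config match",
                                 SEVERITY_RANK[f.severity],
                                 not f.exposed,
                                 f.device))
    return findings


# Constructed sample data: hypothetical CVE IDs, ranges and configurations.
SAMPLE_CVES = [
    CVE("CVE-0000-0001", "Critical", "ios", [("15.2(4)E1", "15.2(4)E9")],
        config_regex=r"^ip http server"),          # exploitable only with HTTP server on
    CVE("CVE-0000-0002", "High", "ios", [("15.0", "15.2(4)E9")]),
    CVE("CVE-0000-0003", "Medium", "nxos", [("9.3(1)", "9.3(6)")],
        config_regex=r"^feature bash-shell"),
]

SAMPLE_DEVICES = [
    Device("core-sw1", "ios", "15.2(4)E7", "hostname core-sw1\nip http server\n", exposed=False),
    Device("edge-rtr1", "ios", "15.2(4)E7", "hostname edge-rtr1\nno ip http server\n", exposed=True),
    Device("dist-sw2", "ios", "15.2(4)E10", "hostname dist-sw2\nip http server\n", exposed=False),
    Device("dc-n9k1", "nxos", "9.3(5)", "hostname dc-n9k1\nfeature bash-shell\n", exposed=False),
]


def example_findings() -> List[Finding]:
    return prioritized_findings(SAMPLE_DEVICES, SAMPLE_CVES)


if __name__ == "__main__":
    for f in example_findings():
        print(f"{f.device:10} {f.cve:14} {f.severity:9} {f.basis:16} exposed={f.exposed}")
```

Note how edge-rtr1 runs the affected version for CVE-0000-0001 but has `no ip http server`, so it is excluded rather than reported as possibly affected, while dist-sw2 on the patched release produces no findings at all. The exposure flag stands in for what the page attributes to the network model (reachability from the internet); in practice that input is what separates a critical finding on an internal switch from one on an internet-facing router.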
Read the use case to learn more about how Forward Enterprise can help limit your CVE exposure. Stay tuned with Forward Networks announcements because some great new innovations about vulnerabilities are...coming soon...