There are never enough hours in the day to do everything. I think we all have a to-do list that is at least twice as long as the time available to complete it. To cope, we prioritize what’s “on fire” or what has the most potential to immediately cause damage if it’s not taken care of. Often the things we “should” focus on fall to the wayside as they are outshined by what we must do immediately. This is especially true when the ”should do” tasks are tedious and time-consuming. 

Unfortunately, CVE management for network devices often falls into the “should do” category.  

I doubt you could find a security professional who would say that just hoping CVEs are resolved is a good strategy. Yet, for many companies, that’s exactly what happens. I met a CIO recently at a very high-profile Fortune 100 company who reluctantly admitted that they have no idea if they’ve resolved all the high-risk CVEs affecting their network; without data, they rely on hope and assure the rest of the team that everything will be OK. This CIO fully recognizes that this approach is unacceptable, but given current tools and circumstances, it’s the best they can do.  

Why is CVE management such a burden? 

CVE management is highly complex due to the ever-increasing volume of CVEs issued overlayed with the complexity of networks. 

CVEs issued by year:

Source: CVE Details 

Each of these CVEs is not only specific to a device but also to the operating system version and the enabled features on that device or specific deployment as outlined in the CVE. In some instances, network administrators would need to go to a vendor site for details on which configurations are vulnerable, which makes remediating them exponentially more complex.  

There are several common reasons for deprioritizing CVE remediation: 

  1. Resource Constraints: CVE management is extremely labor-intensive. IT departments are facing flat budgets and a talent shortage. While the importance of CVE remediation is never in question, teams need to prioritize addressing the most significant and likely to be exploited vulnerability; CVEs don’t often make this threshold.  
  1. Complexity: Many enterprises have multiple teams that work to assess and remediate CVEs. In some cases, the process involves several highly skilled engineers and can take weeks.  
  1. Lack of Communication: CVE management is never the responsibility of an individual – or even a single team. Many IT departments don’t have effective collaboration mechanisms in place, and a lack of effective communication creates delays in remediating vulnerabilities. 

What are the risks of CVE mismanagement? 

The most obvious risk is falling victim to a cyber-attack by a bad actor or a data breach. Both of which can lead to tens of millions of dollars in losses. Additional concerns include compliance violations (which come with exorbitant fines, legal costs, and loss of trust) or outages that lead to loss of revenue and customer dissatisfaction.  

How does a digital twin improve CVE management? 

The most obvious way a digital twin helps is through advanced vulnerability analysis. Advanced digital twin technology safely collects config and state information on every device in the network. The digital twin then knows which devices in the network are impacted by a CVE based on their OS version, configuration, and enabled features. Additionally, the digital twin also leverages the vendor-specific data not included in the NIST database to provide a comprehensive risk assessment. Based on the OS version, configuration, and enabled features, it knows which devices are most exposed to the internet (ergo, which devices have the most significant risk).  

Forward Networks takes this information and compares it against the NIST database and vendor-specific announcements, such as the Cisco Security Advisories, to deliver an at-a-glance prioritized remediation plan. Enhanced analysis increases the likelihood that a device reported as potentially vulnerable is actually vulnerable, which helps with prioritizing remediation efforts. This information is always up to date, and with integrations such as ServiceNow, we can automatically open tickets for resolution that include all the pertinent information. To learn more about how we do this, read the use case

For a full demonstration of the technology, meet us at the RSA Conference in San Francisco, April 24 – 27 in booth 4225. Enjoy an energizing cold brew while you talk security with our experts. 

Network operations teams rely on highly specialized tools developed by individual vendors designed to address particular problems. The result? Most enterprises have 10+ Network Operations applications in place and they don’t talk to each other—which means that network operations engineers spend an exhaustive and unnecessary amount of time toggling between applications and sifting through information as they work to resolve tickets. Multiple tools providing state information introduces inconsistencies in the data accuracy and level of detail.

Because information is not portable between applications or is vendor-specific, inaccessible because it’s siloed due to security boundaries across the network, or current, the teams charged with network and security operations are at a disadvantage. When people working to solve a problem have incorrect, incomplete, or out-of-date information they cannot efficiently solve problems.

We don’t think it should be that hard

Forward Networks was created to make the hard parts of network operations easier.  For us, that means giving instant access to the information you need to troubleshoot and resolve network issues. 

The Forward Networks platform is based on a mathematical model that creates a digital twin of the network.  This software-based twin provides a comprehensive visualization of all possible network paths, a searchable index of configurations presented in a vendor-neutral manner easily understandable for even tier-one support specialists, the ability to verify network behavior, and predict how NAT or ACL changes will impact the network.  Network state information is updated at regular intervals determined by the operations team.

To ease the burden on network operations teams, we’ve developed an integration between Forward Networks and ServiceNow that provides a single source of truth for the network and enables more efficient use of both platforms. The integration between the applications allows engineers to automatically share relevant details about network state, configuration, and behavior with everyone working on resolving this issue. This information automatically updates within both platforms creating a detailed and current single source of truth.  The integration between the two applications takes only seconds to enable and configure. 

Reduce Mean Time to Resolution (MTTR)

A typical incident response involves several teams, the network operations engineer who got the call, maybe the apps team or security team, more senior engineers if the case needs to be escalated. The difficulty of resolving issues is compounded when everyone is working from their own assumptions and data. One of the most effective ways to reduce mean time to resolution is by creating an accurate single source of truth and ensuring everyone involved has access to it.  

Because Forward Networks regularly verifies that the network is behaving as intended, it can (at the discretion of the network operation team) proactively open, update ServiceNow incidents based on these verification checks. Whether incidents are created automatically or manually, a link to the relevant data becomes part of the incident and is updated as the system collects network state information, this ensures everyone is working from the same information.  For existing ServiceNow incidents, the Forward Networks integration allows network engineers to capture relevant information and add it to the incident, again saving the resolution team time they would have spent researching the issue.

This integration also allows networks operations to verify that the changes they’ve made have resolved the issue by running a query.  The platform will show if the issue is resolved or allow the engineer solving the issue to see how their change impacted the network and what else may be causing the issue, this way tickets can be followed through to resolution.  Incident history can be viewed from within Forward Networks or ServiceNow allowing the engineering team to see all actions and status from their platform of choice. 

The real benefit of this integration is immediate access to information that reduces the mean time to resolution from hours to minutes for most problems. 

See the Forward Networks ServiceNow integration in action

Have 5 minutes? Watch the Forward Networks and ServiceNow integration in action on our Forward Fix – engineering content by engineers, for engineers. 

Top cross