I just spoke with someone on our site chat who said, “I have just about every security tool at my disposal. Shouldn’t that be enough to see everything in my environment?” I then started talking about the cybersecurity solution visibility paradox and decided the term was worth a blog post.
More Tools, More Data
When I give the Axonius pitch, I usually start with the idea that it’s absurd that in 2019 we still struggle with asset management. In fact, I often reference this tweet:
CISO: How many Windows hosts do we have?
AV Guy: 7864
Desktop Management: 6321
EDR Team: 6722
CMDB Team: 4848
SIEM Team: 9342
— Jim Schwar (@jimiDFIR), February 8, 2018
We have amazing security tools, yet still have a hard time understanding how many devices are in our environments and whether they are covered by the tools we’ve made part of our security policies. But why?
More Tools, Less Visibility
The more tools we have to secure and manage assets, the more data we have about them. However, just having data does not equal visibility. Instead, it means we have more individual silos of information about the devices those tools know about, and that leads to two issues:
- The individual silos don’t talk to each other.
- The tools only know what they know, and don’t know what they don’t know.
Individual Silos, Not Talking
Vulnerability scanners know a lot about the devices they scan. Amazon knows a lot about S3 buckets. EDR tools know a lot about the devices they’re on. Network switches, MDM tools, SIEM solutions, CMDBs, the list goes on and on.
All the data about assets is out there; it’s just not correlated in a way that makes sense of whether every asset is being managed and secured.
For example, if my policy says that every Windows device needs to have a particular EPP product installed, needs to be scanned by a VA scanner, needs to be part of Active Directory, and needs to be in a CMDB, where can I find that information?
I Know What I Know, I Don’t Know What I Don’t.
The second issue is that each individual tool knows what it knows, not what it doesn’t. I know: reading that makes my brain hurt, too.
A VA scanner knows a lot about the devices it scans and literally nothing about those it doesn’t. An EPP product is the same: it doesn’t know anything about the devices it’s not installed on.
In our above example, you can’t expect an EPP solution to know that there’s a Windows device it should be installed on but isn’t. You can’t expect a VA tool to scan something it doesn’t know about.
The Cybersecurity Solution Visibility Paradox
Therein lies the paradox: the more solutions in an enterprise, the more data about assets; yet the more data about assets, the harder it becomes to see and understand whether the assets fit the security policy.
All Hail the Conquering Hero: Correlation
Although seemingly paradoxical, there’s a solution: correlation. Yes, this is part of what Axonius does, and of course, you can sign up for a trial. But let’s put that aside for now and just talk about the approach.
If you were to grab all data about assets from every solution that knows about them, then correlate it to understand each unique device, you could:
- Get a full inventory of all assets – Managed and unmanaged, cloud and on-prem. You’d be able to see every single device.
- Understand where there are security coverage gaps – You could see every device that is missing coverage from any tool.
- Use the tools to take action – If you found an Amazon instance not being scanned by a VA tool, you could just tell the VA tool to add it to its next scheduled scan. If you found a Windows device without an EPP tool, you could install that agent with WMI.
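As an added illustration of the approach (example code written for this post, not Axonius’s product), here is a small Python script that takes constructed per-tool exports for the four tools in the Windows policy above (EPP, VA scanner, Active Directory, CMDB), merges records that share a hostname, MAC or IP into unique devices, and reports which required tool has never seen each device. The sample data, tool names and field names are assumptions for the example; the per-tool counts disagree the same way the tweet’s answers do.

```python
from collections import defaultdict
# Policy from the post: every Windows device must be covered by all four tools.
REQUIRED = ("epp", "va", "ad", "cmdb")

# Constructed sample exports (not real inventory): each silo records only the IDs it has.
SOURCES = {
    "epp": [{"host": "ws-01", "mac": "AA:BB:CC:00:00:01"}, {"host": "ws-02", "mac": "aa:bb:cc:00:00:02"}],
    "va": [{"ip": "10.0.0.1", "mac": "aa:bb:cc:00:00:01"}, {"ip": "10.0.0.3", "host": "WS-03"}],
    "ad": [{"host": "WS-01"}, {"host": "WS-02"}, {"host": "WS-03"}],
    "cmdb": [{"host": "ws-01", "ip": "10.0.0.1"}, {"host": "ws-03", "ip": "10.0.0.3"}],
}

def per_tool_counts(sources):
    """The 'how many hosts?' answer each silo gives on its own."""
    return {tool: len(records) for tool, records in sources.items()}

def identity_keys(rec):
    """Normalised (kind, value) keys a record can be matched on."""
    return [(kind, rec[kind].lower()) for kind in ("mac", "host", "ip") if rec.get(kind)]

def correlate(sources):
    """Merge records sharing any identity key into unique devices (union-find).
    Returns a list of {"keys": set of (kind, value), "seen_by": set of tools}."""
    parent, seen_by = {}, defaultdict(set)
    def find(k):
        while parent.setdefault(k, k) != k:
            k = parent[k]
        return k
    for tool, records in sources.items():
        for rec in records:
            keys = identity_keys(rec)
            for k in keys:
                seen_by[k].add(tool)
                parent[find(k)] = find(keys[0])  # union with the record's first key
    devices = defaultdict(lambda: {"keys": set(), "seen_by": set()})
    for k in parent:
        root = find(k)
        devices[root]["keys"].add(k)
        devices[root]["seen_by"] |= seen_by[k]
    return list(devices.values())

def coverage_gaps(sources, required=REQUIRED):
    """{device label: [required tools that have never seen it]}."""
    gaps = {}
    for dev in correlate(sources):
        missing = [t for t in required if t not in dev["seen_by"]]
        if missing:  # label by hostname, else MAC, else IP
            label = min(dev["keys"], key=lambda kv: ("host", "mac", "ip").index(kv[0]))[1]
            gaps[label] = missing
    return gaps
```

With this data the four silos report 2, 2, 3 and 2 hosts, the merged view finds 3 unique devices, and the gaps are exactly the ones no single tool could report about itself: ws-02 is unknown to the VA scanner and the CMDB, and ws-03 has no EPP agent.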
Finally, our VP of Product, Lenny Zeltser, just covered this very topic on a recent webinar: The Ultimate Questions of (Cyber) Life, the Universe, and Everything. In it, he covers exactly how to answer the questions that each tool begets.