Continuous assessment is the answer to minimising vulnerability, says edgescan’s Keary

Eoin Keary, Edgescan

14 March 2016

Every child in the country knows about computer viruses — even if they and computer users in general do not always understand the extent of the danger. For the most part only security specialists and senior IT management in organisations understand the potentially far more serious dangers posed by system vulnerabilities that the malevolent can exploit through web sites, applications, hosting environments, mobile apps and services.


The infamous Talk Talk ransom exploit last year was just such an attack, carried out through its customer web site and involving the confirmed exposure of more than 157,000 customer names, email addresses and phone numbers, 28,000 partial credit card details, 21,000 bank accounts and 15,000 names and dates of birth.

CIOs and security officers understand the threat, which is why penetration testing is a standard exercise today for most large organisations, and certainly all in the financial world. But our firm belief is that occasional penetration testing, sometimes just twice a year, is just not enough in today’s dangerous world of constantly renewed cyberthreats. That led us to set up edgescan in 2014. This is a vulnerability management service, delivered online as a hybrid combination of Software-as-a-Service and expert human support.

In less than two years on the market, edgescan has been recognised by Gartner in its Magic Quadrant for Managed Security Services 2015 as a ‘Notable Vendor’ and in the Hype Cycle for Applications Security 2015 as a ‘Sample Vendor’. We have clients with global operations, from Beijing to Buenos Aires. They include 19 Fortune 500 corporations but we also look after about 25 start-ups, mostly digital and online businesses which are focussed on growth and do not have the in-house resources to manage potential vulnerabilities.

The key point is that edgescan is continuously assessing, a digital radar that detects system vulnerabilities from hosting environments to web applications to APIs and VoIP systems.

We have what we call ‘tuned rules’ for vulnerability detection. They are updated continually to keep pace both with changes in system deployments and with newly disclosed vulnerabilities across the organisation’s entire systems and applications stack. Importantly, we couple this with expert human validation.

Our Vulnerability Statistics Report 2015 established that just over 15% of IT assets have high or critical risk vulnerabilities which were easily and remotely exploitable and could affect the application layer, the network layer, or both. Another way of assessing the range and severity of a system’s vulnerabilities is to look at the Risk Density: the number of vulnerabilities found per asset assessed. Last year our survey established that there were on average 1.5 vulnerabilities per asset assessed, categorised as Critical, High or Medium Risk.


Normal software development has been greatly speeded up and made more versatile by Agile methodologies and DevOps. The cybercrime fraternity, it must be acknowledged, are just as adept and not constrained at all by traditional practices or governance or reliability. They will just find a new angle and give it a go. That is why 24×7 continuous assessment is the best way — we would say the only way for the future — to underpin corporate digital security.

Our system then uses smart analytics after the test results are obtained to assist risk management in assessing the potential downsides. Our specialisation is full-stack vulnerability management and we can integrate our edgescan SaaS with most firewalls and SIEM [Security Information and Event Management] solutions. Our expert security team currently has 21 software and security specialists supervising the service. They will always manually validate the potential issues so that no client ever experiences a false positive. A major part of their role is to inform our clients about the vulnerabilities uncovered and to advise and support them in carrying out appropriate remediation measures.

Alerts can be automated or delivered by immediate human communication, depending on the client organisation. Some may not have 24×7 IT operations or security staff, for example. Each client has constant portal access to all edgescan data and reports relating to its IT assets. Many system vulnerabilities can be remediated by software patches, but some require re-writing of code or re-configuration of systems assets. Our Vulnerability Statistics Report in 2015 showed that 63% of vulnerabilities could have been mitigated by a combination of such measures.

The edgescan service also provides vulnerability mitigation advice and support to our clients. Often the solution is simply to drill in through our client portal and the client team can see or be shown how to do it. On the other hand, we have recently introduced ‘virtual patching’. This is an interim remediation service which can be deployed on particular firewall systems in order to mitigate web security vulnerabilities. The objective is to give the clients time to decide, in the light of the measured risk, what the permanent solution should be.

For a client, the edgescan service begins with the on-boarding of its assets, which can usually be completed within 48 hours for any global region, say Northern Europe, North America or Asia, in which we provide cover for current clients. Our expert security analysts on-board, enumerate and prioritise client assets, typically web sites, mobile applications, web applications, cloud applications, endpoints and hosting servers. The edgescan service works equally with data centre assets and cloud deployments, public or private.

We believe that the combination of managed vulnerability assessment and human expertise is essential, which is why edgescan was set up from the beginning with this hybrid approach. The approach is also valuable in the real world of cyber threats because there is a worldwide deficit of professional expertise in this area. A recent Forbes feature suggested a shortage of digital security experts globally, with perhaps a million more required according to another study by Cisco. Other studies have forecast a shortage of up to 1.5 million by 2019.

This is the ultimate argument for Managed Security Services Provision (MSSP). Commodity services such as email scrubbing and antivirus protection are commonplace. Managed vulnerability assessment and risk management are specialist services within the security spectrum. As the threats continue to become more and more sophisticated and powerful, their role is already front and centre in cyber security.

Eoin Keary is founder and CTO of edgescan.com and BCC Risk Advisory
