Some of the most precious assets of a company are its data stores, which are frequently in danger of being stolen or misused. Unfortunately, many organizations still rely on shoddy preventative strategies to thwart cybersecurity breaches. As new technologies have evolved, so have hacking techniques, with bad actors employing increasingly sophisticated strategies. In 2020, online scams and cyber crimes surged by 400%, and by 2025 cybercrime is predicted to cost the world $10.5 trillion annually. Consequently, effective prevention remains challenging despite advancements such as widely deployed zero trust network access.
Why is it challenging to ensure network security?
As organizations accelerate digital transformation initiatives, new threats and attacks emerge proportionally. Although a network is essential for connecting businesses with clients, it can also serve as a waypoint for attackers to access private information. Compounding the issue is the emergence of hybrid work that has expanded the overall network attack surface.
As a result, several challenges emerge when it comes to protecting network infrastructure:
- Identification and collection of vulnerability information for the network using network penetration testing.
- Protection of network devices from exposed threats and weaknesses or implementation of workarounds to prevent possible network breaches.
- Detection of breaches in time, receipt of alerts, and initiation of the triage process.
- Remediation of stale configurations to avoid further compromise.
- Management of vulnerabilities of multi-domain networks with multi-vendor resources.
The ideal approach
If a cyber attack occurs, it is crucial to quickly identify, mitigate, and repair the compromised network components. The National Institute of Standards and Technology (NIST) framework suggests five strategies to minimize cyber-attacks:
- Identifying a threat is essential since knowing shortcomings can work to your advantage.
- Protecting data, assets, and resources from theft and manipulation. Upon detecting a system’s weaknesses, immediately patch or upgrade it with additional security features.
- Detecting the breach in security. Companies sometimes are not even aware that a breach has occurred. A reliable detection system that tracks the breach as it occurs should be in place.
- Responding to the attack and fortifying the network. The initial triage should be ready to mitigate the attack.
- Recovering from the attack and disinfecting the network. Upon detection, employ measures to recover from the attack or quarantine/sandbox the affected portion of the network.
Let’s look at how Anuta Networks ATOM, with its vulnerability management, configuration compliance, software compliance, alarm generation, monitoring, and alert correlation capabilities, is equipped to mitigate the vulnerabilities inherent in any given network.
ATOM as a Vulnerability Manager
The time-tested adage “prevention is better than the cure” should be kept in mind when thinking about network security. ATOM can track network configuration as well as software compliance and self-heal the erroneous zones within a network. It can also address all of the security pain points by importing and using the security information published by network device vendors. ATOM also enables enterprises and service providers to rapidly design and provision network services, onboard server infrastructure, create inventory, collect security information, ensure security configuration and software compliance, and provide an additional layer of security for multi-vendor physical and virtual infrastructure. Let’s now dive deeper and examine three areas: threat identification and collection; threat detection, recovery, and response; and finally, external integration.
1. Threat Identification and Collection:
- Network vendors such as Cisco, Juniper, and Palo Alto Networks collect and store network vulnerability information in their respective databases. This information for each vendor is also available from sources such as NIST-NVD and is accessible through APIs. For instance, Cisco has PSIRT (Product Security Incident Response Team), which identifies flaws in their platforms, suggests a workaround to protect the system from attack, and releases a stable OS version to address the vulnerability. Cisco publishes this vulnerability data through its OpenVuln API in machine-readable format. Anuta Networks obtains similar vulnerability information through the relevant APIs of other vendors.
- When ATOM onboards network devices, it creates an extended inventory that captures the device’s OS and OS version. ATOM can ingest all the vulnerability information, such as the CVSS (Common Vulnerability Scoring System), fixed version, and workarounds of the related OS and OS version. It also includes the relevant product security information, which significantly eases the efforts of network and security engineers related to vulnerability assessment and penetration testing.
- Vulnerability assessment and penetration testing refer to detecting vulnerabilities using manual and automated tests. They also include analyzing network threats and generating actionable insights and reports. Based on assessment reports, vendors eliminate common weaknesses, release a fixed version of the software, or provide recommendations for preventing the threat. ATOM is efficient in facilitating vulnerability identification, analysis, and risk assessment by making readily available threat analysis reports from network device vendors. As ATOM imports this information from the vendor’s security database, other ATOM functionalities, such as configuration compliance, alerting, and software compliance can be leveraged in remediation efforts.
- Similar to Cisco device vulnerability information accessible through APIs, vulnerability information for Juniper devices is available on NIST NVD, which can be extracted from REST APIs and used to manage the threats. Similarly, the Palo Alto Networks PSIRT team publishes vulnerabilities using API, and Anuta Networks can also subscribe to security advisories from Alcatel Lucent and other vendors.
2. Threat Detection, Recovery, and Response:
- ATOM includes alert creation, compliance and remediation, and closed-loop automation capabilities. ATOM can filter advisories by the most critical severity and mark the affected OS version as non-compliant. Users can also view the vulnerability of an OS version, its summary, and its explanation, and take remediation action by upgrading the affected OS version or implementing another workaround.
- To upgrade the OS version of a network device, ATOM offers a pre-defined workflow that handles the pre- and post-checks. In this way, the device stays compliant with respect to its OS version. The number of susceptible OS versions, active non-compliance alerts, and top trending vulnerabilities are just a few examples of the reporting and analytics on vulnerability data that ATOM can provide in its dashboard.
- Most attacks occur due to network device misconfigurations stemming from incorrectly configured firewall rules, lack of authentication, and more. ATOM addresses these issues with configuration compliance, allowing a user to create an ideal configuration template in the form of a regular expression or Jinja template, which is then compared against onboarded devices. If any device configuration is non-compliant, an alert is generated. The user can subsequently fix the non-compliant configuration or choose an auto-remediation process.
- Let’s examine an example of a vulnerability that warns that OSPF on a device could be exploited to compromise security. Clicking on the advisory link in the summary section takes one to an external Cisco page where information such as an “indicator of breach” and a “workaround” for the issue can be found. The suggested workaround in this example is to implement OSPF with authentication. If OSPF authentication is not present in the device configuration, ATOM will start a remediation process with user permission. The configuration compliance capability can therefore be used to verify OSPF settings on all devices running susceptible OS versions. Routers that violate the configuration compliance policy can trigger an alert or a Slack notification from ATOM.
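The two checks described above (matching onboarded devices against a vendor advisory by OS version, then verifying the advisory's workaround with a regex configuration template) are illustrated by the following added example. It is not ATOM code or Cisco data: the advisory record, inventory, device configs and the `IOS-XE` version strings are all constructed, and the advisory fields merely mirror what the post lists (CVSS, fixed version, workaround).

```python
import re

# Constructed advisory record modelled on the fields the post lists
# (CVSS, fixed version, workaround); not real vendor data.
ADVISORY = {
    "id": "ADVISORY-PLACEHOLDER",  # placeholder, not a real advisory id
    "product": "IOS-XE",
    "cvss": 8.6,
    "fixed_version": "17.3.2",    # releases older than this are affected
    "workaround": "enable OSPF authentication",
}
# Constructed extended inventory: OS and OS version captured at onboarding.
INVENTORY = [
    {"name": "rtr-1", "os": "IOS-XE", "version": "17.2.1"},
    {"name": "rtr-2", "os": "IOS-XE", "version": "17.3.2"},
    {"name": "rtr-3", "os": "IOS-XE", "version": "16.12.4"},
]
# Constructed running configs, trimmed to the OSPF lines that matter.
CONFIGS = {
    "rtr-1": "router ospf 1\n area 0 authentication message-digest\n",
    "rtr-2": "router ospf 1\n network 10.0.0.0 0.0.0.255 area 0\n",
    "rtr-3": "interface GigabitEthernet1\n ip ospf 1 area 0\n",
}
# Regex compliance template: OSPF authentication per area or per interface.
OSPF_AUTH = re.compile(r"^\s*(area \d+ authentication|ip ospf authentication)\b", re.M)

def parse_version(text):
    # Dotted numeric versions only; real vendor strings need vendor-specific parsing.
    return tuple(int(part) for part in text.split("."))

def is_susceptible(device, advisory):
    """Software compliance: does the device run an affected OS version?"""
    return (device["os"] == advisory["product"]
            and parse_version(device["version"]) < parse_version(advisory["fixed_version"]))

def has_workaround(config):
    """Configuration compliance: is the advisory's workaround present?"""
    return OSPF_AUTH.search(config) is not None

def evaluate(inventory, configs, advisory):
    """Per-device status. 'alert' is True only when the OS is susceptible AND the
    workaround is missing: those are the devices that need triage or an upgrade."""
    report = {}
    for dev in inventory:
        susceptible = is_susceptible(dev, advisory)
        workaround = has_workaround(configs.get(dev["name"], ""))
        report[dev["name"]] = {"os_noncompliant": susceptible,
                               "workaround_present": workaround,
                               "alert": susceptible and not workaround}
    return report
```

With the constructed data, rtr-1 is on an affected release but already has the workaround, rtr-2 is on the fixed release, and only rtr-3 raises an alert.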
3. External Integration
ATOM can integrate with external security operations (SOC) tools such as SIEM or SOAR platforms and export network alerts to external NMS or SIEM tools. ATOM can also sense breach indicators, create alerts based on the alert definition, and pass them to external SOC tools. It can also handle configuration compliance and OS/software compliance and work in tandem with SOC tools to mitigate security risks. To extend external security tools such as Splunk, one can also install Splunk log forwarders on the ATOM agent, which gather logs from ATOM and send them to the Splunk server, so that all security-related records can be managed in a single location.
Anuta Networks ATOM plays an essential role in the network vulnerability management lifecycle. When scanning onboarded devices, ATOM refreshes its security database dynamically. It also controls the network and stores pertinent security information from a broad range of vendors. Additionally, the workflows collecting the vulnerability data can be scheduled to run periodically so that the vulnerability database has the latest information. The outcome is a significantly reduced workload for a security operations team.
ATOM is a one-stop solution for information collection, security policy and upgrade management, and breach detection. It also serves a vital role as an additional layer of security for network infrastructure and saves significant time and effort spent on threat hunting and applying security policies. Contact Anuta Networks today to learn more!