In the movie Everything Everywhere All at Once, protagonist Evelyn Wang must travel between dimensions to confront and defeat an evil that threatens her family’s existence in their home universe. For Wang it is a confusing and taxing fight that requires her to use information, experience, and power gained as she navigates the multiverse to know what she must do to overcome the challenges she meets along the way. It’s a convoluted story arc that is not unlike the day-to-day of a CISO working to protect the modern enterprise and the universe of “things” that are being deployed.
Like Evelyn Wang’s world, today’s technology estates are convoluted, multi-dimensional environments where decisions made anywhere have implications everywhere. Multi-campus, multi-cloud, on-premises, cloud-based, mobile, and software-defined are all common terms describing a single enterprise. Then you have to take into account the physical and virtual assets comprising a typical environment, many of which come and go, connect and disconnect, independent of IT management. It’s hard to keep up, but keep up you must, because threat actors are constantly on the prowl looking for vulnerabilities that will allow them to perpetrate whatever attack they’ve got in mind.
A recent conversation I had with the CISO of a large enterprise illustrates the dilemma.
“I am responsible for every device, whether I know about it or not,” he said. “Because we don’t know all of the devices that are connected to the network, we have blind spots that are unprotected.”
To protect a technology estate, you need to be able to see across the network—in real time—and have information in context for making good decisions. That is a tall order for any organization, but especially for those that rely on a sprawling IT estate. In a 2022 study commissioned by IBM, technology analyst firm IDC found that the average number of IT assets managed by the 29 organizations studied was 2.7 million. That’s a lot of systems and devices, and it counts only the ones in the known inventory. Another report found that as many as 20% of an organization’s IT assets may be invisible to IT management and security operations, meaning more than half a million unsecured things are operating in the average enterprise.
Of that 20%, not all of it is traditional IT that has simply gotten lost in a fast-growing technology environment. Because connectivity is so essential, a lot of things that constitute the Internet of Things (IoT) end up attaching themselves to the enterprise network. In our experience here at Ordr, we’ve seen exercise equipment, gaming consoles, Kegerators, Tesla automobiles, and a lot more operating alongside mission-critical IT systems, Internet of Medical Things (IoMT) devices, operational technology (OT), and plenty more.
Every asset in an organization’s inventory that is not accounted for and protected is a potential attack vector, or a step along a path of lateral movement that an attacker can use to gain access or move undetected. Threat actors know this and are increasingly targeting IoT to take advantage. One cybersecurity firm says attacks targeting IoT devices have increased 700% since 2020, and Microsoft security researchers recently discovered “a sophisticated attack campaign” targeting IoT devices.
That puts a lot of pressure on the CISO, and it also feeds a vicious asset management and security cycle: a failure to keep track of all assets, including IoT, means that you can’t properly identify your attack surface. Unaccounted-for assets include those with vulnerabilities, those running outdated operating systems, and devices missing a security agent or patches. It also means IT and security operations aren’t running at maximal efficiency, because the context in which decisions are made (and automated) is less precise. Threats thrive in chaos, so risk increases when assets are not fully inventoried, monitored, and managed in real time.
When security blind spots are a problem, the best first step toward a remedy is to employ tools that enable IT and security teams to gain visibility into the enterprise’s cracks and crevices. But there are some considerations:
- Granular context matters – Asset visibility must include deep threat and asset context. This requires a combination of methods to continuously discover and classify an asset, via deep packet inspection of network traffic, APIs, and NetFlow. For example, in order to determine whether you’re impacted by a zero day like MOVEit, you must know what applications are actually running on your devices. Similarly, to identify vulnerabilities that affect your assets, you may need to know the specific minor version of the operating system each one runs.
- Behavioral analysis via AI can be a differentiator – Devices are deterministic: a video surveillance camera, an HVAC system, or a medical device each has specific behaviors in the network based on its function. The ability to baseline these communication patterns not only surfaces anomalies (early indicators of a potential compromise) but also informs the foundational Zero Trust policies that secure those devices.
- Automated policies are important to scale – When there are hundreds of thousands of connected devices in the network, the only way to secure them is via automated policies. This means dynamically generating proactive Zero Trust policies that allow only “baseline” communications for mission-critical devices, or generating reactive policies to block ports, move devices to a different segment, or terminate sessions. When a device fits a specific profile, a pre-defined policy can be applied automatically, for example activating a vulnerability scan when a new device is discovered on the network.
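The baselining and policy-generation idea behind the last two points, as an added example (not Ordr’s code or product logic): learn each device’s normal destinations from a learning window of NetFlow-style records, flag live flows that fall outside that baseline, and render the baseline as a default-deny allowlist. Device names, hostnames, and flow records are constructed for illustration.

```python
from collections import defaultdict

# Constructed NetFlow-style records, not real telemetry:
# (device, dst_host, dst_port, proto)
BASELINE_FLOWS = [
    ("cam-lobby-01", "nvr.corp.example", 554, "tcp"),    # RTSP to video recorder
    ("cam-lobby-01", "ntp.corp.example", 123, "udp"),    # time sync
    ("cam-lobby-01", "nvr.corp.example", 554, "tcp"),
    ("hvac-ctrl-02", "bms.corp.example", 47808, "udp"),  # BACnet to building mgmt
    ("hvac-ctrl-02", "ntp.corp.example", 123, "udp"),
]

LIVE_FLOWS = [
    ("cam-lobby-01", "nvr.corp.example", 554, "tcp"),
    ("cam-lobby-01", "fileserver.corp.example", 445, "tcp"),  # SMB from a camera: outside baseline
    ("hvac-ctrl-02", "bms.corp.example", 47808, "udp"),
    ("printer-03", "print.corp.example", 9100, "tcp"),        # device never seen in learning window
]


def learn_baseline(flows):
    """Map each device to the set of (dst_host, dst_port, proto) it used while learning."""
    baseline = defaultdict(set)
    for device, dst, port, proto in flows:
        baseline[device].add((dst, port, proto))
    return dict(baseline)


def find_anomalies(baseline, flows):
    """Return live flows outside the device's baseline; devices with no baseline are flagged too."""
    anomalies = []
    for device, dst, port, proto in flows:
        allowed = baseline.get(device)
        if allowed is None:
            anomalies.append((device, dst, port, proto, "unbaselined device"))
        elif (dst, port, proto) not in allowed:
            anomalies.append((device, dst, port, proto, "outside baseline"))
    return anomalies


def baseline_to_policy(baseline, device):
    """Render one device's baseline as an allowlist with a trailing default-deny rule."""
    rules = sorted(f"permit {device} -> {dst}:{port}/{proto}"
                   for dst, port, proto in baseline[device])
    rules.append(f"deny {device} -> any")
    return rules


if __name__ == "__main__":
    base = learn_baseline(BASELINE_FLOWS)
    for anomaly in find_anomalies(base, LIVE_FLOWS):
        print("ALERT", anomaly)
    print("\n".join(baseline_to_policy(base, "cam-lobby-01")))
```

A real deployment would learn over a much longer window and add counts or time-of-day features, but the shape is the same: deterministic devices yield small baselines, and anything outside them is worth an alert.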
Evelyn Wang learned how to navigate between dimensions of the multiverse to tackle challenges that were not visible in her home dimension. CISOs must gain the means to see every asset across a multidimensional enterprise with fidelity and granular context. Only then will they be able to identify their attack surface and address the security gaps that put their enterprise at risk.