By Dr. Edward Amoroso
Chief Executive Officer, TAG Cyber
Research Professor, NYU
A question often posed by my graduate students is this: Why not just remove all the vulnerabilities to secure an enterprise? If this were possible, then the result would be full cyber protection. Without vulnerabilities, there are no entry points for attackers. So, yes – I tell my students, in theory this would lead to a good result. The problem is that the goal to remove all vulnerabilities is comparable in feasibility to doctors removing all diseases.
As a result, we do the best we can – and the discipline we rely on is called vulnerability management. In our rich advisory and consulting practice at TAG Cyber, we’ve yet to meet an enterprise of any size or consequence that doesn’t include dedicated staff working in this area. Despite marketing claims (I won’t embarrass with a reference) by some vendors that vulnerability management is dead, I can report from the front that they are wrong: It is alive.
Fortra has created a strong portfolio of support for this important discipline. While it is certainly true that all types of cybersecurity tools and platforms will contribute in some way to vulnerability management by helping to uncover issues, dedicated vulnerability management tools must include the following capabilities: advanced vulnerability scanning, security testing, and threat assessment. Below we outline the Fortra support in each area.
Advanced Vulnerability Scanning
Enterprise security has always included vulnerability scanning of corporate assets. Early targeted scans of small local area networks and physical servers have expanded, however, to include more comprehensive coverage of hybrid cloud infrastructure, virtual systems and servers, mobility services, and software applications. Such expansion has led to the need for more powerful vulnerability scanning platforms.
The acquisitions of Digital Defense and Beyond Security provide Fortra with the ability to integrate advanced vulnerability scanning services into their enterprise protection portfolio. Digital Defense's Frontline SaaS platform uses the scalability of the cloud and robust automation support to streamline network security assessments. The goal is to reduce manual effort by security teams and pinpoint vulnerabilities that pose the highest risk, allowing teams to focus on high value tasks and expand the scope of the vulnerability management program.
Security Testing
Enterprise security teams have also typically performed security testing to identify exploitable weaknesses. Tests can target networks, operating systems, servers, devices, applications, and other resources. They also usually balance static analysis such as Static Application Security Testing (SAST) with dynamic analysis such as Dynamic Application Security Testing (DAST). Threat emulation is also a key requirement for most enterprise teams.
The acquisition of Core Security provided Fortra with the ability to simplify vulnerability validation with automated pen testing software. Expert pen testing services are also available through Digital Defense. The Cobalt Strike acquisition took security testing one step further and provides Fortra with a world-class adversary simulation tool that can execute advanced attacks. Such capability provides enterprise security groups with use-cases to validate the effectiveness of their controls (or to identify gaps in protection that require security remediation). Beyond Security also includes support for application security testing capabilities including SAST and DAST, which are essential for secure coding practices. Social testing, also known as social engineering services, are provided by Digital Defense, to test the security awareness and practices of an organization’s employees and suppliers.
Threat Assessment
To ensure proper protection coverage for an enterprise, threat assessment capabilities must be present in the security infrastructure. This capability requires accuracy in identifying malicious tactics and scalability to the size and mission of the organization. Generic threat assessment is not useful, because risks might be identified that are not locally meaningful. Remediation would therefore provide low return on the invested time and effort.
The acquisition of Digital Defense offers Fortra with an advanced platform for vulnerability management and threat assessment. The Frontline platform supports cloud-native operation via SaaS deployment. Threat Intelligence and Digital Risk Protection services from PhishLabs, also acquired by Fortra, provide additional context for external threat assessment. An additional Fortra acquisition, Agari, offers exceptional threat visibility for email infrastructure.
As should be evident from the narrative above, Fortra supports the essential vulnerability management in an integrated platform. Enterprise customers are advised to spend some time with the Fortra team learning how this combined suite can be applied to their local environment. Our experience at TAG Cyber has been that such discussions usually result in an action plan.
Read more from Dr. Edward Amoroso.