What is full visibility, in terms of managing IT risk? It is the ability to collect, investigate, analyze and store all records of activity on the company's infrastructure, drawn from three sources: email activity, network traffic, and endpoint actions.
A business can employ a number of types of protection to improve its visibility.
Web proxy protection
Upwards of 80% of network traffic going north to south (out to the internet and back) is encrypted. This encrypted network data is important both as primary alerting information and as correlation data during a multi-phased, dynamic attack. A web proxy protection solution takes all egress and ingress (north to south) traffic, decrypts it, inspects and analyzes it, and then re-encrypts it so the normal traffic flow is preserved. This lets you shine a light on the decrypted traffic and apply your toolsets to it, which is a significant portion of visibility, and thus of defense. Web proxy protection also serves as an element of "defense in depth": by blocking the downloads and callbacks a breach depends on, it reduces the ability of that breach to execute on endpoints.
Endpoint protection
At a minimum, endpoint protection provides the data needed to prevent or quickly remediate security compromises such as malware, ransomware, or bad actors, whether on a laptop, desktop, or server. It includes anti-virus protection and the ability for these functions to work wherever the endpoint is connected, including outside the company network, such as on a public Wi-Fi hotspot. Endpoint visibility plays a vital role in investigating and tracing incidents and compromises in order to ensure that the issue has been cleared.
Email protection
Email is a primary delivery vector for bad actors. Businesses become vulnerable when under-trained or under-aware employees receive malware or phishing attacks via email. Employee training helps, but even the most attentive employee can have a bad day, so relying on employee behavior alone means playing from behind. Full visibility incorporates file-carving toolsets on the email flow, with endpoint and network configuration aligned to contain any malware that does get through.
In a remote work environment, endpoint protection and web proxy protection carry a greater share of the overall defense. In the unfortunate event of a compromise, full visibility can greatly accelerate the investigation into who is on the enterprise infrastructure, where they have been, and whether they have been removed.
The context of the threat is paramount for all aspects of defense. Without full visibility into all the available information about a threat, the analyst loses the ability to understand and evaluate it. Lack of context hinders an organization's ability to understand how its defense is working, to confirm that an incident has been fully remediated, and to know whether it is in alignment with current security policies.
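The correlation the preceding paragraphs describe (an attachment arriving by email, a suspicious process on the same endpoint shortly after, then an outbound request seen at the decrypting proxy, and finally a check that the host is quiet after cleanup) can be shown concretely. The following is an added example, not code from the original page or from SEI; the log lines are constructed, and the field names, the 30-minute window and the lists of document viewers and script hosts are assumptions chosen for illustration.

```python
"""Cross-source correlation: stitching email, endpoint and proxy records from
the same host into one timeline. Added example with constructed log lines;
field names, window size and the process lists below are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample records. Each line: ISO timestamp followed by key=value pairs.
EMAIL_LOG = [
    "2024-03-04T09:12:05Z recipient=alice host=WS-ALICE attachment=invoice.xlsm",
    "2024-03-04T09:30:40Z recipient=bob host=WS-BOB attachment=agenda.pdf",
]
ENDPOINT_LOG = [
    "2024-03-04T09:15:22Z host=WS-ALICE parent=EXCEL.EXE process=powershell.exe",
    "2024-03-04T09:31:10Z host=WS-BOB parent=explorer.exe process=notepad.exe",
    "2024-03-04T11:02:00Z host=WS-ALICE parent=explorer.exe process=chrome.exe",
]
NETWORK_LOG = [  # decrypted web-proxy records (constructed)
    "2024-03-04T09:15:40Z host=WS-ALICE dst=files.example.invalid method=GET status=200",
    "2024-03-04T09:32:00Z host=WS-BOB dst=intranet.example.invalid method=GET status=200",
    "2024-03-04T13:05:00Z host=WS-ALICE dst=files.example.invalid method=POST status=200",
]

# Assumed heuristic: a document viewer spawning a script host is the endpoint
# event that ties an attachment to whatever ran afterwards.
DOCUMENT_APPS = {"EXCEL.EXE", "WINWORD.EXE", "AcroRd32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe"}


@dataclass
class Event:
    source: str
    ts: datetime
    fields: dict


def parse_log(source, lines):
    """Turn 'timestamp k=v k=v' lines into Event objects, sorted by time."""
    events = []
    for line in lines:
        ts_str, *pairs = line.split()
        fields = dict(pair.split("=", 1) for pair in pairs)
        events.append(Event(source, datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"), fields))
    return sorted(events, key=lambda e: e.ts)


def _within(events, host, start, window):
    """Events for `host` strictly after `start` and no later than `start + window`."""
    return [e for e in events
            if e.fields["host"] == host and start < e.ts <= start + window]


def build_incident_chains(email_lines, endpoint_lines, network_lines, window_minutes=30):
    """Link attachment -> suspicious child process -> outbound web request on one host.

    Each chain holds evidence from all three sources, which is what lets an
    analyst see the whole sequence instead of three unrelated alerts."""
    window = timedelta(minutes=window_minutes)
    email = parse_log("email", email_lines)
    endpoint = parse_log("endpoint", endpoint_lines)
    network = parse_log("network", network_lines)
    chains = []
    for mail in email:
        host = mail.fields["host"]
        for proc in _within(endpoint, host, mail.ts, window):
            if (proc.fields["parent"] not in DOCUMENT_APPS
                    or proc.fields["process"] not in SCRIPT_HOSTS):
                continue
            egress = _within(network, host, proc.ts, window)
            chains.append({
                "host": host,
                "attachment": mail.fields["attachment"],
                "process": proc.fields["process"],
                "destinations": sorted({n.fields["dst"] for n in egress}),
                "timeline": [mail, proc, *egress],
            })
    return chains


def after_remediation(network_lines, chain, remediated_at):
    """Proxy records from the chain's host to its destinations after cleanup.

    A non-empty result means the host is still talking to the same place, so
    the incident should not be closed yet."""
    network = parse_log("network", network_lines)
    return [n for n in network
            if n.fields["host"] == chain["host"]
            and n.fields["dst"] in chain["destinations"]
            and n.ts > remediated_at]


if __name__ == "__main__":
    for chain in build_incident_chains(EMAIL_LOG, ENDPOINT_LOG, NETWORK_LOG):
        print(f"{chain['host']}: {chain['attachment']} -> {chain['process']} -> {chain['destinations']}")
        for ev in chain["timeline"]:
            print(f"  {ev.ts.isoformat()} [{ev.source}] {ev.fields}")
        leftovers = after_remediation(NETWORK_LOG, chain, datetime(2024, 3, 4, 12, 0, 0))
        print(f"  still active after 12:00 cleanup: {len(leftovers)} request(s)")
```

Run as a script, it reports one chain on WS-ALICE and flags that the host contacted the same destination again after the 12:00 cleanup, which is exactly the "has it been removed?" question an analyst needs all three sources to answer. The point of the design is that no single source produces a verdict: the email record alone is just an attachment, the endpoint record alone is just a process, and the proxy record alone is just a request.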
Obstacles to full visibility typically include:
- Availability of resources to oversee the program
- Integration of tools to get the most out of their capabilities
- Centralization of the visibility into a ‘single pane of glass’ for intelligence development
- Tuning of toolsets to balance risk tolerance against the efficient flow of business information
As a business clarifies its risk tolerance and posture, it should consider the extent to which it is gaining visibility into its environment and using that information for intelligence and decision making.
For more information, visit SEI IT Services.