Christopher Kissel | Senior Analyst Cybersecurity, Frost & Sullivan
In January 2017, Frost & Sullivan published Vulnerability Management: Adding Actionable Intelligence to Network Scan Technology, a review of the Vulnerability Market (VM). In the report, Digital Defense, Inc. was cited as having the Best Scan Engine.
The citation is right—the patented Network Host Correlation (also referred to as scan-to-scan reconciliation) tracks the activities of network hosts. The approach is sound: when something changes at a host address (a server reconfiguration, or problems arising from a software upgrade), the effects cascade, and scans often report false positives or lose the endpoint altogether. The only problem with the citation is that VM is a continuing process that depends on good technology before and after the network scan. Digital Defense does other things well that are worth drawing attention to.
The basic core set of VM functions is invaluable. A vulnerability assessment scan is designed to look for devices with an IP address and determine how exploitable each device is. The general taxonomy is centered on the Common Vulnerability Scoring System (CVSS), which considers such factors as access, authentication, confidentiality, and integrity; from these an average score is created (in CVSS, the score is somewhere between 1‒10).
Underappreciated is the company’s expertise in more than just uncovering vulnerabilities. Digital Defense offers managed services, penetration testing, and Web application testing. The engineering team will reverse engineer an attack to gain visibility over registries and applications as well as the network surface. Self-evidently, the discoveries improve the efficacy of the Frontline Vulnerability Manager™ (Frontline VM™) platform. More than that, Digital Defense provides additional attack vector information to its clients as well as to the Product Security Incident Response Teams (PSIRTs) of potentially vulnerable systems. In the last year, Digital Defense’s Vulnerability Research Team found and reported zero-day threats in Riverbed SteelCentral, Avaya AES Management Console, and Lexmark Markvision, among others. (In the course of discovering zero days and vulnerabilities, Digital Defense has in some cases sent over Python scripts demonstrating the vulnerability along with suggested remediation.)
Usability is a watchword in any network security technology. Toward that end, within the last year Digital Defense built an all-HTML5 front-end and a newly architected back-end (we appreciate, and lament, the passing of Flash). Very rarely are VM systems deployed in a green field, and VM tools often need to be integrated into the daily workflow of the SecOps team.
In the modern multilayer security stack used by enterprises, a security vendor must have both an integration framework and tight partner integrations. Digital Defense offers a REST API, JSON, and a QuickConnect Integrated API Key. The API structure cuts down on a lot of headaches; even in dense enterprise networks, the Digital Defense solution can be stood up in a week and completely deployed within another week’s time. Frontline VM can be integrated with ServiceNow to facilitate ticketing, and Digital Defense appliances (VM and Web application scanning) are accessible within SplunkBase. Digital Defense is tightly integrated with IBM QRadar. (The undisclosed company roadmap shows additional partnerships planned with other cyber security providers.)
The work detail for analysts begins on the ActiveView dashboard. The Network Host Correlation process plays very nicely in ActiveView. In other types of VM systems, an analyst would have to track the activity of hosts by comparing CSV lists, but the history of host activity is indexed and accessible in ActiveView. Additionally, ActiveView attaches “smart labels” to endpoints in the scan process. By having device profiles preloaded, ActiveView can assign values to logical business groups or device types (Windows server, printers, etc.). If a malware type is targeting specific assets in an attack, the smart label hierarchy helps to begin the remediation process.
The last part of the usability concept is Frontline Security GPA®. The scoring system is designed to look like a college grading system, with 4.0 being the best (and something lower being this analyst’s college performance). The overall GPA score includes a weighted score for host criticality and host asset value. The tool is used to determine whether a network’s security posture is improving over time, and the metric is also useful for stakeholders who do not have sophisticated security acumen.
Digital Defense was one of the first vendors to see the value of VM cloud deployments, and continues to leverage what cloud offers. Frontline VM has visibility over N-tier virtual appliances. As Frontline VM is cloud-based, the architecture is designed to ingest large data sets from open source platforms.
Frost & Sullivan maintains that vulnerability management is a fundamental cyber security defense, one that companies would be foolish to do without. For Digital Defense, the recent platform improvements elevate the organization from a VM, Web application scanning, and professional services company into a solutions provider that can help cyber security teams in the threat-hunting process.