NIS2 Directive Will Soon Be Law in European Union Member States
Problem Introduction
The ongoing challenges of protecting organizations against cybersecurity threats are numerous—the never-ending litany of yet another breach in the news provides ample evidence. What rarely features in reports is the cost – an enormous $4.88m per breach on average, a statistic that is not immune from inflation either, up 10% in 2024 [1]. A surge in attacks on edge infrastructure is also being reported, with many vulnerabilities in the very devices organizations depend on for security [2]. So many potential hurdles, even Ethan Hunt would be dismayed!
The obstacles to effective visibility present in this very dynamic environment are multifaceted but primarily tied to:
- Increased attack surface linked to the explosion in the number of endpoints, including headless IoT, OT, and other unmanaged assets
- Unsecured connections and ubiquitous connectivity
- Network architecture complexities and device/network misconfigurations
These conditions in turn present difficulties to many of the existing cybersecurity solutions designed to thwart hackers. What follows is a summary of three broad groups of tools that are generally must-haves for a robust cybersecurity posture but sometimes leave holes in defenses at the network edge.
Vulnerability Management & Testing Tools

Vulnerability Management and Testing Tools are solutions designed to identify, assess, prioritize, mitigate, and manage security vulnerabilities within an organization’s IT infrastructure, networks, applications, and systems. These tools are essential components of a comprehensive cybersecurity strategy, helping organizations identify and address security weaknesses before they can be exploited by attackers.
These solutions encompass a range of capabilities and purposes such as vulnerability scanning, network vulnerability assessment, and configuration management.
They facilitate proactive risk management and enhance the overall security posture of an organization.
However, because of incomplete endpoint, device, and infrastructure discovery they can fall short. The foundational step in vulnerability management is ensuring ALL assets are in fact discovered or inventoried. Sounds simple but is often notoriously difficult. Let’s discuss the circumstances that can cause the discovery process to break—and remember, the further you are into the network edge (and away from the centralized tool’s starting point), the more one or more of them can result in missed assets or even entire network segments.
The reasons some discovery mechanisms fail to discover all endpoint devices can involve the network architecture itself (asymmetric routing, NATs, firewalls, hub-and-spoke topologies, etc.), network media converters that cause undiscovered paths, and misconfigurations of network resources. A common misconfiguration example occurs when switch ports are configured with an incorrect VLAN setting so they don’t have an IP address in the VLAN segment under test.
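One way to check for the discovery gaps described above, as an added example (not from the original article or any vendor's product): reconcile the MAC addresses a switch has learned against ARP data and the scanner's inventory, flagging devices the scan missed and ports whose device has no address in the VLAN segment under test. The table layouts, port names, addresses and function names are constructed assumptions.

```python
import ipaddress
import re

def norm_mac(mac):
    """Canonicalise MAC formats (00:11:.., 0011.2233.., 00-11-..) to 12 hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def find_discovery_gaps(mac_table, arp_table, scanned_ips, vlan_subnets):
    """Return (port, mac, reason) for each switch-learned MAC the scan did not cover."""
    ip_by_mac = {norm_mac(mac): ipaddress.ip_address(ip) for ip, mac in arp_table}
    scanned = {ipaddress.ip_address(ip) for ip in scanned_ips}
    gaps = []
    for port, vlan, mac in mac_table:
        ip = ip_by_mac.get(norm_mac(mac))
        subnet = vlan_subnets.get(vlan)
        if subnet is None:
            reason = "unknown-vlan"        # VLAN not part of the documented design
        elif ip is None:
            reason = "no-ip-seen"          # layer-2 presence only (silent or unaddressed device)
        elif ip not in ipaddress.ip_network(subnet):
            reason = "vlan-mismatch"       # address is outside the port's VLAN segment
        elif ip not in scanned:
            reason = "missed-by-scanner"   # addressable, yet absent from the inventory
        else:
            continue                       # discovered and consistent
        gaps.append((port, norm_mac(mac), reason))
    return gaps

# Constructed sample data (assumptions for illustration only).
VLAN_SUBNETS = {10: "10.0.10.0/24", 20: "10.0.20.0/24"}
MAC_TABLE = [                              # (port, vlan, mac) from a switch export
    ("Gi1/0/1", 10, "0011.2233.4401"),
    ("Gi1/0/2", 10, "0011.2233.4402"),
    ("Gi1/0/3", 20, "0011.2233.4403"),     # headless device, never seen at layer 3
    ("Gi1/0/4", 20, "0011.2233.4404"),     # port assigned to the wrong VLAN
]
ARP_TABLE = [                              # (ip, mac) from the gateway
    ("10.0.10.11", "00:11:22:33:44:01"),
    ("10.0.10.12", "00:11:22:33:44:02"),
    ("10.0.10.44", "00:11:22:33:44:04"),
]
SCANNED_IPS = ["10.0.10.11"]               # what the vulnerability scanner inventoried

if __name__ == "__main__":
    for gap in find_discovery_gaps(MAC_TABLE, ARP_TABLE, SCANNED_IPS, VLAN_SUBNETS):
        print(gap)
```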
Network Management Tools
Network management tools include features to manage network infrastructure elements (including switches, routers, firewalls, and Wi-Fi access points) by periodically collecting data from these managed devices. Depending on the vendor this can comprise SNMP, packet sniffing, flow data, syslog, APIs, or agents. For security validation, some network management tools can also be configured to alert on configuration changes. As such, they can play an important role in ensuring the reliability, security, and efficiency of computer networks in organizations.
Capabilities of tools here range from ongoing monitoring to configuration management along with inventory and fault management.
Though network management tools can communicate with network infrastructure elements, they frequently cannot discover all endpoint devices—often for the same reasons as those described above for vulnerability management and testing tools.
In addition, they can be difficult to set up and configure, requiring specialized knowledge and training to use effectively, and frequently generate false alarms. This complexity can be a barrier for smaller organizations or less experienced administrators. They can also be costly, both upfront and via ongoing expenses like licenses, “per element monitored” fees, and subscriptions.
Endpoint Monitoring Tools
Endpoint monitoring tools are software solutions designed to monitor and manage endpoints within a network. These tools include a broad suite ranging from endpoint detection and response (EDR) to network access control (NAC), and endpoint profiling tools. Data collection methods vary with many utilizing deployed agents while some use network traffic analysis to passively view endpoint traffic or flows. Examples of endpoints include desktops, laptops, tablets, servers, industrial controls, and IoT devices. Endpoint monitoring tools play a crucial role in ensuring the security, performance, and compliance of these devices.
Three areas where they may fall short:
- Restricted/Limited Deployment – Agent-based monitors cannot be installed on all endpoints, especially lightweight devices. Examples here include headless IoT, OT, and ICS (industrial control systems) but also encompass devices often overlooked such as thermometers, IP cameras, building controls, etc. This is a serious weakness. Any device without an agent is a “visibility blind spot” that could be (and has been) exploited by bad actors.
- Complexity – Endpoint tools can be cumbersome to maintain, both in deployment of agents and subsequently in data collection and analysis.
- Cost & Overhead – Agent-based tools can be costly to license and maintain, often priced by the number of devices monitored. Those that use network traffic analysis, while robust, are often exceptionally expensive to procure and cumbersome to implement due to the required overlay of span or tap ports to the monitoring system.
Summary
Every cybersecurity specialist understands that protecting critical IT assets along with sensitive organizational and customer data remains a challenge—especially at the edge network. There are numerous cybersecurity solutions designed to aid in this effort, many of them essential to achieving these objectives.
However, three broad categories of these tools (Vulnerability Management & Testing, Network Management, and Endpoint Monitoring) can, depending on the specifics of the network environment, leave gaps that may be exploited by threat actors.
Therefore, when assessing your organization’s cybersecurity robustness, make sure you know what these edge gaps are—this blog is a good starting point. And if you’re doing this research to comply with NIS2, our handy guide CyberScope Addresses Three Critical NIS2 Measures at the Challenging Edge will provide you with valuable insights (even if your organization is not located within the European Union).
Ultimately, whatever tools are deployed must effectively address the unique challenges at the dynamic network edge – including those less obvious visibility gaps.
1: Cost of a Data Breach Report, IBM, 2024
2: Surge in Attacks Against Edge and Infrastructure Devices, Bank Info Security, June 2024
