The recent disclosure of an unpatched critical zero-day vulnerability (CVE-2023-20198) in Cisco's IOS XE software highlights the vulnerabilities inherent in modern IT infrastructure. While agent-based products have become popular for organizations looking to bolster their cybersecurity, this recent vulnerability begs the question: is an agent-based approach really sufficient? Agents undoubtedly offer valuable insights into vulnerability management, but they don’t offer a truly holistic understanding and comprehensive risk assessment.
Today, under active exploit and added to the CISA KEV catalog, this new flaw allows unauthorized attackers remote, full-privilege access to affected devices, rendering them entirely under the attacker’s control. The incident highlights a critical point: while agent-based vulnerability management tools are instrumental in monitoring and detecting potential threats on devices they're installed on, they aren't a cure-all. Consider network devices, such as the affected Cisco gear. These devices often don't support agents and thus could serve as spots in an agent-only vulnerability management strategy.
The speed at which attackers can exploit such zero-day vulnerabilities emphasizes the need for a multi-faceted approach to vulnerability management. While agents can offer near real-time alerts, there are situations, such as the present Cisco case, where immediate external interventions, like turning off a feature are needed even before an official patch is released.
Relying solely on agent-based products might not offer a complete risk assessment, underscoring the need for a multifaceted approach. The most pivotal reasons include:
- Endpoint restrictions: Not all endpoints support or have agents installed, leading to potential assessment gaps. Moreover, not all devices in a company’s environment can or should have an agent installed. Infrequently connected devices like off-site servers may also evade regular scans. Security teams need to scan these devices externally to avoid vulnerabilities.
- Infrastructure complexity: Many network devices, like routers, switches, firewalls, IoT, and OT devices, don't support agents, posing potential risk assessment blind spots.
- Cloud and virtual environments: Agent-only products might only offer a partial view of cloud-based infrastructure, especially when dealing with containers, serverless functions, and other dynamic cloud-native constructs.
- Configuration checks: Agent-based products are excellent for vulnerability checks but are often less effective in assessing misconfigurations, which are as risky as known vulnerabilities.
- External exposures: Agents are great for assessing the state of a device from its perspective. However, they might not capture how the device looks from an external perspective, i.e., how it might appear to an external attacker. Periodic external scans are essential to fill this gap.
- Ensuring redundancy for robust defense: Consider a multi-layered shield. While one wouldn't solely rely on a single layer of security in modern network architectures, vulnerability management benefits from a diverse strategy. Merging agent data with network scans helps to create a stronger, more redundant system. This ensures that potential vulnerabilities are detected and addressed, no matter how hidden.
In the face of evolving cyber threats, organizations need a security stack that delivers comprehensive coverage and offers a lens into its IT ecosystem, including on-premises, cloud, mobile, OT, and IoT assets. It’s also essential to receive real-time alerts as they let organizations stay proactive rather than reactive. Furthermore, leveraging advanced threat intelligence and machine learning can narrow the focus to critical vulnerabilities, ensuring timely and efficient responses.
However, organizations really need to develop a truly unified approach to security and compliance. It’s not just about detection; it’s about effective action. An organization’s security environment must have the ability to auto-deploy patches, isolate suspicious devices, and present a consolidated dashboard view for a clear picture of the threat landscape.
In light of the CVE-2023-20198 incident, it's evident that organizations face significant and evolving risks. Sole dependence on agent-based solutions can overlook vulnerabilities in crucial devices and systems. Adopting a well-rounded vulnerability management strategy that integrates agent-based and agent-less methods has become essential. By harnessing the strengths of diverse approaches, organizations can pinpoint vulnerabilities and take robust measures to curb potential threats. A comprehensive cybersecurity environment supports agents and incorporates network scans, external scans, and passive scans. This multifaceted approach aids organizations in maintaining a proactive stance in the ever-evolving realm of cyber threats.
Saeed Abbasi, manager of vulnerability and threat research, Qualys
