More security tools don’t necessarily equal better security, as many companies can attest.
You’ll find varying numbers on exactly how many security technologies enterprises use, with some surveys putting the number in the 70s, but research from the Ponemon Institute and IBM noted that high-performing organizations had winnowed their toolset to “just” 39.
Meanwhile, in a ReliaQuest survey of 400 security decision-makers at large enterprises, 71% said they’re adding security technologies faster than they can effectively use them. And 69% reported their security team spends more time managing those tools than defending against threats.
To tackle the problem, Boston-based ZeroNorth offers an overlay of security tools to provide visibility and prioritization in one place from various tools across infrastructure and applications.
The category of risk-based vulnerability management, Gartner analyst Dale Gardner has said, suffers from lack of comprehensive, end-to-end view of risk posed by applications and “full-stack view” of vulnerabilities.
Value from Existing Tools
ZeroNorth founder Ernesto DiGiambattista lived the problem in former roles as chief technology and security officer with a financial group and earlier as vice president of corporate audit at an investment banking company.
Adding a new tool meant adding a team to manage the tool. Providing a report for an audit meant putting all the tool owners and the data owners in a room for two weeks where they would try to merge data from all the tools, then try to hash out what the data was telling them. But the next time he needed a report, it would no way be consistent with the previous report. He decided he could either build out a system to consolidate all this information or build out a company to do it. Thus ZeroNorth was born in 2015.
“Fast forward to the world of DevOps where development is moving at the speed of light, and security and vulnerability management is using the exact same model they were using 15 years ago. That’s not a tenable position for anyone to be in,” said CEO John Worrall.
“We are a layer on top of your scanning tools that can add more value out of your existing investment in scanning tools. And we can take a lot of labor on the equation that requires you to operate those tools.”
Various security tools generate data in different formats, he pointed out. ZeroNorth automates the entire process of data normalization and correlation, so you actually have a better picture of what your risk is telling you, he said.
Organizations can look at the business processes and understand the application and infrastructure risk tied to very specific critical components of the business.
“Scanning for vulnerabilities across applications and infrastructure requires a number of different tools that can become onerous to manage individually. Consolidating the output of those tools and making sure developers can quickly remediate issues is very difficult to do manually.
“ZeroNorth greatly simplifies this process in a way that integrates into existing developer workflows while prioritizing issues that present the most business risk. And on top of that, the consolidated view we have through ZeroNorth has made it much easier to provide security assurance to customers and regulatory bodies because we always have the information we need at our fingertips,” said Francis Juliano, chief technology officer of auction technology vendor Bidpath.
Probably the worst thing that security teams can do to the DevOps team is to send a lot of false positives into the ticketing system. ZeroNorth can compress issues, giving the development team a much finer-tuned ticket that tells them exactly what has to be fixed and why Worrall said.
“Oftentimes, you’re going to run some dynamic scanner in your production environment that might show 500 or 600 different findings. If we can correlate that back to one or two different software libraries … tie it back to an open source library that is out of date. So instead of sending 500 or 600 tickets, we create one ticket, we create one single unit of work for the developer that says, ‘Go fix this open source library issue. And when you fix that, you’re also going to fix these other 500 or 600 scans that we’ve attached.’
“So we’re really compressing the number of items that they have to work on. And we’re maintaining a record for compliance purposes,” he said.
The company maintains that this technology shouldn’t have to be something development teams are concerned about or even know is running.
“When we go talk to CISOs about our solutions, they talk about how application development, DevOps is moving so fast. They don’t have a lot of expertise in their environment. So they don’t have the resources to sit down with every business unit and help teach … how to design your applications and how to do application security right.”
ZeroNorth essentially creates a data lake for data from security tools.
“Think of our platform as a common bus where all your tools are integrated into the platform, all your applications, all your repositories, microservices, your containers, your production environments … across the organization, across the [software delivery lifecycle]” connected through APIs, Worrall said.
With its associate policy engine, organizations can automate which scans to run when, and create more sophisticated policies around if/then scenarios.
The platform normalizes, de-dupes, and correlates the data so it can be analyzed for risk to the business, then prioritizes vulnerability information in the admin console with alerts sent through systems including Jira, VictorOps, text, email, or Slack.
“One of the things I liked about their platform is that it is both a ‘starter kit’ for organizations trying to gain visibility into what’s going on in their environments and can be used by more mature organizations that have multiple tools deployed. ZeroNorth ships with several open source scanners, but companies can integrate any others in their environment, which makes management easy and visibility uniform,” Katherine Teitler, senior analyst at TAG Cyber, told The New Stack.
She’s referring to the Quick Start Program which includes a suite of open source tools including the OWASP Dependency Check (DepCheck) for software composition analysis (SCA); Bandit, Brakeman and SonarQube for static application security testing (SAST); Aqua, Clair and Docker Content Trust for container security; OWASP Zap for dynamic application security testing (DAST) of deployed web applications; and Prowler to identify misconfigured or otherwise vulnerable assets within cloud infrastructure.
The system also can run competing tools in parallel to make comparison shopping easier. Users can start with the open source tools, Worrall said, then compare them with commercial tools as they run side by side.
It provides metrics including Internal Rate of Detection (IRD) and Internal Rate of Remediation (IRR), enabling organizations to regularly measure whether they’re actually getting better at finding and remediating vulnerabilities better, faster and cheaper.
Providing Managers Good Data
In this emerging market, the main competitors so far have been organizations that have built out this capability themselves, he said. In the commercial market, he pointed to Kenna Security as its closest rival, though it initially was focused on infrastructure only and added the application coverage more recently.
“Tenable or Veracode or Checkmarx or Black Duck — they all have their ability to integrate with the environment and scan the environment. All we’re trying to do is to take the results and integrate them into our data lake,” then normalize the data and offer remediation advice, he said.
Assigning risk is a business function.
“Our role there to make sure that we can provide information on all the vulnerabilities that are found, and make sure that there’s really good data available to the managers and the developers as they’re trying to understand what to do first. And what’s really, really critical and unique is that we are able to allow organizations to tie it back to their business components.” Enabling governance has been a big differentiator with customers, he said.
“Security fundamentals such as vulnerability management have continued to plague organizations for decades,” said Patrick Heim, partner and chief information security officer at ClearSky, of its investment in ZeroNorth. “We see the adoption of DevOps as an opportunity to fundamentally transform infrastructure security and see ZeroNorth at the center of sustainable and risk-driven vulnerability management.”