“I don’t know everything that’s going on in my environment. I would love to say that I do, but I do not. And so, I have my view, I have vulnerability management, and I have Shadow IT. Today I’m going to talk about how we merge these pictures at Air Canada,” said Air Canada’s Kyle Howson at the Randori/SANS Attack Surface Management Virtual Conference.
Watching Howson’s talk, I learned he and his team at Air Canada are using Randori to discover their unknowns, build a comprehensive view of their attack surface, and impress the brass upstairs with real-time insight into their cyber exposure.
“We can’t protect what we don’t know about. Shadow IT, process failures… Systems get set up all the time for projects, things that are not even included anymore. How do we keep track of all those? What happens when you think you’ve patched something and you didn’t patch something?” The answer: Randori.”
In his talk, Kyle walked through how Air Canada is using Randori to solve for three important use cases: find unknowns, prioritizing vulnerabilities, and report on Air Canada’s risk to attacks in the news.
Using ASM to Know Your Unknowns Assets
First off, Air Canada needs to be able to monitor for new hosts in their environment and watch for those ones that really matter. Shadow IT is a major source of attack surface risk, causing 1 in 3 breaches according to Gartner. Attack Surface Management allows Air Canada to find shadow IT they would have otherwise missed by offering an external perspective – exposing what attackers see when they look at Air Canada.
As a global airline with thousands of employees, things are constantly changing and they needed an automated and continuous way to identify shadow IT, monitor for exploitable software and cut through the noise generated by threat intelligence and vulnerability scanners. By integrating those sources with Randori, Air Canada is able to flag when new systems are added or critical changes are made to their environment in an automated and manageable fashion.
Using AMS to Prioritize the Targets Threat Actors are Targeting
A lot of security teams share the same common complaint: there are too many alerts and too much noise to know what really matters. This leads to patches being doled out seemingly at random, or based off of inaccurate and insufficient data. This is the position Air Canada found themselves in.
Like many companies, Air Canada monitors threat actors who may be targeting their industry, country, or peers — but acting on that intelligence can be a challenge. Using their SOAR platform by LogicHub, Air Canada was able combine the real-time threat information provided by Anomali with Randori’s real-time attack surface visibility and Target Temptation analysis to illuminate the most actionable intelligence and identify the systems on their perimeter that are most likely to be targeted. With this information, Kyle is able to arm his vulnerability management team with a critical context into the latest threat intelligence and the attackability of the specific asset in question, helping them reduce Air Canada’s real-world risk by prioritizing the vulnerabilities most likely to be targeted first.
Using ASM to Impress the Brass Upstairs with Real Time Intelligence
Every security practitioner has been in this position: a significant vulnerability has been reported in the news and the entire team is scrambling to understand how it affects them and if they should be rushing to patch or not. What happens next? An email arrives from an executive, asking, “What’s our exposure?”
By integrating Randori, Anomali and LogicHub, Kyle is able to answer these questions before they are even asked. Scraping the latest news every 2 minutes, Kyle knows Air Canada’s exposure to the day’s events before he’s had his morning cup of coffee. Air Canada has automated the process of learning and understanding how a critical vulnerability reported in the news — it happens every day — affects the risk this vulnerability poses to their system.
“For example, let’s say there is a APT: Lebanese Cedar APT group was attacking ISPs worldwide going after Jira servers….using LogicHub & Randori, it’s automatically combing through the news stories helping me understand my exposure. If there’s a hit, I’ll get an email that says “Hey, this is a really big thing that’s going on in your environment.” and instantly be able to see the systems that are affected in Randori….if I’m not exposed, I don’t get an email. Some days, I have no issues…other days, I’ll have five different news stories that pop up.”
Why spend the morning scrambling to investigate whether or not you need to patch a news-worthy vulnerability that may not even affect your system? Air Canada has established a quick and painless process so that when there’s an attack in the news, assessing their own exposure is as simple as receiving an email. The email explains the vulnerability and their exposure to it, as well as how tempting these vulnerabilities would be for an attacker to exploit. They get real-time, actionable information that reflects the attacker’s perspective. This means they can avoid the n-day scramble when a new CVE is announced and make their bosses very happy when they ask what’s going on.
Looking good to your boss with this system is as easy as forwarding an email. Randori provides the difference between a day lost to chasing a brand-name vulnerability and just another day at the office. It tells folks right off the cuff what their day will look like and how it will be affected by exposure.
Get a demo today to see how Randori can help you impress the brass upstairs.
