Interview With Greg Fitzgerald – Co-Founder & CXO at Sevco Security

This article was originally published by SafetyDetectives on July 2, 2024

In a recent interview with SafetyDetectives, Greg Fitzgerald, Co-Founder and CXO at Sevco Security, shared his extensive background in the IT and security sectors. With nearly three decades of experience, Fitzgerald has held executive roles at notable companies like TippingPoint, Sourcefire, and Fortinet, and was a founding member of Cylance. After his tenure at Cylance and a role at JASK (now Sumo Logic), Fitzgerald co-founded Sevco Security with a mission to tackle visibility issues plaguing the cybersecurity industry. Sevco Security focuses on providing comprehensive asset inventory to enhance vulnerability prioritization and remediation, ensuring that security teams have the visibility they need to protect their enterprise networks effectively. 

Can you share a bit about your background and what led you to co-found Sevco Security?
I have worked in the IT and security space for nearly thirty years, holding executive roles at places like TippingPoint (later acquired by 3Com then HP), Sourcefire (later acquired by Cisco), Fortinet, and as a founding member of Cylance. After my time at Cylance, I joined JASK (now Sumo Logic) as the CMO where a number of executives from Carbon Black were working too, including my co-founder here at Sevco, J.J. Guy. We hit it off, and it turned out we were deeply aligned around how we saw challenges in the industry. After leaving JASK, we decided to come together – uniting the founding teams of Carbon Black and Cylance, two companies that changed the game for SecOps.

We coalesced around the idea that there was still a major issue plaguing companies: Visibility. We knew that there was a dramatic misalignment: security teams could not see all the IT assets on their network, but were still responsible for safeguarding them. We knew classic ITSM/CMDBs were not fulfilling a promise and were causing more harm than good. Thus, we launched Sevco together with the goal of providing the best damn visibility of all IT assets (devices, users, applications, vulnerabilities, etc.) on enterprise networks.

How does Sevco Security’s approach to asset inventory improve vulnerability prioritization and remediation?
Asset inventory is the first step in addressing any security issue – you need to know exactly what you’re protecting, and what your current security posture is. So Sevco provides that picture and builds prioritization of what is important to work on first on top of that. We can surface not just software vulnerabilities that most vuln management programs are primarily concerned with, but also the security gaps that exist in nearly every environment, which we call “environmental” vulnerabilities. These are things like missing and misconfigured agents, shadow IT, end-of-life systems, all types of issues that impact risk. If your patch management tool isn’t deployed on a device, it doesn’t matter if you’ve detected a CVE on it, it’s not getting patched. Or if it’s missing from a vulnerability assessment tool, it’s not being assessed for vulnerabilities in the first place – exposures could be lurking, and you’d never know. So Sevco can provide these insights into an organization’s risk profile, and surface issues that may be preventing the effective remediation of serious vulnerabilities in their environment. That visibility into assets also enables us to see how effective your remediation is, too. So we could automate remediation, and then validate that remediation was successful when we observed it on the asset.

Can you explain the importance of having a complete asset inventory before addressing vulnerabilities?
You can’t protect and prioritize what you don’t know, which is why inventory – the foundation of visibility into all your assets – is the first step in any security framework and security program. Sevco started with providing a comprehensive inventory for security teams, but in the process, we were uncovering more security risk gaps and tool coverage gaps than our customers knew how to deal with. So the natural extension of our asset inventory and security gap visibility was to start to prioritize those environmental vulnerabilities with software vulnerabilities like CVEs too. You get every exposure in your environment in a single database and pane of glass, so you can proactively prioritize across all these risks. This approach allows CISOs and security teams to gain an accurate snapshot of their organizations’ cyber risks, and better understand how effective they are at actually mitigating them. You can’t do any of that well without first knowing exactly what your environment looks like, and getting a comprehensive picture of those exposures.

What are the biggest challenges organizations face today in terms of asset intelligence and management?
The modern attack surface is far larger than it was just a few years ago. The networks and assets that security teams are tasked to secure are no longer confined to a building or two; they expand across states and, in many cases, countries. CISOs are accountable for the security of every asset on the enterprise network, but depend on IT teams for inventory, but that inventory isn’t accurate for a lot of reasons (not timely, not comprehensive with integrations across IT and Security tools, not a long activity history kept, etc.). So security teams are starting with an inaccurate picture of the IT environment they’re charged with protecting. This affects every aspect of a security team’s mandate. It means that their vulnerability management programs, for example, are likely undercounting vulnerabilities in their environment because of assets missing from vuln tools. Security teams shouldn’t rely on IT teams for inventory – security teams need a level of accuracy and comprehensiveness that IT teams don’t because a single unknown asset could be the backdoor an attacker needs to gain access to their environment.

What are some common security risks associated with poor asset management?
Uncertainty around enterprise inventory – the attack surface – is a massive issue for security teams. I mentioned environmental vulnerabilities earlier, and they have become more prevalent as networks and their corresponding attack surfaces have expanded in recent years. These environmental vulnerabilities – vulnerabilities in the configuration or state of your IT environment, be they missing controls, unknown assets (shadow IT), or system software that is out of date and end-of-life – are particularly risky because they’re hiding under the surface of normal SecOps monitoring. Poor asset management means that the tools security teams are deploying to protect their environment aren’t protecting everything they need. Malicious actors just need to find one of these exposures – but security teams need to find them all.

What are the emerging trends in vulnerability management and asset intelligence that organizations should be aware of?
Sevco Security recently released its most recent State of the Cybersecurity Attack Surface report, which examines the ways in which enterprises are struggling to get visibility into their IT assets. This report highlighted how environmental vulnerabilities are manifesting themselves across enterprise networks.

We found that 28% of all IT assets are missing at least one critical control – either endpoint protection or patch management. These controls are essential to protecting enterprise networks from modern attack techniques…and more than 1 in 4 IT assets are missing at least one.

And our report found that 6% of all IT assets have reached end-of-life. These EOL IT assets will never be patched, so security teams have to be aware of them to either upgrade the software and close those vulnerabilities, or provide some mitigating controls to protect them despite their being end-of-life. Rife with well-known, actively exploited vulnerabilities but without the ability to patch, assets nearing or reaching their EOL stage are far more common than you’d expect, and they are particularly insidious because they are often below the radar of IT teams.
