Q&A: How BackBox Helps You Mitigate CVEs for Network Devices

Originally published on Packet Pushers and edited for length and clarity
This discussion concerns network configuration compliance in the face of never-ending common vulnerabilities and exposures, or CVEs. If you can automate that compliance, you have a shot at keeping pace with the bots attacking those CVEs and attempting to breach your network. Our guest is Rekha Shenoy, CEO of BackBox. We will catch up with Rekha about BackBox, discuss the state of CVE management for network devices in 2024, and finally put together a strategy that keeps your device configurations and security posture compliant.
Q. Would you remind us at a high level what BackBox does?
A. BackBox has been in business for over 10 years, delighting enterprises and managed service providers with a security-oriented network automation solution. The challenge of keeping things compliant and cyber resilient daily is a massive mountain of work. We have been automating that capability for over a decade with an enterprise-grade backup and recovery solution, a solid and deep network configuration solution, and, more recently, we’ve added the ability to remediate vulnerabilities and understand what vulnerabilities apply to your network devices – vulnerability intelligence.
Q. Can you drill into that a little more?
A. We used to think of configuration backup and recovery as a straightforward capability, and it is if you have just one device vendor. But who does, right? When you think about a multi-vendor environment, most people have many vendors, and trying to back up and recover those in an enterprise-grade way is not the same as just putting one backup on the shelf and hoping it works. We support 180+ vendors today to give customers the power to manage multiple backup options and restore, not just a previous backup, but to something they felt confident in maybe a month ago. The capability is at their fingertips, without having to be a subject matter expert on every single device that they own.
Q. So, help me picture how BackBox fits into my network.
A. BackBox is a software solution that you can put on a VM or on a physical device, or we can host it for you. There is an agent capability, which just makes it better for scale and segmentation, but it’s not required, and we do it in the high availability way as well. Essentially, it is going to fit into your network. But what’s more interesting is that it’s API driven. It integrates into your ServiceNow, SSO, log manager, iPad – whatever system that makes sense to you. You can even execute BackBox automations from one of those systems, like your ServiceNow, knowing that BackBox is running under the hood.
Q. It’s always challenging to bring a new tool into an environment because of budget. Does BackBox replace certain things that might be running in the network already?
A. The most common thing we find it replacing is manual work. You’ll often have customers say they don’t frequently patch, upgrade, or touch configurations because they’re afraid of what it may break. And then security and compliance say, thou shalt improve this. You can’t tell me this is the best effort, right? Our job is to prove to them that we can do it with a level of visibility and observability so that when BackBox automates these processes, it’s in a reliable, known, trusted state.
Network engineers are always over-tasked. What’s the least exciting thing to do? Maintenance and patch upgrades. They want to work on more value-added capabilities.
Why must every network engineer become a security expert for patching and upgrades? The pain point is the amount of time they have to spend keeping up with CVEs, understanding which of those apply to their environment, and how many of those they’ve already mitigated. BackBox rationalizes all of this for them. It says here are the latest CVEs, understanding which of those apply to your environment. These are the ones that are critical because they’re actively being exploited. Of that subset, here are the ones that apply to your systems and those that you’ve already covered with mitigation. All you have to do is figure out when to apply some of these configuration upgrades, and then BackBox automatically reports that the mitigation has been delivered. Having that connection between security and networking at your fingertips is step one for us.
Q. How much do I have to care about network device CVEs in the sense that most of them are behind a firewall?
A. It’s becoming increasingly common, and more and more possible for network vulnerabilities to be the starting point for attack attempts. The hard part for network engineers is that they’ve got hundreds of devices to keep up with. And what’s even worse is that many new device types don’t have CVEs in the National Vulnerability Database. So, they also have to go to the device vendors who are just posting advisories on their website. It’s complicated, but you do have to care about all of those vulnerabilities because they’re very real in terms of what’s happening in the real world.
Q. How do I tell which CVEs are worth paying attention to? And yes, they come with risk scores like 0 to 10, with 10 being the most critical. But is there another way for me to prioritize these?
A. There’s a manual way of reading through all of them. You have to understand which of these apply to your network because network topology matters very much regarding what to prioritize and that’s not in those CVEs. Traditionally, that’s the job of a really smart network engineer.
Today, threat actors are writing scripts to take advantage of vulnerabilities in weeks using AI. Then, these scripts are used by people who are not necessarily all that technical. So, your chances of having a CVE exploited have gone from multiple weeks and months to potentially days. That’s why patching once a year and manual effort are no longer acceptable.
Q. So is BackBox then doing something with this CVE capability you have to help me get through this process of determining what I need to pay attention to and prioritize around remediation as opposed to just like a typical vulnerability scanner that gives me a list of everything I’ve got, and it’s sort of up to me to figure it out?
A. BackBox does that interconnection that requires so much human effort. We will match the CVEs to your network topology by your device type, version number, and so on, and then prioritize the ones that apply to you. We also collect that mitigation information and shorten that list to the ones that haven’t been mitigated and actually need attention. Should you want us to go ahead and automate the configuration changes, we have those automations already lined up for you. Should that change cause an unforeseen situation, you get an alert. If a device fails, you can look into it and not worry about the others that were successful. And you always have those trusted backups to restore to.
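The matching, prioritisation and "already mitigated" filtering described in the two answers above can be illustrated with a small script. This is an added example, not BackBox code: the device inventory, vendor and product names, version strings, CVSS scores and CVE identifiers are all constructed placeholders, and the "exploited" flag stands in for whatever actively-exploited feed a team uses.

```python
"""Added example (not BackBox's code): match constructed CVE advisories to a
constructed device inventory, drop the ones a recorded mitigation already covers,
and order the remainder so actively exploited findings come first."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    hostname: str
    vendor: str
    product: str
    version: str
    # CVE ids already covered on this device (e.g. a config workaround applied)
    mitigations: frozenset = frozenset()


@dataclass(frozen=True)
class Advisory:
    cve: str
    vendor: str
    product: str
    fixed_in: str            # first version that contains the fix
    cvss: float
    exploited: bool          # "actively exploited" flag, KEV-style
    affected_from: str = "0"  # earliest affected version, if the vendor states one


def parse_version(v: str) -> tuple:
    """Dotted-integer versions only ("15.2.3"). Real vendor strings such as
    "15.2(4)M3" need vendor-specific parsing; that is part of the manual work
    the interview talks about and is deliberately out of scope here."""
    return tuple(int(p) for p in v.split("."))


def affected(dev: Device, adv: Advisory) -> bool:
    """True when the advisory names this device's platform and the running
    version sits inside [affected_from, fixed_in)."""
    if (dev.vendor, dev.product) != (adv.vendor, adv.product):
        return False
    v = parse_version(dev.version)
    return parse_version(adv.affected_from) <= v < parse_version(adv.fixed_in)


def triage(devices, advisories) -> dict:
    """Return counts plus an ordered worklist of (hostname, cve, exploited).
    Ordering: exploited first, then CVSS descending, then hostname for a
    stable, reviewable list."""
    applicable, mitigated, open_findings = [], [], []
    for dev in devices:
        for adv in advisories:
            if not affected(dev, adv):
                continue
            applicable.append((dev, adv))
            if adv.cve in dev.mitigations:
                mitigated.append((dev, adv))
            else:
                open_findings.append((dev, adv))
    open_findings.sort(key=lambda f: (not f[1].exploited, -f[1].cvss, f[0].hostname, f[1].cve))
    return {
        "applicable": len(applicable),
        "mitigated": len(mitigated),
        "worklist": [(d.hostname, a.cve, a.exploited) for d, a in open_findings],
    }


# Constructed inventory and advisories (placeholder vendors, products and CVE ids).
DEVICES = [
    Device("core-rtr-01", "acme", "RouterOS", "15.2.3"),
    Device("core-rtr-02", "acme", "RouterOS", "15.2.3", frozenset({"CVE-0000-0001"})),
    Device("edge-fw-01", "acme", "FirewallOS", "9.1.0"),
    Device("edge-fw-02", "acme", "FirewallOS", "9.2.1"),
    Device("access-sw-01", "beta", "SwitchOS", "3.4"),
]
ADVISORIES = [
    Advisory("CVE-0000-0001", "acme", "RouterOS", "15.2.4", 9.8, True),
    Advisory("CVE-0000-0002", "acme", "RouterOS", "15.3.0", 5.3, False),
    Advisory("CVE-0000-0003", "acme", "FirewallOS", "9.2.0", 7.5, True, affected_from="9.0.0"),
    Advisory("CVE-0000-0004", "beta", "SwitchOS", "4.0.0", 8.1, False),
]

if __name__ == "__main__":
    result = triage(DEVICES, ADVISORIES)
    print(f"applicable={result['applicable']} mitigated={result['mitigated']}")
    for host, cve, exploited in result["worklist"]:
        print(f"{'EXPLOITED ' if exploited else '          '}{host:14} {cve}")
```

Two points worth noticing in the output: edge-fw-02 disappears from the list because its version is at or past fixed_in, and core-rtr-02 still shows its unmitigated CVE even though its critical one is recorded as mitigated, which is the "shorten the list to what still needs attention" step rather than a per-device all-clear.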
Q. How often should checking for CVEs be done?
A. We know customers who believe it must be continuous and part of your daily work. Maybe that’s not realistic for every customer. If you’ve been doing them annually, determine whether it’s quarterly. If you’ve been doing them quarterly, then maybe it’s monthly. The more frequently you do it, the less work it requires.
Q. Can you talk more about the reporting I’m getting from BackBox?
A. Sure. We can show you the mitigations for each device, including before and after data, so you’ve got history. We also log every interaction with the network device, including every access and every change that happens to provide an audit trail.
Q. Is the BackBox software an orchestrator or an automator?
A. BackBox provides automation, and we integrate with orchestration systems. BackBox is built with a lot of automations out-of-the-box for many devices. When I talk about not making our network engineers experts on every device, that expertise is built into all of the automation scripts to log into the device, collect that information, store it, change the config, etc., that we already have in the product. When it comes to the device itself and maintaining and keeping that device secure and compliant, that’s when you would think of us.
Q. Compliance is a key driver for updates, patching, and remediation. Can you integrate with existing frameworks like PCI, HIPAA, and so on?
A. Many of these compliance standards go back to the CIS standard, requiring a certain level of patching. We can provide network engineers with the ability to respond to many of these compliance standards with our pre-built automations and generate reports to give to a compliance officer.
Q. We’ve talked a lot about automation, which is really helpful. However, automation can also make engineers nervous. How do you keep humans in the loop with your automated mitigation, especially when rolling out a whole patch or an entire OS upgrade?
A. That’s probably why our customers love us as much as they do and why managed service providers use us. Because that’s their bread and butter, that’s their revenue source. And if they get this wrong, they could lose very large customers they support. Being part of their ecosystem is where we have the highest bar to measure ourselves and ensure that what we’re doing works.
They put us into a test environment to ensure they have a trusted, reliable network automation in place. But most importantly, what they like most is that if it fails, they have the backup to restore. Say they wrote some custom scripts, and they went ahead and tried it out, but it didn’t work. They can call our engineers, who take a look and are able to fix it because we’ve got that expertise in-house. Even if they wrote a custom script, we can help and we don’t charge for that. We’re that extended arm for automation for our enterprise and MSP customers.
Q. Finally, what if I roll out an automated mitigation, and that change just doesn’t work, and all of a sudden I can’t talk to the device? What happens now?
A. I think that’s a very real use case. Your biggest problem is knowing that a device died when you were running an automated mitigation for about a hundred devices.
BackBox first captures that data and tells you about successes or failures in real time. Once you have that, you can log on to this device through BackBox, where you have many options in front of you to understand what changed, how to recover this device, or how to go back to a known and trusted state. All of those options are available inside of BackBox at your fingertips.
Check out the podcast for more detail or learn more about BackBox by visiting https://backbox.com/product/. Ready to get started? Request a demo to see our solution in action.