When You Can't See Your Network, You Can't Secure It: Practical Steps for Achieving True Infrastructure Visibility

Mastercard CISO Raj Seshadri Gerber's blunt reminder — CISOs can't protect what they can't see — is more urgent than ever. Hybrid environments, container fleets, unmanaged SaaS apps, and operational technology (OT) devices have expanded the attack surface so quickly that many organizations no longer know where their infrastructure begins or ends. For developers and IT leaders, the fix is not philosophical: it's operational. This article lays out a prioritized, tactical roadmap to achieve end-to-end infrastructure visibility across cloud, containers, SaaS, and OT, with practical metrics, open-source tools, and architecture patterns that bridge blind spots.

Why visibility is the single CISO priority that unlocks everything

Visibility is a prerequisite for inventory, detection, and response. Without an accurate asset inventory you cannot manage risk, measure compliance, or perform meaningful attack surface management. Gerber's warning aligns with three outcomes security leaders must deliver:

• Know what's running (inventory accuracy).
• Know what is communicating (network and service mapping).
• Know who can access what (identity and SaaS discovery).

Below is a prioritized, tactical roadmap that organizes actions into quick wins, medium-term projects, and long-term architecture investments, with metrics and open-source tools you can start using today.

Prioritized roadmap: quick wins to strategic wins

1. Quick Win — Build a reliable single source of truth for assets (0–4 weeks)

   Start by centralizing asset metadata into a canonical inventory. This is not just an IP list — it should include cloud resource IDs, container image names and digests, SaaS app tenants, OT device models, owner tags, and last-seen timestamps.

   Metrics to track:

   • Inventory coverage: percentage of accounts/environments reporting to the canonical inventory (goal: ≥95%).
   • Inventory freshness: median time since last-seen per asset (goal: < 24 hours for cloud and containers).
   • Tag completeness: percent of assets with required metadata (owner, environment) (goal: ≥90%).

   Open-source tools and tactics:

   • osquery for host-level discovery and scheduled queries.
   • Cloud inventory export using tools like CloudMapper, ScoutSuite, or native cloud APIs (AWS Config, Azure Resource Graph, Google Cloud Asset Inventory).
   • Container registries + image scanners (Trivy, Clair) integrated into inventory records.

2. Short Term — Map networking and service topology (2–8 weeks)

   Blind spots often come from unknown network-flows: east-west traffic in cloud VPCs, kube cluster pod-to-pod traffic, or unmanaged devices on an OT VLAN. Deploy passive and active mapping to understand communication paths.

   Metrics to track:

   • Network mapping coverage: percent of subnets/clusters with flow telemetry (goal: ≥90%).
   • Unknown flow reduction: number of previously unseen connections discovered per week (trend downwards).

   Tools and patterns:

   • Flow collectors: Zeek (formerly Bro), NetFlow/sFlow, and Argus for network telemetry.
   • Packet and session capture: Arkime (formerly Moloch) for indexed traffic analysis.
   • eBPF-based observability: Cilium/Hubble for pod-to-pod visibility and service graphing.
   • Service mesh: Istio or Linkerd to obtain service-level metrics and tracing where appropriate.

3. Short-to-Medium — Instrument for telemetry (OpenTelemetry & logs) (4–12 weeks)

   Instrument applications and infrastructure with standard telemetry. Use OpenTelemetry for traces/metrics, Prometheus for metrics scraping, and a central logging pipeline (ELK or Loki) to correlate events.

   Key metrics:

   • Telemetry coverage: percent of services/exporters instrumented with metrics/traces (goal: ≥80% for business-critical services).
   • Mean time to detect (MTTD): time from anomaly to detection (target improvement: 30–50% in 90 days).

   Open-source stack:

   • OpenTelemetry collectors, Prometheus, Grafana, Jaeger/Tempo, and ELK (Elasticsearch, Logstash/Beats, Kibana) or Grafana Loki.

4. Medium — SaaS discovery and identity visibility (6–16 weeks)

   SaaS apps are frequently the least visible part of an estate. Use identity provider APIs and app authorization logs to build a SaaS inventory and an OAuth app map.

   Metrics:

   • SaaS inventory completeness: percent of organizational SaaS tenants accounted for (goal: ≥95% for sanctioned apps).
   • Privilege ratio: percent of OAuth apps with overly broad scopes (target: reduce by 50%).

   Techniques & tools:

   • Integrate Microsoft Graph, Google Admin SDK, and Okta/GitHub APIs to enumerate apps and OAuth grants.
   • Use open-source scripts or lightweight tools to detect third-party apps and tokens in your environment.
   • Adopt an API-driven SaaS management control plane (commercial) or maintain a synced inventory via scheduled API pulls.

5. Medium-to-Long — Container and runtime security visibility (8–20 weeks)

   Containers are ephemeral by design; visibility requires image tracing, runtime process inspection, and cluster-level policy telemetry.

   Metrics:

   • Image provenance: percent of deployed images with known provenance and vulnerability scan (goal: ≥95%).
   • Runtime sensor coverage: percent of nodes/pods reporting runtime telemetry (Falco, eBPF) (goal: ≥95%).

   Open-source tools and strategies:

   • Image scanners: Trivy, Clair integrated in CI/CD pipelines.
   • Runtime security: Falco for suspicious syscall detection; Cilium for eBPF-based visibility and enforcement.
   • Cluster telemetry: kube-state-metrics, metrics-server, and cluster logging exporters.

6. Long Term — OT and industrial control system visibility (12–36 weeks)

   OT environments demand passive monitoring and asset fingerprinting to avoid disrupting production. Integrate OT telemetry into the central SSoT for correlation with IT events.

   Metrics:

   • OT asset coverage: percent of OT segments with passive sensors (goal: incremental coverage with safety-first approach).
   • Incident correlation rate: percent of OT anomalies correlated with IT events (goal: increase over baseline).

   Tools and methods:

   • Passive network sensors and protocol parsers for Modbus, OPC-UA, DNP3.
   • Use Zeek with protocol analyzers and dedicated OT monitoring tools (commercial/open-source hybrids).
   • Strict change control and read-only sensors for asset identification.

7. Strategic — Create a telemetry fabric and detection-as-code (ongoing)

   Standardize collection, normalization, and correlation. Store canonical events in a time-series or event store for long-term analytics and automated detection rules (detection-as-code).

   Architecture patterns:

   • Telemetry bus: central OpenTelemetry collector layer feeding multiple backends (security, observability, cost).
   • Canonical Graph: asset and identity graph model (nodes: assets, identities, apps; edges: network flows, access grants).
   • Detection-as-code: GitOps for detection rules and alerting configuration. Version control and peer review for IDS signatures and SIEM rules.

Bridging common blind spots: architecture patterns

To reliably bridge blind spots across domains, adopt these architecture patterns:

• Sidecar and agent hybrid: use sidecars for service-level traces and lightweight agents for host telemetry. This combination captures both application-layer and OS-level signals.
• Observability lane separation: separate telemetry for performance (APM) from telemetry for security, but ensure they write to a shared canonical graph for correlation.
• Identity-first mapping: map assets to identities and roles to assess access risk quickly. Tie OAuth grants and API keys back to users and service principals.
• Passive-first OT monitoring: use read-only sensors in OT networks to avoid introducing instability.

Open-source toolkit cheat sheet

• Asset inventory: osquery, CloudMapper, ScoutSuite
• Network mapping: Zeek, Suricata, Arkime (Moloch), NetFlow collectors
• Container visibility: Trivy, Clair, Falco, Cilium/Hubble
• Telemetry & observability: OpenTelemetry, Prometheus, Grafana, Jaeger, ELK/Loki
• SaaS discovery: scripts using Microsoft Graph, Google Admin SDK, Okta APIs
• Forensics & endpoint: Velociraptor, osquery

Practical playbook: what to do this week

1. Run osquery on a sample fleet to inventory installed software and running services.
2. Deploy a NetFlow/Zeek sensor on a key internet-facing subnet to capture flow baselines.
3. Schedule a scan of cloud accounts with CloudMapper/ScoutSuite and export results into your inventory DB.
4. Pull OAuth app lists from your identity providers and flag apps with wide scopes for review.

Measuring success: KPIs that matter to CISOs and engineers

Align KPIs to both security posture and operational health. Examples:

• Inventory coverage and freshness (see above).
• MTTD and mean time to remediate (MTTR) for security incidents.
• Percent of critical services with full telemetry and tracing enabled.
• Number of unknown external connections per week (trend should fall).
• Proportion of images deployed without vulnerability scans (target: 0%).

Linking visibility to other security pillars

Visibility is the foundation. Once you have it, controls like identity governance, least-privilege enforcement, and automated response become effective. For related reading on organizational insights and data security, see Unlocking Organizational Insights: What Brex's Acquisition Teaches Us About Data Security, and for a practical discussion of visibility gaps, see Understanding the Visibility Gap: Lessons from Vector's YardView Acquisition.

Closing: visibility as an organizational capability

Gerber's warning is straightforward: you can't secure what you can't see. The appropriate response is not to buy a single tool; it's to build an organizational capability for discovery, telemetry, and correlation. Prioritize getting a canonical inventory, mapping your network and service topology, instrumenting telemetry, and bringing SaaS and OT into the fold. Measure progress with concrete KPIs, use the mature open-source tools listed here for low-friction deployment, and evolve a telemetry fabric that supports detection-as-code. When visibility becomes a repeatable capability, your ability to reduce attack surface and respond to incidents will scale — and the security team will move from firefighting to risk reduction.