WithNetworks Tackles N²SF Strategy through 'Asset and Threat Management'
- 위드네트웍스 WITHNETWORKS
[Interview] Lee Yong, Executive Director of Withnetworks

Since the official release of the National Network Security Framework (N²SF) Guidelines 1.0, the focus of public security has been shifting from ‘network separation’ to ‘differential control based on the importance of work/information and actual risk levels.’
In an interview with Byline Network on the 5th, WithNetworks stated that the precision of asset and threat management is the starting point and the decisive factor for N²SF implementation. Consequently, the company presented a practical response strategy centered on its integrated asset and vulnerability management solution, ‘withVTM.’
The First Step of N²SF is ‘Assets’
N²SF is a public security framework that classifies an organization’s business information into three levels—Confidential (C), Sensitive (S), and Open (O)—and applies differential controls across six domains depending on the grade and threat level. The core is to shift the perspective from ‘how to divide the network’ to ‘what business/information to protect and how.’
However, it is not easy to apply the changed policies in the field immediately. In many public institutions, asset information is scattered across Configuration Management Databases (CMDBs) or Excel files, business information sits in planning documents, and security information is held in individual solutions. In this state, it is difficult to carry out key design tasks such as information service model definitions, data classification, protection level determination, and Zero Trust architecture all at once.
“To implement N²SF, how to organize assets must come first,” emphasized Lee Yong, Executive Director of the Information Security Department at WithNetworks. “Only then can data classification begin.” He added, “If assets are not organized, threats cannot be accurately seen. Without knowing what is where, what services are open, and who owns and operates them, ‘differential control’ is likely to remain a policy only on paper. Therefore, in N²SF, asset management is not a simple listing task, but rather an input value for designing policies and controls that fit reality.”
From ‘Inventory Management’ to ‘Decision-Making Standard’… Change in Perspective on Asset Management
Director Lee described risk management in the N²SF era as “shifting from inventory management to a decision-making basis.” This means that rather than simply increasing asset lists and accumulating vulnerability items, a platform is needed that intelligently explains “what to do first when an actual risk emerges, what is exposed, and why it is dangerous.”
This perspective highlights the first obstacle encountered in the N²SF application process. Even if controls are meticulously listed, N²SF will not function if the field cannot choose “which risk our institution should handle first.” He explained that there must be a ‘decision-making index’ to narrow down options and establish priorities.

withVTM Automatically Identifies Assets, Including ‘Shadow IT’
The solution WithNetworks presented for asset identification—the starting stage of N²SF—is ‘withVTM.’ withVTM is an integrated asset and security vulnerability management solution that identifies enterprise-wide assets and provides priorities for ‘what to remediate first’ by combining asset importance and vulnerability information. It is structured to provide a basis for judgment required for security governance operations by linking asset status, importance, vulnerability, threat information, and remediation/regulatory response flows.
Based on this framework, withVTM prioritizes securing visibility by automatically detecting enterprise assets, including ‘Shadow IT’ (unauthorized assets not controlled by the organization). To implement the ‘business/information-centered control’ required by N²SF, all assets constituting the business must first be discovered. Unmanaged assets are prone to lax patching, account management, and access control, making them likely to be exploited as attack paths.
To achieve this, withVTM uses a ‘Shadow IT Scanner’ function. It finds previously unidentified IPs and open ports through network scanning, and adds AI-based Operating System (OS) analysis to extend detection to equipment on which agents are difficult to install.
“There are assets where agents cannot be installed,” Lee explained. “Since devices like network security equipment are not in a form where agents can be installed, their risk exposure must be checked periodically from the outside.” In other words, the realistic approach is a hybrid operation that balances visibility: agent-based scanning for terminals and servers, and agentless scanning for equipment where installation is difficult.
Calculating Actual Risk: “Even if the CVSS Score is Low, It’s a Threat if Exposed Externally”
The second feature is ‘Vulnerability Rating System (VRS) Scoring.’ withVTM provides response priorities by comprehensively analyzing asset importance and threat information through its patented AI-based VRS scoring technology.
WithNetworks concluded that it is difficult to establish priorities for N²SF implementation sites using only the existing Common Vulnerability Scoring System (CVSS). Therefore, the company developed a separate, more detailed scoring system that reflects external attack trends. Director Lee said, “We are building and accumulating a separate scoring system by collecting factors such as the preference for information currently available on the Dark Web.”
The core of VRS scoring lies in ‘Contextual Information.’ Director Lee explained, “We design it so that the same vulnerability yields different scores for each asset depending on the context. Even if the basic CVSS score is low, if the asset is exposed to the outside and the service is open, the vulnerability score must be measured high when applied.” This ‘realistic risk level’ is exactly what N²SF requires because controls must be strengthened or relaxed based on risk, rather than applied identically according to policy.
Beyond a Single Product, Supporting ‘N²SF Policy Decisions’
WithNetworks describes withVTM as an ‘engine’ or a ‘platform.’ Director Lee explained that requirements vary by industry. “In the financial sector, it is used as an engine, but in the public sector, it had to be a platform,” he said. “Each field wants different things and uses different main functions.”
The view of withVTM as an ‘engine’ or ‘platform’ aligns with Zero Trust, which is being discussed as a major methodology for N²SF. Zero Trust requires judging whether to allow access for every request, but if the information that serves as the basis for this judgment is scattered, the policy cannot function. Therefore, the Policy Decision Point (PDP) must have contextual information such as asset importance, current risk level, network segment, and account/owner information when evaluating users, terminals, and service requests.
Here, withVTM supplies the ‘context’ created through asset identification and vulnerability/exposure analysis to the policy engine. For example, even for the same ‘Sensitive (S)’ task, if an externally exposed service is open or a vulnerability with a high possibility of exploitation is confirmed, the risk level increases. The PDP then strengthens control by restricting access, requiring additional authentication, or rerouting the connection path based on that value. Conversely, for assets with low risk and sufficient control, unnecessary blocks can be reduced to maintain business flow. In short, the contextual information provided by withVTM transforms the PDP’s judgment into a ‘risk-based’ one, enabling the implementation of differential control in the operational stage as required by N²SF.
“We are not just trying to manage a specific list of assets or specific vulnerabilities,” Lee explained. “It is an engine and platform that organically links assets and vulnerabilities to tell us what our risks are first, show us why they are dangerous, and help automate management.” He added, “Our goal is not to be a product that covers all controls required by N²SF, but to be a foundational platform that organizes contextual information on assets, risks, and tasks and supplies it to policy engines and operational tools so that N²SF control design and operation can function.”
Increasing Inquiries from National Infrastructure Industries such as Finance, Telecommunications, and Energy
WithNetworks reported that inquiries for asset identification in the N²SF construction stage are increasing from public institutions and national critical infrastructure sectors. Director Lee said, “The movement in national infrastructure sectors such as energy and telecommunications, as well as the top-tier financial sector, is distinct.” He added, “The autonomous security system recently promoted in the financial sector follows a similar flow to N²SF, where asset identification is equally important. The financial sector is trying to determine what security to apply further after accurately identifying assets.”
In fact, WithNetworks was awarded the ‘Integrated Information Security Portal Construction Project’ by the Korea Housing Finance Corporation in September 2025 and applied a withVTM-based system. The corporation built functions for real-time search and automatic classification of information assets such as servers and network equipment, vulnerability inspection and security vulnerability correlation analysis, and systematization/digitalization of security business processes in its internal integrated portal. This has increased efficiency by automating information asset management and security vulnerability inspections for the entire corporation and managing security tasks on a single platform.
Asset Management as a Prerequisite for Control Integration… The Starting Point of N²SF Operational Sophistication
Director Lee explained that what matters in N²SF implementation is not ‘how many control items you have,’ but ‘how sophisticated the operation is.’ He emphasized, “Sophistication comes from integration. It should be designed so that the accuracy of asset management can be improved and automated by linking vulnerability management solutions with various security solutions.”
The integration he mentioned is not just about connecting products. He explained, “It is important to weave together information that appears separately, such as ports and processes, and show it as a service flow.” Only by showing what combination of components a service runs on can operators quickly determine the ‘target to be remediated now’ when a threat is detected.
He also mentioned integration to reduce operational gaps in asset management. Referring to the practice of personnel rotation in public institutions, Lee said, “We design it to automatically map the person in charge/department of an asset by linking with the HR database, and to send alerts related to the asset to that person when the person in charge changes.” The rationale is that by connecting assets and people without interruption, asset risk management can be operated without depending on the experience of a specific individual.
WithNetworks, established in November 2009, is an ICT company that aims to be an integrated ICT partner encompassing information security and IT infrastructure. Along with building network infrastructure for public and private sectors, it has been developing businesses in security operation areas such as Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR). Recently, it has been responding to the demand for security governance from public institutions and the financial sector preparing for N²SF, centered on its integrated asset and vulnerability management solution ‘withVTM.’
Byline Network
