
Cyber Risk Prioritization: Fixing What Really Matters

Today, even mid-sized organizations are dealing with thousands of vulnerabilities across their growing attack surface. Therefore, relying solely on existing intelligence provided by vulnerability scanners should only be a first step in a cyber risk management process. Without determining the risk associated with vulnerabilities, organizations often misalign remediation efforts and resources. This approach not only wastes time and money, it also extends the window of opportunity for hackers to exploit critical vulnerabilities. This raises the question: what steps are required to focus remediation efforts on the threats that represent the biggest risks to an organization?

At last week’s Black Hat USA 2016 in Las Vegas, many practitioners expressed frustration with how to determine which threats and vulnerabilities they should focus their mitigation efforts on. Most organizations face an uphill battle in defending against cyber adversaries, primarily because the attack surface they have to protect has grown significantly and is expected to balloon even further. While it was sufficient in the past to concentrate on network and endpoint protection, nowadays applications, cloud services, mobile devices (e.g., tablets, mobile phones, Bluetooth devices, and smart watches), and the Internet of Things (e.g., physical security systems, lights, appliances, as well as heating and air conditioning systems) represent a much broader attack surface to defend. According to the 2015 Global Risk Management Survey, 84% of cyber-attacks today target the application layer, not the network layer. This is forcing organizations to adopt a more holistic approach to cyber security.

According to Gartner (“Security and Risk Management Scenario Planning, 2020”), by 2020, 30% of Global 2000 companies will have been directly compromised by an independent group of cyber activists or cyber criminals. This prediction is not surprising, considering that leading risk indicators are difficult to identify when the cyber attackers, including their strategy, competencies, and actions, are unknown. As a result, many organizations still focus on control gaps and vulnerabilities when performing risk assessments and neglect to take threats into account.

Focusing solely on findings from internal security intelligence such as vulnerability scanners, configuration management databases, and SIEM systems can lead to inaccurate prioritization of remediation actions and inefficient allocation of resources. The POODLE vulnerability in 2014 is a good example. The National Vulnerability Database (NVD) originally assigned this vulnerability a CVSS score of 5.5 out of 10, which led most organizations not to remediate it. On average, organizations only act upon security flaws rated 7 or higher, simply to be able to cope with the onslaught of vulnerabilities in their environment. However, if those organizations had known that hundreds of thousands of POODLE exploits were being carried out, they likely would have changed their risk assessment of the vulnerability.

As we all know, two conditions are required for a security incident to occur: a vulnerability must be present in some form (e.g., a software flaw or insecure programming; insecure configuration of IT infrastructure; insecure business operations; risky behavior by internal staff or other people, conducted maliciously or by mistake) and secondly, a threat must exploit that vulnerability.

Typically, security professionals have no direct control over threats. As a result, organizations have tended to focus on known, more visible facts (vulnerabilities and control failures) while neglecting threats as a factor in cyber risk assessments. However, as the volume of vulnerabilities has exploded over the past few years, it has become almost impossible to remediate all of them without vetting both the impact and the likelihood that they will be exploited. The point is: why dedicate resources to fixing vulnerabilities that have no threat associated with them and are not even reachable?

Since a threat is the agent that takes advantage of a vulnerability, this relationship must be a key factor in the risk assessment process. It can no longer be treated as risk’s neglected stepchild. In fact, advanced security operations teams leverage threat intelligence to gather insight into the capabilities, current activities, and plans of potential threat actors (e.g., hackers, organized criminal groups, or state-sponsored attackers) in order to anticipate current and future threats.

Once internal security intelligence is contextualized with external threat data (e.g., exploits, malware, threat actors, reputational intelligence), these findings must be correlated with business criticality to determine the real risk of the security gaps and their ultimate impact on the business. Ultimately, not knowing the impact a “coffee server” has on the business compared to an “email server” makes it virtually impossible to focus remediation efforts on what really matters.
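The three factors the preceding paragraphs describe (vulnerability severity from the scanner, threat likelihood from external intelligence, and business criticality from the CMDB) can be combined into a single prioritization score. The following is an added illustration, not code from the article or from any product the author is associated with. The multipliers, the criticality scale and the sample findings are all constructed assumptions; it contrasts the "CVSS 7 or higher" rule from the POODLE discussion with a contextual ranking that also honors the "not even reachable" rule.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One scanner finding enriched with CMDB and threat-intel context.
    All sample values used below are constructed for illustration."""
    label: str
    asset: str
    cvss_base: float          # NVD/scanner base score, 0.0-10.0
    asset_criticality: int    # 1 (low) .. 5 (mission-critical), from the CMDB
    reachable: bool           # can a threat actually reach the vulnerable service?
    exploit_observed: bool    # threat intel reports exploitation in the wild
    exploit_available: bool   # a public exploit or malware family targets it


def threat_factor(f: Finding) -> float:
    """Map external threat data to a likelihood multiplier (weights are assumptions)."""
    if f.exploit_observed:
        return 1.0
    if f.exploit_available:
        return 0.6
    return 0.2   # no known threat: keep a small floor so nothing is silently ignored


def risk_score(f: Finding) -> float:
    """Severity x threat likelihood x business criticality, on a 0-10 scale."""
    if not f.reachable:
        return 0.0   # a threat cannot exploit what it cannot reach
    return round(f.cvss_base * threat_factor(f) * (f.asset_criticality / 5), 2)


def naive_cvss_triage(findings, threshold: float = 7.0):
    """The 'act only on CVSS 7 or higher' rule the article describes."""
    return [f.label for f in findings if f.cvss_base >= threshold]


def risk_based_triage(findings):
    """Order findings by contextual risk, highest first, dropping zero-risk items."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [f.label for f in ranked if risk_score(f) > 0]


# Constructed sample findings: labels, scores and assets are illustrative only.
SAMPLE = [
    Finding("POODLE on mail gateway", "email-server", 5.5, 5, True, True, True),
    Finding("Buffer overflow in legacy daemon", "coffee-server", 8.1, 1, False, False, False),
    Finding("XXE in internal build tool", "dev-box", 7.5, 2, True, False, False),
    Finding("RCE in customer web app", "web-app", 9.8, 4, True, False, True),
]

if __name__ == "__main__":
    print("CVSS >= 7 rule picks :", naive_cvss_triage(SAMPLE))
    ranked = sorted(SAMPLE, key=risk_score, reverse=True)
    print("Risk-based ranking   :", [(f.label, risk_score(f)) for f in ranked])
```

With these inputs the threshold rule skips POODLE entirely and spends effort on an unreachable flaw on the coffee server, whereas the contextual score puts the actively exploited POODLE finding on the mission-critical mail server at the top (5.5), followed by the web-app flaw with a public exploit (4.7), and drops the unreachable item to zero. The weights are deliberately simple; a real program would draw them from its own threat feeds and asset inventory rather than from constants.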


Applying a cyber risk-based approach to security operations enables organizations to focus on identifying the needle in the haystack without being distracted by all the ambient noise.

Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).
