Identifying Risk, or Finding a Needle in a Haystack

Risk management is a hot topic these days. Many industry publications have shifted their focus away from compliance or security to risk management practices. Newer regulations and industry standards are now mandating a risk-based approach to security. This is forcing many organizations to transition from a compliance, check-box driven approach to a more proactive, risk-based view of security.

Risk is made up of many factors including compliance posture, threats, vulnerabilities, reachability, and business criticality. For each of these, organizations collect huge volumes of data that they need to aggregate, normalize, and then assess for their impact on the business. This can sometimes feel like trying to find a needle in a haystack. So how can risk and security professionals harness the potential of big data to identify risks that threaten the organization most?

SIEM, Honey Pots: Attracting the Needle

For many years, businesses either focused on achieving compliance or taking preventive measures to strengthen their security posture. Endless data breaches have proven that neither approach is necessarily effective in minimizing risk. In fact, you could even argue that for years organizations may have misaligned their resources and funds in fighting threats.

What does this mean? Well, when an organization is solely focused on strengthening its compliance posture to pass an audit, it primarily looks at control failures and gaps and tries to mitigate them. However, if there is no threat that could reach the vulnerability in the context of the control gap, why bother? The same applies to vulnerabilities discovered by an organization focused on improving its security posture. Even if a vulnerability can be reached by an existing threat, choosing the right remediation method should also take into account whether any compensating controls are in place that might mitigate the risk. Furthermore, any decision about resource allocation should also weigh the business criticality of the compliance or security shortcoming.

That’s where the rubber meets the road in risk management. In other words, risk management must take a variety of factors (such as compliance posture, threats, vulnerabilities, reachability, and business criticality) into account to derive a holistic view and ensure the efficient alignment of resources for remediation actions. In principle, this sounds logical. However, if we just consider threat assessments, an organization can quickly accumulate huge amounts of data from its network, web assets, social media, reputation, etc. that need to be combed through.

Even mid-sized organizations are subject to dozens of regulations that mandate thousands of controls and have to deal with hundreds of pages of security findings, ranging from vulnerabilities and threats to incidents. These must then be correlated with thousands of assets that represent different levels of business criticality. Using human labor, email, Excel spreadsheets, and survey results to transition to a risk-based approach is unfeasible.

Fortunately, new technology – big data risk management – is emerging that helps not only to aggregate compliance, threat, and vulnerability data but, more importantly, to correlate these data feeds with their business criticality or risk to the organization. The end result is increased operational efficiency and faster time-to-remediation.
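The correlation described above can be sketched in a few lines. This is an added example, not code from the article or from any product it alludes to; the asset names, finding IDs, 0-10 severity scale, and weighting factors are all constructed assumptions chosen to show how reachability, compensating controls, and business criticality reorder a severity-only list.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    criticality: int          # business criticality, 1 (low) to 5 (high)
    reachable: bool           # can a known threat reach this asset at all?
    compensating: set = field(default_factory=set)  # finding IDs already mitigated

@dataclass
class Finding:
    fid: str
    asset: str
    kind: str                 # "vulnerability" or "control_gap"
    severity: float           # 0-10 technical severity (assumed scale)
    threat_active: bool       # threat feed reports activity against this weakness

# Constructed sample inventory and findings (hypothetical names and IDs).
ASSETS = {a.name: a for a in [
    Asset("payments-db", 5, True),
    Asset("hr-portal", 4, True, {"F-4"}),
    Asset("intranet-wiki", 2, True, {"F-3"}),
    Asset("lab-printer", 1, False),
]}
FINDINGS = [
    Finding("F-1", "payments-db", "vulnerability", 7.5, True),
    Finding("F-2", "lab-printer", "vulnerability", 9.8, True),
    Finding("F-3", "intranet-wiki", "control_gap", 6.0, False),
    Finding("F-4", "hr-portal", "vulnerability", 9.0, True),
]

def risk_score(f: Finding, a: Asset) -> float:
    """Combine severity with the business and threat context (assumed weights)."""
    if not a.reachable:
        return 0.0                        # no threat can reach it: "why bother?"
    score = f.severity * a.criticality / 5
    if not f.threat_active:
        score *= 0.5                      # no observed threat activity
    if f.fid in a.compensating:
        score *= 0.25                     # a compensating control is in place
    return round(score, 2)

def prioritize(findings, assets):
    """Return (score, finding ID) pairs, highest risk first."""
    ranked = [(risk_score(f, assets[f.asset]), f.fid) for f in findings]
    return sorted(ranked, key=lambda r: (-r[0], r[1]))

if __name__ == "__main__":
    for score, fid in prioritize(FINDINGS, ASSETS):
        print(f"{fid}: {score}")
```

Sorted by severity alone, F-2 (9.8) would head the queue; with context applied it drops to last place and the 7.5 finding on the payments database comes first.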

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).
