
Using Gap Analysis to Fix a Leaky Enterprise

Attackers Evolve Quickly, and We Must Work Daily to Ensure We Are Ready for Their Next Move

I recently had a rather comical experience involving a leak in the watering system in my garden. One day, I noticed that one part of the system was leaking. After that piece was replaced, a second part started leaking. Replacing that piece resulted in a third part leaking. Finally, after four different components were replaced, there were no more leaks.

As you can see, the water found its way out of the system via its weakest point. Once that point was fixed and was no longer weak, the water found its way out of the system via the next weakest point. This continued until all weak points in the system had been replaced.

The parallel to information security is a natural one. Risks and threats will always be out there, and some of them will flow towards, into, or through our enterprises. If we perform gap analysis well and remediate findings appropriately, we can reduce both the number of weak points within our enterprise and our susceptibility to attack at each of them. If we don’t, we risk exposing our enterprises to unnecessary risk and introduce the potential for grave damage at the hands of attackers.

It is in this spirit that I offer five tips for using gap analysis to fix a leaky enterprise:

1. Build according to plan: One of the best ways to stay on top of security weak spots within the enterprise is to know where all spots (weak or otherwise) are located within the enterprise. It may sound obvious, but in practice, there are often far too many surprises around the business that are unknown to the security team. Security should have a good understanding of what different network and cloud environments look like.  Assets within each environment should be known. Access rights and privileges should be controlled and audited. Security should be a part of each new deployment. When applications are developed, that process should include security from the start. If security is involved, weak spots will be known and can be addressed.  If security is left in the dark, the weak spots will still be there, only unknown to security and thus unmitigated. Whoever coined the phrase “ignorance is bliss” certainly wasn’t talking about security.

2. Use quality components: While it may cost a bit more to acquire a solution with good security, to build security in from the start, or to configure a technology securely, it is well worth the cost. Unfortunately, this doesn’t always happen. In those cases, security issues, often critical ones, are discovered down the line. When this happens, a workaround or retrofit must be designed and deployed. It’s rarely as good as a proper fix, but in many cases, it’s the only option there is. The resource cost can be quite high when team members must be pulled off of other important job functions in order to address a burning security issue with no supported fix. Further, beyond just the time required to design the initial fix, the maintenance and upkeep of a custom fix also add up over time. It’s far more efficient and far more sound security-wise to include security from the get-go.

3. Find weak spots before the attackers do: When I looked at the pieces I replaced on my watering system, I saw that they were quite worn and brittle. Had I been paying closer attention, I could have noticed them and replaced them sooner, before I had leaks. The same is true in security. If you keep a close eye on the various moving parts of the enterprise, you might find that some of them are about to sprout a leak. Vulnerability scanning, penetration testing, and other techniques can be leveraged to keep this close watch. The idea here is to find the weak links before the attackers do, which is certainly not an easy task.

4. Prioritize and remediate findings: Once weak links are located, they will need to be remediated. This most often requires the cooperation of multiple stakeholders from different parts of the enterprise. Further, limited budgets, staffing challenges, and other resource constraints can complicate matters. Prioritization is necessary here. Look for the issues that will result in the most dangerous leaks and address those first. In other words, tackle the highest risks first. Which issues may result in sensitive data being stolen? Which issues may result in large monetary losses? Which issues may result in regulatory fines? Which issues may cause serious or irreparable brand reputation damage? Those are the issues that need to be prioritized first. Once those have been addressed, the security team can continue working its way down the list of issues, from highest risk to lowest.


5. Consider the job partially completed: Resting on its laurels can get a security organization in trouble. No matter how well we’ve performed gap analysis, how thoroughly we’ve remediated issues, and how foolproof our methodology is, we must remain humble. We must always look for that next weakness, that next undiscovered asset, and that next previously unknown threat. Attackers evolve quickly, and we must work daily to ensure we are ready for their next move.
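The first and fourth tips (know every asset, then rank findings by the damage they could cause) lend themselves to a small, repeatable gap-analysis step. The script below is an added illustration, not code from the column or from any product the author mentions; the asset names, findings, impact weights and likelihood scores are constructed sample data, and the weighting scheme is one reasonable assumption among many. It compares the planned inventory against what a scan actually observed, flags assets the security team never knew about, and orders findings so that issues touching sensitive data, money, regulators and brand reputation come first.

```python
from dataclasses import dataclass

# Constructed sample data: what the security team's plan says should exist ...
EXPECTED_ASSETS = {"web-01", "db-01", "api-01"}
# ... and what a discovery scan actually observed on the network.
OBSERVED_ASSETS = {"web-01", "db-01", "api-01", "jenkins-legacy"}

# Assumed weights for the four impact categories the column asks about.
# Higher weight = more dangerous "leak" if the issue is exploited.
IMPACT_WEIGHTS = {
    "data_theft": 5,
    "monetary_loss": 4,
    "regulatory_fine": 4,
    "brand_damage": 3,
}


@dataclass(frozen=True)
class Finding:
    asset: str
    title: str
    impacts: frozenset      # subset of IMPACT_WEIGHTS keys
    likelihood: int         # analyst estimate, 1 (rare) .. 5 (near certain)

    def risk(self) -> int:
        """Risk = likelihood x summed impact weight; 0 if no business impact."""
        return self.likelihood * sum(IMPACT_WEIGHTS[i] for i in self.impacts)


def unknown_assets(expected: set, observed: set) -> list:
    """Tip 1: assets that exist but were never in the plan (unmitigated by definition)."""
    return sorted(observed - expected)


def prioritize(findings: list) -> list:
    """Tip 4: highest risk first; ties broken by asset name for a stable report."""
    return sorted(findings, key=lambda f: (-f.risk(), f.asset))


def gap_report(expected: set, observed: set, findings: list) -> dict:
    """Combine both checks into one structure a security team could act on."""
    unknown = unknown_assets(expected, observed)
    ordered = prioritize(findings)
    return {
        "unknown_assets": unknown,
        "remediation_order": [(f.asset, f.title, f.risk()) for f in ordered],
        # Findings on unplanned assets deserve a second look regardless of score.
        "findings_on_unknown_assets": [f.title for f in ordered if f.asset in unknown],
    }


# Constructed findings, as a scanner or pentest report might list them.
SAMPLE_FINDINGS = [
    Finding("web-01", "Outdated TLS configuration",
            frozenset({"brand_damage"}), likelihood=2),
    Finding("db-01", "Database port reachable without authentication",
            frozenset({"data_theft", "regulatory_fine"}), likelihood=4),
    Finding("jenkins-legacy", "Build server still using default admin credentials",
            frozenset({"data_theft", "monetary_loss"}), likelihood=5),
    Finding("api-01", "Verbose error messages",
            frozenset(), likelihood=3),
]

if __name__ == "__main__":
    report = gap_report(EXPECTED_ASSETS, OBSERVED_ASSETS, SAMPLE_FINDINGS)
    print("Assets not in the plan:", report["unknown_assets"])
    for asset, title, score in report["remediation_order"]:
        print(f"{score:3d}  {asset:15s} {title}")
```

Run as a script it prints the unplanned build server first with the highest score, then the exposed database, and leaves the cosmetic error-message finding at the bottom. The numbers themselves matter less than the habit: rerun the inventory diff and the ranking every time the environment changes, since the next weak point appears as soon as the current one is fixed.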


Written By

Joshua Goldfarb (Twitter: @ananalytical) is currently Global Solutions Architect - Security at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.
