Today, even mid-sized organizations are dealing with thousands of vulnerabilities across their growing attack surface. Therefore, relying solely on existing intelligence provided by vulnerability scanners should only be a first step in a cyber risk management process. Without determining the risk associated with vulnerabilities, organizations often misalign remediation efforts and resources. This approach not only wastes time and money, it also extends the window of opportunity for hackers to exploit critical vulnerabilities. This begs the question: what steps are required to focus remediation efforts on the threats that represent the biggest risks to an organization?
At last week’s Black Hat USA 2016 in Las Vegas, many practitioners expressed frustration with how to determine which threats and vulnerabilities they should focus their mitigation efforts on. Most organizations face an uphill battle in defending against cyber adversaries, primarily because the attack surface they have to protect has grown significantly and is expected to balloon even further. While it was sufficient in the past to concentrate on network and endpoint protection, nowadays applications, cloud services, mobile devices (e.g., tablets, mobile phones, Bluetooth devices, and smart watches), and the Internet of Things (e.g., physical security systems, lights, appliances, as well as heating and air conditioning systems) represent a much broader attack surface to defend. According to the 2015 Global Risk Management Survey, 84% of cyber-attacks today target the application layer, not the network layer. This is forcing organizations to adopt a more holistic approach to cyber security.
According to Gartner ("Security and Risk Management Scenario Planning, 2020"), by 2020, 30% of global 2000 companies will have been directly compromised by an independent group of cyber activists or cyber criminals. This prediction is not surprising, considering the fact that leading risk indicators are difficult to identify when cyber attackers, including their strategy, competences, and actions, are unknown. In turn, many organizations still focus on control gaps and vulnerabilities when performing risk assessments and neglect taking threats into account.
Focusing solely on findings from internal security intelligence such as vulnerability scanners, configuration management databases, and SIEM systems can lead to inaccurate prioritization of remediation actions and inefficient allocation of resources. The POODLE Vulnerability in 2014 is a good example. The National Vulnerability Database (NVD) assigned this vulnerability originally a 5.5 CVSS score out of 10, which led most organizations to not remediate it. On average, organizations only act upon security flaws that are rated 7 or higher -- to be able to deal with the onslaught of vulnerabilities in their environment. However, if those organizations had known that hundreds of thousands of POODLE exploits were being carried out, they likely would have changed their risk assessment of the vulnerability.
As we all know, two conditions are required for a security incident to occur: a vulnerability must be present in some form (e.g., a software flaw or insecure programming; insecure configuration of IT infrastructure; insecure business operations; risky behavior by internal staff or other people, conducted maliciously or by mistake) and secondly, a threat must exploit that vulnerability.
Typically, security professionals have no direct control over threats. As a result, organizations have tended to focus on known, more visible facts – vulnerabilities and control failures – while neglecting threats as a factor in cyber risk assessments. However, as the volume of vulnerabilities has exploded over the past few years, it has become almost impossible to remediate all of them without vetting the impact and likelihood that they will be exploited. The point is, why dedicate resources to fixing vulnerabilities that have no threat associated with them and are not even reachable?
Since a threat is the agent that takes advantage of a vulnerability, this relationship must be a key factor in the risk assessment process. It can no longer be treated as risk’s neglected step child. In fact, advanced security operations teams leverage threat intelligence to gather insight into the capabilities, current activities, and plans of potential threat actors (e.g., hackers, organized criminal groups, or state-sponsored attackers) to anticipate current and future threats.
Once internal security intelligence is contextualized with external threat data (e.g., exploits, malware, threat actors, reputational intelligence), these findings must be correlated with business criticality to determine the real risk of the security gaps and their ultimate impact on the business. Ultimately, not knowing the impact a “coffee server” has on the business compared to an “email server”, makes it virtually impossible to focus remediation efforts on what really matters.
Applying a cyber risk-based approach to security operations enables organizations to focus on identifying the needle in the haystack without being distracted by all the ambient noise.