Not All Security Risks Are Created Equally
… manually evaluating several data sources, which slows the pace given the size of the attack surface. It also gives attackers more time to find and exploit additional security gaps.
Sophisticated attackers build robust infrastructure and automation to find blind spots. To defend against them effectively, security teams should automate as much as possible too. Look for context data in the places an attacker could easily find it, such as:
- Asset data such as IP addresses, subdomains, DNS records and the company and product names and logos found on them. This helps teams work out which organization or department owns an asset.
- Public information such as company news stories, websites, regulatory filings and industry databases. These provide clues about business connections, subsidiaries and partner companies, and even about which assets are exposed.
- Third-party services. Vendor-provided or open-source intelligence solutions can supply data feeds and other sources of context. Be aware, though, that many third-party services are expensive and slow to deliver results.
- Technical links. Relationships between machines, such as hyperlinks, gateways and the use of third-party code and resources, can also reveal an asset's business importance and its attractiveness to attackers.
Finally, don't ignore scalability. Classifying business context to prioritize risks must scale to cover every asset in the attack surface quickly, and for some organizations that means hundreds of thousands of assets.
Assign Scores to Risks
Scoring systems are an effective way to analyze, sort and rank risks. For example, a low score of 0 might be assigned to a certificate about to expire on a rarely used Apache server, while a high score of 10 might go to sensitive business documents stored on an unpatched file server where exploitation complexity is low and asset discoverability is high. The priority score sets the marching orders for remediation, starting with the highest-priority risks. When prioritization works well, high-risk attack vectors can be communicated clearly between security teams and executive management. When it doesn't, even the vulnerability management team can't explain why one risk is more severe and urgent than another, and conversations stay purely technical rather than oriented to business risk.
Five criteria can help with risk scoring:
- The potential impact of an exploited asset, both technical and to the business.
- Business context, which identifies assets of greater interest to attackers.
- Exploitation complexity, which indicates which gaps are easiest to exploit and therefore form an attacker's path of least resistance.
- Discoverability, which shows how easy it is to identify a vulnerable asset and how likely a sophisticated attacker is to figure out that it belongs to your organization.
- Remediation effort, which reflects the estimated level of effort required to fix the risk.
Weighting these criteria in a scoring system accelerates the prioritization of risks to your enterprise.
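As an added example (not CyCognito's scoring method, and not code from the original article), the following Python ranks a constructed list of risks using the five criteria above on a 0 to 10 scale. The weights, the per-criterion scales, the inversion of exploitation complexity so that "easy to exploit" raises the score, the use of remediation effort as a tie-breaker rather than a score component, the asset names and the sample values are all assumptions for illustration; the `explain()` output is there so the ranking can be justified to management rather than just asserted.

```python
"""Weighted risk scoring and ranking (added example; weights are assumptions)."""
from dataclasses import dataclass

# Assumed weights for the four criteria that describe exposure. They sum to 1,
# so a risk scored 0-10 on every criterion lands on a 0-10 priority scale.
WEIGHTS = {
    "impact": 0.35,            # technical + business damage if exploited
    "business_context": 0.25,  # how attractive the asset is to an attacker
    "exploit_ease": 0.25,      # 10 minus exploitation complexity
    "discoverability": 0.15,   # how easily an attacker finds and attributes it
}


@dataclass
class Risk:
    asset: str
    issue: str
    impact: float                  # 0 (none) .. 10 (catastrophic)
    business_context: float        # 0 (no attacker interest) .. 10 (crown jewels)
    exploitation_complexity: float  # 0 (trivial) .. 10 (practically infeasible)
    discoverability: float         # 0 (hidden) .. 10 (trivially found and attributed)
    remediation_effort: float      # 0 (minutes) .. 10 (multi-quarter project)

    def __post_init__(self):
        # Reject out-of-range input early; a typo like 100 would dominate the ranking.
        for name in ("impact", "business_context", "exploitation_complexity",
                     "discoverability", "remediation_effort"):
            value = getattr(self, name)
            if not 0 <= value <= 10:
                raise ValueError(f"{name} must be in 0..10, got {value}")

    def factors(self) -> dict:
        # Exploitation complexity is inverted: a low-complexity exploit is
        # the attacker's path of least resistance and should raise the score.
        return {
            "impact": self.impact,
            "business_context": self.business_context,
            "exploit_ease": 10 - self.exploitation_complexity,
            "discoverability": self.discoverability,
        }

    def score(self) -> float:
        return round(sum(WEIGHTS[k] * v for k, v in self.factors().items()), 2)


def prioritize(risks):
    """Highest score first; equal scores are ordered cheapest fix first.

    Remediation effort deliberately does not lower the exposure score: a hard
    fix does not make an exposed crown jewel less exposed. It only decides
    which of two equally risky items the team tackles first.
    """
    return sorted(risks, key=lambda r: (-r.score(), r.remediation_effort))


def explain(risk: Risk) -> str:
    """One-line rationale naming the two criteria that contribute most."""
    contributions = {k: round(WEIGHTS[k] * v, 2) for k, v in risk.factors().items()}
    top = sorted(contributions.items(), key=lambda kv: -kv[1])[:2]
    drivers = ", ".join(f"{k}={v}" for k, v in top)
    return (f"{risk.asset} ({risk.issue}): score {risk.score()}, "
            f"fix effort {risk.remediation_effort}/10; main drivers: {drivers}")


# Constructed sample risks, modelled on the two cases in the text plus a third.
SAMPLE_RISKS = [
    Risk("apache-legacy-03", "TLS certificate expires in 5 days",
         impact=2, business_context=1, exploitation_complexity=9,
         discoverability=6, remediation_effort=1),
    Risk("fileserver-fin-01", "unpatched file service exposing sensitive documents",
         impact=10, business_context=9, exploitation_complexity=1,
         discoverability=9, remediation_effort=4),
    Risk("vpn-gw-02", "outdated VPN appliance firmware",
         impact=8, business_context=8, exploitation_complexity=4,
         discoverability=8, remediation_effort=7),
]


def ranked_assets(risks=SAMPLE_RISKS):
    """Asset names in remediation order, for the sample data: the file server first."""
    return [r.asset for r in prioritize(risks)]


if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS):
        print(explain(r))
```

With the sample values the file server scores 9.35, the VPN gateway 7.5 and the expiring certificate 2.1, and each line of output states which criteria drove the number. Tuning is where the real work lies: the weights should be agreed with the business, and inputs such as discoverability and exploitation complexity should come from the attack-surface tooling rather than from hand entry wherever possible, or the scheme will not scale past a few hundred assets.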
The importance of prioritizing risks discovered across the enterprise attack surface can’t be emphasized enough. Most organizations are swamped by thousands, even tens of thousands, of so-called urgent risks. No one has the resources to remediate everything immediately, so a rational, programmatic and automated approach to prioritizing risks is needed to help isolate those that genuinely require urgent attention.
Lori Cornmesser is vice president of worldwide channel sales for CyCognito, a company focused on solving a fundamental business problem in cybersecurity: seeing how attackers view your organization, where they are most likely to break in, what systems and assets are at risk and how you can eliminate the exposure. You may follow her on LinkedIn or @CyCognito on Twitter.