When it comes to protecting the enterprise from cyber threats, IT leaders face a truly endless and frustrating task. Today’s constantly evolving threat landscape means organisations face the challenge of eliminating millions of potential vulnerabilities that could prove an entry point for hackers. As a consequence, just like King Sisyphus from Greek mythology who was condemned to eternally roll a huge boulder up a steep hill, IT teams are engaged in interminably patching vulnerabilities with no hope of victory or respite.
The problem is most IT teams only have capacity to patch around one out of every 10 vulnerabilities, so determining what to prioritise can cause conflict across the business. Yet just a small number of these vulnerabilities will actually pose a real threat to the organisation. As a result, many IT teams waste a lot of time, effort, and expense engaged in activities to counteract a huge number of unlikely or irrelevant threats.
Defining risk in the context of cyber security
Adopting a pragmatic and streamlined approach to vulnerability management depends on first understanding what constitutes risk in order to determine which events are a serious enough threat to require prevention or remediation.
For cybersecurity professionals, defining the parameters of what represents risk needs to go beyond simply assessing the probability of an event taking place. It also needs to evaluate the scale of impact to the enterprise should the event actually occur.
So, while there might be a 95% probability that something will occur, the resulting impact of that event could be zero. Alternatively, the chance of another event occurring could be less than 5% but the financial and reputational loss that would accompany a data breach would run into the millions.
The brutal reality is that security incidents happen every day, but the impact of most are negligible. The real challenge is spotting which events are most likely to inflict the most damage to the business.
Determining risk magnitude, criticality, and consequences
In addition to assessing the probability and likelihood of an event occuring, security specialists also need to evaluate the magnitude of impact in relation to their own unique operating scenarios. In other words, making realistic judgements and choices depends on also understanding the criticality and consequences of an event occurring in your specific environment. For example, while the loss resulting from the compromise of a WordPress site that has not been updated could be negligible, the impact of malware that exploits multiple vulnerabilities could lead to system lockdowns, or the critical loss of customer data.
However, adopting an outcome driven approach to cyber security risk assessment is just part of the puzzle. Security professionals also need to be able to also quickly rate and prioritise vulnerabilities in relation specifically to their organisation in order to generate the actionable risk scores that will guide remediation efforts.
A data-driven approach to cyber risk assessment
Without the right insights, it is impossible to take a pragmatic approach to managing risk. What’s needed is a modern data-driven approach to vulnerability management that enables security teams to efficiently evaluate and assess risk, so that IT operations can focus attention where it matters the most – taking action.
The concept of data-driven vulnerability management isn’t a new one. But thanks to the growing complexity of IT environments, today’s security teams now have to manually wrangle an ever-growing volume of vulnerability and log data from across the extended enterprise. Plus, the data-driven approach is reliant on the quality of data gathered and the effectiveness of its analysis and interpretation. No easy task in today’s fast moving world, where vulnerabilities need to be assessed and ranked in close to real-time if risk reduction efforts by security and operations teams are to be both effective and aligned.
To achieve this goal, security specialists need to harness automation and machine learning. In doing so, they can stay abreast of the abundance of data and vulnerabilities that have to be managed and streamline the number of vulnerabilities they ask IT to fix.
Cutting through the data noise
In today’s data-heavy environments, automating routine tasks frees security teams to act on data insight, rather than spending valuable time cleaning, correlating, de-duping, and mapping vulnerability data to the organisation’s assets. Plus, automation can be leveraged to work out false positives and fix naturally occurring false negatives to ensure that teams don’t waste valuable time attempting to fix something that isn’t broken, or accidently overlook an issue that is critical.
Today’s machine learning and automation tools make it easy to take vulnerability data, related risk data, and insight on how to remediate those vulnerabilities, and send all of this directly to the workflows of the IT operations and development teams who are handling incidents, remediation and bug patching tasks.
Rather than getting distracted – or even worried – by high-profile breaches, like the recent malware attack on Honda, taking a risk-based approach to vulnerability gives organisations the context they need to evaluate their specific risk posture and hone-in on vulnerabilities that are most worthy of prioritisation. It also enables enhanced cooperation and collaboration between teams, who can now embrace and share a common risk language that makes it easy to determine what they need to fix first, and why. By successfully combining a machine learning-based approach with the capability to aggregate data – internally, as well as from real-time threat intelligence feeds – security teams can establish and maintain a consistent risk tolerance level that effectively protects the organisation.
Steve has over a decade of experience in cyber security and transformation projects, his role at Kenna is to rapidly grow the EMEA organisation to meet the customer demand for risk-based vulnerability management. Prior to Kenna he held senior sales roles at Forcepoint, Citrix and Imperva, focusing on IT solutions for complex, enterprise requirements. Steve has a passion for driving equality, alongside enabling flexibility at work for modern living. He has held steering committee roles in companies looking to close the gender pay gap and develop careers for working parents, and strives to find and support equality initiatives across the workplace and industry.