The past two years have been challenging — to say the least — for security leaders. They’ve experienced unprecedented events that have elevated threat levels and increased awareness of cyber risks at the highest levels of organizations.
In my previous blog, I covered recent notable cybersecurity incidents, some of which made headlines and caused significant damage to the victim organizations, and all of which struck fear in many an organization — or should.
I also started presenting the strategy that organizations should adopt to develop a cybersecurity program to defend against attacks. The plan covers five areas: inventory and asset management, breaking down silos, risk assessment, gap analysis and patch management.
I’ll continue discussing the last three parts of the plan in this post. You can read more about inventory and asset management and breaking down silos in my previous article.
What is an IT risk assessment?
An IT risk assessment is something organizations need, but it is not easy to do.
It’s like accounting math, but for technology. The meanings can shift, and it is all predicated on a shared understanding of what the risk assessors are trying to do and how they are measuring risk.
Fortunately, there are some effective practices for risk assessment. One is to provide contextual understanding. Risk is, at its core, a relationship among vulnerability, threat and criticality. A risk assessment team might measure risk based on the presence of vulnerabilities, the likelihood the organization would be targeted by someone seeking to exploit those vulnerabilities, and how critical a targeted system is to the organization.
There are many risk measurement frameworks to choose from. The key is to map everything back to vulnerability, threat and understanding how important a given asset is.
Something else to keep in mind is that risk changes by the second. For every emerging threat actor, every zero-day vulnerability seen in the wild, and every laptop that logs on, risk has changed. The security industry has an antiquated view of risk as a snapshot in time, but that simply will not work in a technology landscape that changes so frequently.
Another issue is reporting risk. For many organizations, risk receives a single slide in the quarterly presentation to the board of directors — a situation where it’s impossible to have meaningful conversation about the risk landscape and trends.
Organizations must create a measurement of real-time risk, and for that to be successful, risk calculation must be automated. When instrumenting an environment, that should be a high-priority consideration.
The goal of understanding risk is to provide actionable insight for mitigation and remediation. Mitigation is the temporary state of reducing risk while planning for complete remediation or elimination.
Often, mitigation includes hotfixes, temporary access control changes, or other hardening steps that may reduce vulnerability but also impede productivity. This process is meant to buy time for proper remediation, which often includes upgrades or replacement of vulnerable assets.
In some cases, it’s required that the business “accept the risk” by providing stakeholders contextual information about the cost of the remediation compared to the potential loss that exploitation of the risk would create.
While risk acceptance is a valid approach, it should be used with discretion and revisited regularly to ensure the organization has not assumed more risk than they are prepared to pay for.
At the end of the day, you must be sure that you have only written risk acceptance checks that you can cash. Bottom line: Risks must be mitigated, remediated, or accepted, and mitigation and acceptance should never be presumed to be a “steady state.”
Security gap analysis and management
For every security incident, there’s likely a weakness of some sort within the attacked organization that cybercriminals were able to exploit. This is why it’s so important to find existing security gaps and close them before it’s too late. The time to update the environment is not during an attack; it’s today.
Gap management for network visibility and intrusion detection is impossible without knowing the current state, defining the end goal, and measuring improvement over time. For starters, a company needs to establish how many endpoints it can see and manage compared with how many it can’t, and set a goal to reduce that gap over a quarter.
As these goals are accomplished, the organization can expand on them, get more granular, and target specific, highly technical use cases.
While some of those more advanced use-cases may seem pressing, an organization that cannot confidently claim visibility of every endpoint must focus on visibility improvements as a first priority. Improving visibility scales the efficacy of every other effort for security and operations.
Detection, triage/analysis, incident response workflows, and infrastructure management are top-of-mind goals for organizations managing endpoint threats. To do these things effectively, enterprises must build in the right instrumentation before it’s needed.
When assessing instrumentation, companies need to consider what they can get visibility into. Do existing solutions cover all the areas where visibility is needed? This includes endpoints, networks, applications, cloud services, and other areas.
Patch management
For many organizations, patch management is still an Achilles heel, made worse by the rapid and unexpected shift to remote work. Even after all these months, some are still looking for the right way to get patches to the devices for which they have no line of sight.
Research shows that a relatively small percentage of organizations are capable of deploying a critical patch in less than 24 hours, and many are not confident that the patches they applied were actually effective.
Vulnerabilities today are being actively exploited in the wild within hours, not days or weeks. Relying on a 30-, 60-, or 90-day patch compliance window is clearly not enough for the more serious vulnerabilities.
In addition to understanding their overall patch performance, organizations need to identify and classify those IT assets that should be prioritized. However, it’s important to note that all systems are a priority to patch; it’s just that some can realistically be allowed a little more time so that the most urgent can be patched first.
This is why understanding risk is predicated on understanding asset criticality. Operational decisions depend on a real-time contextual understanding of your environment.
For most organizations, this means treating public-facing systems, such as e-commerce sites, as the highest priority, since they are the most exposed to attack. From there they can work inward and down to end-user workstations.
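The risk relationship described above (vulnerability, threat and criticality) and the patch prioritization it drives can be automated over an asset inventory. The following is an added example, not code from the original post or from Tanium; the weights, the SLA hours and the inventory entries are constructed for illustration, and the CVSS scores stand in for whatever vulnerability severity source an organization actually uses.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    """One entry from a (constructed) asset inventory."""
    name: str
    criticality: int         # 1 (low) .. 5 (business critical), set by the asset owner
    public_facing: bool      # reachable from the internet
    cvss: float              # highest CVSS base score among its unpatched vulnerabilities
    exploited_in_wild: bool  # threat intel reports active exploitation
    hours_unpatched: int     # time since the fix became available


def threat_factor(a: Asset) -> float:
    """Likelihood the weakness is targeted (illustrative weights, not a standard)."""
    if a.exploited_in_wild:
        return 1.0
    return 0.6 if a.public_facing else 0.3


def risk_score(a: Asset) -> float:
    """Risk as vulnerability x threat x criticality; maximum 10 * 1.0 * 5 = 50."""
    return round(a.cvss * threat_factor(a) * a.criticality, 1)


def patch_deadline_hours(a: Asset) -> int:
    """Illustrative SLA: actively exploited gets hours, public-facing days, the rest 30 days."""
    if a.exploited_in_wild:
        return 24
    return 72 if a.public_facing else 30 * 24


def prioritize(assets):
    """Return (name, score, overdue) rows, highest risk first, so the queue is recomputed
    whenever the inventory, the threat intel or the clock changes."""
    rows = [(a.name, risk_score(a), a.hours_unpatched > patch_deadline_hours(a)) for a in assets]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample inventory; hostnames and values are made up.
INVENTORY = [
    Asset("web-shop-01", 5, True, 9.8, True, 30),
    Asset("hr-db-02", 4, False, 7.5, False, 100),
    Asset("vpn-gw-01", 4, True, 8.1, False, 80),
    Asset("laptop-0451", 1, False, 9.8, True, 10),
]

if __name__ == "__main__":
    for name, score, overdue in prioritize(INVENTORY):
        print(f"{name:12} risk={score:5.1f} {'OVERDUE' if overdue else 'within SLA'}")
```

Note that the low-criticality laptop lands near the bottom of the queue yet still carries the 24-hour deadline, which is the point made above: every system is a priority to patch, some can simply be allowed a little more time.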
The tech industry often jokes that automation is born out of being annoyed with doing the same redundant, time-consuming tasks repeatedly. This is certainly true with patch management. While it sounds simple, practitioners know it’s often fraught with missing devices, network limitations, and timing around business needs.
After visibility, your next most important priority should be ensuring your patches are automated. Doing so allows your talented engineering teams to focus on innovation and maturing to a proactive posture instead of spending dozens or hundreds of hours a month on retroactive patching.
Time to create and execute your cybersecurity action plan
These are surely challenging times for organizations when it comes to cybersecurity. New threats and vulnerabilities are emerging all the time, while IT environments continue to get increasingly complex.
The fact is, it’s not going to get any easier. Security executives need to lead their organizations in creating and deploying a plan of action that covers key areas such as inventory and asset management, breaking down business/security silos, risk assessment, gap management, and patch management.
By doing this, organizations will create an opportunity to strengthen their defenses against the latest threats. That will clear the way for them to compete effectively as digital businesses while at the same time protecting valuable information resources and elevating their security operations to a proactive and innovative level.