The Future of Threat and Vulnerability Management to Control Cyber Risk

Post on 03-Jan-2021


Page 1: The Future of Threat and Vulnerability Management TO ......The Future of Threat and Vulnerability Management to Control Cyber Risk EXECUTIVE OVERVIEW Threat and vulnerability management


The Future of Threat and Vulnerability Management to Control Cyber Risk

EXECUTIVE OVERVIEW

Threat and vulnerability management (TVM) has never been more difficult. The stakes are much higher. It’s hard to evaluate cost-to-value, and security expertise is limited. Even with multiple scanning tools, threat and vulnerability management doesn’t get easier. In fact, many organizations are running into data overload, but that’s all about to change.

RiskSense is bringing a new perspective and visibility into what alters cyber risk. The RiskSense platform will enable organizations to replace their current options of “ignore, defer, or continue to do what we do today with limited insight” with a context-intelligent and proactive approach in order to achieve risk-based vulnerability prioritization.

Let’s look at an overview of today’s cybersecurity challenges, followed by a walk-through of the six defining pillars that RiskSense is focused on as we work to define risk-based vulnerability management.


TODAY’S CRITICAL CYBERSECURITY ISSUES

It is no secret that threat and vulnerability management is the dirtiest job in cybersecurity. Security analysts must wade through piles of vulnerabilities, without knowing what else is around the corner. The result is “cyber risk mayhem”, where it becomes impossible to fix everything. To complicate matters further, the risk posed by a given vulnerability can change day-to-day. Cybersecurity efforts must now include the entire spectrum of risk identification and remediation steps, including cyber risk assessment, prevention, mitigation, resilience, and recovery scenarios.

The Increased Focus on Cyber Risk Accountability

“As digital transformation progresses from the world of monolithic applications to cloud-native component architecture, the question of risk becomes more difficult to quantify when everything can be considered to be connected. In that case, everything can be considered high risk!” –– Stephen Magnani, Senior Vice President-Office of the Chief of Information Security-Application Security Management, Citi (1)

The U.S. Securities and Exchange Commission (SEC) is currently looking closer at corporations that are not reporting on their cyber risk properly. According to Jay Clayton, Chairman of the SEC, “Even the most diligent cybersecurity efforts will not address all cyber risks that enterprises face. That stark reality makes adequate disclosure no less important. Malicious attacks and intrusion efforts are continuous and evolving, and in certain cases they have been successful at the most robust institutions and at the SEC itself.”

“Issuers and other market participants must take their periodic and current disclosure obligations regarding cybersecurity risks seriously, and failure to do so may result in an enforcement action,” according to Clayton. Although the SEC is increasing its focus on accountability, there aren’t really any clear guidelines on how to accomplish this. In essence, it is accountability without a path.

It’s not just the SEC increasing its focus on cyber risk. Rep. Jim Himes introduced the Cybersecurity Disclosure Act of 2019, a bill that would make the SEC issue a new set of rules requiring U.S. companies to tell their investors whether or not they have someone who has cyber expertise on their board.

(1) Mighty Guides: The Essential Guide to Understanding Risk and Quantification


Community Contribution

Most organizations today rely on the severity scores of the National Vulnerability Database (NVD) and a version provided by their vulnerability scanners. The sourcing and curating of vulnerability and threat intelligence has just begun to evolve. With AI-assisted analysis and human verification, vulnerabilities and their true risk to a business become apparent by looking at the internal asset criticality and the shifting external intelligence. More sources are needed to truly understand cyber risk and vulnerability exposure. Just like crowdsourcing, tapping into the collective value of those in security, like penetration testing experts with their experience of code weaknesses and security configuration knowledge, is essential. These individuals have the skills to move a vulnerability from concept to a proven risk with exploitable code and tools. From the intelligence side, more focus is needed on dangerous vulnerabilities with capabilities for remote execution or privilege escalation. Significant risk arises from these vulnerabilities when they have active exploits trending in the wild.

The Cost-to-Value Problem

Some organizations, if they could, would just throw more bodies at the vulnerability problem, but there simply aren’t enough people with the necessary security expertise to fill all of the available roles in every company. Even if an enterprise is lucky enough to have a highly skilled security team, a scan-and-patch approach is not going to reduce its cyber risk. Vulnerability weaponization is happening at an increasing rate. In the absence of in-depth cyber risk intelligence, the security team is making decisions from narrow viewpoints. They are driving the organization’s costly security resources into action (or more likely, reaction), but they are not statistically changing the risk equation.

As a result, enterprises are spending on multiple scanning tools and analyzing the data, but they are struggling to understand why their investments aren’t driving down the frequency of security incidents. Frustrated, many turn their attention to other areas of security, hoping for better outcomes there, and reduce their vulnerability programs to necessary ‘hygiene’.

Quantity vs. Quality

Managing cyber risk used to be all about patching volume, but accurate measures of cyber risk management and its effectiveness require a qualitative assessment. An effective TVM solution must provide a way to show results that are understandable by the organization’s IT and security teams, all of the way up to C-level executives and board members, without needing interpretation. This measurement or score will facilitate planning, versus simply reacting to activity-based vulnerability remediation metrics.

A cybersecurity score or value provides a way to measure the effectiveness of an organization’s risk-based approach to vulnerability management. In addition, enabling security teams to run “what if” scenarios gives visibility into which actions will positively make a difference, and allows them to align activities to current resource availability and business concerns. Quality results need up-to-the-moment calculations based on the business criticality of systems, weaponization, and context-intelligence.


Threat and vulnerability management platforms need to adapt to meet the growing challenges of digitized businesses and ever-increasing IT expansion, and deliver better outcomes for overwhelmed security teams.

SIX PILLARS OF FUNCTIONALITY AND VISION FOR RISKSENSE:

• Reclamation
• Collaboration
• Intelligence
• Measurement
• Coverage
• Validation

1. Reclamation

Managing Risk, Not Resources

With highly trained security expertise at a premium, what if your organization could make better use of the personnel it already has? Imagine how one or two security FTEs could be used for other, more pressing, security aspects in your business. Continuous, prioritized, and prescriptive risk-based vulnerability management allows you to get to remediation activities faster.

Every organization is competing for the same scarce security resources today. If every security team could obtain just a small amount of efficiency, collectively we’d get a lot better at controlling cyber risk. The United States still leads the world in digital business transformation. We now need to lead in how to transform threat and vulnerability management to help prioritize and drive better results for all.

2. Collaboration

Shared Responsibility with No More Silos

We envision a future where the functions of IT, DevOps, and Security act as a fully integrated team. But in most organizations today, one group is responsible for vulnerability scanning, the security team is responsible for setting priorities, and the IT team is then responsible for performing remediation actions. As a result, security and IT are often at odds. Security is responsible for cyber risk, but IT is fielding the burden of work to fix or mitigate. To make matters worse, IT often doesn’t have visibility, or get feedback, as to the importance of its efforts.

When IT and security can share responsibility and unify as a team against cyber risk, more of the right activities will happen with increasing efficiency. Closed-loop verification goes smoother, compliance is easier to validate, and those in IT and security who are actually doing this work will get credit for measurably improving the security posture of the company.

3. Intelligence

Real Results, Nothing Arbitrary or Artificial

Today’s security teams are dealing with data overload. It is no longer possible to get results using a human-driven solution alone. Google has optimized the search function so much that you can find anything digital almost instantly. Vulnerability and threat intelligence need to take a similar approach: mine as many sources as possible, curate the information using both AI-driven intelligence and human-assisted verification, and elevate the top trending threat results. Access to statistically proven intelligence, and not just gathered data, will be a new requirement.

Understanding trending exploits, and predicting those to come, will grow with crowd-sourced exploits and intelligence from a global base of pen testers. It will accelerate the identification of code exposure, moving it from theoretical risk into validated exploitable maneuvers.


4. Measurement

Reflection of Risk and Remediation

Fact-based decisions for threat and vulnerability management need to mature. Measurement should be a built-in component for knowing your current risk exposure. Identify consistently weak areas within highly critical business systems. Results can fluctuate based on what’s important to you right now and what is externally changing that could increase your cyber risk.

What if you could run remediation scenarios and see which combinations of actions would really make a measurable difference in cyber risk to your organization? By identifying the best predictive steps and patch recommendations, new estimated measurements of risk exposure can be calculated. Organizations with this level of measurement can navigate the remediation process better, map the appropriate resources and change windows, and see upon patch validation that their security posture has measurably improved. This could be across an organization, within a specific asset group, or within regional segments or business units.
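The prioritization the brochure argues for (NVD severity re-weighted by internal asset criticality, impact class, weaponization and in-the-wild trending, as in the Community Contribution and Quantity vs. Quality passages) and the “what if” remediation scenarios of the Measurement pillar, shown as one added worked example. This is not RiskSense code and not the RiskSense scoring model: the weighting formula, the input fields, the placeholder CVE ids and the sample findings are all constructed assumptions for illustration.

```python
"""Risk-based vulnerability prioritization with 'what-if' remediation scenarios.

Added illustration only: not RiskSense code and not its scoring model. The
weights, the input fields and the sample findings are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Finding:
    cve: str                # advisory id; the values below are placeholders, not real CVEs
    asset: str              # host or application the scanner reported it on
    cvss: float             # NVD base score, 0.0 - 10.0
    asset_criticality: int  # 1 (throwaway) .. 5 (crown jewel), assumed to come from the asset inventory
    impact: str             # "rce", "privesc", "dos" or "info"
    weaponized: bool        # public exploit or malware exists (assumed: from a threat-intel feed)
    trending: bool          # exploitation observed in the wild recently (assumed: same feed)


# Remote code execution and privilege escalation weigh most; constructed weights.
IMPACT_WEIGHT = {"rce": 1.0, "privesc": 0.8, "dos": 0.4, "info": 0.2}


def risk_score(f: Finding) -> float:
    """Constructed formula, 0.0 - 10.0: base severity scaled by asset criticality,
    impact class and threat context. A trending, weaponized RCE on a crown-jewel
    asset keeps its full CVSS value; a theoretical RCE on a low-value box is cut
    to a small fraction of it."""
    context = 1 + int(f.weaponized) + int(f.trending)   # 1 .. 3
    return f.cvss * (f.asset_criticality / 5) * IMPACT_WEIGHT[f.impact] * (context / 3)


def prioritize(findings: Iterable[Finding], by_risk: bool = True) -> List[Finding]:
    """Work queue: risk-based order, or plain scan-and-patch order (CVSS only) for comparison."""
    key = risk_score if by_risk else (lambda f: f.cvss)
    return sorted(findings, key=key, reverse=True)


def exposure(findings: Iterable[Finding]) -> float:
    """Organization-level exposure: the sum of residual risk over all open findings."""
    return sum(risk_score(f) for f in findings)


def what_if(findings: List[Finding], remediate: Set[Tuple[str, str]]) -> Tuple[float, float]:
    """Simulate fixing the given (cve, asset) pairs; return (new exposure, reduction)."""
    before = exposure(findings)
    remaining = [f for f in findings if (f.cve, f.asset) not in remediate]
    after = exposure(remaining)
    return after, before - after


def top_n(findings: List[Finding], n: int, by_risk: bool) -> Set[Tuple[str, str]]:
    """The first n items of a work queue, as (cve, asset) pairs for a what-if plan."""
    return {(f.cve, f.asset) for f in prioritize(findings, by_risk)[:n]}


# Constructed sample scan output; the CVE ids are placeholders.
SAMPLE = [
    Finding("CVE-XXXX-0001", "payments-db",    7.5, 5, "rce",     True,  True),
    Finding("CVE-XXXX-0002", "dev-wiki",       9.8, 1, "rce",     False, False),
    Finding("CVE-XXXX-0003", "hr-portal",      8.8, 4, "privesc", True,  False),
    Finding("CVE-XXXX-0004", "payments-db",    5.3, 5, "dos",     True,  True),
    Finding("CVE-XXXX-0005", "intranet-kiosk", 9.1, 2, "info",    False, False),
]


if __name__ == "__main__":
    print(f"exposure now: {exposure(SAMPLE):.2f}")
    for f in prioritize(SAMPLE):
        print(f"{risk_score(f):5.2f}  cvss={f.cvss}  {f.cve} on {f.asset}")
    # One change window, two candidate plans: fix the top two by CVSS or the top two by risk.
    for label, plan in (("cvss", top_n(SAMPLE, 2, by_risk=False)),
                        ("risk", top_n(SAMPLE, 2, by_risk=True))):
        after, drop = what_if(SAMPLE, plan)
        print(f"plan {label}: exposure {after:.2f} (reduced by {drop:.2f})")
```

On the constructed sample the CVSS-only queue starts with the two highest base scores, a non-weaponized RCE on a low-value wiki and an information leak on a kiosk, and fixing both barely moves the exposure figure; the risk-based queue starts with the trending, weaponized RCE on the payments database and removes most of the exposure in the same change window. That gap between the two plans is exactly what the “what if” measurement is meant to make visible before resources are committed.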

5. Coverage

Adapting to Change

Coverage and visibility for threat and vulnerability management need to keep up with the dynamics of business. Moving from compliance-driven, point-in-time assessments to ones that are more time-sensitive, and that carry a sense of urgency because of the potential high risk they reveal to an organization, is critical.

The utilization of web applications, IoT, virtualization, and containers contributes to a fluctuating attack surface. Vulnerability weaponization, meaning there is malware and/or an exploit available, is increasing in speed, often taking less than seven days. Penetration testing grows in importance to identify the inventory of assets and how layered vulnerabilities can expose the business to risk. Modernizing these assessments, to include the near real-time delivery of findings as they are encountered, removes unnecessary latency. This allows remediation to begin immediately, rather than waiting for the conclusion of the engagement, when the entire pen test assessment is presented and finalized. Expanding technologies and shortened timelines will bring higher importance to penetration testing and exploit validation as a risk countermeasure, with AI and human-focused intelligence looking at code and scenarios no one has covered before.

6. Validation

Moving Beyond Compliance

Security teams need to focus beyond just compliance and evolve toward a critical consciousness where validation of cyber risk and exposure is a key aspect of everyday business. Collective risk-based management goes beyond the infrastructure of an organization and begins to measure and validate any connected entity. One cannot assume that the organizations you do business with have mature vulnerability management programs. Vulnerabilities are rapidly weaponized, gain adversarial popularity, and are used indiscriminately against exploitable targets. Business will move from “Hey, I’ve been breached,” to validating how vendors, third parties, APIs, and connected services affect the security posture of their business. With a clear and transparent way to make fact-based decisions about cyber risk, everyone within a community or ecosystem will have a way to measure, validate, and decide if they are willing to accept or deny the risk.


LEADERSHIP IN CYBER RISK

Core to the RiskSense vision is the expertise of its founders, management team, and a highly experienced and well-certified penetration testing team.

Dr. Srinivas Mukkamala, RiskSense CEO and Co-Founder

Dr. Srinivas Mukkamala is a recognized expert on artificial intelligence (AI) and neural networks, and part of a think tank that collaborated with the U.S. Department of Defense and U.S. Intelligence Community on applying these concepts to cybersecurity problems. Dr. Mukkamala was also a lead researcher for CACTUS (Computational Analysis of Cyber Terrorism against the U.S.) and holds a patent on Intelligent Agents for Distributed Intrusion Detection System and Method of Practicing.

Srinivas previously co-founded CAaNES, a spin-off from New Mexico Tech-ICASA that focuses on proactive and reactive intelligent risk analytics, vulnerability management solutions, red teaming, malware analytics, and Web 2.0 and application security. Under Dr. Mukkamala’s leadership, CAaNES assisted over 300 entities in NM, CO, CA, TX, AZ, UT, NJ, WI, and AR. Dr. Mukkamala received his Bachelor of Engineering in Computer Science and Engineering from University of Madras, and his M.S. and Ph.D. in Computer Science from New Mexico Tech.

RiskSense Pen Testing Team

RiskSense’s highly-trained pen testing team provides a wide range of certifications and expertise to RiskSense customers. Current certifications include:

• GIAC Penetration Tester (GPEN)
• GIAC Web Application Penetration Tester (GWAPT)
• EMC Data Scientist Associate (EMCDSA)
• MicroStrategy Certified Developer (MCD)
• CompTIA Mobile App Security+
• x64 Linux Assembly Expert (SLAE64)
• PCI Approved Scanning Vendor (PCI ASV)
• Mountain Goat Certified Agile Scrum Master
• Mountain Goat Certified Agile Product Owner


Brochure_TheFutureofTVMtoControlCyberRisk_20190710

About RiskSense

RiskSense®, Inc. provides vulnerability management and prioritization to measure and control cybersecurity risk. The cloud-based RiskSense platform uses a foundation of risk-based scoring, analytics, and technology-accelerated pen testing to identify critical security weaknesses with corresponding remediation action plans, dramatically improving security and IT team efficiency and effectiveness. For more information, visit www.risksense.com or follow us on Twitter at @RiskSense.

Contact us today to learn more about RiskSense. RiskSense, Inc. | +1 844.234.RISK | +1 505.217.9422 | www.risksense.com

© 2019 RiskSense, Inc. All rights reserved. RiskSense and the RiskSense logo are registered trademarks of RiskSense, Inc.