This is the second post in a three-part series on Agile Risk Intelligence. The complete Agile Risk Intelligence e-book is now available.
The thump from the far corner of the house reaches a mother’s ears. Before she is even aware of it, her subconscious begins to instinctively collect, correlate and process additional information. Honed by millions of years of evolution and fine-tuned by years of her own parenting experience, she quickly determines that the noise is important, somewhat urgent, but highly unlikely to be life threatening. By the time she has consciously stood up and begun the walk to the baby’s room, she has already noticed small sounds coming from the room such as squeaks and baby talk, not cries. There have been no screams, and she has a pretty good idea of what she will find there. A small grin shows up on her face.
Unfortunately, security managers don’t have the same evolutionary advantage, the same highly tuned correlation engine, or the ability to quickly process, decide and decisively act. We’ve only been fighting IT alarms for a few decades, not many millennia. Security managers live in a world of constant information overload, and unlike the human brain, we have a hard time hearing the important “thump in the room” among the cacophony of alarms, alerts and severity rankings. As I mentioned in my previous post, in order to become agile, insightful and responsive, security management teams must close five capability and resource gaps. These gaps prevent insight and meaningful action, leaving teams with an unsustainable choice: over-respond to every possible issue, depleting and burning out already scarce resources, or miss real risks and leave the organization exposed to loss. Security managers must close these gaps and move from inefficient instinctive action to agile and responsive insight.
The five gaps are: 1) Lack of Risk Context, 2) Lack of Global Risk Visibility, 3) Lack of Closed-Loop Processes, 4) Lack of Time & Resources and 5) Lack of Toolsets. Let’s take a quick look at each of these:
Lack of Risk Context – Today, organizations deploy many security tools and scanners. Up and down the stack, they identify vulnerabilities, weaknesses and patch levels. They typically then rank these based on an expert opinion of severity. However, each of these tools does so in isolation from the others and from the actual deployment environment in which it exists. With tens of thousands of nodes scanned, and thousands of alerts and notifications without context—such as network topology, relationships between elements, and compensating controls—the signal-to-noise ratio is extremely poor, and the ability to prioritize based on true risk is limited at best.
Lack of Global Risk Visibility – Even if local context is good, the lack of global visibility outside of the organization creates significant challenges. Vulnerabilities rated as low severity may be on the verge of being exploited. Global visibility can provide early warning signs of escalating risk. Without this type of early-warning, long-range “doppler radar,” security managers are slower to react than they need to be.
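As an added illustration (not code from the original post or its e-book), here is how the prioritization described in the two gaps above could look: a scanner’s isolated severity rescaled by local context (internet exposure, sensitive data, compensating controls) and by a global feed of vulnerabilities being exploited in the wild. The weights, node names and VULN-* ids are constructed assumptions, not real identifiers.

```python
from collections import namedtuple

# A scanner finding as reported in isolation (severity 0-10) and the local
# context the scanner does not know about. Field names are this example's own.
Finding = namedtuple("Finding", "node vuln_id scanner_severity")
NodeContext = namedtuple("NodeContext", "internet_facing sensitive_data controls")

# Weights are assumptions chosen for illustration; tune them to the environment.
EXPOSURE_WEIGHT = 1.5    # node is reachable from the internet
DATA_WEIGHT = 1.3        # node holds sensitive data
CONTROL_DISCOUNT = {"segmented": 0.5, "waf": 0.7}  # compensating controls
EXPLOITED_WEIGHT = 2.0   # global visibility: exploitation observed in the wild

def contextual_risk(finding, ctx, exploited_in_wild):
    """Rescale the scanner's isolated severity with local and global context."""
    score = finding.scanner_severity
    if ctx.internet_facing:
        score *= EXPOSURE_WEIGHT
    if ctx.sensitive_data:
        score *= DATA_WEIGHT
    for control in ctx.controls:
        score *= CONTROL_DISCOUNT.get(control, 1.0)
    if finding.vuln_id in exploited_in_wild:
        score *= EXPLOITED_WEIGHT
    return round(score, 2)

def prioritize(findings, contexts, exploited_in_wild):
    """Order findings by contextual risk, highest first."""
    scored = [(contextual_risk(f, contexts[f.node], exploited_in_wild), f)
              for f in findings]
    scored.sort(key=lambda pair: pair[0], reverse=True)
    return [(f.node, f.vuln_id, score) for score, f in scored]

# Constructed sample data; VULN-* ids are placeholders, not real identifiers.
FINDINGS = [Finding("db-01", "VULN-A", 9.8), Finding("kiosk-07", "VULN-C", 7.5),
            Finding("web-02", "VULN-D", 5.5), Finding("web-01", "VULN-B", 4.3)]
CONTEXTS = {"db-01": NodeContext(False, True, {"segmented"}),
            "kiosk-07": NodeContext(False, False, set()),
            "web-02": NodeContext(True, False, set()),
            "web-01": NodeContext(True, False, {"waf"})}
EXPLOITED = {"VULN-B"}  # constructed early-warning feed from global visibility

if __name__ == "__main__":
    for node, vuln, score in prioritize(FINDINGS, CONTEXTS, EXPLOITED):
        print(f"{node:9} {vuln}  contextual risk = {score}")
```

With this data the scanner’s own order (db-01 first, web-01 last) is reversed: the low-severity but internet-facing, actively exploited finding rises to the top, while the critical but segmented database finding drops to the bottom.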
Lack of Closed-Loop Processes – Many large organizations have a significant separation of duties between those tasked with finding and assessing risk and those who need to fix it. While security managers may flag high-risk situations, they often lack the ability to escalate, confirm and verify fixes. This lack of process integration slows agility and creates inefficiencies, undue risk and audit exposure.
Lack of Time & Resources – Given the lack of context, visibility and closed-loop process, it’s no wonder that time and resources are stretched to the breaking point. To do their job, teams must overcome the gaps outlined above. They try to do so by jamming together context and visibility using spreadsheets, emails and instinct. They do a good job with what they have, but are stuck in the hamster wheel of pain.
Lack of Toolsets – Teams lack the tools to deliver Agile Risk Responsiveness. They cannot build correlation rules, integration layers and processes fast enough with the tools they have. The scanning tools lack global and even local context, and integrating each one separately with the others and into a process engine is time consuming and fragile. Security managers are in desperate need of a toolset that delivers integrated context, global visibility and closed-loop process management.
Security managers need to find new approaches and solutions to deliver better intelligence and action in order to more effectively manage risk and reduce exposure. Any set of investments should close the gaps of context, visibility, process, time and resource, and toolsets, in order to move management from instinct to insight.
As the mother enters the baby’s room, she sees exactly what she expects. Her precious 20-month-old is sitting in the middle of the room, having flipped himself over the side of the crib. He looks at her and smiles. She smiles back, and goes to get the screwdriver so she can “close the loop” and lower the crib bed as she had been planning to do for a few weeks.