Moving from Vulnerability Remediation to Risk Measurement

Ed Bellis    June 6, 2016

Fighting security threats is hard enough, but it’s pretty much impossible if you’re fighting wrong battles. However, that’s what you’re doing if you’re focused on vulnerability remediation.

I see it all the time: Security teams live by their spreadsheets. They have lists of vulnerabilities. They stack rank them by severity, start with the most critical, and commence to work through the list.

The problem? All this effort is being expended without a clear understanding of real business risk. Therefore, critical questions remain unanswerable: Where is risk now and where was it before? Where does the risk level need to be? Are we making progress?

In this paper, I’ll detail some common problems I’ve seen security teams encounter when they focus on vulnerability remediation. These cases provide a very vivid illustration of the limitations and risks of focusing on vulnerability counts—and they underscore how much better things can be for organizations that are taking a holistic risk measurement approach.

Problem #1: Focusing on the Wrong Metrics

The security team at Acme Corporation runs their monthly vulnerability scan report and sees the environment contains 500,000 vulnerabilities. Through an “all-hands-on-deck” effort of late nights and concerted focus, they close out 50,000 vulnerabilities before the next month is out. Great work, right? Not so much. The next monthly report comes out and they see there are now 525,000 vulnerabilities.

What’s next, more coffee and even later nights? The reality is that without making significant additions to headcount, it will most likely be impossible for Acme to make a meaningful dent in vulnerability numbers each month.

While these numbers are depressing in their own right, I’d argue they’re the least of the Acme’s problems. Ultimately, the focus is all wrong. Even if they could make a significant dent in vulnerability counts, a critical question remains: Has risk been reduced at all, and, if so, to what degree?

Contrast this reality with Acme after they start taking a risk measurement approach.

The team starts with a focus on assets, and works back from them to identify threats and determine how to guard against them. Every day, their efforts are dedicated to reducing risk, and they’re clear on the steps that will be most effective in realizing that objective. They may still have 500,000 vulnerabilities open. Even if total vulnerabilities rise, risk will tend to be going down because staff is focusing on the most critical areas of exposure. The team can prioritize efforts and track progress against meaningful objectives. Ultimately, staff can be more effective at what matters most: reducing risk to the business.

Problem #2: Ignoring Assets

The reality for any security professional is that there are always more tasks than hours in the day. The trick is trying to figure out which tasks to prioritize, and which to ignore.

Historically, when staff members were weighing priorities, not much attention was given to Acme’s public facing web site, which delivers publicly available technical resources to electronics consumers. While Acme requires visitors to register to access the site, they don’t charge site users or collect any payment information.

Acme’s leadership team doesn’t feel that their site and assets are likely targets, so they don’t want to allocate a lot of their limited IT budget and staff time to securing these online resources. Acme’s security team had plenty of other tasks to juggle, so they didn’t argue.

The problem is that given their site’s popularity, they’ve ultimately amassed a registered user base of 100 million, including email addresses and other personal information. Further, their site is routinely visited by thousands of unique visitors every day. Because they’re focusing on vulnerability remediation, the security team and executive leadership haven’t recognized the value of the assets associated with their online properties.

While the site’s value may be overlooked internally, it represents an appealing target for those who are constantly looking for user machines to compromise. The bad guys may launch a series of exploits to gain access to user emails, so they can launch a series of phishing attacks. Or, lured by the large volume of visitors, the criminals may exploit a persistent cross-site scripting vulnerability on Acme’s web servers that enables them to infect site visitors’ systems. Once they’ve infected enough machines, they may start creating botnets to launch DDoS attacks. Staff members don’t take the steps needed to guard against these types of attacks, and they’re incapable of stopping them when they happen.

By contrast, when Acme’s security team takes a risk measurement approach, they look at risk holistically, employing techniques like threat modeling. That means factoring in not only vulnerabilities, but Acme’s assets, and the types of threats they’re exposed to. Through threat modeling, they’ll do an objective analysis of the value that data, systems, and users may have to an attacker. They’ll also assess how sites and applications are used, the number of users, the types of attacks being waged against other organizations, critical vulnerabilities discovered on specific systems, and a number of other factors.

Through risk measurement, the security team can gain a much more complete picture of the most critical threats facing their business. Perhaps even more importantly, they’ll be able to gather objective analysis of threats and overall risk, so they can report effectively to executive leadership, and ensure investments are aligned with security priorities.

Problem #3: Investing Time and Money on the Wrong Efforts

After running a scan, John, an administrator at Acme, finds there are 10 vulnerabilities on a given system: one critical, two high, and seven low. Because John and his management team have a vulnerability-count mindset, he focuses on closing those seven low-priority issues and claims victory to his superiors: Vulnerabilities were reduced by 70 percent.

The problem is that John may not have reduced risk much or at all—and a lot of time, effort, and money went into that lack of accomplishment.

Once the team at Acme employs a risk measurement approach, things change substantially. By factoring in exploit threat intelligence, for example, they may find that, of the 10 vulnerabilities referenced earlier, one of the high-priority vulnerabilities is the one that’s currently being exploited most frequently by a sophisticated adversary. By closing that one vulnerability, John may reduce total risk by 70%, while spending far less time and money on remediation.

Conclusion: The Risk Measurement Payoff

By moving from a focus on vulnerability remediation to risk measurement, organizations can reduce business exposure in two ways. First, they can reduce the likelihood of a breach. Second, they can minimize the potential impact of a breach should one occur.

I once heard a CISO say, “We can’t work any harder, we have to work smarter.” Fundamentally, risk measurement provides a way for security teams to work smarter. They can focus their time, budget, and resources on what matters most: reducing risk. Risk measurement also provides teams with a centralized way to accumulate, analyze, and report on risk, which helps significantly improve operational efficiency.

Risk Measurement Can Take a Lot of Effort—Kenna Can Help

While it’s easy to see how risk measurement can help, that doesn’t make it easy to do. A lot of intelligence needs to be correlated to do risk measurement right, and Kenna can help. Kenna automates much of the effort associated with aggregating and parsing intelligence, so security teams can much more easily measure risk and determine the most significant and efficient ways to reduce risk. By combining Kenna with best practice threat modeling approaches, organizations can employ their resources most intelligently to reduce the likelihood and potential impact of breaches.

Leave a Reply

Your email address will not be published. Required fields are marked *