Cyber security professionals are overwhelmed by the volume and complexity of vulnerabilities they must protect against. The solution is to mitigate the risk where it matters most through prioritisation and continuous exposure management.
This is according to security expert Kris Budnik, Founder and Director of Tilt Advisory, which specialises in helping organisations make more efficient use of technology solutions such as Skybox continuous exposure management tools.
Budnik says: “There are millions of vulnerabilities. Even a mid-sized organisation will face tens of thousands of vulnerabilities. It’s immediately overwhelming. It is important to be able to put context around the vulnerabilities – what assets they are on, how critical the vulnerabilities are and what risks these exposures present to the business.”
However, achieving this perspective isn’t a simple matter when the organisation is dealing with tens of thousands of weaknesses, doesn’t know what it should be protecting and rates every vulnerability based on a worst-case scenario, he says.
“There is a temptation by the risk-averse to want to protect everything all the time – but this is unrealistic. Vulnerabilities are infinite, but resources aren’t, so those two will never meet,” he says. “Spending too heavily trying to mitigate all risk and address all worst-case scenarios can be as damaging for the organisation as ignorance and failing to mitigate risk.”
Balancing the portfolio
Budnik advises organisations to seek a balanced portfolio that both avoids wasting resources and leaving key areas exposed.
“Having context and a good understanding of the environment is key to balancing the portfolio and spending finite resources where they are most needed,” he says. “You want to be as safe as you can afford to be.
“Making balanced decisions without contextual information becomes reactive to the most recent threat or the loudest voice – like their latest external audits. Organisations need to avoid being driven to action by a party that also doesn’t understand the context, threats and risks to the environment,” he says.
Another challenge is that security professionals rarely come from a business background, he adds. “Mostly they come from the tech space and often lack curiosity around the business. Generally, I find this leads to a lack of understanding of what they are trying to protect. It may be glossed over or buried in generalisations such as ‘we must protect data or servers’. This is too vague. You need to ensure that you protect a particular process that enables the business to meet its goals.”
Context and prioritisation
Budnik says solutions that support asset scoping and prioritisation, and vulnerability discovery and prioritisation, help organisations understand how much is enough, and stop when their security is good enough.
“Solutions like Skybox bring intelligence and support decision-making when addressing top exposures,” he says.
He notes that while these advanced technologies support organisations, security and business teams will still need to identify which assets are critical and how they interact with each other, and understand all the context around the impact of potential exposure.
Budnik adds that organisations do not need to wait until all preparatory work has been done before deploying solutions to support threat exposure management. “You don’t need to wait for everything to have been done perfectly before harnessing it. These solutions learn and improve iteratively, so nothing stops you from adding context and information over time and improving its performance. You don’t need to wait until all your ducks are in a row before you make the move.
“There is an out-of-the-box value in deploying technology like this – and often that’s where it stays. However, organisations planning to deploy such technologies should bake into the process the ability to unlock their full potential – not just the out-of-the-box value,” Budnik says.
“There are tools to support discovery of assets, but there’s no avoiding the effort you must put in to understanding what you are protecting,” he says. “To unlock the potential of the technology, it also needs to be informed of the context, so that whatever rules it applies are done in the context of the information you provided. The technology assumes you know your environment and have done the preparation.
“You also need to teach the system to give you less noise: the more sharply defined questions are, the more pointed the answers will be and the better protection value you will get,” he says.
You can download the Skybox Security Vulnerability Solutions Buyer’s Guide here.
Share