HOW TO PRIORITIZE CYBERSECURITY RISKS: A PRIMER FOR CISOS
CONTENTS
Intro 3
Most CISOs will experience a breach on their watch 4
Problem #1: The attack surface is expanding 4
Problem #2: CISOs lack visibility into and across information assets 6
Problem #3: Digital transformation creates cyber risk 7
Operational reasons CISOs lack visibility 8
Vulnerabilities are growing and attackers have the advantage 9
How CISOs prioritize vulnerabilities today 10
Step 1 is visibility across all assets 11
How CISOs should prioritize vulnerabilities 12
Conclusion 14
Intro
CISOs and other security leaders know they can’t find and fix every vulnerability. Yet, that’s what boards of directors, CEOs and other C-suite members expect them to do.
Vulnerabilities continue to lurk in physical and virtual assets, and CISOs lack complete knowledge of their existence. They also don’t have a means of assessing emerging threats or the relative business risk associated with a given vulnerability. Even if CISOs could provide IT Ops with a list of every vulnerability that needs to be patched, IT Ops wouldn’t be able to comply because the volume of vulnerabilities is simply too overwhelming. Moreover, IT Ops is largely focused on keeping systems up and running – not causing disruptions or delays, which patching is prone to do. Sooner or later, a failure will occur and the CISO will be held responsible.
So, what’s a CISO to do? The short answer: They have to work smarter, not harder. To do that, they need to reduce the vast universe of potential vulnerabilities down to a subset of the vulnerabilities that matter most. Using CVSS scores to prioritize is a good start, but it isn’t enough to address the complexity of today’s attack surface. This ebook explains the other elements required for CISOs to gain a clear outlook on their organization’s true business risk, so they can prioritize their efforts accordingly.
“Through 2021, the single most impactful enterprise activity to improve security will be mitigating vulnerabilities.”1 – Gartner
Most CISOs will experience a breach on their watch
There are no guarantees in cybersecurity. Yet, CISOs are assessed based on how they manage breaches. According to a 2018 survey conducted by the Ponemon Institute, 91% of organizations have experienced at least one damaging cyberattack over the past two years.2
Are you confident you can prove you took proper steps to protect your organization’s assets?
Problem #1: The attack surface is expanding
Many security teams say their greatest challenge is simply seeing all the assets in their environment. Legacy tools haven’t kept up with the new technologies adopted by IT and the various lines of business. Further, as the mix of technology becomes more complex, adversaries have a larger attack surface to probe and exploit.
Think of your security team standing at the bottom of this graphic (see Figure 1 on next page) looking up across all your company’s IT assets – and struggling to track the laptops, cloud deployments, containers, IoT systems and more.
Here’s the problem: Adversaries can see everything and will attack you wherever they find a weak link. This drives up the cybersecurity risk to the business.
91% of organizations have experienced at least one damaging cyberattack over the past two years.2
A fair question: “How many vulnerabilities do we have?”
A better question: “Which vulnerabilities pose the greatest risk?”
Asset: Description
Server, desktop, and network infrastructure: Security practices are mature, but not perfect
Web apps: Software dependencies
Mobile devices: Hardware, software, network and app diversity; all are literally mobile
Laptops: Uncontrolled use such as connecting to public Wi-Fi, and laptops not connected to the corporate network that can’t be monitored
Containers: Ephemeral nature, immaturity of container security
Enterprise IoT:
• May be physically vulnerable
• May be capable of compromising core systems
• May be controlled remotely
• May have embedded software that lacks appropriate security
• May run critical real-world processes and tasks
• Attacks may breach the kinetic barrier through to the physical world
Legacy ICS/SCADA:
• May be physically breached or controlled by someone with apparent authority
• May be remotely controllable
• Depending on age, may lack any type of built-in security
Figure 1. Today’s modern attack surface
Problem #2: CISOs lack visibility into and across information assets
IoT, cloud, mobile, DevOps – your attack surface grows exponentially with the breakneck speed of digital transformation. In the cloud, containers spin up and down, living minutes – often seconds. Meanwhile, 9 billion IoT devices are expected to inundate the enterprise by next year. It’s no easy battle. You need visibility into every vulnerability – you need a foundation to win.
CISOs and their organizations need a single source of truth that reveals all their IT assets and surfaces key insights.
“Risk is always present. It’s the lack of visibility and intelligent management of risk that can be catastrophic.”3 — Gartner
Asset: Description
Server, desktop, and network infrastructure: Visible, but patching everything isn’t possible
Web apps, mobile, laptop: Inconsistent visibility
Containers: No visibility or inconsistent visibility
Enterprise IoT: No visibility or inconsistent visibility
Problem #3: Digital transformation creates cyber risk
Most organizations are executing some kind of digital transformation strategy. According to a 2018 digital transformation survey conducted by Tech Pro Research, 70% of survey respondents said their companies either have a digital transformation strategy in place or are working on one.4
CISOs lack visibility into everything. Here are some of the forces at play:
Cloud
• Dramatically increases an organization’s attack surface
• CISOs lack visibility into cloud assets
• On-prem and cloud-specific solutions only provide siloed visibility
Shadow IT
• CISOs and IT lack visibility into assets
• CISOs and Legal lack insight into terms and conditions that may violate security policies, laws and regulations
Hyper-growth
• Fast asset acquisition may disregard product-related security risks
• CISOs and IT lack visibility into assets
Mergers and acquisitions
• CISOs cannot assess the actual inventory
• Consolidation may cause lost or hidden assets
Remote employees/road warriors
• Assets may be lost, stolen or compromised
• Lack of company ownership may preclude visibility
• If a tracking agent isn’t installed, asset usage may violate company policies
• Often use dynamic IP addresses
• Connect to public Wi-Fi for convenience
New assets are constantly entering the organization. CISOs are responsible for security breaches, regardless.
Operational reasons CISOs lack visibility
Limited resources
• Security team is small. Modern security requires such a broad and varied set of skills and expertise that security teams inevitably have gaps.
• Finding and retaining security staff is difficult.
IT disconnects
• CMDB data is often outdated.
• Firewalls are preventing network scans.
• IT Ops can’t patch software fast enough.
• The relationships between IT and IT Ops can be contentious.
Limited budgets
• Budgets can’t keep pace with evolving threats.
• It’s not just the cost of buying the technology; the technology has to be managed and maintained.
• Proving ROI can be hard.
No aggregation layer
• Security technologies lack a common language.
• Missing integration and interoperability mean that security domains live in isolated silos.
• There’s no single source of truth that provides visibility into everything.
Figure 2. Organizational challenges compound the problem
Prioritizing threats makes security and IT Ops more efficient. CISOs can focus on the vulnerabilities that matter most to the business and demonstrate better ROI on cybersecurity investments.
Vulnerabilities are growing and attackers have the advantage
Vulnerabilities are growing. More than 25% of them are classified as Critical or High.5 But only 10% of all vulnerabilities have known exploits.
In Tenable Research’s recent report, Quantifying the Attacker’s First-Mover Advantage, they analyzed the 50 most prevalent critical and high-severity vulnerabilities from just under 200,000 vulnerability assessment scans over a three-month period. What did they find?
Alarmingly, all too often, the attackers have the advantage. On average, they have a seven-day head start on defenders. Threat actors are sprinting ahead, exploiting vulnerabilities before security teams have even left the starting blocks – before businesses even know they’re at risk.
How CISOs prioritize vulnerabilities today
Challenges
Focus
• CISOs focus on Critical vulnerabilities
• Hackers know that, so their focus includes High and Medium exploits
Context
• What are hackers focusing on now?
• Which vulnerabilities would have the most severe business impact?
• Is an employee, contractor or customer using the asset?
• Is the asset involved in running a critical business process?
Vulnerability-to-exploit relationship
• Vulnerability-to-exploit ratio: There’s a vulnerability, but are attackers targeting it?
• Emerging methods hackers plan to use – and are using – to bridge the gap
“65% of surveyed organizations say they find it difficult to prioritize what needs to be patched first.”6 – Ponemon Institute
Figure 3. Prioritization using CVSS scores
Step 1 is visibility across all assets
CISOs need complete visibility into all their company’s IT assets, both physical and virtual. Without that, it’s impossible to understand the actual scope of vulnerabilities and take appropriate remedial action.
In the absence of a platform capable of providing that level of visibility, CISOs are constrained by budget, resources and the ephemeral nature of virtual assets.
IoT devices and cloud assets compound the problem because CISOs might not have relationships with the business leaders whose lines of business use them, whether they’re medical devices or sensor-based equipment operating in the field. Yet, those IoT devices are connected to the Internet and may be compromised.
In short, the modern attack surface has created a massive gap in an organization’s ability to truly understand their Cyber Exposure.
The assets in red can’t be seen and analyzed effectively with traditional vulnerability management tools. This represents the Cyber Exposure gap. The larger the gap, the greater the risk of a business-impacting cyber event occurring.
Opportunistic attackers focus on a subset of vulnerabilities. Identifying those vulnerabilities should be your first priority. Here’s how to do it.
Figure 4. Organizations face a Cyber Exposure gap
How CISOs should prioritize vulnerabilities
CVSS scores alone are not adequate. You need a risk-driven approach that prioritizes critical assets and vulnerabilities known to be targeted by attackers.
Cyber Exposure analysis and scoring weighs vulnerabilities, threat data and the asset’s business value and criticality, giving you clear guidance about where to focus remediation efforts based on risk. Instead of being limited to raw vulnerability data, you can manage by context-relevant Cyber Exposure scoring, allowing you to prioritize remediation according to the actual risk to your organization.
Vulnerability Data + Threat Intelligence + Asset Criticality = Cyber Exposure Risk Score
Cyber Exposure risk scores enable CISOs to focus their efforts.
“Prioritization of vulnerabilities is also essential—for example, based on scanner scores or CVSS scores as well as understanding the business importance of the affected system. By integrating threat intelligence, security teams can factor in whether a vulnerability has been weaponized or is part of an active campaign.”6 – Ponemon Institute
Vulnerability Data
• How critical is the vulnerability?
• Have we looked everywhere?
Threat Intelligence
• Is the vulnerability currently being exposed?
• How probable is it that a vulnerability will be exploited in the future?
Asset Criticality
• What are the characteristics of the asset?
• What’s the potential risk to the business if the asset isn’t protected?
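As an added illustration (not the ebook’s or Tenable’s own scoring method), the following Python ranks a constructed set of scan findings first by CVSS alone and then by a simple exposure score that multiplies the three inputs above; the weights, the 1–5 asset criticality scale and the VULN-n identifiers are assumptions. It also shows the “shrink the scope” step, keeping only findings for which a known exploit exists.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    vuln_id: str              # constructed label, not a real CVE identifier
    cvss: float               # CVSS base score, 0.0 to 10.0
    exploit_known: bool       # threat intelligence: a public exploit exists
    actively_exploited: bool  # threat intelligence: seen in live campaigns
    asset: str
    asset_criticality: int    # assumed scale: 1 (disposable) .. 5 (critical business process)


def threat_multiplier(f: Finding) -> float:
    """Assumed weighting: exploited in the wild > exploit available > neither."""
    if f.actively_exploited:
        return 3.0
    if f.exploit_known:
        return 2.0
    return 1.0


def exposure_score(f: Finding) -> float:
    """Vulnerability data x threat intelligence x asset criticality (assumed formula)."""
    return round((f.cvss / 10.0) * threat_multiplier(f) * f.asset_criticality, 2)


def rank_by_cvss(findings):
    """CVSS-only ordering, the practice the ebook says is not adequate on its own."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def rank_by_exposure(findings):
    """Context-aware ordering: a Medium with an active exploit on a critical asset can outrank an unexploited Critical on a test box."""
    return [f.vuln_id for f in sorted(findings, key=exposure_score, reverse=True)]


def shrink_scope(findings):
    """Keep only the subset attackers can actually use: findings with a known exploit."""
    return [f for f in findings if f.exploit_known]


# Constructed sample scan results.
FINDINGS = [
    Finding("VULN-1", 9.8, False, False, "qa-test-vm", 1),
    Finding("VULN-2", 7.5, True, True, "payments-db", 5),
    Finding("VULN-3", 5.3, True, True, "vpn-gateway", 4),
    Finding("VULN-4", 9.1, False, False, "dev-laptop", 2),
]

if __name__ == "__main__":
    print("CVSS only:", rank_by_cvss(FINDINGS))
    print("Exposure :", rank_by_exposure(FINDINGS))
    for f in shrink_scope(FINDINGS):
        print(f.vuln_id, f.asset, exposure_score(f))
```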
Focus: CISOs can focus on the subset of vulnerabilities that would have the greatest business impact.
Resource allocation: Prioritizing vulnerabilities requires fewer resources – and resources can be allocated more effectively.
Figure 5. The Key to Prioritization – Shrinking the Scope
Conclusion
Most CISOs are able to say that X many people are working on Y number of cases or that their company has Z number of critical vulnerabilities open. How do those numbers translate to a lesser likelihood that the company will be breached? They don’t.
Reducing numbers alone does not lower cyber or business risk. Minimizing the vulnerabilities that matter is what makes the difference. Want to learn more?
Watch the Predictive Prioritization webinar
1. Gartner Security and Risk Management Summit 2018 Presentation, “Fix What Matters: Provide DevOps Teams With Risk-Prioritized Vulnerability Guidance,” Dale Gardner, June 4-7, 2018.
2. http://lookbook.tenable.com/ponemonreport/ponemon-report-2018
3. Gartner, “Seven Imperatives to Adopt a CARTA Strategic Approach,” April 2018.
4. https://www.zdnet.com/article/survey-despite-steady-growth-in-digital-transformation-initiatives-companies-face-budget-and-buy-in/
5. Tenable.io analysis based on NVE data.
6. Ponemon Institute, “Today’s State of Vulnerability Response: Patch Work Demands Attention.”
7021 Columbia Gateway Drive Suite 500 Columbia, MD 21046
North America +1 (410) 872-0555
www.tenable.com
COPYRIGHT 2019 TENABLE, INC. ALL RIGHTS RESERVED. TENABLE, TENABLE.IO, TENABLE NETWORK SECURITY, NESSUS, SECURITYCENTER, SECURITYCENTER CONTINUOUS VIEW AND LOG CORRELATION ENGINE ARE REGISTERED TRADEMARKS OF TENABLE, INC. TENABLE.SC, LUMIN, ASSURE, AND THE CYBER EXPOSURE COMPANY ARE TRADEMARKS OF TENABLE, INC. ALL OTHER PRODUCTS OR SERVICES ARE TRADEMARKS OF THEIR RESPECTIVE OWNERS.
01/07/19 V02