Fortifying security posture: Taking a risk-centric approach

Shantanu Srivastava

Vulnerabilities are proliferating at an unprecedented rate and threat actors are leaving no stone unturned to take advantage of them with a range of new malware and exploits. The threat intelligence analysts at Skybox security also observed a 24 per cent jump in new vulnerabilities exploited in the wild last year.

The Cybersecurity and Infrastructure Security Agency (CISA) alert issued in April 2022 reinforces these findings: “Globally, in 2021, malicious cyber actors targeted internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities. For most of the top exploited vulnerabilities, researchers or other actors released proof of concept (POC) code within two weeks of the vulnerability’s disclosure, likely facilitating exploitation by a broader range of malicious actors.”

Prioritise active threats and exposure

While this may sound contradictory, but fixing all vulnerabilities is likely unnecessary for most organisations. Moreover, large organisations battling with millions of vulnerabilities find it almost impossible to immediately fix all flaws identified by traditional vulnerabilities scanners.

Also Read | Cyber-resilient network builds upon the inherent reliability of networking

Traditional approaches to understanding the severity of vulnerabilities rely almost exclusively on the Common Vulnerability Scoring System (CVSS). However, the CVSS only provides a generic picture and does not consider how the vulnerability could be exploited within a specific network. As a result, organisations are left dealing with a massive list of vulnerability alerts with little to no visibility into how they should be prioritised based on specific security controls and configurations.

Risk-based approach adopted by 48 per cent of organisations with no breaches

Although cybersecurity breaches rose dramatically year-over-year, the good news is that 48 per cent of organisations with no breaches took a risk-based approach. Ingredients of this risk-based approach include:

1. Attack surface visibility and context
2. Attack simulation
3. Exposure analysis
4. Risk scoring
5. Vulnerability assessments

These capabilities are the foundation of proactive security posture management. They provide organisations with a level of understanding—of their attack surface, their greatest risks, and how to manage them—that has been sorely lacking in traditional approaches. Cybersecurity leaders are now embracing the fact that not all vulnerabilities are created equally. Actual risk reduction rather requires focusing on eliminating the threats that matter. This new way of thinking enables SecOps to ruthlessly prioritise the vulnerabilities that matter for remediation and quantifiably reduce risk.

Cyber Risk = Exploitability x Exposure x Asset Importance x Financial Impact

For a comprehensive risk score, consider adding these elements to the static CVSS:

Exploitability: Are threat actors exploiting the vulnerability in the wild?
Exposure: Are existing security controls protecting the vulnerable asset?
Asset Importance: Is the asset mission critical? Would it expose sensitive data?
Financial Impact: How much will it cost your business per day if the system is compromised?

Also Read | Cybersecurity will become a productivity enhancer and not an enigma

To battle the side effects of digital transformation and modern cybercrime strategies, it’s best to embrace breach prevention. That means focusing on active threats that are accessible to adversaries and have the potential to devastate your business financially – instead of the millions of vulnerabilities that aren’t even exposed.

Cyber risk modeling empowers security teams to pinpoint the risks that matter and eventually prioritise remediation where it’s genuinely needed. Risk-based metrics can also be tracked over time to prove the value of your cybersecurity program. These modern strategies provide a foundation for improving any security program, especially those charged with protecting complex environments and proactively securing digital transformation.

Views Expressed by – Shantanu Srivastava, Vice President – Sales, APAC at Skybox Security

Elets The Banking and Finance Post Magazine has carved out a niche for itself in the crowded market with exclusive & unique content. Get in-depth insights on trend-setting innovations & transformation in the BFSI sector. Best offers for Print + Digital issues! Subscribe here➔ www.eletsonline.com/subscription/

Get a chance to meet the Who's who of the NBFCs and Insurance industry. Join Us for Upcoming Events and explore business opportunities. Like us on Facebook, connect with us on LinkedIn and follow us on Twitter, Instagram & Pinterest.