Attacks/Breaches

1/2/2018
10:30 AM
Renaud Deraison
Commentary

The Argument for Risk-Based Security

A scanner can identify a vulnerability, but only a deep understanding of cyber exposure will tell you about the seriousness of that risk. Here's how and why.

There's a strange paradox about business today. Technology, which has long been its most powerful enabler and accelerant, has emerged as business's biggest, but largely invisible, threat.

I'm not talking about the latest apocalyptic fantasy about artificial intelligence, but rather the exploding by-product of business in the age of cloud computing and the Internet of Things (IoT): data. As IBM CEO Ginni Rometty recently declared, "Data is the world's new natural resource. It's the new basis of competitive advantage and it's transforming every profession and industry." Yet if all that is true, she argued, "then cybercrime, by definition, is the greatest threat to every profession, every industry, every company in the world."

It's a rational argument. Global cybercrime is predicted to cost $6 trillion annually by 2021, according to Cybersecurity Ventures, but it's not as existentially scary as Rometty makes it seem. Because almost every function of business has been digitized, today's cloud-powered companies are operating at incredible speed — and will only keep accelerating. What's more, billions of new IoT-enabled devices are baked into just about every facet of industrial technology, from power grids and wind turbines to break-room snack machines — all slinging data around the clock. We have unprecedented levels of security risk thanks to a rapidly expanding attack surface that now faces virtually every company. No wonder it takes over six months today for most companies to even detect a data breach. And, as we've seen with the latest Uber breach, businesses may take months to a year to disclose a breach to the public even after it is detected.

What companies lack today is accurate, real-time visibility of the dynamic attack surface. Traditional security tools were built for long-gone fixtures such as client-server technology, on-premises data centers, and linear software development cycles. Modern IT thinks in terms of minutes when it comes to release cycles. (In just two years, according to a recent study by Cisco, the number of third-party cloud applications in business has grown by a factor of 10 and more than 25% were deemed to be high risk.)

Additionally, a worst-case mindset tends to cloud more pragmatic executive decision-making. Companies often fixate on macro events like nation-state attacks when they are far more likely to be breached by a random malware attack like WannaCry. Companies too often don't take the simple measures to protect themselves as much as they should against the more likely threats.

How can executives shift into smarter, more holistic management of cyber-risk? It starts with focusing on the widening gap between threats and risks that are currently known (and thus under-represented) and true cyber exposure. Scanning the network for vulnerabilities or deploying multiple tools against the "threat of the week" is a one-size-fits-all approach that no longer aligns with reality. Mobile and IoT devices often operate under the radar for such security tools, as do public cloud resources, software-as-a-service applications, and industrial control systems.

In order for businesses to effectively manage their cyber exposure, here's what I recommend:

  • Determine, then focus on, your most critical needs. You can't afford to protect or respond to everything equally. What is most important to your organization? The old CIA standard (confidentiality, integrity, and availability) is still a good rule of thumb.
  • Double down on secure application design. The only way to make applications secure is to design them securely from the start. Careful attention needs to be given to the design process so that security is taken into account throughout; it can't be "sprinkled" on later using a Web app firewall.
  • Hire for soft skills, not just technical aptitude. When it comes to security, most roles are cross-functional and require you to exert influence on other stakeholders. This is because the most vulnerable or exposed systems are often not ones you own. Soft skills are essential to build alignment and consensus with a persuasive argument.
  • Get a better view of your external exposure. Points of connectivity and access between companies, partners, and customers get more complex every year. Getting a handle on the full extent of these exposures should be the foundation of understanding your true risks, and that requires benchmarking and establishing a strategic baseline.

Every aspect of business has risks that can be managed — and managed well. Cyber exposure is no different. Emerging technologies that provide a specific focus on a targeted piece of the attack surface (for example, operational technology or open source software), advanced security analytics, and enhanced, cross-functional operational workflow can help companies reduce their exposure and give business leaders greater confidence in managing risk based on quantitative and actionable measurements. A scanner can identify a vulnerability, but a true understanding of cyber exposure will analyze the seriousness of that risk, what might happen if you choose to accept it, and how severe the various possible outcomes of a breach might be.
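The closing argument above, that a scanner tells you a vulnerability exists while cyber exposure tells you how serious it is, together with the earlier advice to rank assets by the CIA standard, can be made concrete in code. The following is an added example written for this page; it is not Tenable's or Nessus's scoring method, and every asset, finding, weight and identifier in it is constructed. It takes scanner findings (a CVSS base score plus whether a public exploit exists) and asset context (criticality derived from confidentiality, integrity and availability impact, whether the asset is internet-facing, and whether a compensating control is in place) and produces an exposure-weighted ranking. The point it demonstrates is that the finding with the highest CVSS score is not necessarily the one to fix first.

```python
"""Exposure-weighted ranking of vulnerability scanner findings.

Added example, not code from the original article. All data below is
constructed for illustration; the weights are assumptions, not a standard.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int      # business impact of a breach of each CIA property, 1 (low) .. 5 (high)
    integrity: int
    availability: int
    internet_facing: bool     # reachable from outside the organisation
    compensating_control: bool  # e.g. network isolation or virtual patching already in place


@dataclass(frozen=True)
class Finding:
    finding_id: str           # placeholder id, not a real CVE
    asset: str
    cvss: float               # scanner-reported base score, 0.0 .. 10.0
    exploit_public: bool      # a working exploit is publicly available


def asset_criticality(asset: Asset) -> int:
    """Criticality is the worst-case CIA impact (assumption: max, not sum)."""
    return max(asset.confidentiality, asset.integrity, asset.availability)


def risk_score(finding: Finding, asset: Asset) -> float:
    """Scale the scanner severity by asset context.

    Multiplicative weights (all assumed for this example):
      - criticality/5 scales severity to the asset's business importance
      - x2.0 if the asset is internet-facing (larger, uncontrolled attack surface)
      - x1.5 if a public exploit exists (higher likelihood)
      - x0.5 if a compensating control already reduces exposure
    The result is a relative priority, not a CVSS-compatible score.
    """
    score = finding.cvss / 10.0
    score *= asset_criticality(asset) / 5.0
    score *= 2.0 if asset.internet_facing else 1.0
    score *= 1.5 if finding.exploit_public else 1.0
    score *= 0.5 if asset.compensating_control else 1.0
    return round(score * 10.0, 2)


def prioritize(findings: List[Finding], assets: Dict[str, Asset]) -> List[Tuple[str, str, float]]:
    """Return (asset, finding_id, score) tuples, highest priority first."""
    ranked = [(f.asset, f.finding_id, risk_score(f, assets[f.asset])) for f in findings]
    ranked.sort(key=lambda row: row[2], reverse=True)
    return ranked


# Constructed sample inventory: one critical public web app, a low-value
# vending machine, a sensitive but isolated HR database, and a developer laptop.
SAMPLE_ASSETS: Dict[str, Asset] = {
    "crm-web": Asset("crm-web", 5, 4, 5, internet_facing=True, compensating_control=False),
    "vending-machine": Asset("vending-machine", 1, 1, 1, internet_facing=False, compensating_control=False),
    "hr-db": Asset("hr-db", 5, 5, 3, internet_facing=False, compensating_control=True),
    "dev-laptop": Asset("dev-laptop", 2, 2, 1, internet_facing=False, compensating_control=False),
}

# Constructed scanner output: note that the highest CVSS score sits on the
# least important asset.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("F-1", "crm-web", 7.5, exploit_public=True),
    Finding("F-2", "vending-machine", 9.8, exploit_public=False),
    Finding("F-3", "hr-db", 9.8, exploit_public=True),
    Finding("F-4", "dev-laptop", 5.3, exploit_public=False),
]


if __name__ == "__main__":
    for asset, finding_id, score in prioritize(SAMPLE_FINDINGS, SAMPLE_ASSETS):
        cvss = next(f.cvss for f in SAMPLE_FINDINGS if f.finding_id == finding_id)
        print(f"{finding_id} on {asset:16s} cvss={cvss:4.1f} priority={score:6.2f}")
```

Run stand-alone, the script ranks F-1 (CVSS 7.5, internet-facing critical asset, public exploit) first and pushes F-2 (CVSS 9.8 on an isolated vending machine) to the bottom, which is exactly the gap between a scanner's severity and an organisation's exposure that the article describes. In practice the weights would be tuned to the organisation and the asset context fed from an inventory rather than hand-written.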


Renaud Deraison is chief technology officer of Tenable. Prior to co-founding Tenable, Renaud redefined the vulnerability management market by authoring Nessus, the world's most widely deployed vulnerability scanner, with over one million downloads. Nessus has received ...
Comments
shermski, User Rank: Apprentice
1/2/2018 | 1:19:04 PM
Well said
Well written article! I would add that effective risk awareness and mitigations should align with the procurement process. Perform technical and contractual risk assessments against potential business partners and services.

Additionally, those companies that do not do a lot of in-house app development should consider additional contract stipulations such as alignment with the Cloud Security Alliance controls.