Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/2/2018
10:30 AM
Renaud Deraison
Renaud Deraison
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

The Argument for Risk-Based Security

A scanner can identify a vulnerability, but only a deep understanding of cyber exposure will tell you about the seriousness of that risk. Here's how and why.

There's a strange paradox about business today. Technology, which has long been its most powerful enabler and accelerant, has emerged as business's biggest, but largely invisible, threat.

I'm not talking about the latest apocalyptic fantasy about artificial intelligence, but rather the exploding by-product of business in the age of cloud computing and the Internet of Things (IoT): data. As IBM CEO Ginni Rometty recently declared, "Data is the world's new natural resource. It's the new basis of competitive advantage and it's transforming every profession and industry." Yet if all that is true, she argued, "then cybercrime, by definition, is the greatest threat to every profession, every industry, every company in the world."

It's a rational argument. Global cybercrime is predicted to cost $6 trillion annually by 2021, according to Cybersecurity Ventures, but it's not as existentially scary as Rometty makes it seem. Because almost every function of business has been digitized, today's cloud-powered companies are operating at incredible speed — and will only keep accelerating. What's more, billions of new IoT-enabled devices are baked into just about every facet of industrial technology, from power grids and wind turbines to break-room snack machines — all slinging data around the clock. We have unprecedented levels of security risk thanks to a rapidly expanding attack surface that now faces virtually every company. No wonder it takes over six months today for most companies to even detect a data breach. And, as we've seen with the latest Uber breach, businesses may take months to a year to disclose a breach to the public even after it is detected.

What companies lack today is accurate, real-time visibility of the dynamic attack surface. Traditional security tools were built for long-gone fixtures such as client-server technology, on-premises data centers, and linear software development cycles. Modern IT thinks in terms of minutes when it comes to release cycles. (In just two years, according to a recent study by Cisco, the number of third-party cloud applications in business has grown by a factor of 10 and more than 25% were deemed to be high risk.)

Additionally, a worst-case mindset tends to cloud more pragmatic executive decision-making. Companies often fixate on macro events like nation-state attacks when they are far more likely to be breached by a random malware attack like WannaCry. Companies too often don't take the simple measures to protect themselves as much as they should against the more likely threats.

How can executives shift into smarter, more holistic management of cyber-risk? It starts with focusing on the widening gap between threats and risks that are currently known (and thus under-represented) and true cyber exposure. Scanning the network for vulnerabilities or deploying multiple tools against the "threat of the week" is a one-size-fits-all approach that no longer aligns with reality. Mobile and IoT devices often operate under the radar for such security tools, as do public cloud resources, software-as-a-service applications, and industrial control systems.

In order for businesses to effectively manage their cyber exposure, here's what I recommend:

  • Determine, then focus on, your most critical needs. You can't afford to protect or respond to everything equally. What is most important to your organization? The old CIA standard (confidentiality, integrity, and availability) is still a good rule of thumb.
  • Double down on secure application design. The only way to make applications secure is to design them securely from the start. Careful attention needs to be given to the design process to ensure it takes everything into account on safety; it can't be "sprinkled" on later using a Web app firewall.
  • Hire for soft skills, not just technical aptitude. When it comes to security, most roles are cross-functional and require you to exert influence on other stakeholders. This is because the most vulnerable or exposed systems are often not ones you own. Soft skills are essential to build alignment and consensus with a persuasive argument.
  • Get a better view of your external exposure. Points of connectivity and access between companies, partners, and customers get more complex every year. Getting a handle on the full extent of these exposures should be the foundation of understanding your true risks, and that requires benchmarking and establishing a strategic baseline.

Every aspect of business has risks that can be managed — and managed well. Cyber exposure is no different. Emerging technologies that provide a specific focus on a targeted piece of the attack surface (for example, operational technology or open source software), advanced security analytics, and enhanced, cross-functional operational workflow can help companies reduce their exposure and give business leaders greater confidence in managing risk based on quantitative and actionable measurements. A scanner can identify a vulnerability, but a true understanding of cyber exposure will analyze the seriousness of that risk, what might happen if you choose to accept it, and how severe the various possible outcomes of a breach might be.

Related Content:

Renaud Deraison is chief technology officer of Tenable. Prior to co-founding Tenable, Renaud redefined the vulnerability management market by authoring Nessus, the world's most widely deployed vulnerability scanner, with over one million downloads. Nessus has received ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
shermski
100%
0%
shermski,
User Rank: Apprentice
1/2/2018 | 1:19:04 PM
Well said
Well written article! I would add that effective risk awareness and mitigations should align with the procurement process. Perform technical and contractual risk assessments for against potential business partners and services.

Additionally, those companies that do not do a lot of in-house app development should consider additional contract stipulations such as alignment with the Cloud Security Alliance controls.
The Problem with Proprietary Testing: NSS Labs vs. CrowdStrike
Brian Monkman, Executive Director at NetSecOPEN,  7/19/2019
RDP Bug Takes New Approach to Host Compromise
Kelly Sheridan, Staff Editor, Dark Reading,  7/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-14248
PUBLISHED: 2019-07-24
In libnasm.a in Netwide Assembler (NASM) 2.14.xx, asm/pragma.c allows a NULL pointer dereference in process_pragma, search_pragma_list, and nasm_set_limit when "%pragma limit" is mishandled.
CVE-2019-14249
PUBLISHED: 2019-07-24
dwarf_elf_load_headers.c in libdwarf before 2019-07-05 allows attackers to cause a denial of service (division by zero) via an ELF file with a zero-size section group (SHT_GROUP), as demonstrated by dwarfdump.
CVE-2019-14250
PUBLISHED: 2019-07-24
An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. simple_object_elf_match in simple-object-elf.c does not check for a zero shstrndx value, leading to an integer overflow and resultant heap-based buffer overflow.
CVE-2019-14247
PUBLISHED: 2019-07-24
The scan() function in mad.c in mpg321 0.3.2 allows remote attackers to trigger an out-of-bounds write via a zero bitrate in an MP3 file.
CVE-2019-2873
PUBLISHED: 2019-07-23
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.2.32 and prior to 6.0.10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox...