
The Future of Threat and Vulnerability Management to Control Cyber Risk

EXECUTIVE OVERVIEW

Threat and vulnerability management (TVM) has never been more difficult. The stakes are much higher. It’s hard to evaluate cost-to-value, and security expertise is limited. Even with multiple scanning tools, threat and vulnerability management doesn’t get easier. In fact, many organizations are running into data overload, but that’s all about to change.

RiskSense is bringing a new perspective and visibility into what alters cyber risk. The RiskSense platform will enable organizations to replace their current options of “ignore, defer, or continue to do what we do today with limited insight” with a context-intelligent and proactive approach in order to achieve risk-based vulnerability prioritization.

Let’s look at an overview of today’s cybersecurity challenges, followed by a walk-through of the six defining pillars that RiskSense is focused on as we work to define risk-based vulnerability management.


TODAY’S CRITICAL CYBERSECURITY ISSUES

It is no secret that threat and vulnerability management is the dirtiest job in cybersecurity. Security analysts must wade through piles of vulnerabilities, without knowing what else is around the corner. The result is “cyber risk mayhem”, where it becomes impossible to fix everything. To complicate matters further, the risk posed by a given vulnerability can change day-to-day.

“As digital transformation progresses from the world of monolithic applications to cloud-native component architecture, the question of risk becomes more difficult to quantify when everything can be considered to be connected. In that case, everything can be considered high risk!” –– Stephen Magnani, Senior Vice President, Office of the Chief of Information Security Management, Citi (1)

The Increased Focus on Cyber Risk Accountability

Cybersecurity efforts must now include the entire spectrum of risk identification and remediation steps, including cyber risk assessment, prevention, mitigation, resilience, and recovery scenarios.

The U.S. Securities and Exchange Commission (SEC) is currently looking closer at corporations that are not reporting on their cyber risk properly. According to Jay Clayton, Chairman of the SEC, “Even the most diligent cybersecurity efforts will not address all cyber risks that enterprises face. That stark reality makes adequate disclosure no less important. Malicious attacks and intrusion efforts are continuous and evolving, and in certain cases they have been successful at the most robust institutions and at the SEC itself.”

“Issuers and other market participants must take their periodic and current disclosure obligations regarding cybersecurity risks seriously, and failure to do so may result in an enforcement action,” according to Clayton. Although the SEC is increasing its focus on accountability, there aren’t really any clear guidelines on how to accomplish this. In essence, it is accountability without a path.

It’s not just the SEC increasing its focus on cyber risk. Rep. Jim Himes introduced the Cybersecurity Disclosure Act of 2019, a bill that would make the SEC issue a new set of rules requiring U.S. companies to tell their investors whether or not they have someone who has cyber expertise on their board.

(1) Mighty Guides: The Essential Guide to Understanding Risk and Quantification

The Cost-to-Value Problem

Some organizations, if they could, would just throw more bodies at the vulnerability problem, but there simply aren’t enough people with the necessary security expertise to fill all of the available roles in every company. Even if an enterprise is lucky enough to have a highly skilled security team, a scan and patch approach is not going to reduce their cyber risk. Vulnerability weaponization is happening at an increasing rate. With the absence of in-depth cyber risk intelligence, the security team is making decisions with narrow viewpoints. They are driving the organization’s costly security resources into action (or more likely, reaction), but they are not statistically changing the risk equation.

As a result, enterprises are spending on multiple scanning tools and analyzing the data, but they are struggling to understand why their investments aren’t driving down the frequency of security incidents. Frustrated, many turn their attention to other areas of security hoping they will have better outcomes, and minimize their vulnerability programs to the necessary ‘hygiene’.

Quantity vs. Quality

Managing cyber risk used to be all about patching volume, but accurate measures of cyber risk management and their effectiveness require a qualitative assessment. An effective TVM solution must provide a way to show results that are understandable by the organization’s IT and security teams, all of the way up to C-level executives and board members, without needing interpretation. This measurement or score will facilitate planning, versus simply reacting to activity-based vulnerability remediation metrics.

A cybersecurity score or value provides a way to measure the effectiveness of an organization’s risk-based approach to vulnerability management. In addition, enabling security teams to run “what if” scenarios gives visibility into which actions will positively make a difference and allows them to align activities to current resource availability and business concerns. Quality results need up-to-the-moment calculations based on the business criticality of systems, weaponization, and context-intelligence.

Community Contribution

Most organizations today rely on the severity scores of the National Vulnerability Database (NVD) and a version provided by their vulnerability scanners. The sourcing and curating of vulnerability and threat intelligence has just begun to evolve. With AI-assisted analysis and human verification, vulnerabilities and their true risk to a business become apparent by looking at the internal asset criticality and the shifting external, changing intelligence. More sources are needed to truly understand cyber risk and vulnerability exposure. Just like crowdsourcing, tapping into the collective value of those in security, like penetration testing experts with their experience of code weaknesses and security configuration knowledge, is essential. These individuals have the skills to move a vulnerability from concept to a proven risk with exploitable code and tools. From the intelligence side, more focus on dangerous vulnerabilities with capabilities for remote execution or privilege escalation is needed. Significant risk occurs from these vulnerabilities when they have active exploits trending in the wild.


SIX PILLARS OF FUNCTIONALITY AND VISION FOR RISKSENSE:
• Reclamation
• Collaboration
• Intelligence
• Measurement
• Coverage
• Validation

Threat and vulnerability management platforms need to adapt to meet the growing challenges of digitized businesses and ever-increasing IT expansion, and deliver better outcomes for overwhelmed security teams.

1. Reclamation

With highly trained security expertise at a premium, what if your organization could make better use of the personnel it already has? Imagine how one or two security FTEs could be used for other, more pressing, security aspects in your business. Continuous, prioritized, and prescriptive risk-based vulnerability management allows you to get to remediation activities faster.

Managing Risk, Not Resources

Every organization is competing for the same scarce security resources today. If every security team could obtain just a small amount of efficiency, collectively we’d get a lot better at controlling cyber risk. The United States still leads the world in digital business transformation. We now need to lead in how to transform threat and vulnerability management to help prioritize and drive better results for all.

2. Collaboration

We envision a future where the functions of IT, DevOps, and Security act as a fully integrated team. But in most organizations today, one group is responsible for vulnerability scanning, the security team is responsible for setting priorities, and the IT team is then responsible for performing remediation actions. As a result, security and IT are often at odds. Security is responsible for cyber risk, but IT is fielding the burden of work to fix or mitigate. To make matters worse, IT often doesn’t have visibility, or get feedback as to the importance of their efforts.

Shared Responsibility with No More Silos

When IT and security can share responsibility and unify as a team against cyber risk, more of the right activities will happen with increasing efficiency. Closed loop verification goes smoother, compliance is easier to validate, and those in IT and security that are actually doing this work will get credit for measurably improving the security posture of the company.

3. Intelligence

Today’s security teams are dealing with data overload. It is no longer possible to get results using a human-driven solution alone. Google has optimized the search function so much that you can find anything digital almost instantly. Vulnerability and threat intelligence need to take a similar approach. Mine as many sources as possible, curate the information using both AI-driven intelligence and human-assisted verification, and elevate the top trending threat results. Access to statistically proven intelligence, and not just gathered data, will be a new requirement.

Real Results, Nothing Arbitrary or Artificial

Understanding trending exploits, and predicting those to come, will grow with crowd-sourced exploits and intelligence from a global base of pen testers. It will accelerate the identification of code exposure from theoretical risk into validated exploitable maneuvers.


4. Measurement

Fact-based decisions for threat and vulnerability management need to mature. Measurement should be a built-in component for knowing your current risk exposure. Identify consistently weak areas within highly critical business systems. Results can fluctuate based on what’s important to you right now and what is externally changing that could increase your cyber risk.

What if you could run remediation scenarios and see which combinations of actions would really make a measurable difference in cyber risk to your organization? By identifying the best predictive steps and patch recommendations, new estimated measurements of risk exposure can be calculated. Organizations with this level of measurement can improve the navigation throughout the remediation process, map the appropriate resources and change windows, and see upon patch validation that their security posture has measurably improved. This could be across an organization, within a specific asset group, or within regional segments or business units.

Reflection of Risk and Remediation

5. Coverage

Coverage and visibility for threat and vulnerability management need to keep up with the dynamics of business. Moving from compliance-driven, point-in-time assessments to ones that are more time-sensitive and require a sense of urgency, because of the potential high risk they present to an organization, is critical.

Adapting to Change

The utilization of web applications, IoT, virtualization, and containers contributes to a fluctuating attack surface. Vulnerability weaponization, meaning there is an exploit available, is increasing in speed, often in less than seven days. Penetration testing grows in importance to identify the inventory of assets and how layered vulnerabilities can expose business to risk. Modernizing these assessments, to include the near real-time delivery of findings as encountered, removes unnecessary latency. This allows remediation to begin immediately, rather than waiting for the conclusion of the engagement, when the entire pen test assessment is presented and finalized.

6. Validation

Security teams need to focus beyond just compliance and evolve toward a critical consciousness where validation of cyber risk and exposure is a key aspect of everyday business. Collective risk-based management goes beyond the infrastructure of an organization and begins to measure and validate any connected entity. One cannot assume that the organizations you do business with have mature vulnerability management programs. Vulnerabilities are rapidly weaponized, gain adversarial popularity, and are used to indiscriminately look for exploitable targets. Business will move from “Hey, I’ve been breached,” to validating how vendors, third parties, APIs, and connected services affect the security posture of their business. With a clear and transparent way to make fact-based decisions about cyber risk, everyone within a community or ecosystem will have a way to measure, validate, and decide if they are willing to accept or deny the risk.

Moving Beyond Compliance

Expanding technologies and shortened timelines will bring higher importance to penetration testing and exploit validation as a risk countermeasure, with AI and human-focused intelligence looking at code and scenarios no one has covered before.
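The Quantity vs. Quality and Measurement sections above describe risk-based prioritization in terms of asset criticality, weaponization and trending exploits, and “what if” remediation scenarios, but the brochure gives no formula. The following is an added example and is not RiskSense’s scoring model or code: a small, hypothetical scoring function over constructed findings that weights NVD-style CVSS severity by asset criticality and threat context, reports exposure per asset, brute-forces the remediation plan that removes the most risk under a fixed number of change-window slots, and re-scores a finding when external intelligence changes. The CVE identifiers, asset names, weights and the 0..100 scale are all constructed for the example.

```python
from dataclasses import dataclass, replace
from itertools import combinations


@dataclass(frozen=True)
class Finding:
    """One vulnerability instance on one asset (all values constructed for this example)."""
    cve: str
    asset: str
    cvss: float           # NVD-style base severity, 0.0 to 10.0
    criticality: int      # business criticality of the asset, 1 (low) to 5 (crown jewel)
    exploit_public: bool  # a working exploit is publicly available ("weaponized")
    trending: bool        # that exploit is currently trending in the wild


# Constructed sample findings; the CVE ids are placeholders, not real identifiers.
FINDINGS = [
    Finding("CVE-XXXX-0001", "payment-gateway", 9.8, 5, True, True),
    Finding("CVE-XXXX-0002", "dev-wiki",        9.8, 1, False, False),
    Finding("CVE-XXXX-0003", "hr-portal",       7.5, 4, True, False),
    Finding("CVE-XXXX-0004", "payment-gateway", 5.3, 5, True, True),
    Finding("CVE-XXXX-0005", "marketing-site",  6.1, 2, False, False),
]

MAX_THREAT = 2.5  # 1.0 base + 1.0 for a public exploit + 0.5 for trending (hypothetical weights)


def risk_score(f: Finding) -> float:
    """Hypothetical 0..100 score: severity x asset criticality x threat context."""
    severity = f.cvss / 10.0
    criticality = f.criticality / 5.0
    threat = 1.0 + (1.0 if f.exploit_public else 0.0) + (0.5 if f.trending else 0.0)
    return round(severity * criticality * threat / MAX_THREAT * 100.0, 1)


def total_exposure(findings) -> float:
    """Organization-wide exposure: the sum of the individual scores."""
    return round(sum(risk_score(f) for f in findings), 1)


def exposure_by_asset(findings) -> dict:
    """Exposure grouped per asset, for reporting on a specific asset group."""
    out = {}
    for f in findings:
        out[f.asset] = round(out.get(f.asset, 0.0) + risk_score(f), 1)
    return out


def prioritized(findings):
    """Findings ordered by score, highest first: the remediation work queue."""
    return sorted(findings, key=risk_score, reverse=True)


def what_if(findings, remediate: set) -> dict:
    """Estimated exposure if the given CVEs were fixed (their score drops to zero)."""
    before = total_exposure(findings)
    after = total_exposure([f for f in findings if f.cve not in remediate])
    return {"before": before, "after": after, "reduction": round(before - after, 1)}


def best_plan(findings, budget: int):
    """Brute-force the subset of at most `budget` fixes that removes the most risk."""
    best_cves, best_reduction = (), 0.0
    for r in range(1, budget + 1):
        for combo in combinations(findings, r):
            reduction = what_if(findings, {f.cve for f in combo})["reduction"]
            if reduction > best_reduction:
                best_cves, best_reduction = tuple(f.cve for f in combo), reduction
    return best_cves, best_reduction


def apply_intel(findings, cve: str, exploit_public: bool, trending: bool):
    """Re-score after external intelligence changes for one CVE (day-to-day drift)."""
    return [replace(f, exploit_public=exploit_public, trending=trending) if f.cve == cve else f
            for f in findings]


if __name__ == "__main__":
    for f in prioritized(FINDINGS):
        print(f"{risk_score(f):6.1f}  {f.cve}  {f.asset}")
    print("exposure by asset:", exposure_by_asset(FINDINGS))
    print("best plan with 2 change-window slots:", best_plan(FINDINGS, 2))
    updated = apply_intel(FINDINGS, "CVE-XXXX-0002", exploit_public=True, trending=True)
    print("dev-wiki CVE after its exploit goes public and trends:",
          risk_score(updated[1]), "(was", risk_score(FINDINGS[1]), ")")
```

Note how the two findings on the payment gateway outrank the CVSS 9.8 issue on the low-criticality wiki until intelligence changes, and how the plan under a two-fix budget is chosen by measured risk reduction rather than by raw severity; the brute-force search is fine for a handful of findings but would need a greedy or knapsack-style approach at real scan volumes.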

LEADERSHIP IN CYBER RISK

Core to the RiskSense vision is the expertise of its founders, management team, and a highly experienced and well-certified penetration testing team.

Dr. Srinivas Mukkamala, RiskSense CEO and Co-Founder

Dr. Srinivas Mukkamala is a recognized expert on artificial intelligence (AI) and neural networks, and part of a think tank that collaborated with the U.S. Department of Defense and U.S. Intelligence Community on applying these concepts to cybersecurity problems. Dr. Mukkamala was also a lead researcher for CACTUS (Computational Analysis of Cyber Terrorism against the U.S.) and holds a patent on Intelligent Agents for Distributed Intrusion Detection System and Method of Practicing.

Srinivas previously co-founded CAaNES, a spin-off from New Mexico Tech-ICASA that focuses on proactive and reactive intelligent risk analytics, vulnerability management solutions, red teaming, malware analytics, and Web 2.0 and application security. Under Dr. Mukkamala’s leadership, CAaNES assisted over 300 entities in NM, CO, CA, TX, AZ, UT, NJ, WI, and AR. Dr. Mukkamala received his Bachelor of Engineering in Computer Science and Engineering from University of Madras, and his M.S. and Ph.D. in Computer Science from New Mexico Tech.

RiskSense Pen Testing Team

RiskSense’s highly-trained pen testing team provides a wide range of certifications and expertise to RiskSense customers. Current certifications include:
• GIAC Penetration Tester (GPEN)
• GIAC Web Application Penetration Tester (GWAPT)
• EMC Data Scientist Associate (EMCDSA)
• MicroStrategy Certified Developer (MCD)
• CompTIA Mobile App Security+
• x64 Linux Assembly Expert (SLAE64)
• PCI Approved Scanning Vendor (PCI ASV)
• Mountain Goat Certified Agile Scrum Master
• Mountain Goat Certified Agile Product Owner

About RiskSense

RiskSense®, Inc. provides vulnerability management and prioritization to measure and control cybersecurity risk. The cloud-based RiskSense platform uses a foundation of risk-based scoring, analytics, and technology-accelerated pen testing to identify critical security weaknesses with corresponding remediation action plans, dramatically improving security and IT team efficiency and effectiveness. For more information, visit www.risksense.com or follow us on Twitter at @RiskSense.

Contact us today to learn more about RiskSense. RiskSense, Inc. | +1 844.234.RISK | +1 505.217.9422 | www.risksense.com

© 2019 RiskSense, Inc. All rights reserved. RiskSense and the RiskSense logo are registered trademarks of RiskSense, Inc. Brochure_TheFutureofTVMtoControlCyberRisk_20190710