Creating a Vulnerability Management Program – Cybersecurity Risk: Why You Need Both Vulnerability and Threat Assessments
- Aug 23, 2022
- Guest Author
In this blog, we’ll add to our cybersecurity considerations the concept of threats and threat intelligence. So far, we’ve looked at assets and their vulnerabilities. While these are essential building blocks in constructing a smart cybersecurity program, adding the threat element to the equation is key to any well-run, efficient cybersecurity program.
It’s not hard to understand why if you take a high-level view of the matter. What a cybersecurity team is striving for is understanding and managing the risks their organization faces. If you pick it apart, you can see that risk is the result of vulnerabilities and threats. An unlocked house may be vulnerable, but it faces a higher risk of being robbed if it’s located in the middle of a high-crime urban setting than it does at the end of a dirt road where the closest neighbor is 10 miles away.
To be sure, no organization can take the kind of comfort the owners of the isolated rural house might enjoy. Cybercriminals don’t have to worry about distances between themselves and their victims. At the same time, a SOC would go insane if it tried to plug up all vulnerabilities everywhere all at once because of some unknown potential threats.
The answer, then, is to combine the knowledge a team has of its own vulnerabilities with knowledge of the threats that may take advantage of those vulnerabilities. That is how risk is assessed. But risk is not a simple yes-or-no answer: there are low risks, high risks, and everything in between. The tools used need to help teams quantify that risk so they know how to prioritize potential remediations.
In this entry, we’ll take a look at how vulnerability and threat can be determined through the right methods and tools.
We looked closely at vulnerability in previous blogs, but a quick summary here can help us keep in mind what vulnerability assessment consists of. The first consideration, of course, is being fully cognizant of your attack surface. That means getting a comprehensive, up-to-the-minute inventory of your assets. The list of them is just the start. You also need to know the status of their security programs, operating systems, firmware updates, patching, and the like. And, operationally, you need to understand the context for each asset’s use: who accesses it, who has access that potentially shouldn’t, the business use of the asset, its connection to other assets, etc.
Vulnerability assessment essentially takes this assumed knowledge you have of your assets and pushes it to the next level. In our house analogy, it’s a bit like having someone who installs security systems look over your house from the burglar’s perspective. Sure, you have double-bolted doors that you always lock, but what about those basement windows? They may look narrow, but a determined burglar could easily smash them and slip inside. Better install a sensor and wire it to your alarm system.
We talked about the automated and manual methods that can test for vulnerabilities. Vulnerability scanners look over your entire infrastructure and produce findings for your team to act upon. Organizations further up the security ladder run vulnerability scanners from more than one vendor to help ensure accurate, complete readings.
But even so, vulnerabilities may be hidden. That’s where penetration testing comes in. People whose sole job is to find the weak spots in an infrastructure are hired to poke and prod and find the holes in your defenses. Because it can be costly and is only a snapshot in time, automated solutions or hybrid models (people augmented with automated tools) are being used more and more.
The next step is to combine the knowledge of your vulnerabilities with the actual threats you face.
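The combination described above, risk as the product of vulnerability severity, threat activity and asset context, is easier to see with numbers. The following is an added example (not NopSec’s product logic or code from this post); the scoring weights, the two assets, the findings and the placeholder vulnerability ids are all constructed for illustration. It shows why a “critical” scanner finding on an isolated device can rank below a medium finding that is being actively exploited on an internet-facing system.

```python
"""Risk-based prioritization: combine scanner severity (vulnerability), threat
intelligence (threat) and asset context (exposure) into one ranked list.

Added example. Weights, assets and findings are constructed, and the
vulnerability ids are placeholders, not real CVE entries."""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    internet_exposed: bool      # reachable from outside the perimeter
    business_criticality: int   # 1 (low) .. 5 (crown jewel), agreed with the business


@dataclass
class Finding:
    asset: Asset
    vuln_id: str                # placeholder id, not a real advisory
    cvss: float                 # base severity reported by the scanner, 0..10
    exploit_public: bool        # threat intel: exploit code is publicly available
    exploited_in_wild: bool     # threat intel: active exploitation observed
    targeted_campaign: bool     # threat intel: campaign aimed at this sector


def threat_factor(f: Finding) -> float:
    """Scale the static CVSS score by what is known about active threats.
    A weakness nobody is attacking is the house at the end of the dirt road."""
    factor = 1.0
    if f.exploit_public:
        factor += 0.5
    if f.exploited_in_wild:
        factor += 1.0
    if f.targeted_campaign:
        factor += 0.5
    return factor               # 1.0 .. 3.0


def exposure_factor(a: Asset) -> float:
    """Asset context: how reachable the asset is and what is lost if it falls."""
    factor = 0.5 + a.business_criticality / 5.0   # 0.7 .. 1.5
    if a.internet_exposed:
        factor += 0.5
    return factor               # 0.7 .. 2.0


def risk_score(f: Finding) -> float:
    """Risk = severity x threat x exposure, normalised to 0..100.
    The maximum raw product is 10 * 3.0 * 2.0 = 60."""
    raw = f.cvss * threat_factor(f) * exposure_factor(f.asset)
    return round(raw / 60.0 * 100, 1)


def prioritize(findings):
    """Return (score, finding) pairs sorted from highest to lowest risk."""
    scored = [(risk_score(f), f) for f in findings]
    scored.sort(key=lambda pair: pair[0], reverse=True)
    return scored


# Constructed sample data: an internet-facing CRM server and an isolated lab printer.
CRM = Asset("crm-web-01", internet_exposed=True, business_criticality=5)
LAB = Asset("lab-printer-07", internet_exposed=False, business_criticality=1)

FINDINGS = [
    # Critical CVSS, but on an isolated low-value device with no known exploitation
    Finding(LAB, "CVE-PLACEHOLDER-1", cvss=9.8, exploit_public=False,
            exploited_in_wild=False, targeted_campaign=False),
    # Medium CVSS, but actively exploited in a campaign, on the exposed CRM
    Finding(CRM, "CVE-PLACEHOLDER-2", cvss=6.5, exploit_public=True,
            exploited_in_wild=True, targeted_campaign=True),
    # High CVSS with a public exploit on the exposed CRM
    Finding(CRM, "CVE-PLACEHOLDER-3", cvss=8.1, exploit_public=True,
            exploited_in_wild=False, targeted_campaign=False),
]

if __name__ == "__main__":
    for score, f in prioritize(FINDINGS):
        print(f"{score:5.1f}  {f.asset.name:16} {f.vuln_id}")
```

Run as a script, the CVSS 9.8 finding on the lab printer comes out last (score 11.4) while the CVSS 6.5 finding on the CRM comes out first (65.0). The weights are illustrative; what matters is that every finding is scored against the same three inputs so the team can defend the order of its remediation queue.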
Running a modern-day cybersecurity department means moving from a purely reactive state to one that anticipates the attacks that may be launched against you. To do so, you need to have a sense of your opponent:
These are challenging questions to answer. Organizations need to move through different levels of maturity to provide the best, most complete answers. Those that do are able to process and integrate a significant amount of knowledge – not just about potential attacks that have been identified on the “clear” (surface) web, but also in the less-visible dark web and deep web where the threat actors gather and collaborate on ways to succeed.
Threat intelligence tools gather data on existing and emerging threats to disseminate this knowledge to security teams. Collecting raw data from a wide range of sources (like public intelligence, first and third parties, social media, etc.), threat intelligence solutions use machine learning algorithms to compile, consolidate, and analyze threat data to deliver three types of insights:
This, obviously, leads to a great deal of data for security teams to sift through. Threat intelligence tools are often paired with other cybersecurity solutions, like vulnerability prioritization tools and other vulnerability management platforms. This enables cybersecurity teams to get out from under the data overload and act on the insights that apply to their individual organization.
The market for threat intelligence products has primarily been focused on large enterprises, although it is expanding to mid-sized organizations as well. The tools aimed at mid-sized organizations tend to be more limited than their enterprise counterparts. The rule of thumb for any company considering purchasing threat intelligence tools is to acquire only what your organization is ready to use without becoming overwhelmed.
Once you have this technology in place, your organization can then proceed to move through the levels of threat intelligence maturity. Understanding these levels gives your organization a road map to follow to maximize the return on your threat intelligence investment.
There are roughly five levels of threat intelligence maturity, and it takes time to move from one to the other. Even though you can’t jump from level one to level five overnight, it’s best to understand what that process looks like.
Here, the organization is responding to threats as they emerge without a sense of what’s next. The organization is striving to establish the fundamentals of its cybersecurity program, having a sense of its attack surface and using basic protections such as an antivirus program to build some defenses.
As we mentioned earlier, risk is a combination of vulnerabilities and threats. While the organization is getting a grasp of its vulnerabilities, it is also getting a sense of threats by incorporating Indicators of Compromise (IoCs) and Indicators of Attack (IoAs). Together, these two give insight into what threats are in play and what the attackers’ intent seems to be.
It’s a good idea at this phase to collaborate with others who are likewise trying to understand what’s under threat. There are newsletters that share this information, as well as information sharing and analysis centers (ISACs). With this information, a cybersecurity team can begin to prioritize alerts, digest actionable advisories, and deploy the right patches to address current common vulnerabilities and exposures (CVEs).
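Incorporating IoCs and IoAs and then prioritizing the resulting alerts, as described above, is mostly matching and scoring. The following is an added example, not code from this post or from NopSec: a small indicator set with a confidence and a source per entry (as an ISAC advisory or vendor feed would supply), matched against constructed proxy and endpoint log lines in a simplified format. The IP is from the 203.0.113.0/24 documentation range, the domain uses the reserved `.example` TLD, the digests are placeholders, and the field names, the IoA rule and the scoring are all assumptions made for the example.

```python
"""Match constructed log lines against IoCs (atomic artifacts) and one IoA
(a behaviour), then rank the alerts so the analyst sees the best-supported one first.

Added example; indicator values, log format and scoring are constructed."""
import re
from typing import Dict, List, Optional


class Indicator:
    """One threat intelligence indicator: what to look for, how much to trust it, where it came from."""
    def __init__(self, kind: str, value: str, confidence: int, source: str):
        self.kind, self.value, self.confidence, self.source = kind, value, confidence, source


# Constructed IoCs. Confidence is 0..100 as the sharing source rated it.
INDICATORS = [
    Indicator("ip", "203.0.113.45", 90, "ISAC advisory"),
    Indicator("domain", "update-check.example", 70, "vendor feed"),
    Indicator("sha256", "a" * 64, 85, "internal incident"),   # placeholder digest
]

# IoA: an Office application spawning a command interpreter signals intent
# even when no artifact in the event is on any list.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
IOA_BASE_SCORE = 80

# Simplified, constructed log formats: one proxy line type, one endpoint (EDR) line type.
PROXY_RE = re.compile(r"^(?P<ts>\S+) proxy src=(?P<src>\S+) dst=(?P<dst>\S+) host=(?P<host>\S+)$")
EDR_RE = re.compile(r"^(?P<ts>\S+) edr endpoint=(?P<endpoint>\S+) proc=(?P<proc>\S+) "
                    r"parent=(?P<parent>\S+) sha256=(?P<sha>\S+)$")

LOG_LINES = [
    "2022-08-23T10:00:01Z proxy src=10.0.0.12 dst=203.0.113.45 host=update-check.example",
    "2022-08-23T10:00:05Z proxy src=10.0.0.13 dst=198.51.100.7 host=cdn.example",
    "2022-08-23T10:01:10Z edr endpoint=ws-0042 proc=powershell.exe parent=winword.exe sha256=" + "b" * 64,
    "2022-08-23T10:02:00Z edr endpoint=ws-0042 proc=svc.exe parent=explorer.exe sha256=" + "a" * 64,
]


def parse(line: str) -> Optional[Dict[str, str]]:
    """Parse one line into a record, or None for a format we do not recognise."""
    for kind, regex in (("proxy", PROXY_RE), ("edr", EDR_RE)):
        m = regex.match(line)
        if m:
            rec = m.groupdict()
            rec["kind"] = kind
            return rec
    return None


def ioc_hits(rec: Dict[str, str]) -> List[Indicator]:
    """IoC check: compare the record's artifacts with the indicator set, by kind."""
    artifacts = {"ip": rec.get("dst"), "domain": rec.get("host"), "sha256": rec.get("sha")}
    return [i for i in INDICATORS if artifacts.get(i.kind) == i.value]


def ioa_hit(rec: Dict[str, str]) -> Optional[str]:
    """IoA check: flag the Office-app-spawns-shell behaviour on endpoint records."""
    if rec["kind"] == "edr" and rec["parent"].lower() in OFFICE_APPS and rec["proc"].lower() in SHELLS:
        return "office-app-spawned-shell"
    return None


def score(hits: List[Indicator], ioa: Optional[str]) -> int:
    """Priority: the best indicator's confidence plus 5 per corroborating hit, capped at 100;
    a behavioural hit guarantees at least IOA_BASE_SCORE."""
    s = 0
    if hits:
        confidences = sorted((i.confidence for i in hits), reverse=True)
        s = confidences[0] + 5 * (len(confidences) - 1)
    if ioa:
        s = max(s, IOA_BASE_SCORE)
    return min(s, 100)


def triage(lines: List[str]) -> List[Dict]:
    """Turn raw lines into alerts, highest priority first; lines with no hit produce nothing."""
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        hits, ioa = ioc_hits(rec), ioa_hit(rec)
        if not hits and not ioa:
            continue
        alerts.append({
            "ts": rec["ts"],
            "score": score(hits, ioa),
            "iocs": [f"{i.kind}:{i.value} ({i.source})" for i in hits],
            "ioa": ioa,
            "line": line,
        })
    alerts.sort(key=lambda a: a["score"], reverse=True)
    return alerts


if __name__ == "__main__":
    for alert in triage(LOG_LINES):
        print(alert["score"], alert["ts"], alert["iocs"], alert["ioa"])
```

The proxy line that matches two indicators at once ranks first (95), the endpoint event carrying the incident-derived hash second (85), and the behavioural IoA third (80); the benign CDN request produces no alert. Keeping the source on each indicator matters for the “digest actionable advisories” step: when an ISAC retracts or re-rates an indicator, the alerts that depended on it can be found and re-scored.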
At this level, the organization is starting to get ahead of the daily reactive state and staying ahead of threats. It sees threats coming by constantly monitoring emerging threat indicators, such as targeted campaigns, exploit disclosures, and indications and warnings. On the vulnerability side, the organization is moving to a more advanced security stack with next-generation endpoint security and a Security Information and Event Management (SIEM) platform.
Security and business leaders are cooperating, so each side understands the other’s needs, with the security team thus able to respond to cyberthreats according to the context of business goals and objectives.
This organization has gone far beyond its initial reactive state and has become fully engaged in risk planning and prevention, with both a thorough internal vulnerability testing program and robust intelligence platforms such as those focused on Security Orchestration, Automation and Response (SOAR). The understanding of business context has also become more developed in terms of planning for attacks. For example, the organization has segmented its networks so that different activities and operations are separated, confining an incoming threat to a limited area.
The final piece of the puzzle is to assess the threats that cybercriminals direct at partners. Increasingly, supply-chain software providers and business partners are being used as a backdoor to an organization’s valued information. By extending threat intelligence beyond an organization’s own infrastructure, the company has reached the top level of maturity.
And, as we have noted previously, cybersecurity is not an activity that is ever complete. New threats emerge continually, and the attack surface of growing organizations only gets larger. Patching is a continual effort and employing new tools in response to new threats is inevitable.
That isn’t meant to sound discouraging, just realistic. The sooner your organization starts moving up the ladder of maturity, the more secure you will become. But the movement upward never comes to a complete stop.
NopSec has created a set of tools designed for risk-based vulnerability management (RBVM) – that is, the risk that is derived by looking at the combination of vulnerabilities and threats. Tools include:
At NopSec, we know how much there is to think about when you’re trying to lead your security team from the initial stages of protection to the more advanced levels. See how other leading cybersecurity teams are succeeding by reading the 2022 State of Vulnerability Management Report.
Answer: A vulnerability scan is an automated process that scans your existing environment for any known vulnerabilities. A vulnerability assessment typically includes a vulnerability scan, but combines automated tools like vulnerability scanners with human intelligence and expertise, using techniques such as pentesting, for a more complete view of your organization’s risk.
Answer: Threat intelligence tools collect, consolidate, and analyze threat data from a wide range of sources. These sources can include internal and external data, public or open source data, social media intel, and more.
Answer: Threat intelligence tools collect data from a wide range of sources and utilize machine learning algorithms to produce insights on strategic, tactical, and operational levels.
If you haven’t read the previous installments of this series you can do so here: