By Lori Cornmesser

Lori Cornmesser

Information security risk is defined as a gap that could potentially be exploited, leading to financial or reputation loss. Companies may use several security testing products in addition to risk-assessment services to detect their security gaps. However, as systems become more complex, and attacks become more sophisticated, risks become more prevalent, and the sheer number of security gaps exceeds many organizations’ remediation capabilities. For example, if your team identifies 1,000 security gaps but can reasonably address only 100; where should it start? How should remediation proceed?

If you spread your resources across all potential risks, you won’t be able to address any issue adequately, leaving your organization more vulnerable to an attack. Risk prioritization is the best way to combat these problems. It helps companies whittle down a massive pile of risks to a manageable list that a security team can realistically address while keeping their organization secure. The prioritization component is critical. You don’t want to dedicate resources to security gaps that aren’t likely to pose severe threats to the business. Here are three time-tested tips for developing a risk-based, decision-making strategy to prioritize security gaps.

Think Like a Cybercriminal

When you consider some of the high-profile security breaches from earlier this year, there are helpful clues for learning how to prioritize security risk. For example, recall the Colonial Pipeline cyberattack, which shut down a top U.S. pipeline for several days and resulted in a $5 million ransom payout. An audit of the breach revealed that the attackers exploited a legacy VPN. The account was no longer in use at the time of the attack but could still be used to access Colonial’s network. So, how does that tie into prioritization? It’s a reminder that hackers are always looking for the lowest hanging fruit — i.e., the path of least resistance — to a victim’s network. Learn to think like a hacker and ask yourself, “What’s the path of least resistance to our IT ecosystem?” Besides the mistake Colonial made in not revoking the VPN credentials after a remote worker left the company, there are other common themes seen in major security breaches, such as:

Put Vulnerabilities in Context

Understanding the business context surrounding a risk can help your team anticipate potential attack paths, including those involving subsidiaries, suppliers and other connected third parties. Evaluating risks through the lens of business importance and attractiveness to attackers is one of the most vital yet neglected elements in security. It lets organizations know whether there’s a legitimate threat to a material business process.

Determining the business purpose and public exposure of an asset entails many factors. Typically, companies waste precious hours …

… manually evaluating several data sources, which slows the pace, given the size of the attack surface. Plus, it provides cyberattackers more time to find and exploit additional security gaps.

Sophisticated attackers build robust infrastructure and automation to find blind spots. To effectively defend against them, security teams also should leverage automation as much as possible. Look for context data in places an attacker could easily find, such as:

Finally, don’t ignore scalability. Efforts at classifying business context for prioritizing risks must scale to rapidly address all of the assets associated with an attack surface, which could be hundreds of thousands for some organizations.

Assign Scores to Risks

Scoring systems can be an effective way to analyze, sort and rank risks. For example, a low score of “0” could be assigned to a certificate about to expire on a rarely used Apache server. On the other hand, a high score of “10” could stem from sensitive business documents stored on an unpatched file server where exploitation complexity is low and asset discoverability is high. The priority score rationalizes marching orders for remediation, starting with the highest priority risks first. When prioritization works well, high-risk attack vectors can be clearly communicated between security teams and executive management. When this doesn’t work, even the vulnerability management team can’t explain why one risk is more prevalent and urgent than another, and conversations are purely technical rather than business-risk oriented.

Five criteria can help with risk scoring. These include:

The importance of prioritizing risks discovered across the enterprise attack surface can’t be emphasized enough. Most organizations are swamped by thousands, even tens of thousands, of so-called urgent risks. No one has the resources to remediate everything immediately, so a rational, programmatic and automated approach to prioritizing risks is needed to help isolate those that genuinely require urgent attention.

Lori Cornmesser is vice president of worldwide channel sales for CyCognito, a company focused on solving a fundamental business problem in cybersecurity: seeing how attackers view your organization, where they are most likely to break in, what systems and assets are at risk and how you can eliminate the exposure. You may follow her on LinkedIn or @CyCognito on Twitter.