HOW TO PRIORITIZE CYBERSECURITY RISKS: A PRIMER FOR CISOS

CONTENTS

Intro 3
Most CISOs will experience a breach on their watch 4
Problem #1: The attack surface is expanding 4
Problem #2: CISOs lack visibility into and across information assets 6
Problem #3: Digital transformation creates cyber risk 7
Operational reasons CISOs lack visibility 8
Vulnerabilities are growing and attackers have the advantage 9
How CISOs prioritize vulnerabilities today 10
Step 1 is visibility across all assets 11
How CISOs should prioritize vulnerabilities 12
Conclusion 14


Intro

CISOs and other security leaders know they can’t find and fix every vulnerability. Yet, that’s what boards of directors, CEOs and other C-suite members expect them to do.

Vulnerabilities continue to lurk in physical and virtual assets, and CISOs lack complete knowledge of their existence. They also don’t have a means of assessing emerging threats or the relative business risk associated with a given vulnerability. Even if CISOs could provide IT Ops with a list of every vulnerability that needs to be patched, IT Ops wouldn’t be able to comply because the volume of vulnerabilities is simply too overwhelming. Moreover, IT Ops is largely focused on keeping systems up and running – not causing disruptions or delays, which patching is prone to do. Sooner or later, a failure will occur and the CISO will be held responsible.

So, what’s a CISO to do? The short answer: They have to work smarter, not harder. To do that, they need to reduce the vast universe of potential vulnerabilities down to a subset of the vulnerabilities that matter most. Using CVSS scores to prioritize is a good start, but it isn’t enough to address the complexity of today’s attack surface. This ebook explains the other elements required for CISOs to gain a clear outlook on their organization’s true business risk, so they can prioritize their efforts accordingly.

“Through 2021, the single most impactful enterprise activity to improve security will be mitigating vulnerabilities.”1 – Gartner


Most CISOs will experience a breach on their watch

There are no guarantees in cybersecurity. Yet, CISOs are assessed based on how they manage breaches. According to a 2018 survey conducted by the Ponemon Institute, 91% of organizations have experienced at least one damaging cyberattack over the past two years.2

Are you confident you can prove you took proper steps to protect your organization’s assets?

Problem #1: The attack surface is expanding

Many security teams say their greatest challenge is simply seeing all the assets in their environment. Legacy tools haven’t kept up with the new technologies adopted by IT and the various lines of business. Further, as the mix of technology becomes more complex, adversaries have a larger attack surface to probe and exploit.

Think of your security team standing at the bottom of this graphic (see Figure 1 on next page) looking up across all your company’s IT assets – and struggling to track the laptops, cloud deployments, containers, IoT systems and more.

Here’s the problem: Adversaries can see everything and will attack you wherever they find a weak link. This drives up the cybersecurity risk to the business.

91%of organizations have experienced at least one damaging cyberattack over the past two years.2

A fair question: “How many vulnerabilities do we have?”

A better question: “Which vulnerabilities pose the greatest risk?”


Asset: Description

Server, desktop, and network infrastructure: Security practices are mature, but not perfect

Web apps: Software dependencies

Mobile devices: Hardware, software, network and app diversity; all are literally mobile

Laptops: Uncontrolled use, such as connecting to public Wi-Fi, and laptops not connected to the corporate network that can’t be monitored

Containers: Ephemeral nature, immaturity of container security

Enterprise IoT: • May be physically vulnerable • May be capable of compromising core systems • May be controlled remotely • May have embedded software that lacks appropriate security • May run critical real-world processes and tasks • Attacks may breach the kinetic barrier through to the physical world

Legacy ICS/SCADA: • May be physically breached or controlled by someone with apparent authority • May be remotely controllable • Depending on age, may lack any type of built-in security

Figure 1. Today’s modern attack surface


Problem #2: CISOs lack visibility into and across information assets

IoT, cloud, mobile, DevOps – your attack surface grows exponentially with the breakneck speed of digital transformation. In the cloud, containers spin up and down, living minutes – often seconds. Meanwhile, 9 billion IoT devices are expected to inundate the enterprise by next year. It’s no easy battle. You need visibility into every vulnerability – you need a foundation to win.

CISOs and their organizations need a single source of truth that reveals all their IT assets and surfaces key insights.

“Risk is always present. It’s the lack of visibility and intelligent management of risk that can be catastrophic.”3 – Gartner

Asset: Visibility

Server, desktop, and network infrastructure: Visible, but patching everything isn’t possible

Web apps, mobile, laptop: Inconsistent visibility

Containers: No visibility or inconsistent visibility

Enterprise IoT: No visibility or inconsistent visibility


Problem #3: Digital transformation creates cyber risk

Most organizations are executing some kind of digital transformation strategy. According to a 2018 digital transformation survey conducted by Tech Pro Research, 70% of survey respondents said their companies either have a digital transformation strategy in place or are working on one.4

CISOs lack visibility into everything. Here are some of the forces at play:

Cloud • Dramatically increases an organization’s attack surface • CISOs lack visibility into cloud assets • On-prem and cloud-specific solutions only provide siloed visibility

Shadow IT • CISOs and IT lack visibility into assets • CISOs and Legal lack insight into terms and conditions that may violate security policies, laws and regulations

Hyper-growth • Fast asset acquisition may disregard product-related security risks • CISOs and IT lack visibility into assets

Mergers and acquisitions • CISOs cannot assess the actual inventory • Consolidation may cause lost or hidden assets

Remote employees/road warriors • Assets may be lost, stolen or compromised • Lack of company ownership may preclude visibility • If a tracking agent isn’t installed, asset usage may violate company policies • Often use dynamic IP addresses • Connect to public Wi-Fi for convenience

New assets are constantly entering the organization. CISOs are responsible for security breaches, regardless.


Operational reasons CISOs lack visibility

Limited resources

• The security team is small. Modern security requires such a broad and varied set of skills and expertise that security teams inevitably have gaps.
• Finding and retaining security staff is difficult.

IT disconnects

• CMDB data is often outdated.
• Firewalls block network scans, so scanners never reach some segments.
• IT Ops can’t patch software fast enough.
• The relationship between security and IT Ops can be contentious.

Limited budgets

• Budgets can’t keep pace with evolving threats.
• It’s not just the cost of buying the technology; the technology has to be managed and maintained.
• Proving ROI can be hard.

No aggregation layer

• Security technologies lack a common language.
• Missing integration and interoperability mean that security domains live in isolated silos.
• There’s no single source of truth that provides visibility into everything.

Figure 2. Organizational challenges compound the problem


Prioritizing threats makes security and IT Ops more efficient. CISOs can focus on the vulnerabilities that matter most to the business and demonstrate better ROI on cybersecurity investments.

Vulnerabilities are growing and attackers have the advantage

Vulnerabilities are growing. More than 25% of them are classified as Critical or High.5 But only 10% of all vulnerabilities have known exploits.

In its recent report, Quantifying the Attacker’s First-Mover Advantage, Tenable Research analyzed the 50 most prevalent critical- and high-severity vulnerabilities across just under 200,000 vulnerability assessment scans over a three-month period, measuring the time between an exploit becoming available and the first scan that detected the vulnerability. What did they find?

Alarmingly, all too often, the attackers have the advantage. On average, they have a seven-day head start on defenders. Threat actors are sprinting ahead, exploiting vulnerabilities before security teams have even left the starting blocks – before businesses even know they’re at risk.


How CISOs prioritize vulnerabilities today

Challenges

Focus
• CISOs focus on Critical vulnerabilities
• Hackers know that, so their focus includes High and Medium exploits

Context
• What are hackers focusing on now?
• Which vulnerabilities would have the most severe business impact?
• Is an employee, contractor or customer using the asset?
• Is the asset involved in running a critical business process?

Vulnerability-to-exploit relationship
• Vulnerability-to-exploit ratio: There’s a vulnerability, but are attackers targeting it?
• Emerging methods hackers plan to use – and are using – to bridge the gap

“65% of surveyed organizations say they find it difficult to prioritize what needs to be patched first.”6 – Ponemon Institute

Figure 3. Prioritization using CVSS scores


Step 1 is visibility across all assets

CISOs need complete visibility into all their company’s IT assets, both physical and virtual. Without that, it’s impossible to understand the actual scope of vulnerabilities and take appropriate remedial action.

In the absence of a platform capable of providing that level of visibility, CISOs are constrained by budget, resources and the ephemeral nature of virtual assets.

IoT devices and cloud assets compound the problem because CISOs might not have relationships with the business leaders whose lines of business use them, whether they’re medical devices or sensor-based equipment operating in the field. Yet, those IoT devices are connected to the Internet and may be compromised.

In short, the modern attack surface has created a massive gap in an organization’s ability to truly understand their Cyber Exposure.

The assets highlighted in Figure 4 (shown in red in the original graphic) can’t be seen and analyzed effectively with traditional vulnerability management tools. This represents the Cyber Exposure gap. The larger the gap, the greater the risk of a business-impacting cyber event occurring.

Opportunistic attackers focus on a subset of vulnerabilities. Identifying those vulnerabilities should be your first priority. Here’s how to do it.

Figure 4. Organizations face a Cyber Exposure gap


How CISOs should prioritize vulnerabilities

CVSS scores alone are not adequate. You need a risk-driven approach that prioritizes critical assets and vulnerabilities known to be targeted by attackers.

Cyber Exposure analysis and scoring weighs vulnerabilities, threat data and the asset’s business value and criticality, giving you clear guidance about where to focus remediation efforts based on risk. Instead of being limited to raw vulnerability data, you can manage by context-relevant Cyber Exposure scoring, allowing you to prioritize remediation according to the actual risk to your organization.

Vulnerability Data + Threat Intelligence + Asset Criticality = Cyber Exposure Risk Score

Cyber Exposure risk scores enable CISOs to focus their efforts.

“Prioritization of vulnerabilities is also essential—for example, based on scanner scores or CVSS scores as well as understanding the business importance of the affected system. By integrating threat intelligence, security teams can factor in whether a vulnerability has been weaponized or is part of an active campaign.”6 – Ponemon Institute

Vulnerability Data
• How critical is the vulnerability?
• Have we looked everywhere?

Threat Intelligence
• Is the vulnerability currently being exploited?
• How probable is it that the vulnerability will be exploited in the future?

Asset Criticality
• What are the characteristics of the asset?
• What’s the potential risk to the business if the asset isn’t protected?
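The three inputs above can be turned into a working ranking. The following is an added example, not Tenable’s scoring algorithm or any code from the original primer: it combines a CVSS base score (vulnerability data) with a threat-intelligence weight and an asset-criticality weight, then compares the resulting order with a CVSS-only order. The weights, the criticality tiers, the internet-facing multiplier and the five sample findings are all assumptions constructed for illustration; a real program would derive criticality from its asset inventory and the threat state from its intelligence feeds.

```python
"""Risk-driven vulnerability prioritization versus CVSS-only ordering.

Added example. The formula, weights and sample findings are assumptions
made for illustration; they are not Tenable's Cyber Exposure scoring.
"""
from dataclasses import dataclass

# Assumed asset-criticality tiers (in practice: from the CMDB / business-process map).
ASSET_CRITICALITY = {"low": 1.0, "medium": 2.0, "high": 3.0, "critical": 4.0}

# Assumed threat-intelligence multipliers: how much a known exploit raises priority.
THREAT_WEIGHT = {
    "none": 1.0,             # no public exploit known
    "poc": 1.5,              # proof-of-concept published
    "weaponized": 2.5,       # exploit in a kit or malware family
    "active_campaign": 3.5,  # observed being exploited in the wild
}
INTERNET_FACING_MULTIPLIER = 1.5  # assumed: reachable by opportunistic attackers


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    asset: str
    cvss: float           # CVSS base score, 0.0 to 10.0
    threat: str           # key of THREAT_WEIGHT
    criticality: str      # key of ASSET_CRITICALITY
    internet_facing: bool = False


def cvss_severity(score: float) -> str:
    """Qualitative rating per the CVSS v3.x severity scale."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def risk_score(f: Finding) -> float:
    """Vulnerability data x threat intelligence x asset criticality (assumed formula)."""
    score = f.cvss * THREAT_WEIGHT[f.threat] * ASSET_CRITICALITY[f.criticality]
    if f.internet_facing:
        score *= INTERNET_FACING_MULTIPLIER
    return score


def rank_by_cvss(findings):
    """The 'fix all Criticals first' ordering the primer argues is not enough."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def rank_by_risk(findings):
    """Risk-driven ordering using threat and asset context."""
    return sorted(findings, key=risk_score, reverse=True)


def top_n_ids(findings, n, ranker):
    return [f.vuln_id for f in ranker(findings)[:n]]


def focus_set(findings, min_risk):
    """Shrink the scope: only findings at or above the risk threshold are worked."""
    return [f.vuln_id for f in rank_by_risk(findings) if risk_score(f) >= min_risk]


# Constructed sample findings (hypothetical identifiers and assets).
SAMPLE_FINDINGS = [
    Finding("V-1", "dev-test-01", 9.8, "none", "low"),
    Finding("V-2", "customer-portal", 7.5, "active_campaign", "critical", True),
    Finding("V-3", "hr-db-02", 6.5, "weaponized", "high"),
    Finding("V-4", "build-agent-07", 9.1, "poc", "medium"),
    Finding("V-5", "payments-api", 4.3, "active_campaign", "critical", True),
]

if __name__ == "__main__":
    print("CVSS-only order:", top_n_ids(SAMPLE_FINDINGS, 5, rank_by_cvss))
    print("Risk order:     ", top_n_ids(SAMPLE_FINDINGS, 5, rank_by_risk))
    for f in rank_by_risk(SAMPLE_FINDINGS):
        print(f"{f.vuln_id} {cvss_severity(f.cvss):8} cvss={f.cvss:<4} "
              f"threat={f.threat:15} asset={f.criticality:8} risk={risk_score(f):.1f}")
    print("Focus set (risk >= 40):", focus_set(SAMPLE_FINDINGS, 40.0))
```

Run as written, the CVSS-only order puts V-1 (a 9.8 on a throwaway test host with no known exploit) first, while the risk order puts it last and moves the actively exploited 7.5 and 4.3 on internet-facing critical assets to the top. That is the “hackers focus on High and Medium exploits” point from the previous page expressed as a ranking: severity alone mis-orders the work. The multipliers are deliberately coarse; the point is that exploit status and asset value change the order, not the specific numbers.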


Focus: CISOs can focus on the subset of vulnerabilities that would have the greatest business impact.

Resource Allocation: Prioritizing vulnerabilities requires fewer resources – and resources can be allocated more effectively.

Figure 5. The Key to Prioritization – Shrinking the Scope


Conclusion

Most CISOs are able to say that X many people are working on Y number of cases or that their company has Z number of critical vulnerabilities open. How do those numbers translate to a lesser likelihood that the company will be breached? They don’t.

Reducing numbers alone does not lower cyber or business risk. Minimizing the vulnerabilities that matter is what makes the difference. Want to learn more?

Watch the Predictive Prioritization webinar

1. Gartner Security and Risk Management Summit 2018 Presentation, Fix What Matters: Provide DevOps Teams With Risk-Prioritized Vulnerability Guidance, Dale Gardner, June 4-7, 2018.
2. http://lookbook.tenable.com/ponemonreport/ponemon-report-2018
3. Gartner, “Seven Imperatives to Adopt a CARTA Strategic Approach,” April 2018.
4. https://www.zdnet.com/article/survey-despite-steady-growth-in-digital-transformation-initiatives-companies-face-budget-and-buy-in/
5. Tenable.io analysis based on NVD data.
6. Ponemon Institute, “Today’s State of Vulnerability Response: Patch Work Demands Attention.”


7021 Columbia Gateway Drive Suite 500 Columbia, MD 21046

North America +1 (410) 872-0555

www.tenable.com

COPYRIGHT 2019 TENABLE, INC. ALL RIGHTS RESERVED. TENABLE, TENABLE.IO, TENABLE NETWORK SECURITY, NESSUS, SECURITYCENTER, SECURITYCENTER CONTINUOUS VIEW AND LOG CORRELATION ENGINE ARE REGISTERED TRADEMARKS OF TENABLE, INC. TENABLE.SC, LUMIN, ASSURE, AND THE CYBER EXPOSURE COMPANY ARE TRADEMARKS OF TENABLE, INC. ALL OTHER PRODUCTS OR SERVICES ARE TRADEMARKS OF THEIR RESPECTIVE OWNERS.

01/07/19 V02

