How to Tackle Cybersecurity Threats with a Risk-Based Approach


David Anteliz, senior technical director at Skybox Security, focuses on why organizations must move from a severity-focused outlook to a risk-centric one, giving the advantage back to security teams through proactive and comprehensive security strategies.

It’s no secret that cybersecurity strategies are falling behind. In a rapidly shifting threat landscape, a recent report found that 40% of chief security officers believe their organizations are not well prepared. This statistic reflects how digital transformation efforts have accelerated and attack surfaces have expanded over the last few years.

Meanwhile, cybercriminals are also growing more sophisticated, and the number of new vulnerabilities continues to increase. Even older vulnerabilities, such as Log4j, which was named an endemic vulnerability earlier this year, will remain a threat to organizations for years to come.

Earlier this year, the Skybox Research Lab revealed that 20,174 new vulnerabilities were published in 2021, up from 18,341 in 2020, highlighting how quickly the number of vulnerabilities in the wild is rising. In the past year, CISA has released over 30 alerts warning organizations of known exploited vulnerabilities, many of them affecting a wide range of industries. One example of an alert that impacted many devices and organizations was the Icefall vulnerabilities, which CISA alerted the public to back in June. The alerts addressed 56 vulnerabilities that impacted operational technology (OT) devices in several critical infrastructure environments worldwide. The affected vendors included major names such as Honeywell, Motorola, Omron, Siemens, Emerson, JTEKT, Bentley Nevada, Phoenix Contact, ProConOS, and Yokogawa.

The vulnerabilities in these devices were not sophisticated: the products were designed to minimize friction and to focus on health, safety and environmental (HSE) impact rather than on resisting attack. This enabled threat actors to discover and weaponize new exploits more quickly, resulting in a large number of vulnerabilities.

Cybersecurity has become a board-level concern. Security teams struggle to cope with increasing workloads driven by an expanding skills gap, increasingly fragmented networks, and gaps in visibility, remediation, and scanning. Security teams are tasked with solving the growing challenge of discovering and remediating the vulnerabilities with the highest business risk. The business impact of breaches can be monumental for organizations. Those who continue relying on traditional reactive approaches to cybersecurity will continue to fall behind as threats and pressure increase.

Vulnerability Scanners Aren’t Enough 

The commonly used “scan-and-patch” strategy neglects critical components of modern vulnerability management, particularly when setting remediation priorities. Scanners alone lack a complete picture of network topology, overload security operations with alerts, and, as a result, cannot correctly identify a company’s real exposure.

Traditional approaches, such as depending on spreadsheets and manual evaluation to obtain insight into vulnerabilities, can frustrate resource-constrained teams. These methods fail to include all the elements that determine vulnerability risk, leading security teams to inadvertently squander resources on issues that cybercriminals may never discover or know how to exploit.

Without well-timed and precise detection and prioritization of high-risk vulnerabilities, security teams will not succeed at decreasing the risk to the company, even if they are closing large numbers of vulnerabilities. It’s time for a new approach that turns cybersecurity from a reactive measure into an effective process that proactively identifies and reduces risk.

Recent NSA and CISA guidance emphasizes the importance of organizations moving on from traditional approaches to vulnerability management, stating that “traditional approaches to securing OT/ICS do not adequately address current threats to those systems.” The agencies recommend creating a full ‘connectivity inventory’ as a critical step in mitigation. The guidance also emphasizes the importance of addressing vulnerability exposure risks before hackers do. To successfully follow these recommendations, organizations must take a proactive approach to vulnerability management by learning to identify and prioritize exposed vulnerabilities across the entire threat landscape.

Adopting A Risk-Based Approach

Security teams should adopt a risk-based approach to vulnerability management, concentrating on eliminating the vulnerabilities that are visible to cybercriminals by using more sophisticated evaluation, prioritization, and remediation capabilities.

A risk-based approach to cybersecurity is essential to any cyber risk management program. By quantifying the probability of a risk and the impact it would have, organizations can make informed decisions about whether to mitigate, accept, or transfer that risk. This approach helps organizations allocate resources more effectively, which is more important than ever, and respond more quickly and effectively to threats. Risk-based management also aligns security priorities with the business and helps security leaders become more strategic in their views and outcomes.

While there are multiple aspects to a risk-based cybersecurity strategy, organizations should look to three critical components for successful implementation:

  • Exposure analysis: By conducting exposure analysis, organizations can identify exploitable vulnerabilities and correlate data within an organization’s network configurations and security controls to determine where cyberattacks pose the highest risk. This strategy determines the attack vectors or network paths that could be used to access vulnerable systems.   
  • Risk scoring: Cyber risk scoring gives organizations an objective measurement for evaluating security posture that considers a range of risk factors, including the financial impact of a critical asset going offline, exploitability via threat intelligence, exposure, and asset importance. Risk scoring allows organizations to quantify the cost to the business per day if adversaries compromise systems.
  • Vulnerability assessment and prioritization: This strategy allows organizations with complex environments and limited resources to focus their effort where it matters most by prioritizing the vulnerabilities that pose the most risk. To determine severity, vulnerability assessment and prioritization can automatically consider threat intelligence, asset context, and attack path analysis.
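As an added illustration of how the three components fit together (this is example code written for this page, not Skybox’s product logic or any published scoring standard), the Python below models a tiny network as allowed flows between zones, derives each asset’s exposure from whether an untrusted zone can reach it over any path, combines that with exploitability from threat intelligence and a constructed per-day asset value into a single risk score, and then compares the resulting remediation order with a CVSS-only order. The zones, flows, vulnerability ids (VULN-A to VULN-D) and dollar values are all constructed placeholders, and the weighting factors are assumptions chosen to make the contrast visible.

```python
"""Risk-based vulnerability prioritization: exposure analysis, risk scoring
and prioritization on constructed data (example code, not a real product)."""
from collections import deque
from dataclasses import dataclass

# Constructed network model: directed edges are flows the firewalls allow.
# In practice this comes from firewall/routing configuration, not hand input.
ALLOWED_FLOWS = {
    "internet": {"dmz"},
    "dmz": {"app"},
    "app": {"db"},
    "vpn": {"app", "mgmt"},
    "mgmt": {"db", "app", "dmz"},
}
UNTRUSTED_ZONES = {"internet"}


def reachable_zones(start: str, flows=ALLOWED_FLOWS) -> set:
    """Exposure analysis: BFS over allowed flows gives every zone an attacker
    positioned in `start` could reach, including multi-hop attack paths."""
    seen, queue = {start}, deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in flows.get(zone, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def exposure_factor(zone: str) -> float:
    """Assumed weighting: 1.0 if any untrusted zone can reach the asset's
    zone over some path, 0.25 otherwise (reachable only from inside)."""
    exposed = any(zone in reachable_zones(u) for u in UNTRUSTED_ZONES)
    return 1.0 if exposed else 0.25


@dataclass
class Vuln:
    vuln_id: str                 # placeholder ids, not real CVE numbers
    asset: str
    zone: str
    cvss: float                  # base severity, 0..10
    known_exploited: bool        # listed as exploited in the wild
    exploit_public: bool         # public exploit code exists
    asset_value_per_day: float   # constructed: cost per day if asset is down


def exploitability_factor(v: Vuln) -> float:
    """Assumed weighting from threat intelligence."""
    if v.known_exploited:
        return 1.0
    if v.exploit_public:
        return 0.6
    return 0.2


def importance_factor(v: Vuln, max_value: float) -> float:
    """Asset importance relative to the most valuable asset (0..1)."""
    return v.asset_value_per_day / max_value


def risk_score(v: Vuln, max_value: float) -> float:
    """severity x exploitability x exposure x importance, scaled to 0..100."""
    score = 10 * v.cvss * exploitability_factor(v) \
        * exposure_factor(v.zone) * importance_factor(v, max_value)
    return round(score, 2)


# Constructed findings: high CVSS on low-value, unexposed assets versus
# lower CVSS on exposed, high-value ones.
VULNS = [
    Vuln("VULN-A", "dev-jenkins", "mgmt", 9.8, False, False, 1_000),
    Vuln("VULN-B", "web-portal", "dmz", 7.5, True, True, 250_000),
    Vuln("VULN-C", "erp-db", "db", 8.8, False, True, 500_000),
    Vuln("VULN-D", "hr-laptop", "vpn", 9.1, False, False, 5_000),
]


def prioritize(vulns, by="risk"):
    """Return vulnerability ids in remediation order, by risk or by CVSS."""
    max_value = max(v.asset_value_per_day for v in vulns)
    if by == "risk":
        key = lambda v: risk_score(v, max_value)
    else:
        key = lambda v: v.cvss
    return [v.vuln_id for v in sorted(vulns, key=key, reverse=True)]


def exposed_cost_per_day(vulns) -> float:
    """Daily business cost at stake on assets an untrusted zone can reach."""
    return sum(v.asset_value_per_day for v in vulns
               if exposure_factor(v.zone) == 1.0)


if __name__ == "__main__":
    print("by CVSS:", prioritize(VULNS, by="cvss"))
    print("by risk:", prioritize(VULNS, by="risk"))
    print("exposed cost/day:", exposed_cost_per_day(VULNS))
```

Note how the ERP database ends up exposed even though nothing in the firewall model lets the internet talk to the `db` zone directly: the path internet → dmz → app → db exists, which is exactly the kind of multi-hop attack path that a scanner reporting CVSS alone never surfaces. The CVSS ordering puts the unexposed build server and a laptop first; the risk ordering puts the reachable, high-value, exploitable systems first.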

A risk-based approach to cybersecurity management is transformative, enabling organizations to focus on their most important assets, get out of firefighting mode, and proactively stay ahead of threats. Automated solutions make it possible to implement a risk-based approach quickly and effectively and save valuable time for security teams. They also provide the ability to monitor risk continuously and respond automatically to changes in real time. A recent industry benchmarking study found that 48% of organizations with no breaches in 2021 were leaders in risk-based cybersecurity.
