Many security teams seem to be caught in a tightening vise: more alerts from more detection tools on one side, and a remediation bottleneck on the other, which may - or may not - be exposing their organization to elevated risk. Identifying what to focus on is a challenge, but so is getting the fix implemented. In this blog, we explore some key tips on how to take the next step.
1. Convert (Big) Data into Information
Implementing more detection tools to account for an expanded attack surface doesn’t just mean more alerts - it also means security teams are dealing with a fragmented set of security data sources.
Because of this diversity, and because the same weakness is often reported by several tools in different formats, the first-order problem faced by security teams is a data problem. It is not only a problem of data volume and format, however.
Security teams need to eliminate duplicate findings while also elevating the most urgent risks: determining how findings are related across tools, and which assets are both the most exposed and the most valuable to the organization.
Big data techniques can bring clarity. Flexible and extensible data models and pipelines can serve as the cornerstone for normalizing, enriching, correlating and contextualizing findings from a greater range and number of data sources, with the benefit amplified when combined with asset deduplication and profiling.
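As an added illustration of the normalize / deduplicate / correlate pipeline described above (example code written for this post, not part of the original article or any vendor's product), the block below takes two constructed exports that mimic a network scanner and a cloud posture tool, maps both onto one canonical finding record, merges asset records that share an identifier, collapses duplicate (asset, CVE) pairs while remembering every tool that reported them, and groups the result by asset. All field names, hostnames, IPs and CVE identifiers are invented sample data.

```python
"""Normalize, deduplicate and correlate findings from two tools.

Constructed example: the two exports below mimic a network scanner and a
cloud posture tool with different field names and severity vocabularies.
They are invented sample data, not real tool output.
"""
from dataclasses import dataclass, field

NETWORK_SCANNER = [  # host-centric, uppercase severities (constructed)
    {"host": "web-01.corp.example", "ip": "10.0.1.5", "cve": "CVE-2024-0001", "severity": "HIGH"},
    {"host": "web-01.corp.example", "ip": "10.0.1.5", "cve": "CVE-2024-0002", "severity": "MEDIUM"},
    {"host": "db-01.corp.example", "ip": "10.0.2.9", "cve": "CVE-2024-0003", "severity": "CRITICAL"},
]
CLOUD_POSTURE = [  # instance-centric, one record per asset, lowercase "risk" (constructed)
    {"resource_id": "i-0abc", "private_ip": "10.0.1.5", "vulnerabilities": ["CVE-2024-0001", "CVE-2024-0009"], "risk": "high"},
    {"resource_id": "i-0def", "private_ip": "10.0.3.1", "vulnerabilities": ["CVE-2024-0003"], "risk": "critical"},
]

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass
class Finding:
    asset_key: str          # canonical asset id assigned by AssetRegistry
    cve: str
    severity: str           # normalized to the lowercase vocabulary above
    sources: set = field(default_factory=set)


class AssetRegistry:
    """Asset deduplication: records sharing any identifier (hostname, IP,
    cloud resource id) are treated as the same asset. Merges are first-seen
    wins; a production version would use union-find for transitive merges."""

    def __init__(self):
        self.assets = {}  # asset_key -> set of identifiers

    def resolve(self, identifiers):
        ids = {i for i in identifiers if i}
        for key, known in self.assets.items():
            if known & ids:
                known |= ids
                return key
        key = f"asset-{len(self.assets) + 1}"
        self.assets[key] = ids
        return key


def normalize(registry):
    """Map each tool's schema onto the canonical Finding."""
    out = []
    for r in NETWORK_SCANNER:
        key = registry.resolve([r["host"], r["ip"]])
        out.append(Finding(key, r["cve"], r["severity"].lower(), {"network_scanner"}))
    for r in CLOUD_POSTURE:
        key = registry.resolve([r["resource_id"], r["private_ip"]])
        for cve in r["vulnerabilities"]:
            out.append(Finding(key, cve, r["risk"].lower(), {"cloud_posture"}))
    return out


def dedupe(findings):
    """Collapse findings for the same (asset, CVE); keep the highest severity
    and remember every tool that reported it."""
    merged = {}
    for f in findings:
        k = (f.asset_key, f.cve)
        if k not in merged:
            merged[k] = Finding(f.asset_key, f.cve, f.severity, set(f.sources))
            continue
        m = merged[k]
        m.sources |= f.sources
        if SEVERITY_RANK[f.severity] > SEVERITY_RANK[m.severity]:
            m.severity = f.severity
    return list(merged.values())


def correlate(findings):
    """Group unique findings by asset so related exposures are seen together."""
    by_asset = {}
    for f in findings:
        by_asset.setdefault(f.asset_key, []).append(f)
    return by_asset


def run_pipeline():
    registry = AssetRegistry()
    unique = dedupe(normalize(registry))
    return registry, unique, correlate(unique)


if __name__ == "__main__":
    reg, unique, by_asset = run_pipeline()
    print(f"{len(reg.assets)} assets, {len(unique)} unique findings")
    for key, fs in by_asset.items():
        print(key, sorted(reg.assets[key]), [(f.cve, f.severity, sorted(f.sources)) for f in fs])
```

On this sample the six raw records collapse to three assets and five unique findings: the scanner's host and the cloud tool's instance are recognized as one asset through the shared private IP, and CVE-2024-0001 on it is kept once with both sources attached. The first-seen merge rule is the caveat to watch: if identifiers only overlap transitively across records, a union-find structure is needed to avoid splitting one asset in two.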
2. Assess and Understand Risk
Arriving at a prioritization of findings and exposures is often a complex mathematical exercise involving manual manipulation of spreadsheets. Instead, security teams should be able to communicate the relative security and business impact of fixing a finding, or compensating for the associated risk, compared with the risk of doing nothing.
The operational intent behind risk assessment is, of course, to validate and prioritize. After all, if security teams can’t effectively determine and then communicate what to fix (with some degree of certainty), in what order, and why, they can’t effectively collaborate with the fixer. Moreover, without a common risk understanding as a baseline, the organization as a whole can’t effectively manage risk posture.
Investments in risk-based prioritization also pay dividends across the remediation lifecycle. Automation and contextualization mean security teams spend less time in “Excel hell”, and they can better communicate downstream with operations, engineers and developers where to focus first. Tracking remediation tasks in order of priority provides a more realistic view of risk remediation state - rather than a count of vulnerabilities remediated, with no clear linkage to the relative impact on risk posture.
Three-dimensional context - the asset on which vulnerabilities and exposures are discovered, the application it belongs to, and the business value of that application - enables security teams to automate what is otherwise a subjective assessment of technology risk.
Supplemented with threat intelligence, known-exploitation status from the CISA Known Exploited Vulnerabilities (KEV) catalog, and exploit probability scores from the Exploit Prediction Scoring System (EPSS), security teams can radically reduce the time spent assessing priorities and maintain a much more automated process for surfacing the highest-risk findings - and for seeing how they relate to each other through asset linking.
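The scoring below is an added worked example of the prioritization idea in this section (written for this post; it is not the article's own formula or any product's algorithm). It combines CVSS severity, exploit likelihood (KEV membership overriding an EPSS probability), asset exposure and business value into one multiplicative score, then rolls findings up per asset. The KEV set, EPSS values, assets and findings are all constructed for illustration; real KEV and EPSS data change daily and must be pulled from CISA and FIRST.

```python
"""Risk-based prioritization: CVSS x exploit likelihood x exposure x business value.

Added example with constructed data. KEV membership and EPSS probabilities
below are invented for illustration; real values come from the CISA KEV
catalog and the FIRST EPSS feed and change daily.
"""

KEV = {"CVE-2024-0002"}                      # constructed: pretend this CVE is in KEV
EPSS = {"CVE-2024-0001": 0.02,               # constructed probabilities (0..1)
        "CVE-2024-0002": 0.61,
        "CVE-2024-0003": 0.004}

ASSETS = {  # constructed asset context from the asset profile
    "web-01": {"internet_facing": True,  "business_value": "high", "app": "payments"},
    "dev-07": {"internet_facing": False, "business_value": "low",  "app": "sandbox"},
}
FINDINGS = [  # constructed unique findings (after deduplication)
    {"asset": "dev-07", "cve": "CVE-2024-0003", "cvss": 9.8},
    {"asset": "web-01", "cve": "CVE-2024-0002", "cvss": 6.5},
    {"asset": "web-01", "cve": "CVE-2024-0001", "cvss": 8.1},
]
VALUE_WEIGHT = {"high": 1.0, "medium": 0.6, "low": 0.3}


def exploit_likelihood(cve, kev=KEV, epss=EPSS):
    """KEV is a binary 'exploited in the wild' signal and overrides EPSS;
    otherwise use the EPSS probability, defaulting to 0 for unscored CVEs."""
    if cve in kev:
        return 1.0
    return epss.get(cve, 0.0)


def risk_score(finding, assets=ASSETS):
    """Multiplicative score so that a weak factor (unreachable, low value, never
    exploited) pulls priority down. The 0.2 floor keeps unexploited criticals
    from dropping to zero: they still need a fix, just not first."""
    a = assets[finding["asset"]]
    severity = finding["cvss"] / 10.0
    likelihood = 0.2 + 0.8 * exploit_likelihood(finding["cve"])
    exposure = 1.0 if a["internet_facing"] else 0.4
    value = VALUE_WEIGHT[a["business_value"]]
    return round(100 * severity * likelihood * exposure * value, 1)


def prioritize(findings=FINDINGS, assets=ASSETS):
    """Return findings ordered highest risk first, with their score attached."""
    scored = [dict(f, score=risk_score(f, assets)) for f in findings]
    return sorted(scored, key=lambda f: f["score"], reverse=True)


def asset_risk(ranked):
    """Asset linking: roll findings up per asset (max score) so the asset with
    the worst exposure surfaces, and its related findings travel with it."""
    roll = {}
    for f in ranked:
        entry = roll.setdefault(f["asset"], {"score": 0.0, "cves": []})
        entry["score"] = max(entry["score"], f["score"])
        entry["cves"].append(f["cve"])
    return roll


if __name__ == "__main__":
    ranked = prioritize()
    for f in ranked:
        print(f'{f["score"]:5.1f}  {f["asset"]:7}  {f["cve"]}  cvss={f["cvss"]}')
    print(asset_risk(ranked))
```

The point the sample makes is the one the section argues for: the CVSS 6.5 finding that is in KEV on the internet-facing payments host (score 65.0) outranks both the CVSS 8.1 on the same host with a 2% EPSS (17.5) and the CVSS 9.8 on the internal, low-value sandbox box (2.4). Sorting by CVSS alone would have put that sandbox finding first. The weights are a policy choice and should be tuned per organization; what matters is that the choice is explicit and repeatable rather than buried in a spreadsheet.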
3. Find the Right Fixer
Just as new technology adoption has put existing vulnerability management approaches under enormous strain, security teams often struggle to identify a fix owner across distributed teams - and to differentiate between asset owners and fix owners, who are not always the same people.
Closing the ownership gap reduces the time security teams spend spinning their wheels, and avoids gaps in the understanding of who is accountable for a given risk.
By enriching asset profiles with analysis of organizational structure, access logs and identity directory group membership, organizations can start to make solid, evidence-based assumptions about who is responsible for the fix. Interaction with and feedback from the fixers can then guide ongoing refinement of the assignment.
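The block below is an added example of the ownership inference just described, written for this post and not taken from the article or any product. It ranks the available evidence: a fixer's own reassignment first, then an explicit fix_owner tag (which may differ from the asset owner tag), then weighted access-log activity resolved to teams through directory group membership. The directory export, asset tags, log events and weights are all constructed and hypothetical.

```python
"""Infer a likely fix owner for an asset from tags, directory groups and access logs.

Added example with constructed data: the directory export, asset tags and
access-log events are invented, and the scoring heuristic is an illustration
of the approach in the text, not any product's algorithm.
"""
from collections import Counter

DIRECTORY = {  # constructed identity-directory export: group -> members
    "team-payments": {"alice", "bob"},
    "team-platform": {"carol"},
}
ASSET_PROFILES = {  # constructed asset profiles; asset owner and fix owner can differ
    "web-01": {"tags": {"owner": "team-payments", "fix_owner": "team-platform"}},
    "job-03": {"tags": {}},   # no ownership tags: must infer from activity
}
ACCESS_LOG = [  # constructed events: (asset, actor, action)
    ("job-03", "carol", "deploy"), ("job-03", "carol", "ssh"),
    ("job-03", "alice", "ssh"),    ("web-01", "bob", "deploy"),
]
REASSIGNMENTS = {}  # fixer feedback: asset -> team the fixer reassigned it to


def team_of(actor, directory=DIRECTORY):
    """Resolve an actor to a team through directory group membership."""
    return next((g for g, members in directory.items() if actor in members), None)


def infer_fix_owner(asset):
    """Return (team, confidence, evidence). Evidence is ranked:
    1. explicit fixer feedback, 2. a fix_owner tag, 3. an owner tag,
    4. weighted access-log activity resolved to teams via the directory."""
    if asset in REASSIGNMENTS:
        return REASSIGNMENTS[asset], 1.0, "fixer feedback"
    tags = ASSET_PROFILES.get(asset, {}).get("tags", {})
    for tag in ("fix_owner", "owner"):
        if tags.get(tag) in DIRECTORY:
            return tags[tag], 0.9, f"{tag} tag"
    votes = Counter()
    for a, actor, action in ACCESS_LOG:
        team = team_of(actor)
        if a == asset and team:
            votes[team] += 2 if action == "deploy" else 1  # deployers more likely own the fix
    if not votes:
        return None, 0.0, "no evidence"
    team, n = votes.most_common(1)[0]
    return team, round(n / sum(votes.values()), 2), "access-log activity"


def record_feedback(asset, team):
    """Close the loop: a fixer's reassignment overrides the inference next time."""
    REASSIGNMENTS[asset] = team


if __name__ == "__main__":
    for asset in ("web-01", "job-03"):
        print(asset, infer_fix_owner(asset))
```

The confidence value is what makes this usable in a ticketing hand-off: a 0.75 from log activity should be presented to the fixer as a proposal they can reject, and a rejection is recorded so the same asset is not misrouted again. Tag-based assignments also need a check that the named group still exists in the directory, which is why the lookup only accepts tags that resolve to a known group.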
4. Mobilize, Don’t Paralyze
Mobilization - as Gartner terms the process in the analyst firm’s Continuous Threat Exposure Management model - involves acknowledging and communicating to all stakeholders with the aim of remediation and measurement. The key element here is communication, as part of an iterative discussion. Instead of pushing a list to operations, developers and engineers, mobilization should be part of a feedback process.
The first component is how, and what, information security teams provide. Fix guidance should incorporate business context, be specific to the assets the fixer (or fixer team) is responsible for, and be delivered into their daily workflow through ticketing integration. In addition to the relative risk, security teams should provide recommendations for practical steps to implement a fix.
The second component is facilitating the response from fixers. If the fixer requires more information, or wants to give feedback on the remediation guidance, the interaction should be managed through a consolidated, centralized console - without the security team having to log in to each ticketing or workflow tool.
The third component is ongoing communication. Bidirectional integration with the ticketing and workflow tools used by the fix owner helps not just with the initial hand-off, but also with maintaining communication between the security team and the fix owner as the fix progresses.
5. Resolution Is The Sum of the Parts
Not every vulnerability can be fixed, and not every patch can be automated. Often, security and operations teams can implement a compensating control for an unremediated risk. And sometimes teams will flag a false positive, even after a validation process. Having a range of resolution options and paths allows organizations to collaborate, iterate and improve on a cross-functional resolution lifecycle.
The issue for many organizations is that remediation is treated as a linear exercise instead of the last mile of a feedback loop. By bridging the security team's identification of risk with the operations team's treatment of it, teams gain consolidated visibility into the process. Instead of finger pointing, security and operations can track the lifecycle of individual findings, and of groups of findings, by team and across teams through a unified process.
How Silk Helps
Silk is the first platform for unified risk prioritization and resolution - built by practitioners for practitioners. Silk automates technology risk assessment and prioritization by consolidating, correlating and contextualizing findings across tools, and facilitates operationalization with predictive ownership assignment, bidirectional workflow communication and end-to-end tracking and reporting of resolution tasks.