Whether it’s a vulnerability, AppSec or an exposure finding, security teams typically manage findings on an individualized - or atomic - basis, and are heavily dependent on the tool that detected the issue for information on what to do next.
This atomic approach can usually only scale linearly - or by adding more security analysts. More fundamentally, this approach compels teams to focus on quantitative metrics (such as lowering the overall number of un-remediated vulnerabilities), rather than qualitative metrics (how much have we reduced risk, or how have we improved the efficiency of the remediation process, for example).
By ‘reverse engineering’ the application through Silk Security’s asset linking capability, security teams gain a systemic and actionable understanding of both the relationships between security findings and their directionality. This ‘application composite view’ allows security teams to clearly visualize how assets (and sets of assets) are architecturally related as components of a specific application. An asset can be a physical host, VM, container, cloud resource, service or code repository.
Security teams can use root cause analysis to clearly pinpoint high-impact fixes that resolve multiple upstream findings, marshal finite resources where risk reduction counts most for business imperatives, and engage with the right fixer for better collaboration.
Since security teams can perform assessment for a set of related findings (as opposed to individual findings in isolation) based on both security and business risk, they can provide informed judgment on how resolution decisions (remediate, accept or mitigate) impact the enterprise’s overall risk posture.
Two (separate) halves of the resolution pie don’t equal one whole
Improving findings prioritization is more urgent because of growing alert backlogs, fragmented detection tool sets, and greater awareness of the risk posed by the resulting partial visibility across the expanding attack surface. But better prioritization is only one half of the picture: the finding still needs to be put into the hands of the right fixer to resolve it appropriately - ideally in accordance with enterprise risk tolerance thresholds.
Without an effective platform for collaboration, security teams are engaged in information collection - not taking action to reduce the exposure window for findings with the most business impact.
The expanded attack surface is itself the result of operations, development and IT adopting new technologies and building applications on new infrastructure. Being more effective in prioritization through the use of modern data pipelines, and correlating with asset intelligence and threat intel still leaves the other half of the equation open: how to effectively collaborate with a more distributed set of fixers with different operational responsibilities.
More often than not, tools that emphasize prioritization stop short of enabling operationalization (or mobilization, as Gartner describes this phase of the process), since they fail to consider the organizational, development and process changes that contribute to the expanded attack surface.
From atomic myopia to composite awareness
As an integral building block of our platform, Silk has integrated deduplication, assessment and analysis of findings with profiling of the assets where they are detected. This not only turbo-charges deduplication, but also provides the foundation for the asset linking capability to understand how assets and findings are related, and to build a perspective of the application that these relationships comprise.
The composite view underpins more efficient assessment processes to identify high-impact fixes that resolve many more upstream findings, and allows teams to orient resources on findings that are high risk from both a security and a business perspective.
Security teams can incorporate business impact into risk assessment, and operationalize based on mapping of organizational structure and fix responsibility.
These features underpin a series of iterative benefits:
Asset relationship linking for high impact fix identification via root cause analysis
- Identify high-impact fixes using root cause analysis to pinpoint the earliest point in the software development cycle, whether at the code repo or in Infrastructure as Code (IaC) template, that a vulnerability or exposure was introduced.
Application composite visualization for integrated security and business risk assessment
- Security teams can answer how a linked asset relates to an application, and what the business value of that application is. This view also leverages Silk’s use of asset labels, subjective weightings and custom rules to reflect relative priority.
- A holistic view of risk that takes into account severity, likelihood of exploit, and linkage context alongside business value risk improves the ability of constrained security teams to not only reduce the number of upstream vulnerabilities, but also to positively impact risk posture - as opposed to constantly mopping up CVE counts.
Contextual Risk Scoped Orchestration
- With the application composite view in place, security teams can start to operate strategically, align with the right set of stakeholders on overall security priorities, and clearly frame remediation activities in the context of enterprise risk tolerance. They can draw a clear connection between risk resolution decisions and their potential impact on the business.
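The root cause analysis and holistic risk scoring described above, as an added illustration that is not Silk's own code or data model: a constructed inventory of linked assets (code repo, IaC template, VMs, container) with findings attached, a ranking of fix points by how many downstream findings a fix there would resolve (earliest point in the development cycle wins ties), and a composite score that weights severity and exploit likelihood by business value and linkage context. The asset and finding records, the propagation rule (a fix at an asset resolves findings on everything derived from it) and the scoring weights are all simplifying assumptions.

```python
# Constructed sample inventory (assumption, not Silk's schema): each asset has
# a type, a business value (1-5) and the upstream asset it was derived from.
ASSETS = {
    "repo:payments":     {"type": "code_repo",    "value": 5, "upstream": None},
    "iac:payments-base": {"type": "iac_template", "value": 4, "upstream": "repo:payments"},
    "vm:pay-web-1":      {"type": "vm",           "value": 4, "upstream": "iac:payments-base"},
    "vm:pay-web-2":      {"type": "vm",           "value": 4, "upstream": "iac:payments-base"},
    "ctr:pay-api":       {"type": "container",    "value": 5, "upstream": "vm:pay-web-1"},
    "vm:blog-1":         {"type": "vm",           "value": 1, "upstream": None},
}

# Constructed findings: (finding id, asset id, severity 1-10, exploit likelihood 0-1).
FINDINGS = [
    ("F1", "vm:pay-web-1", 7, 0.6),
    ("F2", "vm:pay-web-2", 7, 0.6),
    ("F3", "ctr:pay-api",  9, 0.8),
    ("F4", "vm:blog-1",    9, 0.9),   # highest severity, but an isolated low-value asset
]

def downstream(asset_id):
    """All assets derived (transitively) from asset_id, following link direction."""
    out, stack = set(), [asset_id]
    while stack:
        cur = stack.pop()
        for aid, a in ASSETS.items():
            if a["upstream"] == cur and aid not in out:
                out.add(aid)
                stack.append(aid)
    return out

def depth(asset_id):
    """Hops from the earliest upstream asset; 0 means a root such as a code repo."""
    hops, cur = 0, ASSETS[asset_id]["upstream"]
    while cur is not None:
        hops, cur = hops + 1, ASSETS[cur]["upstream"]
    return hops

def findings_resolved_by_fixing(asset_id):
    """Assumption: a fix at an asset resolves findings on it and on all derived assets."""
    scope = {asset_id} | downstream(asset_id)
    return sorted(f[0] for f in FINDINGS if f[1] in scope)

def root_cause_candidates():
    """Rank fix points by findings resolved, preferring the earliest point in the SDLC."""
    ranked = [(aid, len(findings_resolved_by_fixing(aid))) for aid in ASSETS]
    return sorted(ranked, key=lambda kv: (-kv[1], depth(kv[0]), kv[0]))

def composite_risk(finding_id):
    """Severity x likelihood, scaled by business value and linkage (1 + downstream assets)."""
    _, aid, sev, likelihood = next(f for f in FINDINGS if f[0] == finding_id)
    linkage = 1 + len(downstream(aid))
    return round(sev * likelihood * ASSETS[aid]["value"] * linkage, 2)
```

In this sample, fixing the payments repo or its IaC template resolves three findings at once, and F4 ranks last on composite risk despite having the highest raw severity.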
Taking a broader perspective for better decision making
In place of simply operating on individual findings on a specific single asset, Silk’s application composite view allows security teams to take in a broader perspective of security and business risk, while improving orchestration of communication and collaboration with development and operations stakeholders.
With a stronger, and more automated linking of security risk with business risk, security teams can make better decisions on not just what to fix, but how quickly, and in what sequence. With a view of ownership and organizational interaction across the application components, they can also gain a clear picture of who is responsible for the fix.
Building another layer of context allows teams to start to think about the impact of risk resolution on the business - as well as consolidate reporting.