Cybersecurity Risk Assessment: Business Context Is Key
Sure, your laptop might have a dozen security vulnerabilities at any given time. But does that mean connecting to your company’s network will cripple the enterprise’s most valuable databases? Possibly not.
Not every cybersecurity vulnerability is a raging fire that needs to be put out, maintain Malcolm Harkins, Chief Security & Trust Officer and Rob Bathurst, Co-Founder & Chief Technology Officer, at Epiphany Systems, a cybersecurity decision intelligence platform provider. Organizations are facing a landscape where vulnerabilities x devices x individual identities = ever present, potentially dynamic exploitable conditions on a daily or hourly basis.
Given this massive volume of vulnerabilities—from IoT endpoints and other potential attack surfaces—firefighting is not realistically feasible.
Enterprises are so often dazzled by processes and tools that they get mired in them. “Instead of blindly patching every vulnerability that shows up on the security team’s radar, focus on those that will actually impact your business,” advises Harkins. “There is a difference between being vulnerable and being exploitable. Understanding that separation in the context of your business is critical to making informed decisions about cybersecurity.”
“To get there, think like an adversary,” advises Bathurst. “Too often, enterprises focus on bolting every door in the cybersecurity fortress, following a rigid checklist of to-dos,” Bathurst says. “Adversaries, on the other hand, think of the large picture. They figure out which enterprise asset might have the largest payout and work backward from there.”
For example, visualize a company’s in-house security team. They are probably focused on securing every single IoT endpoint to protect what the C-Suite may consider its most value asset: intellectual property. Attackers have an alternate point of view about value. When planning a cybersecurity breach on a company, adversaries might focus on extracting the human resources database, loaded with case files about personnel, and use that as a blackmail weapon. To get at such a database, hackers might target the employees who have access to it.
Understanding this other-side-of-the-fence adversarial point of view helps defenders to be able to orient themselves around that information and make cyber risk management decisions prioritizing exposure to the organization as if they were on the outside looking in.
Applying this revised context to our example, understanding who in the company has data administration privileges for the HR database will be key to securing those locks.
Enterprises have a critical checklist for must-haves in #cybersecurity: lowered risk, low cost, easy to deploy, and frictionless to use. @EpiSys checks all these boxes. via @insightdottech
The Computer Security Services That Companies Want
Enterprises have a critical checklist for must-haves in cybersecurity: lowered risk, low cost, easy to deploy, and frictionless to use. Epiphany Systems checks all these boxes. The decision intelligence platform works with a company’s existing cybersecurity portfolio to point out relevant problems.
Highlighting only high priority conditions that create a material risk helps enterprises zero in on problems that really matter and saves time and money.
Context Helps IoT Security
For example, one company experienced a critical vulnerability when Log4j—commonly used open-source code software for tracking past activity—surfaced on their network.
They faced a dizzying number of IoT and other devices that needed to be patched. The client leaned on Epiphany to prioritize risk and help them focus on the Log4j issues that would directly impact business. “The company didn’t have to pull itself through a knothole, trying to patch everything in a week,” Harkins says.
Instead, they created a more realistic to-do list: 50 systems that needed direct attention in the Log4j context; 500 additional points that would be “a kick in the shin, but would not kill the business;” and everything else moved to a quarterly patching cycle.
“Without our intelligence platform, it would’ve taken hundreds of hours of people’s time to go through and find not only where Log4j potentially was, but also what was important for remediation,” Bathurst says.
Making Work Easier for System Integrators
This ability to zero in on vulnerabilities that really matter also helps systems integrators serve their clients better. “You put Epiphany in, it’s going to shine a light on the particular areas where the organization might need improvements so SIs can focus their projects on the most impactful projects that reduce risk,” Bathurst says. In this way, the company identifies strategic projects for a global SI within a client environment.
Underneath the hood, Epiphany Systems leans on Intel® processors and is excited to explore neural compute technologies to expand machine learning at scale. The company also uses Intel to understand how potential hackers could target hardware. “Having a close collaboration with Intel really helps us understand how we can view those processes,” Bathurst says.
Context Is the Way of the Future and Time to Context is Key
As cybersecurity becomes more complex, and threat alerts grow, it is becoming clear that enterprises need a smarter strategy. “The defensive approach to cybersecurity risk assessment has oriented us in a way that has generated waste,” Harkins says. “We’ve got decades of data that says that we’re losing. It’s time to change.”
That change—the reset to a business relevance approach—is smarter and saves valuable time and effort. When companies are unable to answer the “How does this security vulnerability affect us?” question, Epiphany diverts resources to problems that truly impact business continuity. For smart cybersecurity today and tomorrow, context continues to be everything.
This article was edited by Georganne Benesch, Associate Editorial Director for insight.tech.