Part 1: Getting rid of the noise and focusing on the vulnerabilities that matter most
In this blog series, Tim Lawrence, a Synack solutions architect and former chief security officer, breaks down the essentials for a more effective and powerful cybersecurity strategy.
By Tim Lawrence
Building a stronger cybersecurity strategy starts with a solid foundation. That means looking first at the vulnerability management process to ensure it’s fine-tuned, so your organization can quickly find and remediate the threats that put businesses at risk. Fine-tuning reduces the noise so teams know where and how to focus their efforts—on the vulnerabilities that matter most.
During my 22-year career in cybersecurity, I’ve been guilty of bombarding the vulnerability management team with too much noise. As security professionals, we tend to rely too heavily on vulnerability scanners for our vulnerability results. We take those findings and send them to the remediation side of our team without really verifying whether those results are actually exploitable or represent a serious risk.
To address this problem, we need to move to a scan, validate, remediate and test mentality.
Scanners are great because they get us going in a general direction, but we need to turn that scan data into something actionable for the team. To do that, we validate each scan finding to make sure it is truly exploitable and a risk to our business. Once there is tangible evidence that a vulnerability is exploitable and poses a risk, we pass that information to the remediation experts. After the remediation team has completed its work, we verify the issue is no longer a risk to the business: we test that the remediation actually did the job.
The reality is that security teams never grow as fast as the companies they support. This is one of the key reasons that teams are overworked and have trouble keeping up with increased risk as businesses’ overall threat surface expands. I saw this firsthand, having spent 16 years in an extremely fast-growing company, with six of those years as the chief information security officer.
Now as a solutions architect at Synack, I talk with IT and security leaders every day, and they echo these same problems. It’s from these experiences that I’ve developed five steps for building a better security strategy.
- 1. Evaluate the current vulnerability management process
We need an understanding of the current process: how the vulnerability inputs get generated and what the remediation output looks like. Are we tracking all assets that matter to the business? We need to rank those assets by criticality to the business. How is a vulnerability proven exploitable before it is passed to the remediation team? How is the risk to the business determined? These are some of the questions we should start thinking about.
- 2. Establish a baseline for measurement
The famous business consultant Peter Drucker said, “If you can’t measure it, you can’t improve it.” For security leaders, this means establishing key performance indicators (KPIs) that measure vulnerability count (ranked by severity) during a specific time period, remediation timeframe (ranked by severity), first-time patch quality or patch efficacy (by severity), and the vulnerability categories that account for the highest percentages of findings.
- 3. Eliminate noisy inputs
Noisy vulnerability inputs come from noncritical vulnerabilities or vulnerabilities that haven’t been proven exploitable. These inputs create too much overhead and don’t reduce organizations’ overall risk. To reduce noise, first look at the volume of vulnerabilities the remediation team is working on and the time it takes to remediate those vulnerabilities, then ask the teams if they know whether the flaw is exploitable. If the answer is no, then noise is getting in the way of more important work.
- 4. Look for clear signs of improvement
Once you’ve established a baseline for key measurements such as vulnerability count and remediation timeframe, it’s important to consistently track and evaluate the threats to the business as well as the performance of the security team. You’ll also begin to notice whether there’s a need to increase headcount, training or tools. (You might need to evaluate whether you should reduce tools, too.) The quantitative data is the basis for reporting to the CEO or the board of directors to show the success of the security team and provide better insights into business risk.
- 5. Iterate. Tweak. Measure again.
Always make adjustments to the process and try to understand where teams fall short or start making real strides on the established KPIs. If teams are struggling, tweak the process or add resources.
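The KPIs in step 2 and the noise filter in step 3 can both be computed from an export of the vulnerability tracker. The following is an added example, not code from the original post or from Synack: a small Python script over a constructed set of findings (the record fields, severity names, categories and dates are all assumptions) that first drops findings nobody has proven exploitable and then produces the four measurements listed under step 2.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass
class Finding:
    """One tracked vulnerability. Field names are assumed, not a real tracker schema."""
    fid: str
    severity: str                     # "critical" | "high" | "medium" | "low"
    category: str                     # e.g. "injection", "missing-patch"
    detected: date                    # date the scanner reported it
    validated: bool                   # a person proved it exploitable (step 3)
    remediated: Optional[date] = None # date the fix was shipped, None if still open
    reopened: bool = False            # retest showed the first fix did not hold


# Constructed sample data, not real scan output.
FINDINGS = [
    Finding("F1", "critical", "injection",      date(2023, 1, 3),  True,  date(2023, 1, 10)),
    Finding("F2", "high",     "missing-patch",  date(2023, 1, 5),  True,  date(2023, 2, 1), reopened=True),
    Finding("F3", "high",     "misconfig",      date(2023, 1, 8),  False),
    Finding("F4", "medium",   "missing-patch",  date(2023, 1, 12), True,  date(2023, 2, 15)),
    Finding("F5", "low",      "info-disclosure",date(2023, 1, 20), False, date(2023, 1, 25)),
    Finding("F6", "critical", "injection",      date(2023, 2, 2),  True,  date(2023, 2, 5)),
    Finding("F7", "medium",   "misconfig",      date(2023, 2, 9),  True),
]

SEVERITY_ORDER = ["critical", "high", "medium", "low"]
REPORT_START = date(2023, 1, 1)
REPORT_END = date(2023, 3, 31)


def actionable(findings):
    """Step 3: drop the noise, i.e. findings no one has proven exploitable."""
    return [f for f in findings if f.validated]


def count_by_severity(findings, start, end):
    """KPI 1: findings detected within [start, end], bucketed by severity."""
    counts = Counter(f.severity for f in findings if start <= f.detected <= end)
    return {s: counts.get(s, 0) for s in SEVERITY_ORDER}


def median_remediation_days(findings):
    """KPI 2: median days from detection to fix, by severity (closed findings only)."""
    days = defaultdict(list)
    for f in findings:
        if f.remediated is not None:
            days[f.severity].append((f.remediated - f.detected).days)
    return {s: median(v) for s, v in days.items()}


def first_time_fix_rate(findings):
    """KPI 3: share of closed findings whose first fix survived retest, by severity."""
    closed = defaultdict(list)
    for f in findings:
        if f.remediated is not None:
            closed[f.severity].append(not f.reopened)
    return {s: sum(v) / len(v) for s, v in closed.items()}


def category_share(findings):
    """KPI 4: percentage of findings per category, largest share first."""
    counts = Counter(f.category for f in findings)
    total = sum(counts.values())
    return {cat: round(100 * n / total, 1) for cat, n in counts.most_common()}


def kpi_report(findings, start=REPORT_START, end=REPORT_END):
    """Filter out unvalidated noise, then compute the step 2 KPIs on what remains."""
    real = actionable(findings)
    return {
        "noise_dropped": len(findings) - len(real),
        "count_by_severity": count_by_severity(real, start, end),
        "median_remediation_days": median_remediation_days(real),
        "first_time_fix_rate": first_time_fix_rate(real),
        "category_share_pct": category_share(real),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(kpi_report(FINDINGS))
```

Running the script on the constructed data drops two unvalidated findings before any KPI is computed, which is the point of step 3: the open high-severity misconfiguration F3 never reaches the remediation queue until someone proves it exploitable, and the reopened F2 shows up as a 0% first-time fix rate for high-severity findings, the signal step 4 asks you to watch for.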
Overall, the goal is to approach vulnerability management with a shift-left mentality and build efficiencies into the process for security teams to maximize their results, build trust across their organization and demonstrate their value.
For more information about how Synack can help your organization build a better security strategy, get in touch today.