Cyber Scoring with Risk-Based Funnels

About an hour’s drive south of Albuquerque sits an impressive technology-focused university on roughly 350 acres near the Rio Grande. New Mexico Tech (officially the New Mexico Institute of Mining and Technology) is home to roughly 1500 undergraduates, about 15% of whom study computer science and engineering. With a rich history of achievement, the school boasts deep research contributions and famous alumni (including Conrad Hilton).

On the campus of New Mexico Tech, with its warm days and cool nights, one will find the prestigious Institute for Complex Additive Systems Analysis (ICASA), a public-private alliance that focuses on the study of complex systems. As you’d guess, complex systems tend to exhibit vulnerabilities, which in turn lead to security risks, and so the ICASA team includes cyber protections in the research it conducts for its sponsors.

It was in the context of this alliance that I first began to investigate the fine work of Dr. Srinivas Mukkamala, who has served as an ICASA research scientist for two decades. In the past two years, however, I’ve come to know him as the visionary CEO of the cybersecurity start-up RiskSense – created based on work he’d been doing at the Institute. I spent some time with Mukkamala last week to catch up on his progress, and here’s what I learned:

“As you know, enterprise security teams need to understand the vulnerabilities that exist in their environment,” he explained. “To achieve this, they usually do their best to estimate known cyber risks, and will triage anything that becomes a significant issue. This manual approach obviously does not work well for zero day vulnerabilities, and results in a lot of frustration for anyone managing security in an organization.”

To address this challenge, the team at RiskSense has created a platform that prioritizes remediation tasks and, by getting the right fixes done first, reduces the attack surface of an organization. The prioritization is accomplished by means of a so-called risk-based funnel. The purpose of the funnel is to tackle the massive challenge of ingesting large amounts of vulnerability-related information and deciding, ultimately, what action to take and in what order.

The funnel process begins with the National Vulnerability Database (NVD), maintained by NIST, and enhanced with vulnerability disclosures from vendors and researchers. The resulting repository is a valuable resource that includes a wide range of data, including security checklist references, security-related software flaws, misconfigurations, affected product names, and impact metrics, to support vulnerability management and security compliance.

RiskSense augments and stepwise-refines the NVD data to determine which items are trending and hence relevant to a given organization; identifying trending is the central purpose of the RiskSense platform. Risk-based funneling proceeds through three lenses: context (what is actually deployed in the environment), threat (what is being exploited or discussed in the wild), and analysis (combining the two into a ranking). As one would expect, the practical goal is prioritization based on trending: security teams benefit from knowing what is relevant and what is not.

I asked Mukkamala about how his platform covers zero-day exploits and his answer was interesting: “Most zero-day exploits are constructed from lower-level NVD building blocks,” he explained. “While no one can always predict how these components will be arranged into a new exploit, we can identify trending on these components. In this way, we have a chance of preventing a zero-day attack before it has even been designed.”

I also asked Mukkamala how the funneling process might make binary determinations about vulnerabilities, and he offered this correction: “The goal here is not binary,” he explained. “Instead, we use AI-driven predictions and combine them with our exploit research to produce a risk score in the range of 300-850. This allows for a more contextual decision about risk, which we find helps to reduce time spent in data analysis by as much as 90%.”
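To make the funnel concrete, here is an added Python example that is my own illustration, not RiskSense code and not the formula behind their score. It runs a handful of constructed findings through the three lenses named above (context, threat, analysis) and emits a ranked list on the same 300-850 scale mentioned in the interview. The threat-feed snapshot, the asset inventory, the finding records, the stage weights and the score mapping are all assumptions made for the example.

```python
"""Hypothetical risk-based vulnerability funnel (illustration, not RiskSense's method).

Stage 1 (context):  keep only findings for products present in the asset inventory.
Stage 2 (threat):   weight each finding by public-exploit availability and trending,
                    where trending is the share of constructed threat feeds mentioning it.
Stage 3 (analysis): fold CVSS base score, threat weight and asset criticality into one
                    number mapped onto a 300-850 scale, then rank and cut at a threshold.
"""
from dataclasses import dataclass

SCORE_MIN, SCORE_MAX = 300, 850


@dataclass(frozen=True)
class Finding:
    fid: str            # placeholder finding id (constructed, not a CVE number)
    product: str        # affected product as named in the asset inventory
    cvss: float         # CVSS base score, 0.0-10.0
    exploit_public: bool


# Constructed sample findings; ids and products are placeholders.
FINDINGS = [
    Finding("F-1", "webapp-framework", 9.8, True),
    Finding("F-2", "mail-server", 7.5, False),
    Finding("F-3", "legacy-erp", 6.5, True),
    Finding("F-4", "desktop-viewer", 5.3, False),   # not deployed, see INVENTORY
]

# Constructed asset inventory: product -> criticality 1 (low) .. 3 (crown jewel).
INVENTORY = {"webapp-framework": 3, "mail-server": 2, "legacy-erp": 3}

# Constructed threat-feed snapshot: feed name -> finding ids mentioned this week.
FEEDS = {
    "exploit-tracker": {"F-1", "F-3"},
    "darkweb-chatter": {"F-1"},
    "vendor-advisories": {"F-1", "F-2", "F-3"},
    "social-mentions": {"F-3"},
    "ir-reports": {"F-1"},
}


def trending(fid, feeds):
    """Share of feeds (0.0-1.0) that mention the finding this period."""
    return sum(fid in mentioned for mentioned in feeds.values()) / len(feeds)


def context_filter(findings, inventory):
    """Stage 1: drop findings whose product is not deployed in the environment."""
    return [f for f in findings if f.product in inventory]


def threat_weight(f, feeds):
    """Stage 2: 0.0-1.0; a public exploit contributes 0.5, trending up to another 0.5."""
    base = 0.5 if f.exploit_public else 0.0
    return min(1.0, base + 0.5 * trending(f.fid, feeds))


def risk_score(f, criticality, feeds):
    """Stage 3: hypothetical blend mapped onto 300-850.

    raw in [0, 1] = 0.5 * cvss/10 + 0.3 * threat_weight + 0.2 * (criticality-1)/2
    """
    raw = (0.5 * (f.cvss / 10.0)
           + 0.3 * threat_weight(f, feeds)
           + 0.2 * (criticality - 1) / 2.0)
    return round(SCORE_MIN + raw * (SCORE_MAX - SCORE_MIN))


def funnel(findings, inventory, feeds, threshold=600):
    """Run all three stages; return [(finding id, score)] ranked high to low, at or above threshold."""
    relevant = context_filter(findings, inventory)
    scored = [(f.fid, risk_score(f, inventory[f.product], feeds)) for f in relevant]
    scored.sort(key=lambda item: item[1], reverse=True)
    return [item for item in scored if item[1] >= threshold]


if __name__ == "__main__":
    for fid, score in funnel(FINDINGS, INVENTORY, FEEDS):
        print(f"{fid}: {score}")
```

With the constructed data, F-4 never reaches scoring because nothing in the inventory runs desktop-viewer, F-2 scores 578 and falls below the cut, and F-1 (high CVSS, public exploit, widely reported, crown-jewel asset) lands at 828 ahead of F-3 at 721. The point of the exercise is the shape of the pipeline, not the particular weights: a real deployment would take context from a CMDB or scanner inventory and threat signal from actual exploit and intelligence feeds.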

We also spent some time discussing the penetration testing the RiskSense team offers. This seems a sensible component of the company’s offering: beyond the obvious test value it adds to a customer’s security posture, it gives RiskSense researchers practical insight into the live issues being found in real enterprise networks. Many vendor tools lack this kind of practical knowledge and insight.

Just about everyone in enterprise cyber security is performing some form of data analysis to make vulnerability-related decisions. It therefore makes perfect sense for you to be in touch with the RiskSense team (especially if you happen to be near the Rio Grande). Ask the team to show you a demo. It's impressive and provides hope that enterprise teams will soon have better tooling to deal with their risk-based challenges.

As always, please share your learnings and insights with all of us.