Risk-Based Vulnerability Lifecycle - Prediction and Validation

When an enterprise examines its cyber risk, an attack surface emerges: the set of entry points through which malicious actors can exploit vulnerabilities. Viewing cyber risk this way leads to a strategic objective of shrinking that attack surface, generally by discovering vulnerabilities and then taking deliberate action to reduce the likelihood that those weak points are exploited. Prediction and validation are the key activities here: predicting which vulnerabilities are likely to be weaponized, and validating which of them are actually exploitable in a given environment.

RiskSense is a leader in this growing area of enterprise vulnerability and cyber risk management. The company was instrumental in predicting WannaCry and BlueKeep, and released useful safeguards after the initial infiltration. We recently sat down with Srinivas Mukkamala, CEO of RiskSense, to learn how his platform addresses this area, including how it uses intelligence-driven risk analytics to drive actionable cyber security mitigation.

Ed Amoroso: What are the primary internal and external inputs to intelligence-driven threat analytics?

Srinivas Mukkamala: Well, Ed - today, the best input to intelligence-driven threat analytics involves collected data from vulnerability scanners. This provides a good starting point, which covers networks, applications, and databases. You then need to enrich this scanner data with threat data to truly understand what is actively being exploited. Next, users can assign criticality to those assets that have been scanned. This helps produce an overall picture of the risk of the IT infrastructure being analyzed. The resulting combination of this data supports a truly intelligence-driven threat analytics platform.

EA: How can ingested vulnerability data be normalized into an enterprise view of risk?

SM: We aggregate vulnerability data and normalize it for common terminology and data scales, mapping it to CWE, CVE, CPE, and OWASP. We then contextualize the data by correlating vulnerability relationships with multiple external threat data sources. This includes zero-day, malware feeds, exploit databases, exploit and penetration testing frameworks, dark web, and DShield. RiskSense penetration test results, as well as business criticality – for example, asset classification and assigned asset risk – deliver a complete view of the risk a given vulnerability represents to the business. This allows us to map the results into our risk scoring model and to provide a single, credit-like risk score for every device, thus providing useful information for each business unit in an organization.

EA: Tell us about the RiskSense platform and how it addresses the attack surface.

SM: We already see that enterprises have expanded to mobile devices, networks, applications, and databases. Enterprise teams are also moving toward use of containers and IoT devices across IT and OT infrastructure. The attack surface is thus expanding rapidly and dynamically. This increases the likelihood that an attack can occur from all entry points. The RiskSense platform focuses on these attack surface entry points and allows us to incorporate vulnerability scanner data, enrich it with our 100+ threat data sources, and then factor in the criticality of your assets to derive a risk rating for each asset. The resulting risk rating drives your remediation efforts, guides your IT team on the best order for installing fixes, and ensures that you are focusing your security and IT resources wisely. The asset risk rating rolls up into department/LOB/agency risk rating, and then into an overall risk score that we call the RiskSense Security Score (RS3). This score provides executives with a simple credit-like scoring framework to assess organization risk and to track over time.

EA: What is the best way to drive proper remediation once vulnerabilities have been identified?

SM: Once you have identified your vulnerabilities, you need to add threat context, basically enriching the data around these vulnerabilities, and specifically identifying which ones are exploitable in your IT infrastructure and which ones will be weaponized. Then you will want to assign business criticality to each of your assets. This provides a true risk score for your specific organization, and provides prioritization on what really needs to be fixed first.

EA: Have you seen any significant trends in how your customers view and manage cyber risk?

SM: The most security-mature organizations are going beyond just what to fix, and are now building out an overall security rating framework for each LOB or department or agency. They are then rolling that up into an overall cyber risk score (RS3). This allows organizations to track their journey in reducing risk, while keeping a continuous watch on it. These best-in-class organizations understand that their attack surface changes constantly, with new devices, applications, and databases being added and removed every day. With attackers developing new attack models, they must be vigilant. Building a Threat and Vulnerability Management Program mandates a risk scoring model that guides both the security and IT Operations teams, which in turn inform executives of the organization's current risk standing. This is a game-changing model.
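The pipeline Mukkamala describes across the interview (normalize scanner output onto common identifiers and scales, enrich each finding with exploit and weaponization status, weight by asset criticality, score each asset, then roll up to LOB and organization) can be sketched in a few dozen lines. The script below is an added illustration written for this page; it is not RiskSense code, and the scanner output, threat feed, asset inventory, scoring formulas and the credit-like rating mapping are all constructed assumptions (the RS3 formula itself is not public on this page and is not reproduced). The two real CVE identifiers used are the ones behind WannaCry (CVE-2017-0144) and BlueKeep (CVE-2019-0708), which the interview mentions; the CVE-2099-* entries are placeholders.

```python
"""Illustrative risk-based vulnerability prioritization (added example, not RiskSense code).

Stages: normalize -> enrich with threat data -> weight by asset criticality ->
per-asset score -> roll-up per LOB and organization -> credit-like rating.
Every feed, asset and formula here is constructed for illustration.
"""
from collections import defaultdict
from math import prod

# Constructed scanner output. Scanner A rates severity 1-5; scanner B reports CVSS 0-10.
SCANNER_A = [
    {"host": "web-01", "cve": "CVE-2017-0144", "severity": 5},   # EternalBlue / WannaCry
    {"host": "db-01", "cve": "CVE-2019-0708", "severity": 4},    # BlueKeep
]
SCANNER_B = [
    {"host": "db-01", "cve": "CVE-2019-0708", "cvss": 9.8},       # same finding, second scanner
    {"host": "hr-laptop-07", "cve": "CVE-2099-1001", "cvss": 7.5},  # placeholder ID
    {"host": "hr-laptop-07", "cve": "CVE-2099-1002", "cvss": 10.0}, # placeholder ID
]

# Constructed threat feed: exploit maturity per CVE (absent entries mean "none").
THREAT_FEED = {
    "CVE-2017-0144": "weaponized",
    "CVE-2019-0708": "weaponized",
    "CVE-2099-1002": "poc",
}
THREAT_MULTIPLIER = {"none": 0.4, "poc": 0.8, "weaponized": 1.0}  # assumed weights

# Constructed asset inventory: line of business and business criticality 1-5.
ASSETS = {
    "web-01": {"lob": "ecommerce", "criticality": 5},
    "db-01": {"lob": "ecommerce", "criticality": 5},
    "hr-laptop-07": {"lob": "hr", "criticality": 2},
}


def normalize_findings(scanner_a, scanner_b):
    """Map both scanners onto one 0-10 scale keyed by (host, CVE); keep the
    highest severity when two scanners report the same finding."""
    merged = {}
    for f in scanner_a:
        key = (f["host"], f["cve"])
        merged[key] = max(merged.get(key, 0.0), f["severity"] / 5 * 10)
    for f in scanner_b:
        key = (f["host"], f["cve"])
        merged[key] = max(merged.get(key, 0.0), f["cvss"])
    return [{"host": h, "cve": c, "severity": s} for (h, c), s in merged.items()]


def threat_status(cve):
    """Enrichment step: look the CVE up in the threat feed."""
    return THREAT_FEED.get(cve, "none")


def finding_risk(severity, status, criticality):
    """Assumed formula: severity x exploit maturity x business criticality, scaled 0-100."""
    return round(severity / 10 * THREAT_MULTIPLIER[status] * criticality / 5 * 100, 2)


def score_findings(findings, assets):
    """Attach threat status and a risk value to each finding; highest risk first
    is the remediation order handed to IT."""
    scored = []
    for f in findings:
        status = threat_status(f["cve"])
        risk = finding_risk(f["severity"], status, assets[f["host"]]["criticality"])
        scored.append({**f, "status": status, "risk": risk})
    return sorted(scored, key=lambda f: f["risk"], reverse=True)


def score_assets(scored):
    """Per-asset risk 0-100 via noisy-OR, so several findings compound but stay bounded."""
    by_host = defaultdict(list)
    for f in scored:
        by_host[f["host"]].append(f["risk"] / 100)
    return {h: round(100 * (1 - prod(1 - r for r in rs)), 2) for h, rs in by_host.items()}


def roll_up(asset_scores, assets):
    """Criticality-weighted mean per LOB and for the whole organization."""
    num, den = defaultdict(float), defaultdict(float)
    for host, score in asset_scores.items():
        lob, w = assets[host]["lob"], assets[host]["criticality"]
        num[lob] += score * w
        den[lob] += w
    lob_scores = {lob: round(num[lob] / den[lob], 2) for lob in num}
    org = round(sum(num.values()) / sum(den.values()), 2)
    return {"lob": lob_scores, "org": org}


def credit_rating(risk):
    """Assumed credit-like mapping (not RS3): risk 0 -> 850, risk 100 -> 300."""
    return round(850 - risk * 5.5)


if __name__ == "__main__":
    findings = normalize_findings(SCANNER_A, SCANNER_B)
    queue = score_findings(findings, ASSETS)
    per_asset = score_assets(queue)
    rollup = roll_up(per_asset, ASSETS)
    for f in queue:
        print(f"fix {f['cve']} on {f['host']}: risk {f['risk']} ({f['status']})")
    print("assets:", per_asset)
    print("LOB:", rollup["lob"], "org:", rollup["org"], "rating:", credit_rating(rollup["org"]))
```

Two design points worth noting. The weaponized BlueKeep finding on the critical database outranks the perfect-CVSS placeholder on the HR laptop, which is exactly the reordering the interview argues for: threat context and asset criticality, not raw severity, drive the queue. And the per-asset noisy-OR keeps one host with many low-grade findings from either vanishing (a plain maximum) or exceeding 100 (a plain sum).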