Why Cybersecurity Frameworks Alone Won’t Stop The Next Major Breach

Forbes Technology Council

Gidi Cohen is the founder of Skybox Security, where he helps customers secure their attack surface and stay ahead of emerging threats.

This is a critical moment in cybersecurity history. Organizations of all sizes are defending against rapidly rising cyberattacks threatening to disrupt everyday business operations. To combat the ever-expanding attack surface, private-sector companies across industries have adopted voluntary cybersecurity frameworks like NIST and MITRE ATT&CK, designed to provide best practices that help security teams better manage and reduce cybersecurity risk.

Today, all 16 critical infrastructure sectors leverage NIST, while 80% of enterprises use the MITRE ATT&CK framework. These frameworks are regularly updated to reflect new and emerging tactics, techniques and procedures. For example, in early May, NIST released new guidance on identifying and responding to supply chain cybersecurity risks.

With threats increasing at an unprecedented rate, organizations cannot rely on reactive strategies to defend against the evolving security landscape. NIST and MITRE ATT&CK provide organizations with an easy-to-understand framework for managing and reducing cyber risk to protect networks and data. However, organizations must now advance beyond cybersecurity frameworks to accurately identify, quantify and address critical risks.

Ditch The Check-The-Box Mentality

Looking at the NIST cybersecurity framework, two of its five core functions (Detect and Respond) focus on detecting and responding to a cybersecurity incident only after the attack has happened. While the MITRE ATT&CK framework is a valuable repository of known adversary tactics, techniques and procedures, that information is also tied to the response phase of an attack.

Traditional reactive approaches centered on scanning and patching are slow, laborious and costly. They also often fail to catch actual threats while wasting valuable resources on false alarms. As a result, companies can no longer depend on this reactive detect-and-respond strategy alone to protect their critical assets against today’s top threats.

Although cybersecurity frameworks are voluntary guidelines for private sector organizations, federal agencies and government contractors are required to comply with NIST security standards. Unfortunately, this leaves the public sector inclined to focus more resources on compliance instead of developing a proactive strategy to reduce risks.

It’s an age-old misconception that maintaining compliance ensures security. Too many organizations operate with a “check the box” mentality of meeting the minimum requirements of their chosen framework. Given the agility and tactics of today’s adversaries, organizations must take responsibility for understanding their unique security weaknesses and attack pathways and close security gaps quickly. Now is the time to implement measures to strengthen security posture that extend beyond meeting minimum security requirements and adhering to compliance regulations.

Take A Risk-Based Approach To Prevent Breaches

Today’s complex and evolving threat landscape demands risk-based strategies that accurately identify the most dangerous vulnerabilities and mitigate business risk across an organization’s entire network. A risk-based approach is crucial to preventing breaches. It enables organizations to identify, measure, prioritize and manage all risks in line with frameworks like NIST and MITRE ATT&CK. However, according to our company’s own research, only 23% of organizations have achieved a risk-based approach to cybersecurity.

While there are several aspects to adopting a risk-based, proactive cybersecurity strategy, three critical components for successful implementation stand out:

1. Risk scoring and quantification: Cyber risk scoring provides an objective measurement for evaluating security posture that considers a wide range of risk factors. By converting data-driven metrics and threat intelligence into an easy-to-grasp representation of actual cyber risk, organizations can better understand how safe their assets are and identify security weaknesses with the greatest potential financial impact.

2. Vulnerability prioritization: To truly understand cyber risk and prevent breaches, advanced vulnerability prioritization automatically considers threat intelligence, asset context and attack path analysis. This enables smarter and more precise remediation strategies in comparison to just considering CVSS severity. Organizations with complex environments and limited resources can target their effort where it matters by prioritizing vulnerabilities that pose the greatest risk.

3. Exposure analysis: Where are you actually exposed to a cyberattack? An exposure is an exploitable vulnerability that a threat actor can reach and compromise. Exposure analysis answers that critical question by identifying exploitable vulnerabilities and correlating them with an organization’s unique network topology and security controls to identify the high-risk assets that are actually exposed to threat actors. Without exposure analysis, organizations can waste a great deal of time and resources chasing vulnerabilities unlikely to lead to a breach.
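The three components above (scoring, prioritization beyond CVSS, and exposure analysis) can be illustrated together in a small script. The following is an added example written for this article, not code from the author or from Skybox Security: the asset inventory, vulnerability list, firewall flow rules, criticality scale and score weights are all constructed and assumed, and the vulnerability identifiers are placeholders rather than real advisories. It computes which network zones an internet-based attacker can reach through the permitted flows (a simplified attack path analysis), then blends CVSS with a threat-intelligence flag, asset criticality and that exposure check, so that a lower-CVSS but exploited and reachable flaw on a critical database outranks a higher-CVSS flaw on an isolated laptop.

```python
"""Risk-based vulnerability prioritization over a constructed inventory.

Added example, not from the article. Weights, zones and sample data are
assumptions chosen to show the ranking difference versus a CVSS-only sort.
"""
from collections import deque
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    segment: str        # network zone the asset lives in
    criticality: float  # assumed scale: 1.0 (low) .. 5.0 (crown jewel)


@dataclass
class Vuln:
    vid: str                 # placeholder identifier, not a real CVE
    asset: str               # name of the affected asset
    cvss: float              # base severity, 0..10
    exploited_in_wild: bool  # threat-intelligence flag


# Constructed segmentation: (source zone, destination zone) pairs the
# firewalls permit. Anything not listed is blocked.
ALLOWED_FLOWS = {
    ("internet", "dmz"),
    ("dmz", "app"),
    ("app", "db"),
    ("corp", "app"),
}

# Constructed sample inventory and findings.
SAMPLE_ASSETS = [
    Asset("web01", "dmz", criticality=3.0),
    Asset("db01", "db", criticality=5.0),
    Asset("hr-laptop", "corp", criticality=2.0),
]
SAMPLE_VULNS = [
    Vuln("VULN-EXAMPLE-1", "hr-laptop", cvss=9.8, exploited_in_wild=False),
    Vuln("VULN-EXAMPLE-2", "db01", cvss=7.5, exploited_in_wild=True),
    Vuln("VULN-EXAMPLE-3", "web01", cvss=6.5, exploited_in_wild=True),
]


def reachable_from(source, flows):
    """Zones reachable from `source` by following permitted flows (BFS).

    This is the simplified attack-path step: a zone is 'exposed' if a
    chain of allowed flows connects it to where the threat actor starts.
    """
    seen = {source}
    queue = deque([source])
    while queue:
        cur = queue.popleft()
        for src, dst in flows:
            if src == cur and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def risk_score(vuln, asset, exposed):
    """Blend CVSS with exploitability, asset context and exposure (0..100).

    Multipliers are assumed values for illustration, not a standard.
    """
    score = vuln.cvss / 10.0                        # normalize severity
    score *= 1.3 if vuln.exploited_in_wild else 1.0  # threat intelligence
    score *= asset.criticality / 5.0                # business impact
    score *= 1.0 if exposed else 0.25               # unreachable: deprioritize
    return round(score * 100, 1)


def prioritize(assets, vulns, flows, threat_zone="internet"):
    """Return findings ranked by risk, highest first."""
    exposed_zones = reachable_from(threat_zone, flows)
    by_name = {a.name: a for a in assets}
    rows = []
    for v in vulns:
        a = by_name[v.asset]
        exposed = a.segment in exposed_zones
        rows.append({
            "vid": v.vid, "asset": a.name, "cvss": v.cvss,
            "exposed": exposed, "risk": risk_score(v, a, exposed),
        })
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


if __name__ == "__main__":
    for row in prioritize(SAMPLE_ASSETS, SAMPLE_VULNS, ALLOWED_FLOWS):
        print(row)
```

Run as-is, the script ranks the exploited, internet-reachable database flaw first even though its CVSS is two points lower than the laptop finding, which lands last because no permitted flow leads from the internet into the corp zone. The same structure extends naturally: real deployments would replace the flow set with parsed firewall and routing configuration and the boolean threat flag with a feed such as known-exploited-vulnerability data.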

A risk-based approach to cybersecurity gives defenders a never-before-achievable understanding of their continuously expanding attack surface. In fact, major organizations that successfully implemented a risk-based approach prevented breaches, based on our company’s findings. Beyond that critical achievement, risk-based metrics can be tracked over time to prove the value of your cybersecurity program. These modern strategies provide a foundation for improving any security program, especially those charged with protecting complex environments and proactively securing digital transformation.
