Cyber security risk - no silver bullet

Cyber security risk presents a unique problem to organizations. But the teams working tirelessly to counter it find that there is no easy answer.

Mike Parkin | March 21, 2022

Cyber security is always evolving. Developers are constantly coming out with new applications and updating old ones. The goal is to improve their customers’ lives with new ways of doing business and improvements to the tools they already have. The downside is that new products and updates to old products can introduce new and unexpected vulnerabilities and cyber security risk. 

Threat actors are constantly looking for new ways to break into target systems, so they’re always watching new developments for an edge. That’s not even counting the time they spend looking at existing applications, libraries, etc., to find something someone else has missed that they can turn into an attack. Log4j, anyone?

Against that ever-changing threatscape, cybersecurity practitioners are doing everything they can to keep their organizations safe. We use the best tools available to deliver defense in depth, from perimeter firewalls through segmented networks to endpoint defenses. We implement procedures and processes that reduce the likelihood of a breach, and others that reduce damage to the organization when the attackers get through.

And they will get through. 

Cybersecurity practitioners often have areas they gravitate to. Individuals have certain specialties that they believe deliver the best defense against their adversaries. Some focus on the perimeter, figuring that keeping attackers out is the best way to secure their organization. Others focus on the endpoint with the realization that no perimeter defense is flawless, and we can’t protect our users when they’re outside. Still others focus on remediation, supplying needed fixes when the inevitable happens, while some look to deception techniques to divert attackers into wasting time while showing their hand to SecOps. 

The reality is we all know that there is no single area that supplies a “silver bullet” to slay the attacking werewolves, or threat actors, as the case may be. No matter which part of the security stack a practitioner favors, they know there are flaws they must compensate for. Firewalls have openings dictated by business needs. Endpoint defenses can’t stop everything that reaches the endpoint or report every piece of malicious code that lands. Deception techniques are only effective once the attacker is in the environment trying to plot their next move, and then only if they fall for the traps, etc. It becomes even more complicated when you factor in an organization’s own application development or the software and services they source from others. 

The challenge many cybersecurity teams face is the separation of responsibility between the people who are monitoring the environment and the people who handle fixing it. In a lot of cases, Security Operations is in a separate silo from network administration, application development, IT support, and the rest. The threat scanner might find a problem service, but it takes someone in another department to implement the fix, and then only after they’ve gone through a change management process. In the meantime, that vulnerability is exposed where threat actors could potentially use it to compromise the environment.

Vulnerability management and patch management tools help alleviate the problem, but there is still the issue of prioritizing the fixes and getting them into the hands of the people tasked with deploying them. And this is where a cyber risk management tool like Vulcan Cyber comes into play.

The goal isn’t simply to identify and manage vulnerabilities and patches. The objective is to assess the real-world cyber security risks so an organization can prioritize which vulnerabilities are most relevant in its environment, and which patches should take priority.

By putting vulnerabilities in an organization’s own specific context, they can prioritize what is most important to them and their situation. When you add a layer of communication that lets the organization bridge the gaps between silos, they can act on that information and get the right mitigations in place to reduce the risk they’re facing. Whether it’s patches, workarounds, or other mitigation techniques, knowing what will do the most good lets the organization get the most out of its resources. 

While there is no silver bullet, there are ways to let an organization make the most out of the resources they have and let them get the right solutions to the right people, which is the next best thing.