Sep 19, 2023
Stop Chasing the Adrenaline Rush of Reactive Security
by Brinqa Security Team
There has always been a lot of talk about cybersecurity becoming more proactive, yet so much of the culture of the security industry thrives on the adrenaline rush of a detect-and-respond approach to security:
- War rooms.
- Tabletop exercises that start with a simulated phone call from law enforcement.
- The initial dopamine hit of the all-hands-on-deck reaction to Log4J, which turned into a months-long exercise that slowed the ability of engineering teams to deliver.
However, no one ever does a tabletop exercise about finding a vulnerability, prioritizing it, and patching it. There’s no all-hands-on-deck. No save-the-day rush to proactive security. Our industry’s focus on detection and response has its benefits and is critical, but it is not the answer to building cybersecurity into the mature business function it needs to be.
Patchwork Proactive Security
What is it that makes proactive security so difficult? For one, it is part of the human condition that we all struggle at times to have the discipline to do today what will pay dividends tomorrow (e.g. eating well, regular exercise, and patching vulnerabilities).
When it comes to cybersecurity, there are a few factors that have made proactive security particularly challenging.
Detection Commoditization
The digitalization of operations and services has created an explosion of detection tools, each claiming to be the source of truth for detecting vulnerabilities in its specific area – application security, endpoint, cloud, supply chain, external attack surface, and more. The list is endless.
Each of these tools promises enhanced visibility and protection. While this might seem advantageous, it inadvertently burdens organizations with a daunting task: addressing every perceived threat. This leads to operational burnout and often detracts from the most critical vulnerabilities, causing them to get lost in the deluge.
Fractured View of Risk
The traditional approach to vulnerability management has, for the longest time, been compartmentalized. Legacy systems often operate in silos, with distinct teams for each domain, singularly focused on their specific vulnerabilities. Whether it is vulnerability management teams dedicated to the network and platform side, AppSec teams, or cloud security teams, the emphasis is on addressing vulnerabilities within their designated buckets. This approach, however, overlooks an essential aspect: when it comes to developing modern business applications, there are no silos. Cloud, code, and infrastructure all work together to deliver optimal customer value.
Complex Asset Ownership
Finding out who owns a particular asset is no simple task in today’s complex digital operating environment. The data exists somewhere in the organization, but it is often scattered across numerous tools and systems. The work of aggregating and correlating this ownership data is a difficult task, and there is no way to integrate that into the hundreds of siloed detection tools security teams use in an attempt to proactively manage vulnerabilities.
Security Doesn’t Speak Risk Very Well
There’s a palpable disconnect in the traditional approach to communicating cyber risk and motivating action on it. Because risk is conveyed in security-specific vocabulary, business and engineering teams often find it difficult to understand and act on. Rather than simplifying and contextualizing the risk narrative into business terms that stakeholders can easily understand and act on, security professionals typically leave the onus on others to decode and interpret their instructions.
The traditional approach to vulnerability management is labor-intensive and heavily reliant on old-fashioned methods like spreadsheets and manual tracking. Prioritization is largely manual and predominantly based on CVEs, with scant consideration for the specific controls or mitigation factors that each unique business has in place, which influence what is truly risky or not.
This all leads to a disjointed workflow where findings are relayed—or, more aptly, tossed over the wall—to development and engineering teams for remediation without adequate context or guidance. Furthermore, reporting primarily derived from CVEs tends to be cryptic and only decipherable to those deeply entrenched in the security domain. While technically accurate, such reports often lack a connection to tangible business impacts.
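To make the prioritization point concrete, here is an added example (not code from the original post or from Brinqa) that joins findings from several siloed scanners against an asset inventory carrying ownership and business context, then re-ranks them. All asset names, tool names, CVE placeholders and weighting factors are constructed assumptions for illustration; the weights are deliberately simple and would be tuned per organization.

```python
# Constructed sample data: an asset inventory with ownership and business
# context, and raw findings as three siloed scanners would report them.
ASSETS = {
    "web-01":   {"owner": "payments-eng", "internet_facing": True,  "waf": False, "data": "pci"},
    "build-07": {"owner": "platform",     "internet_facing": False, "waf": False, "data": "internal"},
    "api-03":   {"owner": "payments-eng", "internet_facing": True,  "waf": True,  "data": "pci"},
}

FINDINGS = [  # CVE ids are placeholders, not real identifiers
    {"tool": "sast",  "asset": "build-07", "cve": "CVE-PLACEHOLDER-A", "cvss": 9.8, "exploit_known": False},
    {"tool": "cloud", "asset": "web-01",   "cve": "CVE-PLACEHOLDER-B", "cvss": 7.5, "exploit_known": True},
    {"tool": "dast",  "asset": "api-03",   "cve": "CVE-PLACEHOLDER-C", "cvss": 7.5, "exploit_known": True},
]

# Assumed weighting factors: exposure, exploit availability, compensating
# controls and data sensitivity. These are illustrative, not a standard.
EXPOSED, INTERNAL, EXPLOITED, CONTROLLED, SENSITIVE = 1.3, 0.6, 1.2, 0.7, 1.2


def contextual_score(finding, asset):
    """CVSS adjusted by the business context a CVE-only ranking ignores."""
    score = finding["cvss"]
    score *= EXPOSED if asset["internet_facing"] else INTERNAL
    if finding["exploit_known"]:
        score *= EXPLOITED
    if asset["waf"]:            # compensating control in front of the asset
        score *= CONTROLLED
    if asset["data"] == "pci":  # regulated data raises business impact
        score *= SENSITIVE
    return round(min(score, 10.0), 1)


def prioritize(findings, assets):
    """Enrich each finding with its owner and contextual risk, highest first."""
    ranked = []
    for f in findings:
        a = assets[f["asset"]]
        ranked.append({**f, "owner": a["owner"], "risk": contextual_score(f, a)})
    return sorted(ranked, key=lambda r: r["risk"], reverse=True)


def route_by_owner(ranked):
    """Group ranked findings by owning team so each gets its own queue."""
    queues = {}
    for r in ranked:
        queues.setdefault(r["owner"], []).append(r)
    return queues
```

With these inputs the raw CVSS ordering puts the internal build server first, while the context-adjusted ordering moves the internet-facing PCI host with a known exploit to the top and hands each team only its own queue.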
This approach not only breeds misunderstanding but also sows seeds of distrust between security and other departments. Consequently, the CISO and the broader security team appear out of sync with the organization’s needs and challenges. This misalignment doesn’t just strain interdepartmental relations; it also leads to tangible operational repercussions:
- vulnerabilities are unaddressed for longer
- increased exposure to threats
- sidetracked teams expending effort on non-critical risk
- diluted focus away from what truly represents a threat to the business
Clearly, we need a new approach.
We believe it is time for the Vulnerability Management discipline to evolve into a Risk Operations Center: a proactive security approach that combines operational rigor, comprehensive management of vulnerabilities and security policies across the entire attack surface, and business-level communication about risk. It also serves to elevate proactive security to be on par with the detection and response strategies represented by the SOC.
Learn more about how Brinqa clients Nestle, VMWare, Adidas and others incorporate a Risk Operations Center into their security program.