How Brinqa addresses the technical capabilities outlined in the 2019 Forrester Wave™: Vulnerability Risk Management study
October 18, 2019 by Syed Abdur

Brinqa has been named as a ‘Contender’ in the Forrester Wave™: Vulnerability Risk Management study released in Q4 2019. This is Brinqa’s first placement in this annual study conducted by Forrester to evaluate the competitive landscape of this crucial cybersecurity field. While we may not entirely agree with the methodology used, we are grateful and appreciative of the opportunity to participate in this study. We also commend Forrester for their efforts to reshape the traditional vulnerability scanning market to better reflect modern vulnerability risk management programs.

The analyst team has done an excellent job of outlining the critical product capabilities used to compare vendors in this space. Practitioners should look to these criteria not only as they evaluate vendors but also as they assess the effectiveness and maturity of their existing Vulnerability (Risk) Management processes. Read on to learn how we at Brinqa recommend organizations interpret and implement these critical capabilities for effective vulnerability risk management. Please note that this does not, in any way, represent Forrester’s position on these criteria.


Vulnerability Enumeration

Vulnerability enumeration capabilities determine how accurately, efficiently, and completely a VRM program identifies and catalogues the vulnerabilities and weaknesses in an organization’s IT infrastructure. As each enterprise IT environment is unique, organizations should focus on ensuring that all significant components of their infrastructure are covered and accounted for.

Brinqa implements this function by utilizing our vast collection of integrations to the leading vulnerability scanning and assessment products. We take a vendor-agnostic approach that allows our customers to leverage the tools that best suit their environment and scanning requirements. This means providing the most comprehensive integrations with security tools for each important facet of the IT infrastructure:

  • Networks — BeyondTrust, Digital Defense, OpenVAS, Qualys, Rapid7, Tenable, Tripwire, VulnDB
  • Applications — Acunetix, BurpSuite, Checkmarx, Contrast Security, Fortify, IBM AppScan, Netsparker, Qualys WAS, Rapid7 Appspider, Sonatype, Synopsys, Veracode, Whitehat, Whitesource
  • Cloud — AlertLogic, Amazon Inspector, Prisma Public Cloud
  • Containers — AquaSecurity, Twistlock
  • Configurations — Microsoft SCCM, Qualys PC, Tripwire Enterprise
  • Mobile — NowSecure
  • Bug Bounty — BugCrowd, Synack
  • Penetration Testing — Generic Flat File, Direct-to-database

However, effective vulnerability enumeration is about more than just collecting vulnerabilities. To handle real-world scenarios (scanner replacement, separate scanners for internal vs. external assets, M&A activity, passive scanning, deduplication, false positives) organizations need advanced data management capabilities. The Brinqa solution allows organizations to normalize vulnerability data from disparate assessment tools to a common, standardized ontology. This is essential for implementing consistent vulnerability risk management practices across the entire scope of the program. The solution enables configurable scoping so that organizations can focus on the most critical infrastructure components and vulnerabilities first, and then gradually expand their program. In the case of overlapping scanning or assessment tools, the solution provides features to de-duplicate and coalesce vulnerability records from multiple sources.
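The normalize-then-coalesce step described above, shown as an added example that is not Brinqa's code or any real scanner's export format: two constructed scanner feeds with different field names and severity scales are mapped to one common finding schema, and records that describe the same vulnerability instance (same asset, port and CVE) are merged across sources, keeping the worse severity and the widest first-seen/last-seen window. Vendor-only checks without a CVE only merge with the same check from the same scanner, so two scanners' unrelated checks are never wrongly collapsed.

```python
"""Normalising findings from two scanners to one schema and coalescing
duplicates.  Added illustration; the scanner record layouts, field names and
sample findings below are constructed and are not any real vendor's format."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed export from hypothetical scanner A (numeric 1-5 severity, CVE optional).
SCANNER_A = [
    {"ip": "10.0.1.5", "check": "12345", "cve": "CVE-2019-0001", "sev": "4",
     "port": "443", "found": "2019-10-01"},
    {"ip": "10.0.1.5", "check": "12346", "cve": "", "sev": "2",
     "port": "22", "found": "2019-10-01"},
]
# Constructed export from hypothetical scanner B (word severity, CVE list, "port/proto").
SCANNER_B = [
    {"host": "10.0.1.5", "qid": "90001", "cves": ["CVE-2019-0001"],
     "severity": "High", "service": "443/tcp", "detected": "2019-10-03"},
    {"host": "10.0.1.9", "qid": "90002", "cves": ["CVE-2019-0002"],
     "severity": "Critical", "service": "80/tcp", "detected": "2019-10-03"},
]

SEVERITY_WORDS = {"Info": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}


@dataclass
class Finding:
    """Common ontology: one vulnerability instance on one asset/port."""
    asset: str
    port: int
    cve: str                      # "" when the scanner reports a vendor-only check
    severity: int                 # common 1-5 scale
    sources: List[str] = field(default_factory=list)   # "scanner:check-id"
    first_seen: str = ""
    last_seen: str = ""


def from_scanner_a(r: dict) -> Finding:
    return Finding(r["ip"], int(r["port"]), r["cve"], int(r["sev"]),
                   [f"A:{r['check']}"], r["found"], r["found"])


def from_scanner_b(r: dict) -> List[Finding]:
    port = int(r["service"].split("/")[0])
    cves = r["cves"] or [""]      # one Finding per CVE; vendor-only check if none
    return [Finding(r["host"], port, c, SEVERITY_WORDS[r["severity"]],
                    [f"B:{r['qid']}"], r["detected"], r["detected"]) for c in cves]


def dedup_key(f: Finding) -> Tuple[str, int, str]:
    # Findings with a CVE coalesce across scanners; vendor-only checks only
    # coalesce with the same check from the same scanner.
    return (f.asset, f.port, f.cve or f.sources[0])


def merge_findings(records_a=SCANNER_A, records_b=SCANNER_B) -> Dict[Tuple[str, int, str], Finding]:
    """Normalise both feeds and coalesce records that describe the same instance."""
    merged: Dict[Tuple[str, int, str], Finding] = {}
    normalised = [from_scanner_a(r) for r in records_a]
    normalised += [f for r in records_b for f in from_scanner_b(r)]
    for f in normalised:
        key = dedup_key(f)
        if key not in merged:
            merged[key] = f
            continue
        kept = merged[key]
        kept.severity = max(kept.severity, f.severity)        # keep the worse rating
        kept.sources = sorted(set(kept.sources + f.sources))
        kept.first_seen = min(kept.first_seen, f.first_seen)  # ISO dates sort lexically
        kept.last_seen = max(kept.last_seen, f.last_seen)
    return merged


if __name__ == "__main__":
    for key, f in merge_findings().items():
        print(key, f.severity, f.sources, f.first_seen, f.last_seen)
```

Four scanner records collapse to three findings; the shared CVE on 10.0.1.5:443 carries both source identifiers, which is what makes later scanner replacement or overlap auditing possible without losing history.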


Digital Footprinting

Digital footprinting can help organizations gain an understanding about which of their assets are publicly accessible and which are relatively protected behind firewalls and DMZs. This classification should be established, if possible, and used to inform determinations of asset criticality, ownership, escalation chains, SLAs, and other operational considerations.

Brinqa Vulnerability Risk Service implements this function through integrations with asset discovery services like BitSight and incorporates an organization’s digital footprint (including determination of publicly accessible assets) into VRM processes. The real power of the solution is in operationalizing an organization’s digital footprint towards better asset management and hygiene.

Rogue (or unknown) assets can be organized and monitored through rules that ensure the footprint matches the asset source of truth, and trigger automated tasks and tickets for corrective actions when necessary. By updating in near-real time, the digital footprint can be leveraged to determine the existence of new or unmanaged assets, which can then be automatically assigned to the appropriate asset groups or risk owners.


Asset Criticality (or better yet, Asset Management)

An organization’s ability to correctly assign asset criticality directly impacts the accuracy and soundness of risk-based vulnerability prioritization. However, we would argue that asset management (and not just asset criticality) is a crucial function that VRM teams and programs should address with great attention. Effective asset management is accurate (results in an exhaustive inventory of all the assets in the scope of the program), comprehensive (covers every relevant factor of asset identity and usage), and functional (includes criticality, ownership, escalation chains, and all other operational aspects).

Asset Management is likely the least standardized component of VRM programs. Almost every organization represents, classifies, and tracks assets in their own unique way. Further, asset information resides in a variety of systems and programs all across the organization.

Brinqa addresses this unpredictability by

(a) providing a comprehensive asset data model that represents most common technical (type, vendor, network segment, operational status, internal/external, publicly accessible) and business impact (data classification, monetary value, supported business services, compliance requirements, location, data center, business unit) factors, and

(b) providing a completely dynamic, extendible data model (enabled by our graph database backend) so that organizations can easily incorporate any factors that are unique to them.

This information is populated through purpose-built integration with a variety of systems — Asset Discovery (Nmap), CMDB (BMC, Cherwell, HP, ServiceNow), Network Management (RedSeal, InfoBlox), and GRC (Archer). Often this information resides in other programs (data protection, business impact analysis, disaster recovery) or in proprietary systems and is collected using flat file, LDAP, or direct-to-database connectors. The asset criticality calculation is part of the extensible data model and can be modified by administrators to accurately reflect the organization’s IT environment. This ensures complete transparency and control over the determination of asset criticality.


Network Exposure

Accurately determining network exposure can help organizations understand the true structure of their network infrastructure and establish the relationships and dependencies between assets that can be leveraged for attack path analysis. Building this information into the risk analysis model gives organizations a true picture of the risk associated with a vulnerability or asset.

Brinqa Vulnerability Risk Service implements this function through integrations with network management (Cisco, InfoBlox, RedSeal) and CMDB (BMC, Cherwell, HP, ServiceNow) systems to present a complete picture of the network architecture. Network metadata such as network criticality, segment type (e.g. DMZ), whether an asset is leap-froggable or accessible from untrusted networks, and attack path data such as attack depth and downstream risk can all be incorporated into the risk prioritization model.

The solution includes an out-of-the-box (OOB) network segmentation model, and assets can be dynamically associated with segments based on IP ranges and other factors. Organizing assets along network segments also gives IT users a perspective of vulnerability risk that aligns with their day-to-day operations.


Vulnerability Severity

The ability to accurately and expeditiously determine and incorporate threat intelligence into risk prioritization can mean the difference between a breach and a secured environment. VRM programs should ensure that factors of exploitability and indicators of compromise are evaluated continuously and there are measures in place to trigger the appropriate workflows if any changes are detected.

Brinqa leverages our vast collection of purpose-built integrations with most common open source and commercial threat intelligence providers (Accenture iDefense, AlienVault, CrowdStrike, Digital Shadows, FireEye, NVD, Recorded Future, Secureworks, Symantec DeepSight Intelligence, TruSTAR) to establish the most accurate view of vulnerability severity. This incorporates factors like exploit availability, weaponization, zero-day, popularity, pervasiveness, and patch availability. The solution gives administrators complete control over how various threat intelligence criteria come together to determine vulnerability severity. Intelligent correlation easily sifts through large volumes of threat intel to identify and incorporate those factors that have an impact on the organization’s unique technology environment.


Risk Based Prioritization

Risk based prioritization brings together all the underlying asset, vulnerability, and threat information to accurately identify and highlight the vulnerabilities that pose the biggest risks to the organization. Risk is inherently subjective, so it’s imperative that VRM programs and teams incorporate in the prioritization process any unique aspects of the organization that have an impact on risk.

Brinqa implements this function by first establishing a customer’s unique Cyber Risk Graph — a real-time representation of infrastructure and apps, delineation of interconnects between assets and to business services, and knowledge of overall cyber risk. This serves as the single, unified view and source of truth that drives an informed, risk-based prioritization of vulnerabilities.

Brinqa Vulnerability Risk Service includes an out-of-the-box (OOB), best-practices-based risk prioritization model that customers can use as is or extend to incorporate any additional factors. The solution does this by giving administrators access to editable Groovy scripts that hold the calculation logic and provide a controlled way to reference the underlying cyber risk graph. This is a common design pattern for software platforms: it brings the benefits of a scripting language like Groovy (simple syntax and semantics, easy to learn and write) to the implementation of powerful customizations without the need to rely on vendor product or service teams.

The flexibility and control provided by the open calculations is key to VRM success in complex and dynamic environments. Enterprise technology environments are often in flux – scope expands, asset types diversify, scanners multiply, threat intel feeds are added, business context factors become relevant. Brinqa’s open data model and risk scoring is critical to our customers’ ability to adapt and continue to deliver effective results in these scenarios. Solutions that provide rigid and prescriptive risk models cannot handle this type of dynamic environment, a big reason why customers choose Brinqa.
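To make the preceding sections concrete in one place, here is an added example (written in Python, not Brinqa's Groovy calculations, and not the product's model) of the kind of open risk calculation the post describes. It ties together the three inputs discussed above: asset criticality derived from business factors (the Asset Criticality section), exposure derived from dynamically associating an asset with a network segment by IP range (the Network Exposure section), and vulnerability severity raised from the CVSS base by threat-intelligence factors such as exploit availability, weaponization and patch availability (the Vulnerability Severity section). The segment table, scoring weights, asset inventory and vulnerability records are all constructed for the example; the point it demonstrates is that a CVSS-only ordering and a risk-based ordering of the same three findings disagree.

```python
"""Risk-based prioritization combining asset criticality, threat-informed
vulnerability severity and network exposure.  Added illustration written in
Python; Brinqa's own model is expressed in Groovy and is not reproduced here.
The segment table, scoring weights, asset records and vulnerability records
are all constructed for the example."""
import ipaddress
from typing import Dict, List

# Constructed network segmentation table (CIDR -> segment attributes).
SEGMENTS = [
    (ipaddress.ip_network("203.0.113.0/24"), {"name": "dmz",        "untrusted_reachable": True,  "exposure": 1.0}),
    (ipaddress.ip_network("10.10.0.0/16"),   {"name": "corp-user",  "untrusted_reachable": False, "exposure": 0.6}),
    (ipaddress.ip_network("10.20.0.0/16"),   {"name": "datacenter", "untrusted_reachable": False, "exposure": 0.5}),
]
# An asset that maps to no known segment is treated as fully exposed until classified.
UNKNOWN_SEGMENT = {"name": "unknown", "untrusted_reachable": True, "exposure": 1.0}

CLASSIFICATION_SCORE = {"public": 1, "internal": 2, "confidential": 3, "restricted": 4}

# Constructed asset inventory (the fields a CMDB / business impact analysis feed would supply).
ASSETS: Dict[str, dict] = {
    "web01":   {"ip": "203.0.113.10", "data_classification": "confidential", "critical_service": True,  "compliance_scope": True},
    "hr-db01": {"ip": "10.20.5.7",    "data_classification": "restricted",   "critical_service": True,  "compliance_scope": False},
    "kiosk03": {"ip": "10.10.3.3",    "data_classification": "internal",     "critical_service": False, "compliance_scope": False},
}
# Constructed findings with threat-intelligence attributes already correlated.
VULNS: List[dict] = [
    {"asset": "web01",   "cve": "CVE-2019-0001", "cvss": 7.5, "exploit_available": True,  "weaponized": True,  "patch_available": True},
    {"asset": "hr-db01", "cve": "CVE-2019-0002", "cvss": 9.8, "exploit_available": False, "weaponized": False, "patch_available": True},
    {"asset": "kiosk03", "cve": "CVE-2019-0003", "cvss": 9.8, "exploit_available": True,  "weaponized": True,  "patch_available": False},
]


def segment_for(ip: str) -> dict:
    """Dynamically associate an asset with a segment by IP range (first match; the table is disjoint)."""
    addr = ipaddress.ip_address(ip)
    for net, attrs in SEGMENTS:
        if addr in net:
            return attrs
    return UNKNOWN_SEGMENT


def asset_criticality(asset: dict) -> int:
    """1-5 business criticality from data classification, service dependency and compliance scope."""
    score = CLASSIFICATION_SCORE[asset["data_classification"]]
    if asset["critical_service"]:
        score += 1
    if asset["compliance_scope"]:
        score = max(score, 4)        # in-scope systems are never rated below 'high'
    return min(score, 5)


def vuln_severity(v: dict) -> float:
    """0-10 severity: CVSS base raised by threat-intel factors, capped at 10."""
    s = v["cvss"]
    if v["exploit_available"]:
        s += 1.0
    if v["weaponized"]:
        s += 1.5
    if not v["patch_available"]:
        s += 0.5                     # no vendor fix yet: mitigation is the only option
    return min(s, 10.0)


def risk_score(v: dict, assets: Dict[str, dict] = ASSETS) -> float:
    """0-100 risk = severity x criticality x exposure, rounded for stable reporting."""
    a = assets[v["asset"]]
    seg = segment_for(a["ip"])
    return round((vuln_severity(v) / 10.0) * (asset_criticality(a) / 5.0) * seg["exposure"] * 100.0, 1)


def prioritize(vulns: List[dict] = VULNS, assets: Dict[str, dict] = ASSETS) -> List[tuple]:
    """Return (risk, asset, cve, segment) tuples, highest risk first."""
    ranked = [(risk_score(v, assets), v["asset"], v["cve"], segment_for(assets[v["asset"]]["ip"])["name"])
              for v in vulns]
    return sorted(ranked, reverse=True)


if __name__ == "__main__":
    for row in prioritize():
        print(row)
```

Sorted by CVSS alone, the two 9.8 findings would sit above the 7.5 on web01; with criticality, exposure and threat intelligence folded in, the weaponized flaw on the DMZ-facing, compliance-scoped web server ranks first, the unexploited flaw on the datacenter database second, and the isolated kiosk last. Every weight lives in plain code an administrator can read and change, which is the property the open-calculation approach above is arguing for.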


Metrics & Reporting

Comprehensive metrics and reporting capabilities are crucial to VRM programs’ ability to effectively and intuitively engage and inform all the varied stakeholders across IT, security, and business at the appropriate instant in the risk lifecycle. The ability to visually communicate key risk and performance indicators through powerful metrics and reports is crucial to program success. Organizations must empower and encourage stakeholders to develop and communicate the metrics and reports that matter to them.

Brinqa Vulnerability Risk Service includes an extensive library of risk and performance metrics and reports. The solution includes a sophisticated, BI-like analytics interface that is used to build all the views, reports and dashboards in the solution. This gives users complete access to the underlying graph data model and can be used to create powerful, self-service metrics and reports with the ability to configure nearly every aspect of visualization (layout, color schemes, metrics calculations, data representation).


Role Based Management

Role-based management of access, permissions, and data is necessary to ensure that the varied stakeholders in the VRM process can work together without any risk of data compromise.

Brinqa delivers fine-grained access controls within the platform that are configurable from the UI. Default roles such as Configurator, Risk Analyst and Security Administrator are available out of the box, but most customers use default and custom roles to reflect the uniqueness of their organization. Large customers segment and define access levels based on responsibilities (executive/business owner/security), geography, business unit and regulatory restrictions.

Limiting access to data makes it easier for individuals to own, manage and communicate risk responsibilities through a subset of vulnerability data, risk scores, metrics and reports. Role management capabilities and access controls are also used by enterprises and MSSPs to segregate data/knowledge to limit who can see what on a need-to-know basis, and to control who is empowered to customize the vulnerability risk solution. Brinqa also enables UI components such as menus and dashboards to be customized based on users’ roles.


Remediation Management

While the Forrester Wave study does a good job of outlining the most important considerations for VRM programs, a crucial scoring criterion that is conspicuously missing is remediation management. While better prioritization can highlight the most important vulnerabilities from the backlog, better remediation management can significantly reduce the overhead associated with risk remediation and improve remediation effectiveness, efficiency, and consistency. Organizations should look to improve their vulnerability remediation practices and replace ad hoc decisions with well thought out, repeatable policies that leverage automation to achieve predictable results.

Brinqa implements a rule-based ticketing mechanism for automated remediation management. Brinqa customers are encouraged to formulate policies that govern how tickets should be created and managed. These rules are run automatically when new vulnerabilities are discovered. The rules allow vulnerabilities to be grouped together based on common criteria, thereby significantly reducing the volume of tickets being created (and the overhead associated with managing them). Rule configuration also allows ownership and SLAs to be set and enforced dynamically, ensuring consistency of remediation efforts.

The Brinqa solution includes native ticket lifecycle management, but it’s more common for Brinqa customers to utilize an external ITSM tool for managing ticket lifecycles. This is achieved through bi-directional integrations with leading ITSM systems (Jira, BMC Remedy, CA Service Desk, Cherwell, ServiceNow). Similar to ticket creation rules, ticket closure rules can be set up to validate risk remediation effectiveness and close tickets automatically.
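The creation and closure rules described in the last two paragraphs, as an added example that is not Brinqa's rules engine or any ITSM tool's API: a creation rule groups open findings into one ticket per remediation owner and CVE, sets the SLA from the highest risk score in the group, and a closure rule closes a ticket only when a later scan no longer reports any of the grouped instances (a partial fix keeps the ticket open and records what remains). Owners, SLA windows, risk tiers and both scan data sets are constructed for the example.

```python
"""Rule-based remediation ticketing: group open findings into tickets by
owner and CVE, set SLAs from risk tier, and close tickets only when a later
scan no longer reports any grouped finding.  Added illustration, not Brinqa's
rules engine; owners, SLAs, tiers and the scan data are constructed."""
from collections import defaultdict
from datetime import date, timedelta
from typing import Dict, List, Tuple

SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed risk-scored findings from one assessment run (five instances).
FINDINGS: List[dict] = [
    {"asset": "web01",   "port": 443,  "cve": "CVE-2019-0001", "owner": "web-team", "risk": 80.0},
    {"asset": "web02",   "port": 443,  "cve": "CVE-2019-0001", "owner": "web-team", "risk": 80.0},
    {"asset": "web03",   "port": 443,  "cve": "CVE-2019-0001", "owner": "web-team", "risk": 62.0},
    {"asset": "web01",   "port": 443,  "cve": "CVE-2019-0003", "owner": "web-team", "risk": 31.0},
    {"asset": "hr-db01", "port": 5432, "cve": "CVE-2019-0002", "owner": "db-team",  "risk": 49.0},
]
# Constructed follow-up scan: web01/web02 patched for CVE-2019-0001, web03 not;
# hr-db01 fixed; CVE-2019-0003 on web01 unchanged.
LATER_SCAN: List[dict] = [
    {"asset": "web03", "port": 443, "cve": "CVE-2019-0001"},
    {"asset": "web01", "port": 443, "cve": "CVE-2019-0003"},
]


def risk_tier(score: float) -> str:
    """Map a 0-100 risk score to the SLA tier used by the ticketing policy."""
    if score >= 75:
        return "critical"
    if score >= 50:
        return "high"
    if score >= 25:
        return "medium"
    return "low"


def create_tickets(findings: List[dict] = FINDINGS, opened: date = date(2019, 10, 18)) -> List[dict]:
    """Creation rule: one ticket per (owner, CVE); the SLA follows the worst member finding."""
    groups: Dict[Tuple[str, str], List[dict]] = defaultdict(list)
    for f in findings:
        groups[(f["owner"], f["cve"])].append(f)
    tickets: List[dict] = []
    for (owner, cve), members in sorted(groups.items()):
        tier = risk_tier(max(m["risk"] for m in members))
        tickets.append({
            "id": f"VRM-{len(tickets) + 1}",       # placeholder id scheme, not a real tracker's
            "owner": owner, "cve": cve, "tier": tier, "status": "open",
            "findings": [(m["asset"], m["port"]) for m in members],
            "due": opened + timedelta(days=SLA_DAYS[tier]),
        })
    return tickets


def apply_closure_rule(tickets: List[dict], latest_scan: List[dict] = LATER_SCAN) -> List[dict]:
    """Closure rule: close a ticket only when none of its grouped findings recur in the
    latest scan; otherwise keep it open and record which instances remain."""
    present = {(s["asset"], s["port"], s["cve"]) for s in latest_scan}
    for t in tickets:
        remaining = [(a, p) for a, p in t["findings"] if (a, p, t["cve"]) in present]
        t["remaining"] = remaining
        t["status"] = "closed" if not remaining else "open"
    return tickets


if __name__ == "__main__":
    for t in apply_closure_rule(create_tickets()):
        print(t["id"], t["owner"], t["cve"], t["tier"], t["due"], t["status"], t["remaining"])
```

Five findings become three tickets, and after the follow-up scan only the database ticket closes; the web-team ticket for CVE-2019-0001 stays open with web03 listed as the outstanding instance, so a partially applied patch cannot silently close the work item.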

Access the full 2019 Forrester Wave™: Vulnerability Risk Management report here.