Musings on predictive cyber risk and resilience.


Avoiding Breaches by Using Security Analytics to Reduce Risk

The term “security analytics” can cover a broad range of analytics, from behavioral analytics and anomaly detection to predictive and threat analytics. All of them, however, were created to reduce risk for the organization by spotting problems faster, ideally resolving them before damage is done. In this context, we will discuss using analytics to proactively identify high-risk assets within the business infrastructure in order to reduce attack surfaces and ultimately business risk.

EMA research titled A Day in the Life of a Security Pro,1 which investigated issues encountered by security operations, identified a widening gap between security staff, assets, and vulnerabilities as companies get larger. The variance appears to grow nearly exponentially because the security headcount grows linearly while asset growth and vulnerabilities are closer to an exponential curve. Midsized organizations with as few as 10 security personnel had an average of just under 2,000 systems in place and just under 20,000 vulnerabilities. Enterprises of 5,000 to 10,000 people with about 30 security people had just under 13,000 systems in place, but the vulnerability gap got wider, with nearly 131,000 vulnerabilities to manage. Very large enterprises of 10,000 to 20,000 people grew to about 100 security personnel, but their total vulnerability liability exceeded 1.3 million. Thus, though smaller companies have fewer security personnel, they also manage proportionately fewer assets and associated vulnerabilities.

In addition, 74 percent of security teams said they were overwhelmed by the sheer volume of maintenance work assigned to them, and 79 percent said they were overwhelmed by the volume of threat alerts. On top of that, 79 percent of respondents also said their organization’s patching process was significantly manual.

What does all this mean for security analytics as it applies to avoiding breaches? A Day in the Life of a Security Pro2 also found that the vulnerability pool for operating systems and common applications is expanding at an average of approximately 10 new vulnerabilities per system, per month. With the additional burden of new threats targeting custom applications and products, security and IT teams can’t address them all in a timely manner. This makes prioritizing the vulnerabilities with the greatest potential business impact crucial for gaining optimal security with the available resources.

Using only the severity assigned by researchers and vulnerability management platforms is woefully insufficient for proper prioritization, because those systems lack information about the asset’s environment and business context, and about the business impact if the vulnerability is exploited. Even the CVSS vulnerability scoring system cannot effectively address these variables, because it does not have enough information without looking to external sources.

New analytic approaches that use machine learning (ML) and artificial intelligence (AI) can make assessments based on model-driven experience that leverages large pools of collected information. These tools create better risk profiles for assets, changing the paradigm from whack-a-mole on vulnerabilities to a direct, risk-based prioritization that first remediates or mitigates the assets with both the highest likelihood of being exploited and the greatest business impact should they be compromised.
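To make the difference between severity-only and context-aware prioritization concrete, here is an added illustration that is not from the article or from EMA: a small scorer that ranks findings by likelihood of exploitation times business impact and compares that order with a CVSS-only order. The weighting factors, asset attributes and sample findings are constructed assumptions, and the CVE ids are placeholders rather than real advisories.

```python
"""Risk-based prioritization: CVSS severity alone versus severity
combined with asset context (likelihood x business impact).
Added illustration; weights and sample findings are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str                    # placeholder id, not a real advisory
    asset: str
    cvss: float                 # CVSS base score, 0.0 to 10.0
    internet_facing: bool
    exploit_public: bool        # a working exploit is known to circulate
    business_criticality: int   # 1 (lab box) .. 5 (revenue-critical)
    data_sensitivity: int       # 1 (public data) .. 5 (regulated/PII)


def likelihood(f: Finding) -> float:
    """Score in [0, 1] for how likely the finding is to be exploited.
    Starts from CVSS severity, then scales by exposure and exploit
    availability (the 0.4 and 0.5 factors are assumed weights)."""
    score = f.cvss / 10.0
    score *= 1.0 if f.internet_facing else 0.4   # reachable only internally
    score *= 1.0 if f.exploit_public else 0.5    # no public exploit yet
    return min(score, 1.0)


def impact(f: Finding) -> float:
    """Business impact in [0, 1] from criticality and data sensitivity."""
    return (f.business_criticality + f.data_sensitivity) / 10.0


def risk(f: Finding) -> float:
    return round(likelihood(f) * impact(f), 3)


def prioritize(findings, by_context=True):
    """Return CVE ids ordered most urgent first, by risk or by raw CVSS."""
    key = risk if by_context else (lambda f: f.cvss)
    return [f.cve for f in sorted(findings, key=key, reverse=True)]


# Constructed sample: a critical CVSS on an isolated lab VM versus a
# medium-severity bug with a public exploit on an internet-facing payment host.
SAMPLE = [
    Finding("CVE-0000-0001", "lab-vm-7", 9.8, False, False, 1, 1),
    Finding("CVE-0000-0002", "pay-api-1", 6.5, True, True, 5, 5),
    Finding("CVE-0000-0003", "hr-db-2", 7.5, False, True, 4, 5),
]

if __name__ == "__main__":
    print("CVSS only :", prioritize(SAMPLE, by_context=False))
    print("Risk-based:", prioritize(SAMPLE))
```

The CVSS-only order puts the isolated lab VM first; the context-aware order moves the exposed payment host to the top, which is the shift from severity to business risk the text describes.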

1 EMA, “A Day in the Life of a Security Pro”
2 EMA, “A Day in the Life of a Security Pro”