Cyber Security Priorities are Changing. AI Can Help.
April 9, 2020
Priorities change in a crisis. The wife of one of our Delve colleagues is a family counselor at a hospital in New York City. These days, she has been redeployed to support mothers in delivery rooms, substituting for spouses and family members who are barred from hospitals in response to the crisis. In a monumentally less serious example, hockey goalies are pulled from the net to make room for another forward when the team is losing late in the third period, because defending the goal is not a priority when time is running out on a losing effort. As the threadbare adage goes, desperate times call for desperate measures.
Unsurprisingly, the IT and security worlds are not immune to crisis-induced re-prioritization. In the past few weeks, information technology teams have been forced to invest untold resources in moving their workforces to a work-from-home paradigm, while security teams have been forced to shift priorities to the security concerns of a remote workforce. And dependably adaptable cyber criminals have tailored their efforts to capitalize on the pandemic, crafting phishing emails that solicit donations to non-existent charities, offer "expert" virus updates with a click, and promise government aid if the recipient simply downloads a form. These Covid-themed phishing schemes, combined with fake virus websites and other pandemic-related scams, are now understandably consuming the time and mind-share of security and IT teams.
Re-prioritization in a crisis is necessary and wise, but it is important to appreciate not only what has been prioritized, but also at what expense. Resources are prudently moved from task A to task B, but what risks are incurred by neglecting task A? As a vulnerability management company, we worry that resources previously focused on vulnerability remediation are likely being redeployed to address Covid-related challenges. That makes sense. When a trauma victim is bleeding, EMTs are trained to stop the bleeding first; the broken leg can wait. But in this crisis, savvy cyber criminals are likely to eschew flashy, Covid-themed attack mechanisms for tried-and-true vulnerability exploitation, a strategy that may now meet less resistance from pandemic-distracted security and IT teams.
Even before the pandemic, aging vulnerabilities were responsible for perhaps more than 50% of successful breaches. Indeed, the respondents to a recent survey by the Ponemon Institute estimated that “60% of breaches in 2019 involved unpatched vulnerabilities,” and there’s every reason to believe that more unpatched vulnerabilities will be available to attackers as remediation resources are redeployed to address pandemic realities. And, although the virus may slow the world’s economies, it’s unlikely to have any impact on the pace of new vulnerability discoveries, more of which are published daily.
The good news? Technology can help.
This choice between the need to address urgent, crisis-related tasks or continue the blocking and tackling work of fundamental security operations like vulnerability remediation doesn’t have to be as painful or stark as it may seem at first glance. As is the case with any endeavor, the only way to do more with less is to take advantage of data to make the smartest decisions possible on when and where to deploy scarce resources.
In the case of vulnerability remediation, although most networks house hundreds of thousands or millions of vulnerabilities, not all of them need to be addressed immediately. Some represent immediate risks to the enterprise, while others are unlikely to expose the organization to an attack in the near or even the long term. The challenge is to know the difference with confidence, and to deploy whatever remediation resources are available only to the highest-risk vulnerabilities. This would be a trivial exercise for an experienced IT or security professional if the network had 10, 100, or even 1,000 vulnerabilities to triage. But when the number is in the thousands, tens of thousands, or even hundreds of thousands, manually determining which vulnerability is the most critical, which is the second-most, and so on, is not practical.
Today’s AI technology is enabling the meaningful, automated prioritization of vulnerabilities at scale. The word meaningful is emphasized in the previous sentence because legacy vulnerability prioritization methods do provide vulnerability risk scores, but they are often myopic in their analysis, or based on just two or three factors. In reality, the risk a vulnerability poses to an organization is complex, and is influenced by a constantly evolving network, changing external threats, and other fluid elements. Reducing a vulnerability risk score to a couple of basic factors cannot yield what is required: a list of remediation priorities from 1 to n based on the continuous analysis of dozens of internal and external factors. That is only possible with the robust application of AI technology.
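To make the difference between severity-only and multi-factor prioritization concrete, here is an added illustration (not Delve's model or code): a small, constructed inventory of findings is ranked first by CVSS base score alone and then by a hypothetical score that also folds in public exploit availability, internet exposure, asset criticality and how long the finding has gone unpatched. The weights and the factor set are assumptions chosen for the demonstration; a real engine would weigh far more signals, continuously.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    """One unpatched finding on one asset. All fields are constructed sample data."""
    fid: str                 # placeholder identifier, not a real CVE
    cvss: float              # CVSS base score, 0.0 - 10.0
    exploit_public: bool     # working exploit code is publicly available
    internet_facing: bool    # asset is reachable from the internet
    asset_criticality: int   # 1 (throwaway test box) .. 5 (crown-jewel system)
    age_days: int            # days the finding has been known and unpatched

def risk_score(f: Finding) -> float:
    """Hypothetical multi-factor score: severity scaled by context (weights are assumptions)."""
    score = f.cvss
    if f.exploit_public:
        score *= 1.5                      # attackers need no research investment
    if f.internet_facing:
        score *= 1.4                      # no foothold required to reach it
    score *= 1 + 0.15 * (f.asset_criticality - 1)   # business impact of compromise
    score *= 1 + 0.5 * min(f.age_days, 365) / 365   # aging findings get exploited more
    return round(score, 2)

def rank_by_cvss(findings):
    """Legacy ordering: severity only."""
    return [f.fid for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]

def rank_by_risk(findings):
    """Context-aware ordering: the 1-to-n remediation list."""
    return [f.fid for f in sorted(findings, key=risk_score, reverse=True)]

# Constructed inventory: a "critical" CVSS on an isolated lab box versus a
# "high" with a public exploit on an internet-facing crown-jewel system.
INVENTORY = [
    Finding("A-lab-critical",   9.8, False, False, 1, 5),
    Finding("B-edge-exploited", 7.5, True,  True,  5, 120),
    Finding("C-edge-old-medium",5.3, True,  True,  3, 400),
    Finding("D-edge-high",      8.1, False, True,  2, 30),
]

if __name__ == "__main__":
    print("by CVSS :", rank_by_cvss(INVENTORY))
    print("by risk :", rank_by_risk(INVENTORY))
```

Severity alone would send the first remediation hour to the isolated lab box; the context-aware list puts the internet-facing, actively exploitable, business-critical finding first.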
Absent a crisis, businesses strive to automate manual processes to improve efficiency and remain competitive. In the midst of a crisis, redeployed resources make automation a non-negotiable necessity, something every organization is coming to appreciate in real time today.