In our last post, we discussed the importance of conducting annual cybersecurity assessments to identify potential threats. However, organizations also need a plan for how to act on that information to mitigate threats.
Given the scale and speed of modern cyberattacks, there’s no time to organize a meeting to discuss possible options for handling an emerging threat. Instead, businesses need to have a well-developed risk remediation methodology comprising standardized, repeatable processes for identifying and fixing vulnerabilities.
Repeatable processes ensure a consistent approach to problem resolution. Inconsistent, ad hoc approaches increase the likelihood of mistakes or omissions that create security gaps. Surprisingly, however, many organizations lack any type of overarching remediation framework.
More than half (56 percent) of organizations admit they cannot remediate vulnerabilities at the speed and scale necessary to protect themselves from exploits, according to a new study by Pulse. Forty-six percent say they simply rely on “gut feel” for threat response. A risk remediation framework can help companies implement consistent methods for prioritizing and responding to risk.
Prioritizing Risk
All networked systems are at risk, but some risks are more tolerable than others. For example, unpatched applications certainly create vulnerabilities, but they require far less urgency than an ongoing ransomware attack that’s locking you out of critical systems and data. The prioritization of risk is influenced by numerous factors such as the likelihood of an attack, potential for data exposure, probable financial loss, reputation-based considerations and shareholder sentiments.
The National Institute of Standards and Technology (NIST) recommends that all organizations develop a risk register — a centralized database for identifying and prioritizing cyber risks. It helps ensure the use of repeatable processes that save time, labor and other valuable resources when responding to a threat.
The NIST outlines elements of a risk register in the NISTIR 8286 document, although there are dozens of templates available online from various sources. In general, most suggest a comprehensive register should include the following elements:
- A brief description of the risk
- The event or vulnerability that created the risk
- The likelihood that the risk will be exploited
- The potential impact on the organization if the risk is exploited
- The priority level assigned to the risk
- Actions required to mitigate the risk
- Costs of an attack, including downtime, damage, recovery and remediation
How to Respond
Depending on the risk, there might be dozens of different policies, standards and security controls appropriate for your response and remediation efforts. Defining recommended responses for a variety of precisely defined threats can eliminate the need to reinvent the wheel with each security alert.
A well-crafted risk register will help you move quickly with an appropriate response. If a potential threat falls within your acceptable risk tolerance levels — say, for example, a suspicious network probe — you might simply choose to continue routine monitoring.
A threat that exceeds your tolerance level would trigger a more aggressive response. A distributed denial of service attack, for example, might involve multiple mitigation efforts such as running deep-packet inspection of incoming traffic to identify malicious bots, implementing rate limiting to control the frequency of requests coming from an IP address, and working with your ISP to scale bandwidth and block traffic from specific hosts.
Many businesses are moving toward a more automated threat response to ensure more immediate action. Security orchestration, automation and response (SOAR) frameworks use API connectors to orchestrate automated responses from multiple security technologies. Based on your existing security policies, a SOAR platform can automatically coordinate multiple mitigation protocols.
The ability to quickly and efficiently respond to threats is key to minimizing the damage from cyber threats. The security pros at Technologent can help you develop a comprehensive remediation plan featuring continuous monitoring and evaluation. Call us to learn more about our risk-based remediation services.
November 16, 2021
Comments