Intelligent CIO Middle East Issue 94 | Page 74

WE FOUND THAT AVERAGE PATCHING TIMES FOR MALWARE AND RANSOMWARE WERE SHORTER THAN WEAPONIZATION TIMES, MEANING THESE ATTACKS MUST EXPLOIT OLDER ISSUES THAT HAVE NOT YET BEEN PATCHED.
DISRUPTIVE TECH
Paul Proctor, VP Analyst at Gartner

investment strategies and resource allocation should account for this long tail of risk.

Using business outcomes and outcome-driven metrics in a security strategy
Cybersecurity outcome-driven metrics, on the other hand, link security and risk operational metrics to the business outcomes they support. They provide a more accurate picture of how well cybersecurity capabilities achieve the desired outcomes.
Gartner benchmarks 16 outcome-driven metrics, including time to patch, third-party risk engagement, endpoint protection, and ransomware recovery. These benchmarks create peer comparisons for board oversight and executive engagement in cybersecurity investment. Outcome-driven metrics should be measured in the context of the assets, alerts, vulnerabilities, and incidents that fall into the highest risk categories for an organisation.
Critical and high-risk assets: Assets for which a breach of confidentiality, integrity or availability would have a severe effect on organisational operations, organisational assets, or individuals.
Critical and high-risk third parties: Third parties for which a breach of confidentiality, integrity or availability would have a severe or catastrophic adverse effect on organisational operations, organisational assets, regulatory action, organisational reputation, or other material business outcomes or impacts.
Critical and high-risk alerts: Alerts that relate to an asset with a critical or high-risk classification and result from high-fidelity alerting and correlation, endpoint detection, IDS and highly tuned SIEM use cases.
Critical and high-risk vulnerabilities: To determine the vulnerability risk level, apply the Common Vulnerability Scoring System (CVSS) to the findings in your environment. Most commercial vulnerability scanners calculate CVSS automatically as they report findings, but it is important to apply environmental context to those findings, such as network position and impact rating, to ensure the scores reflect the actual risk.
Critical and high-risk incidents: Incidents or conditions that must be addressed to avoid severe or catastrophic adverse effects on organisational operations, organisational assets, or individuals.
Critical and high-risk policy exceptions: Formally tracked policy exceptions with expiration times or dates that must be addressed to avoid severe adverse effects on organisational operations, organisational assets, or individuals.
Systems: All IT assets and applications that support business and mission outcomes.
Business or mission outcomes: Measurable goals that support a business. Business outcomes can be defined at various levels, such as all manufacturing production for a business, the production of a single plant, or the production across a product line that may be split across several manufacturing plants. Outcomes are defined by each organisation.
By using outcome-driven metrics, CIOs can drive priorities and investments that balance the need to protect the business with the need to run it.
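To make the CVSS point above concrete, here is an added Python example (not from the article, Gartner or Qualys) that scores a vulnerability's base vector and then re-scores it with the environmental context the text names: network position (Modified Attack Vector) and impact rating (Confidentiality, Integrity and Availability Requirements). The formulas and weights follow the FIRST CVSS v3.1 specification; the sample vectors are constructed for illustration.

```python
import math
# CVSS v3.1 metric weights from the FIRST specification
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
AC = {"L": 0.77, "H": 0.44}
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
REQ = {"H": 1.5, "M": 1.0, "L": 0.5, "X": 1.0}  # CR / IR / AR requirement weights

def pr_weight(pr, scope):
    # Privileges Required weighs more when the scope is Changed
    return {"N": 0.85, "L": 0.68 if scope == "C" else 0.62,
            "H": 0.50 if scope == "C" else 0.27}[pr]

def roundup(x):
    # CVSS v3.1 "Roundup": smallest one-decimal value >= x, float-safe per the spec
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def parse(vector):
    # "CVSS:3.1/AV:N/AC:L/..." -> {"AV": "N", "AC": "L", ...}
    return dict(part.split(":") for part in vector.split("/")[1:])

def _score(av, ac, pr, ui, c, i, a, scope, modified=False):
    # Shared body of the base and environmental equations; `modified` switches in
    # the environmental constants (0.915 cap, 0.9731 factor and exponent 13)
    iss = min(1 - (1 - c) * (1 - i) * (1 - a), 0.915 if modified else 1.0)
    if scope == "U":
        impact = 6.42 * iss
    elif modified:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss * 0.9731 - 0.02) ** 13
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    expl = 8.22 * AV[av] * AC[ac] * pr_weight(pr, scope) * UI[ui]
    if impact <= 0:
        return 0.0
    total = impact + expl if scope == "U" else 1.08 * (impact + expl)
    return roundup(min(total, 10))

def base_score(vector):
    m = parse(vector)
    return _score(m["AV"], m["AC"], m["PR"], m["UI"], CIA[m["C"]], CIA[m["I"]], CIA[m["A"]], m["S"])

def environmental_score(vector, env):
    # env: modified metrics (MAV, MAC, MPR, MUI, MS, MC, MI, MA) plus CR/IR/AR
    # requirements; unset keys fall back to base. E/RL/RC stay Not Defined (1.0).
    m = parse(vector)
    g = lambda k: env.get("M" + k, m[k])
    c, i, a = (REQ[env.get(r, "X")] * CIA[g(k)] for r, k in
               (("CR", "C"), ("IR", "I"), ("AR", "A")))
    return _score(g("AV"), g("AC"), g("PR"), g("UI"), c, i, a, g("S"), modified=True)
```

A 9.8 finding that is only reachable locally on a low-value asset drops to 6.6, while an adjacent-network finding on an internet-exposed host rises from 8.8 to 9.8, which is the re-prioritisation the environmental context is meant to drive.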
Misconfigurations

Also worth addressing is the misconfiguration of web applications and cloud infrastructure. The OWASP Top Ten list can help with applications, as can close collaboration between security and developer teams to improve products before they are deployed. In our research, Qualys found 25 million flaws in 370,000 deployed web applications, so prioritising risk mitigation at design time is a shrewd use of resources and budget.
On the infrastructure side, one of the most common causes of data leaks is data sources mistakenly left accessible without passwords or encryption. Discovery of such misconfigurations should be automated so they can be flagged for immediate response. The Center for Internet Security (CIS) provides benchmarks for security teams that operate on the three main hyperscale providers: Amazon Web Services, Microsoft Azure, and Google Cloud Platform.
The CIS measures make life much harder for threat actors, but in many cases large majorities of organisations have not implemented the most important benchmarks, or indeed any of them. We live in a cloud-first world. Any security team that does not address the cloud and other infrastructure holistically (there is that word again) ignores risk and invites disaster. The CIS Hardening Benchmarks are extremely effective and directed towards plugging known gaps based on potential threats.