How likely is it that your organization will face a security breach in the near future? Is there any way to quantify the vulnerability of your IT infrastructure? Or is it sheer guesswork? It would be neat to be able to assign a probability to different kinds of threats your information systems and network may be facing, but whether that would be helpful in any practical way is another question. Kelly Shortridge knows something about this because she’s worked in a variety of positions involving cybersecurity and analytics. Kelly is currently the product manager for the analytics team at SecurityScorecard. She has spoken at conferences internationally with a focus on the applications of behavioral economics and game theory to information security, including at Black Hat USA, AusCERT, Countermeasure, Hacktivity, Troopers, USENIX, and ZeroNights. I recently talked with her about quantifying system risk in IT operations and her answers were illuminating so I decided to share them here with our TechGenix readers. See also my own observations at the end of this interview and be sure to follow Kelly on Twitter.
MITCH: Kelly how difficult is it for enterprises to quantify the level of system risk in their IT operations that could lead to a security breach?
KELLY: Enterprises to date struggle with even measuring the level of individual risk generated by certain systems or assets — let alone tackling systemic risk. We’ve seen this in other industries as well, such as during the financial crisis in 2008. There was a greater focus on the individual risk of a homeowner defaulting on their mortgage rather than analyzing the systemic risk presented by a diverse set of homeowners facing similar economic pressure at once.
For an enterprise to quantify systemic risk, they must identify and understand the interconnectedness and interdependence within their ecosystem, which is no easy feat. It is also prohibitive for most enterprises to employ data scientists to maintain an effort dedicated toward this effort when most enterprise security teams are already resource-challenged.
MITCH: In your experience what are some of the most common issues across an enterprise’s ecosystem that might lead to a breach happening?
KELLY: The issues that commonly lead to compromise are those that are typically underestimated — phishing, unpatched vulnerabilities, and lack of segmentation between networks or data. Security practitioners sometimes romanticize the notion that attackers will exploit zero-day vulnerabilities in their systems, while the reality is that attackers will use the lowest-cost method of attack that helps them reach their goal — the metaphorical low-hanging fruit.
The notion of technology or people leading to compromise is consistently discussed, but far less attention is paid to the fact that weak processes in a security program can also lead to compromise. If a security program has repeatable processes with continuous feedback loops that allow for adaptation over time, a more strategic approach towards reducing the potential impact of a breach can be taken. Without this, security programs will remain inherently reactive, which is a death sentence against a proactive adversary.
MITCH: How have enterprises traditionally tried to mitigate against the effects of such issues?
KELLY: Enterprises tend to gravitate toward point solutions and focus on robustness — trying to prevent attacks from happening — rather than adaptability and minimization of impact in the event of an attack. Too many organizations neglect the importance of repeatable, iterative processes and treat security as an end-state rather than a journey, therefore gravitating toward relying solely on technology to bolster their security posture. Unfortunately, when so many security solutions are bolted on what results is not improved security but instead an increase in complexity, which leads to greater interconnectedness and thus higher systemic risk.
Overall, enterprises tend to focus on trying to either eliminate or perfectly predict potential threats, rather than accepting that compromises will happen and adopting a strategy based on preparation.
You will never be able to predict a breach — exactly who, what, when, where, how, and why — but you can forecast the risk of compromise within your ecosystem to ensure you’re prepared.
MITCH: Does the risk an enterprise faces of a breach extend to their relationships with vendors, partners, and other third and fourth parties?
KELLY: Absolutely. For example, companies may be solely focused on prevention on their perimeter while neglecting to monitor or secure their API connecting customer data to a third-party partner. If the third-party partner is compromised, then their perimeter prevention will be fruitless.
Generally speaking, if a third party — whether a vendor, partner, service provider, or subsidiary — is compromised, any of data shared with them must be considered breached. Even if you are not sharing data, a third party can still potentially be used as a pivot point for attackers to gain footholds into your system by impersonating a “trusted” third party.
MITCH: What is SecurityScorecard offering enterprises that can help them get a better handle on their systemic risk and how to reduce their exposure?
KELLY: We recently released Breach Insights, which helps companies forecast the risk of compromise among a select group of their vendors, service providers, partners, or other third parties. We uncover systemic risk by identifying the pervasiveness of security issues within the group since this compounds potential impact. As part of this, we consider the correlation between current security issues within the group and issues present at the time of breach within companies recently compromised. A common issue across a group of organizations means that an attacker could potentially repeat their attack by exploiting that issue across a broad range of targets, amplifying the risk of multiple compromises within that group.
In addition to visualizing the risk forecast, we automatically identify which specific issues at which organizations are contributing the most to systemic risk of breach. This allows our customers to proactively adapt their defenses to these risks as well as prioritize their efforts in working with their third parties to reduce risk.
MITCH: Anything else you’d like to add for enterprises worried about their increasing vulnerability to IT security breaches?
KELLY: You will never be able to predict a breach — exactly who, what, when, where, how, and why — but you can forecast the risk of compromise within your ecosystem to ensure you’re prepared. Just like in financial systems, you need to prioritize resilience to ensure your organization doesn’t succumb to cascading failure and compounded impact due to unchecked systemic risk.
MITCH: Kelly thanks very much for giving us some of your valuable time!
KELLY: Thank you, Mitch — it was a pleasure.
Final thought: Closing the holes in our defense-in-depth security plan
Kelly’s observation about the possible risks your business might incur as a result of a breach happening at a partner or vendor your company works with is something we don’t often think about as IT professionals. We try to develop a defense-in-depth security plan for our own organization’s IT infrastructure, then we blindly assume that the third-party companies we do business with are taking the same level of care in securing their own networks. Breach Insights from SecurityScorecard is definitely something worth looking into and I plan on recommending the companies I do business look to consider checking it out.
What do you think? Share your comments below.
