SecureWorks Corp.

11/26/2024 | News release | Distributed by Public on 11/26/2024 07:49

A Practical Way to Prioritize Risk Reduction

One of the struggles security leaders face is prioritizing risk reduction activities in a way that effectively decreases the attack surface while optimizing the associated costs and effort. In practice, different variables play a role in these decisions and, ultimately, in choosing the right security controls. Keep reading to get insight into these different factors and how to address one of the most common dilemmas - evaluating high probability/low impact risks versus low probability/high impact risks - without losing sight of control coverage and total cost of ownership (TCO).

What Risk Means in Cybersecurity

There are various definitions of risk, but in cybersecurity it's generally seen as the potential for loss or damage when a threat exploits a vulnerability. This encompasses the likelihood of a cyberattack and the impact it would have on an organization. Quantifying risks involves assessing this likelihood and impact, often using a risk matrix or formula, such as "Risk = Likelihood x Impact". Likelihood is the probability of a threat exploiting a vulnerability, while impact measures the potential damage. This quantification helps organizations prioritize risks, guiding resource allocation and mitigation strategies to protect critical assets effectively.

Looking in detail at the two factors that influence risk, we see that likelihood is determined by a combination of external and internal variables, while impact is almost entirely based on an asset's specific internal context.

Likelihood can be influenced by factors such as:

  1. Threat actor capability: Skill level, resources, and motivation
  2. Vulnerability exposure: Public-facing systems or those with known vulnerabilities are more likely to be targeted
  3. Existing controls: The effectiveness of current security measures
  4. Historical data: Past incidents and trends
  5. Environmental factors: Changes in the threat landscape, emerging technologies, and geopolitical tensions

Impact, in contrast, is very specific to the internal context of an organization. The following factors influence impact:

  1. Asset value: Importance and value (customer information, intellectual property, business/production processes etc.)
  2. Business operations: The extent to which a cyber incident disrupts business operations
  3. Regulatory and legal consequences: Non-compliance with industry-specific regulations
  4. Reputational damage: Breaches can lead to long-term brand damage and loss of business
  5. Recovery costs: Resources required to respond to and recover from an incident

By understanding these factors, organizations can better quantify risks and develop strategies to mitigate them effectively.

Strategies to Address Risk

A sound risk analysis usually starts with an asset inventory. From a high-level perspective, security leaders look at identities, endpoints, email, network, cloud environments, data, business applications, and more. After classifying, categorizing, and performing a business impact analysis, "heat maps" can be used to map assets to their corresponding risk. Heat maps evaluate likelihood and impact, highlighting the risk posed by each of the identified assets.

Armed with this insight, it's time to start looking at solutions that address these findings and decrease risk to a level within the organization's risk appetite. Some actions will relate to internal activities such as hardening, tightening access and revoking permissions, segmentation, and others. Others will require additional investment - and this is the hardest nut to crack - ensuring the right balance between risk reduction, coverage, and TCO.

Risk reduction looks to address as much of the risk heat map as possible, by decreasing risk to a level accepted by the organization. In practice, one challenge security leaders face is prioritizing mitigation between:

  • Higher likelihood and lower impact risks - threat actors exploiting widespread vulnerabilities, using common attack vectors and targeting the weakest links (often the human factor)
  • Lower likelihood and higher impact risks - related to specific business assets such as banking applications, sensitive information databases, competitive intelligence, and similar

Coverage relates to the attack surface and the attack vectors that controls aim to address. There are many types of controls and no shortage of security vendors and services. However, from a coverage standpoint, we see two clear categories:

  • Generic controls are deployed to address the early stages of the kill chain, covering a larger area of the attack surface and successfully preventing or detecting many different attack vectors. Examples of controls that offer this broad coverage include network monitoring, endpoint detection and response (EDR), and email security.
  • Specific controls address the later stages of the kill chain, covering the final attack vectors that threat actors use to breach an organization's "crown jewels". These specialized controls provide targeted coverage, addressing business-critical applications or data, usually hosted within a well-protected perimeter that isn't directly exposed to threat actors.

TCO per control is the cost of implementing and maintaining a control. This needs to be considered in relation to the potential impact of the risk, the coverage provided, and the cost of doing nothing. In other words, is the asset being protected worth the cost? When we combine coverage and TCO, we see that the more specific the control, the higher the overall cost for the organization. Security monitoring use cases exemplify this. An EDR tool delivers hundreds, if not thousands, of different prevention and detection use cases. When we divide the TCO of an EDR tool by the number of use cases and attack vectors it blocks, what emerges is an effective and efficient control. At the opposite end of the spectrum, deploying and maintaining custom use cases for a business application has a significantly higher cost per use case / attack vector, because of the specialized technology deployed and the need for highly skilled individuals.

Aligning Risk Reduction to the Threat Landscape

Even with all this information at hand, prioritizing and implementing the most effective controls is still a difficult equation - with multiple variables for security leaders to consider. At Secureworks, we know the value of an outside-in perspective.

By stepping outside the context of an organization and looking at the external threat landscape, you get the insight you need to make the right choices. In the end, the more we tailor controls to how threat actors actually operate, the better we'll get at preventing and detecting malicious behavior early, well before any impact occurs.

Secureworks data really drives this home. Our Incident Response and Counter Threat Unit™ (CTU™) teams have observed the following trends over the past two years:

  • Most cybercrime is opportunistic, seeking out easy victims with cash or assets worth stealing. Ransomware continues to be the most pressing cybercrime concern.
    Secureworks 2024 State of the Threat Report
  • The basics of cyber defense remain as essential as ever - phishing-resistant MFA, timely patching, and comprehensive XDR implementation with threat-led detections. One or more of these defenses were absent in over 50% of the incidents worked by Secureworks Incident Responders last year.
    Secureworks 2024 State of the Threat Report
  • Vulnerabilities in internet-facing devices were the most frequently seen initial access vector (IAV) in ransomware engagements worked by Secureworks, accounting for half of incidents where the IAV was known.
    Secureworks 2024 State of the Threat Report
  • The three largest IAVs observed during ransomware engagements were scan-and-exploit, stolen credentials, and commodity malware from phishing emails.
    Secureworks 2023 State of the Threat Report
  • 95% of organizations have a critical identity misconfiguration, as discovered by Secureworks Incident Response and CTU™ teams in thousands of customer engagements.

How Best to Prioritize Risk Reduction Implementation

With all of this in mind, the following practical strategies will help organizations pursue rapid and cost-effective risk reduction:

  1. Prioritize deploying controls that address higher likelihood and lower impact risks. Focus on mitigating risks that are more likely to occur, even if their impact is lower, as these are often the entry points for threat actors. These risks often stem from common vulnerabilities and attack vectors that are frequently exploited by threat actors. By focusing on these areas first, organizations can quickly mitigate a significant portion of their risk exposure. IAVs can either be prevented or detected at an early stage by using, for example, a combination of prompt and regular patching, multifactor authentication, and comprehensive implementation of monitoring solutions. And by mitigating the IAVs, we immediately decrease the attack surface of more specific business assets later in the kill chain, thereby also reducing their risk.
  2. Implement broad-spectrum security measures that address a wide range of threats and provide extensive coverage across the attack surface. Generic controls are designed to cover a broad range of attack vectors and are typically deployed in the early stages of the kill chain. These controls allow organizations to efficiently protect a larger attack surface area. These controls include:
    1. Open, modern XDR platforms
    2. Network Detection and Response (NDR) and Identity Threat Detection and Response (ITDR)
    3. Vulnerability Management
    4. Managed Detection and Response (MDR) services
  3. Optimize TCO by implementing more generic controls, in contrast to controls that only focus on individual assets. Generic controls are generally more cost-effective and offer a higher return on investment, because they address multiple threats and vulnerabilities simultaneously. By spreading the cost across numerous prevention and detection use cases, organizations can achieve better efficiency and performance from their security program. Choosing controls that offer a favorable balance between cost and coverage ensures the investment is justified by the level of risk reduction.
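As an added worked example (not Secureworks' own code or model), the following Python sketch puts numbers to the prioritization described above: assets are scored with Risk = Likelihood x Impact on a 1-5 heat-map scale, each control carries a TCO, a use-case count and a per-asset likelihood reduction, and controls are ranked by risk removed per unit of cost alongside TCO per use case. All asset names, cost figures and reduction fractions are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed asset inventory: (likelihood, impact) on a 1-5 heat-map scale.
ASSETS = {
    "email_users":   (5, 2),  # phishing against staff: high likelihood, lower impact
    "vpn_gateway":   (4, 3),  # internet-facing device with known vulnerabilities
    "workstations":  (4, 2),
    "ad_identities": (3, 4),
    "banking_app":   (1, 5),  # well-protected "crown jewel": low likelihood, high impact
    "customer_db":   (2, 5),
}

def risk(likelihood: float, impact: float) -> float:
    return likelihood * impact          # Risk = Likelihood x Impact

def quadrant(likelihood: float, impact: float, threshold: float = 3) -> str:
    # Which side of the high-likelihood/low-impact vs low-likelihood/high-impact dilemma
    return {(True, False): "high likelihood / low impact",
            (False, True): "low likelihood / high impact",
            (True, True): "high / high", (False, False): "low / low"
            }[(likelihood >= threshold, impact >= threshold)]

@dataclass
class Control:
    name: str
    tco: float        # annual cost of ownership (constructed figure)
    use_cases: int    # prevention/detection use cases the control delivers
    reduction: dict   # asset -> fraction by which its likelihood drops (constructed)

# Constructed controls: two generic (early kill chain), one asset-specific (late).
CONTROLS = [
    Control("EDR", 120_000, 800, {"email_users": 0.5, "workstations": 0.6,
                                  "ad_identities": 0.3, "vpn_gateway": 0.2}),
    Control("Patching + MFA", 60_000, 50,
            {"vpn_gateway": 0.6, "ad_identities": 0.5, "email_users": 0.3}),
    Control("Banking app custom use cases", 90_000, 12, {"banking_app": 0.7}),
]

def residual_risk(assets: dict, control: Control) -> float:
    # Heat-map risk left once the control lowers each covered asset's likelihood
    return sum(risk(l * (1 - control.reduction.get(name, 0.0)), i)
               for name, (l, i) in assets.items())

def rank_controls(assets: dict, controls: list) -> list:
    """Rank controls by risk removed per 10k of TCO; also report TCO per use case."""
    base = sum(risk(l, i) for l, i in assets.values())
    rows = [{"control": c.name, "tco_per_use_case": round(c.tco / c.use_cases, 2),
             "risk_reduced": round(base - residual_risk(assets, c), 2),
             "risk_reduced_per_10k": round((base - residual_risk(assets, c)) / c.tco * 1e4, 3)}
            for c in controls]
    return sorted(rows, key=lambda r: r["risk_reduced_per_10k"], reverse=True)
```

With these constructed figures the two generic controls rank ahead of the asset-specific one, even though the banking application carries the highest impact score, because their cost is spread over many use cases and they lower the likelihood of several assets at once.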

By following this strategy, organizations can swiftly reduce their risk profile and align their security efforts with their overall risk appetite - all while maintaining cost effectiveness.

Secureworks has been successfully reducing cyber risk for global customers of all sizes and industries for over two decades. Using an open cybersecurity platform that integrates your existing technology stack with our native controls, AI, threat data, and decades of expertise, we are able to help you strike the ideal balance between risk mitigation and cost effectiveness. To speak to a security expert about the ideal approach to risk reduction in your organization, don't hesitate to get in touch.