At the recent U.S. Bank Strength in Security conference, Jeremiah Grossman, CEO of Bit Discovery, contemplated how organizations respond to security vulnerabilities.
For Grossman, reactions to an identified vulnerability usually follow a frantic pattern. Organizations try to plug every single leak in their systems, even if the potential danger from those leaks is minimal at best. Grossman sought to push back against this pattern at the conference, arguing that organizations need to be strategic – and less frantic – in how they address vulnerabilities.
Here are some of the key points from Grossman’s presentation to the conference. They are drawn from a recent blog post of his, and they can help any organization improve its security efforts.
Grossman noted that many identified vulnerabilities aren’t easily exploitable and prove too difficult for most hackers. Some may only be exploitable by insiders, which greatly narrows the investigation once a breach occurs.
Given how few vulnerabilities are actually exploited relative to the overall number of security threats identified, Grossman argued that companies are wasting time investigating low-impact leaks.
“If attackers aren’t finding and exploiting these vulnerabilities, what’s the value in discovering, or even looking for them?” Grossman noted.
If a vulnerability poses a great risk to the organization’s bottom line, then it becomes a high priority to fix. If, conversely, a leak poses little threat, then a simple monitoring process might work better. For Grossman, the key lies in assessing each threat by the material losses it could cause.
“Exploitation of a vulnerability does not automatically lead to a ‘breach,’ which does not necessarily equate to a material business loss – which is all the business or their insurance carrier cares about,” Grossman argued.
Grossman argued that the vulnerability assessment industry tends to over-analyze. Vendors often try to prove their value by over-delivering on vulnerability identification – and organizations generally reward them with contracts.
“Nine times out of ten, the vendor who produces the best results in terms of high-severity vulnerabilities with low false-positives will win the deal,” Grossman said. “As such, every vendor is heavily incentivized to identify as many vulnerabilities as they can to demonstrate their skill and overall value.”
This trend creates a disconnect between the vendor’s capabilities and the customer’s needs.
“Vendors are incentivized to report anything they can, but their customers just want the reports that are likely to get them hacked,” Grossman said. “Every finding beyond that is a waste of time, money and energy.”
At the end of the presentation, Grossman called for a more efficient vulnerability assessment process. By focusing specifically on the threats that could actually cause material losses, an organization can better prioritize its investment and ignore the vulnerabilities that simply take up resources.
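As an added illustration of the prioritization Grossman describes (example code written for this write-up, not from the talk or the blog post it draws on): findings are ranked by expected material loss rather than by scanner severity, and anything below a threshold is routed to monitoring instead of immediate remediation. The sample findings, their likelihood and loss figures, the insider-only discount and the fix threshold are all constructed assumptions.

```python
"""Triage vulnerability findings by expected material loss, not raw severity.
Constructed example; every figure below is an illustrative assumption."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    name: str
    severity: float            # scanner severity, 0-10 (CVSS-style base score)
    exploit_likelihood: float  # estimated yearly probability of exploitation, 0-1
    material_loss: float       # estimated loss in USD if exploited (breach, fines, downtime)
    insider_only: bool = False # reachable only by someone already inside the network

INSIDER_DISCOUNT = 0.2  # assumption: far fewer candidate attackers for insider-only paths
FIX_THRESHOLD = 10_000  # assumption: expected loss (USD/year) above which we fix, not monitor

def expected_loss(f: Finding) -> float:
    """Annualised expected loss = likelihood of exploitation x material loss."""
    likelihood = f.exploit_likelihood * (INSIDER_DISCOUNT if f.insider_only else 1.0)
    return likelihood * f.material_loss

def by_severity(findings):
    """Names ordered the way a scanner report would present them."""
    return [f.name for f in sorted(findings, key=lambda f: f.severity, reverse=True)]

def by_expected_loss(findings):
    """Names ordered by what the business actually stands to lose."""
    return [f.name for f in sorted(findings, key=expected_loss, reverse=True)]

def triage(findings, threshold=FIX_THRESHOLD):
    """Split into (fix_now, monitor) name lists, each in expected-loss order."""
    ranked = sorted(findings, key=expected_loss, reverse=True)
    fix_now = [f.name for f in ranked if expected_loss(f) >= threshold]
    monitor = [f.name for f in ranked if expected_loss(f) < threshold]
    return fix_now, monitor

# Constructed sample findings; numbers are illustrative, not measured.
FINDINGS = [
    Finding("SQLi in customer login", 9.8, 0.6, 2_000_000),
    Finding("RCE in admin console (internal VLAN only)", 9.9, 0.3, 500_000, insider_only=True),
    Finding("Reflected XSS on marketing page", 6.1, 0.05, 20_000),
    Finding("Weak TLS cipher on internal wiki", 5.3, 0.01, 5_000),
]

if __name__ == "__main__":
    print("scanner order :", by_severity(FINDINGS))
    print("loss order    :", by_expected_loss(FINDINGS))
    fix, watch = triage(FINDINGS)
    print("fix now       :", fix)
    print("monitor       :", watch)
```

Note how the highest-severity finding (the insider-only RCE) drops below the SQL injection once exploit likelihood and material loss are taken into account, while the two low-loss findings land in the monitoring bucket.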
For more discussion on this trend, listen to a podcast with Grossman and U.S. Bank Chief Information Security Officer Jason Witty.