SOLUTION BRIEF
Copyright © 2019 Balbix, Inc. All rights reserved.
Risk-Based Vulnerability Management
Cyber-Risk Reporting for Your Board Of Directors
Overview
Your vulnerability management program is supposed to be the cornerstone of your cybersecurity initiatives – how you stay ahead of the adversary. However, traditional vulnerability management has a number of big problems.
Legacy vulnerability tools spew out alerts in the (tens of) thousands every time a scan completes, leaving your team overwhelmed and struggling with how to proceed. It is hard to tell which of your vulnerabilities are critical, which can wait a day, vs. ones that are just noise. You cannot afford to dedicate resources to remediating vulnerabilities that pose little or no threat, while ignoring the most critical vulnerabilities which put your organization at real risk of breach.
Figure 1: Cyber-risk spectrum
Another big issue is coverage. Traditional approaches to vulnerability assessment understand and monitor less than 5% of the enterprise attack surface, primarily CVEs (unpatched software vulnerabilities) and some simple security configuration issues, mostly across traditional assets.
There are 100+ other ways in which your network can be breached — starting from simple things like weak passwords, default passwords, password reuse, passwords stored incorrectly on disk, or transmitted in the clear on the network. Traditional vulnerability tools will not tell you which of your users are particularly prone to being phished, or which users with privileged access to your enterprise systems have poor cybersecurity hygiene.
In terms of asset coverage, very few organizations have an accurate real-time view of exactly what assets are present in the enterprise. Non-traditional assets such as bring-your-own devices, IoTs, industrial equipment and cloud services are particularly hard to enumerate and then analyze for risk.
Legacy vulnerability tools do not account for which CVEs are really exploitable, and we know that at any given time less than 20% of CVEs are actually usable by attackers. These vulnerability systems also do not understand the different levels of business criticality of your assets. Nor do these tools account for the degree of exposure of different assets (based on how they are used), or the mitigating impact of your security controls. Much of the work created by legacy tools is simply noise and wasteful.
Consequently, legacy vulnerability management is quite off the mark in proactively managing your organization’s cybersecurity posture and breach risk. In a recent survey conducted by the Ponemon Institute, only 15% of security teams felt that their patching efforts were highly effective and 67% said that they do not have the time and resources to mitigate all vulnerabilities in order to avoid a data breach.
Risk-based vulnerability management
In order to truly enhance security posture and improve resilience, you need a risk-based approach to vulnerability management that identifies vulnerabilities due to 100+ attack vectors (not just CVEs) across all your assets, and also prioritizes them based on actual risk by understanding the context around each vulnerability and the enterprise asset that it affects.
Armed with this information, your security team will be better equipped to tackle your vulnerabilities in the most efficient manner and increase the effectiveness of your cyber-risk management efforts.
Balbix overview
Balbix replaces legacy vulnerability tools and multiple point products to continuously assess your enterprise’s cybersecurity posture and prioritize open vulnerabilities based on business risk.
With Balbix you can continuously observe and analyze your enterprise’s extended network, inside-out and outside-in, to discover and identify weaknesses in your defenses. Our system combines information about open vulnerabilities, active threats, real exposure, business criticality and your compensating security controls across all your asset types and 100+ attack vectors to prioritize security issues based on risk.
Only 15% of security teams say that their patching efforts are highly effective.
Ponemon Report 2019 – The Challenging State of Vulnerability Management Today
Balbix helps you align your patching and risk mitigation activities with business risk
Automatic inventory
The first step towards risk-based vulnerability management is actually knowing “what” to scan – i.e. starting with an accurate inventory of all the enterprise assets. Traditional vulnerability management tools can only discover corporate-owned and managed assets and lack visibility into non-traditional assets such as bring-your-own devices, IoTs, mobile assets and cloud services.
With Balbix you do not need to specify what to scan, as Balbix automatically (and continuously) discovers and categorizes your assets, i.e., any devices, applications and users present on your extended network, and analyzes them for vulnerabilities. Balbix also estimates business criticality for each asset based on analysis of usage and network traffic.
Figure 2: Automatic Inventory
Real-time and continuous, with natural-language search
Legacy vulnerability tools are cumbersome to operate, and are typically configured to perform periodic (often monthly) scans. As a result, the enterprise’s understanding of risk from vulnerabilities is typically several weeks out-of-date. You might recall the superhuman efforts required the last time you had an emergency patch situation, or when the CFO inquired about the risk from WannaCry.
Balbix is real-time and operates continuously and automatically. The risk model surfaced by Balbix is usually seconds or less behind the actual on-network conditions.
With Balbix, you can answer questions about your asset inventory, your cybersecurity posture and breach risk using natural-language search. For example, you can query your inventory using IT vocabulary, e.g., “windows servers in mountain view” or “network admins”. In your search queries, you can combine technical terms from security and IT, e.g., “unpatched switches in London”, “expired certificates”, “password reuse”, “phishing”, etc., or enter a CVE number (CVE-2017-0144) or its common name (WannaCry), if one exists. Balbix also supports higher-level queries such as: where will attacks start, what will they go after, what assets have intellectual property, and cyber-risk to customer data. Our objective is to give you a Google-like, highly contextual search experience for your cybersecurity and IT data and insights.
Comprehensive visibility across all asset types and attack vectors
As all cyber-defenders know, any enterprise network is only as secure as its weakest link. An effective vulnerability management program must cover all types of assets and all sorts of security issues beyond unpatched software.
Unlike legacy vulnerability assessment products, Balbix provides comprehensive vulnerability assessment across all asset types: managed and unmanaged, IoTs, infrastructure, on-premises and in the cloud, fixed and mobile. Balbix also analyzes each asset against 100+ attack vectors. For us the word “vulnerability” means something closer to the English definition of “vulnerability”, and not just a CVE, and includes issues like password reuse, phishable users, and encryption issues.
Figure 3: Natural language search to find answers quickly
Figure 4: Comprehensive vulnerability assessment
Five-pronged risk calculation
Legacy vulnerability and patching tools use primitive risk metrics to prioritize vulnerabilities. Their calculation is typically based on CVE score and a simple business impact model (high, medium, low), and leads to priority inversion and wasted effort.
Balbix’s risk-based prioritization of vulnerabilities considers 5 factors — vulnerability severity, threat level, business criticality, exposure/usage and the risk-negating effect of compensating controls. This results in very accurate prioritization and helps you avoid needless busywork fixing low-priority issues.
Customizable notion of risk
Organizations have different top risk concerns based on the nature of their business. Legacy vulnerability management treats all security issues the same way.
Balbix lets you define risk areas appropriate for your business using natural language search, and then maps your vulnerabilities to these areas. For example, one such risk area can be “intellectual property”, and Balbix will let you analyze, prioritize and remediate vulnerable assets that contain intellectual property. In a specific quarter, for example, you may choose to focus on reducing risk to one of these areas, and show real progress.
Implement MTTP SLAs
Patching systems periodically is a big portion of enterprise vulnerability management. With legacy tools, most organizations have a normal patching cadence and a separate process for dealing with emergency patching. This leads to many important enterprise assets being unpatched for weeks on end.
With Balbix, you can set up target mean-time-to-patch SLAs for vulnerabilities of different likelihood values for asset groups of different business impact levels. These SLAs can be used to create tickets and drive patching workflows in a prioritized fashion to minimize cyber-risk exposure due to unpatched systems.
Figure 5: Five-pronged risk calculation
Figure 6: Cyber-risk metrics aligned to business concerns
Figure 7: Target SLAs for mean-time-to-patch
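As an added illustration of the five-factor prioritization and the likelihood × business-impact MTTP SLA matrix described above (not Balbix’s own algorithm, whose weighting the brief does not disclose), the following Python sketch scores two constructed findings, looks up a target mean-time-to-patch for each, and shows the priority inversion a CVSS-only ranking produces; all weights, thresholds, SLA values and findings are assumptions made here.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    asset: str
    cvss: float          # vulnerability severity, 0-10
    threat: float        # threat level: 0 (no known exploit) .. 1 (actively exploited)
    exposure: float      # exposure/usage: 0 (isolated) .. 1 (internet-facing, heavily used)
    controls: float      # risk-negating effect of compensating controls, 0 .. 1
    criticality: float   # business criticality of the asset, 0 .. 1

def likelihood(f: Finding) -> float:
    """Hypothetical model: severity scaled by threat and exposure,
    then reduced by compensating controls. Result in [0, 1]."""
    return round((f.cvss / 10.0) * f.threat * f.exposure * (1.0 - f.controls), 3)

def risk(f: Finding) -> float:
    """Risk = likelihood x business impact (criticality), in [0, 1]."""
    return round(likelihood(f) * f.criticality, 3)

def bucket(x: float) -> str:
    """Map a 0..1 score to the high/medium/low bands used by the SLA matrix."""
    return "high" if x >= 0.5 else "medium" if x >= 0.2 else "low"

# Assumed target mean-time-to-patch in days, keyed by (likelihood, business impact).
MTTP_SLA_DAYS = {
    ("high", "high"): 3,   ("high", "medium"): 7,    ("high", "low"): 30,
    ("medium", "high"): 7, ("medium", "medium"): 30, ("medium", "low"): 60,
    ("low", "high"): 30,   ("low", "medium"): 60,    ("low", "low"): 90,
}

def sla_days(f: Finding) -> int:
    return MTTP_SLA_DAYS[(bucket(likelihood(f)), bucket(f.criticality))]

def prioritize(findings):
    """Risk-based order: highest risk first, ties broken by the shorter SLA."""
    return sorted(findings, key=lambda f: (-risk(f), sla_days(f)))

def cvss_only(findings):
    """What a legacy tool does: rank by severity score alone."""
    return sorted(findings, key=lambda f: -f.cvss)

# Constructed sample findings (not real data).
SAMPLE = [
    # CVSS 9.8, but no known exploit, lightly used, segmented, non-critical lab box
    Finding("lab-vm-17", 9.8, 0.1, 0.5, 0.6, 0.1),
    # CVSS 7.5, actively exploited, internet-facing, no compensating control, crown-jewel DB
    Finding("crm-db-01", 7.5, 1.0, 0.8, 0.0, 0.9),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{f.asset}: likelihood={likelihood(f)} risk={risk(f)} patch within {sla_days(f)} days")
```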
3031 Tisch Way, Ste 800, San Jose, [email protected]
End-to-end identification, prioritization and resolution of vulnerabilities
Ultimately, Balbix allows you to set up your business risk areas and manage how vulnerabilities in these areas are automatically mapped to their asset-group owners with risk-based priority. Based on desired SLAs, tickets are automatically created, assigned to the relevant owners and tracked. Ticket owners are offered alternatives between fixing the vulnerability (e.g., by patching) or implementing some compensating control. Balbix continuously monitors the network for fixes and mitigating controls.
Balbix also enables the comparative benchmarking and reporting of different groups’ vulnerability management practices.
Know which of your vulnerabilities are critical, those which can wait a day, vs. ones that are just noise…
Figure 8: End-to-end vulnerability management