How companies can respond better to security risks [Q&A]


One of the biggest issues when dealing with security risks is the time that it takes to address problems when they come to light.

We spoke to Yoran Sirkis, CEO of remediation operations specialist Seemplicity, to discuss why there's an issue and how workflow problems around responding to risks can be improved.

BN: It's taking companies a long time to address critical risks -- some studies show 90 days to address critical application security risks. So, MTTR is still higher than it should be at most companies. Why do you think this is?

YS: Remediation processes at most organizations today consist of a sequence of disjointed, manual tasks distributed across many teams.

First, the security team collects findings from multiple, siloed tools, typically manually, which yields an incomplete view of vulnerabilities and risks across a company’s attack surface that lacks context. Under these circumstances, the team does its best to prioritize risks, but ranking these without a broader context is a tedious, resource-intensive process.

Further along the chain are other departments that remediate risk based on reports they receive from the security team. They, too, operate in silos using different technology stacks and methods. Quite often, they process alerts in FIFO (first in, first out) mode, as opposed to prioritizing high-risk versus low-risk.

Flooded with findings, these teams lack the time to dig for clues about context in order to manage and prioritize. And this is likely not their only job, so they are overwhelmed. The result is cross-team friction and chaos.

BN: We know that remediating any given vulnerability is not just a tech problem, but a process, communications and cross-departmental workflow issue. Can you explain that?

YS: There are five steps in the fragmented remediation process today. First, the security team runs testing scanners and pulls findings.

Then, the security team checks to make sure these issues haven’t already been resolved or are in progress.

From there, the security team calculates the importance of a risk to establish its priority -- what assets are threatened, how valuable they are, and the consequences of the vulnerability being exploited, etc.

If a high-priority vulnerability is found, it's assigned to a 'fixer'. This involves first finding the right team or individual, opening service tickets, etc. -- which takes time.

Finally, after the issue is remediated, the security team needs to confirm it's actually resolved and they have to make sure it’s eradicated and absent from the next scan.

And, as I mentioned earlier, this entire process is done manually today by collecting information from a fragmented set of tools and sources. It’s incredibly inefficient.

It's a slog.
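To make the five steps just described concrete, the following is an added Python sketch of that workflow; it is not Seemplicity's product and not code from the interview. Every asset name, vulnerability ID ("VULN-000n"), ticket number, owner, criticality value and severity weight in it is a constructed placeholder, and the scoring formula (severity x asset criticality x exposure multiplier) is one assumed illustration of "context", not a published method.

```python
"""Added sketch of the five-step remediation workflow: collect, dedupe,
prioritize, assign, verify. All data below is constructed for the example."""
from dataclasses import dataclass, field

SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}

# Constructed asset inventory: criticality 1-5, internet exposure, owning team.
# "test-07" is deliberately missing to show how an unknown asset is handled.
ASSETS = {
    "web-01": {"criticality": 5, "exposed": True, "owner": "team-web"},
    "web-02": {"criticality": 4, "exposed": True, "owner": "team-web"},
    "db-01": {"criticality": 5, "exposed": False, "owner": "team-data"},
}
# Constructed: a finding that already has a ticket in progress.
OPEN_TICKETS = {("db-01", "VULN-0002"): "TKT-42"}

# Constructed output of two hypothetical scanners with different schemas.
SCANNER_A = [
    {"id": "A-1", "host": "web-01", "vuln": "VULN-0001", "sev": "critical"},
    {"id": "A-2", "host": "db-01", "vuln": "VULN-0002", "sev": "high"},
    {"id": "A-3", "host": "test-07", "vuln": "VULN-0003", "sev": "critical"},
]
SCANNER_B = [
    {"finding_id": 17, "asset": "web-01", "cve_like": "VULN-0001", "severity": "HIGH"},
    {"finding_id": 18, "asset": "web-02", "cve_like": "VULN-0004", "severity": "MEDIUM"},
]
# Constructed: what the next scan still reports after fixers have worked.
NEXT_SCAN = {("web-02", "VULN-0004")}


@dataclass
class Finding:
    asset: str
    vuln: str
    severity: str
    sources: set = field(default_factory=set)
    score: float = 0.0
    owner: str = ""
    needs_context: bool = False  # set when the inventory knows nothing about the asset


def collect(scanner_a, scanner_b):
    """Step 1: pull findings from both tools into one normalized list."""
    out = [Finding(f["host"], f["vuln"], f["sev"].lower(), {"scanner-a"}) for f in scanner_a]
    out += [Finding(f["asset"], f["cve_like"], f["severity"].lower(), {"scanner-b"}) for f in scanner_b]
    return out


def dedupe(findings, open_tickets=OPEN_TICKETS):
    """Step 2: merge the same (asset, vuln) seen by several tools; skip ones already in progress."""
    merged = {}
    for f in findings:
        key = (f.asset, f.vuln)
        if key in open_tickets:
            continue
        if key in merged:
            m = merged[key]
            m.sources |= f.sources
            if SEVERITY_WEIGHT[f.severity] > SEVERITY_WEIGHT[m.severity]:
                m.severity = f.severity  # keep the higher rating when tools disagree
        else:
            merged[key] = f
    return list(merged.values())


def prioritize(findings, assets=ASSETS):
    """Step 3: score = severity x asset criticality x exposure; flag assets lacking context."""
    for f in findings:
        a = assets.get(f.asset)
        if a is None:
            f.needs_context = True
            crit, exposed = 3, True  # conservative assumption until someone supplies context
        else:
            crit, exposed = a["criticality"], a["exposed"]
        f.score = SEVERITY_WEIGHT[f.severity] * crit * (2 if exposed else 1)
    return sorted(findings, key=lambda f: f.score, reverse=True)


def assign(findings, assets=ASSETS):
    """Step 4: route to the owning team, or to a triage queue when no owner is known."""
    for f in findings:
        f.owner = assets.get(f.asset, {}).get("owner", "security-triage")
    return findings


def verify(assigned, next_scan_keys):
    """Step 5: a finding counts as closed only when the next scan no longer reports it."""
    closed = [f for f in assigned if (f.asset, f.vuln) not in next_scan_keys]
    still_open = [f for f in assigned if (f.asset, f.vuln) in next_scan_keys]
    return closed, still_open


def run_pipeline(scanner_a, scanner_b, next_scan_keys):
    queue = assign(prioritize(dedupe(collect(scanner_a, scanner_b))))
    return queue, *verify(queue, next_scan_keys)


if __name__ == "__main__":
    queue, closed, still_open = run_pipeline(SCANNER_A, SCANNER_B, NEXT_SCAN)
    for f in queue:
        print(f"{f.score:>5} {f.asset:8} {f.vuln} -> {f.owner} (context missing: {f.needs_context})")
    print("closed:", [f.vuln for f in closed], "still open:", [f.vuln for f in still_open])
```

The point of the sketch is where the manual effort hides: the duplicate across two scanners is merged instead of being ticketed twice, the finding already in progress is not re-raised, an asset nobody has catalogued is both scored conservatively and flagged rather than silently dropped or mis-ranked, and "fixed" is decided by the next scan rather than by the ticket being closed.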

BN: It seems knowing who should fix issues, operationalizing that knowledge and sometimes even finding the right 'fixer' across an organization is harder than it should be. What solution is there for CISOs?

YS: Sometimes the process of prioritizing a vuln and finding the fixer is tougher than fixing the vuln itself.

I can sum up the solution in one word: automation. Vendors tout it, CISOs want it, but not all solutions and processes offer a unified automated way to gather findings from various tools and then pass them on to different work processes and teams.

But proper automation must understand context, which is one of the most difficult outcomes to achieve. Without context, you can't fix vulnerabilities according to the organization's Risk Matrix. It’s no wonder security teams are always scrambling.

Finding the right fixer to assign the vuln is another challenge in the chain because developers and teams have changing roles and responsibilities. The people and teams are frequently moved around in the complex, dynamic hierarchies of today’s enterprises.

Therefore, CISOs should try to automate those processes to make their team more productive and efficient. Spending less time on manual work will enable them to focus on securing their organization rather than on the operations.

BN: Do you see the overall level of complexity of risk and vulnerability remediation getting better or worse? If the latter, what’s making it worse?

YS: It's getting worse, all the time. The overall number of vulnerabilities is growing; one customer we know recently counted 27 million. At such a scale, it is extremely difficult to distinguish between true and false positives.

The growing security testing stack is adding to the complexity. Not long ago, security organizations had just one vulnerability scanner, maybe an AppSec scanner, and they typically did some periodic penetration testing. Today, the same organization has many siloed testing solutions, each detecting different problems and threats.

The push to shift left spurred this rapid adoption of specialized security testing tools. Unfortunately, this created friction between security and engineering teams, and communication and collaboration suffered as a result.

Bottom line: security teams need to be able to answer questions on the fly like 'What are the top findings that need to be fixed?' and 'What must be fixed today?'

Unfortunately, the problems I state above, compounded with a shortage of security experts, make the remediation process incredibly slow and challenging.

That's dangerous because the longer the validation process, the longer a vuln is exposed -- which can quickly escalate into a full-blown breach.

BN: There's a lot of talk about AI these days. Some companies view it as a threat, others as a weapon to fight threats. Where do you stand on this?

YS: Generative AI is already impacting cybersecurity. It's important for security teams to prepare and understand the potential threats. For example, there are 'AI-powered' applications popping up left and right, which is adding to the tech-stack complexity and expanding attack surfaces.

But Generative AI is a double-edged sword. If bad actors can use it, security teams can also use it to fend off threats.

We've built a product based on deep domain knowledge using proven technology. We already use AI in several areas of our product, and I expect that will continue to evolve in the future.

We're early in all of this so take it with a grain of salt. One thing is certain: we must continually evolve in order to stay ahead of attackers.

Photo Credit: Olivier Le Moal / Shutterstock
