March 29, 2021

The Need for Speed in Cybersecurity

Friday is my favorite day of the week. This is the day I set aside to connect with CISOs in Balbix’s advisory council, in our customer base, and in the broader industry. These are not selling sessions – instead they are about listening, introspecting, and brainstorming. My objective is to hear them talk candidly about their latest challenges, learn about what they are trying to do from a big picture perspective, and discuss strategic capabilities needed to move the industry forward. I find these sessions 100x more useful than thought leadership talks, webinars, and panels. Some of my most powerful professional moments have been in these conversations.

As some of you will correctly guess, our recent discussions have been about supply chain risk and SolarWinds, Exchange servers and Microsoft’s motivations, why organizations still don’t have a good asset inventory for cybersecurity purposes, communicating with the board when things are good and when they are bad, and how to win as a CISO. One theme that has been consistent in all discussions going back several months is the need for speed.

Time is of the essence

In the business of cybersecurity, the one thing that determines success is the time it takes you to contain a new risk event. This is your security program’s mean time to respond to an indicator of risk, which could be a newly discovered vulnerability, evidence of an ongoing attack or an indicator of compromise. Every second that you spend not acting to mitigate such indicators of risk is a window of opportunity for the adversary.

As a cyber-defender, imagine you are in a race with cyber adversaries. In order to win, you need to deal with risk faster than they can exploit your issues. If they get ahead, they will impact your business. This is what happens if your organization fails to patch vulnerabilities in a timely fashion and the adversary exploits a vulnerable host to breach your enterprise. Or if you don’t detect a compromised system for weeks or months while the adversary slowly steals your data.

If you are not fast, you will not win in cybersecurity.

Ingredients of a high velocity security program

Let’s whiteboard what you need for a high-performance cybersecurity program.

First, you need a system for continuous monitoring of your attack surface for risk. This set of tools and (hopefully automated) processes will need to do 2 things:

  1. Constantly discover new assets, and analyze all assets for any vulnerabilities including CVEs, password issues, misconfigurations, phishing risk, and more
  2. Continuously look for indicators of attack and indicators of compromise that imply attackers were able to get past your defenses and have gotten inside

How good do you need the above capabilities to be? Is a one-day delay in discovery of a newly deployed critical application good enough? Is 85% coverage for continuous vulnerability assessment sufficient? Not if you want to win!

Both of the capabilities mentioned above will surface risk events from time to time. The second component of a high velocity security program is the ability to continuously evaluate indicators of risk, indicators of compromise and indicators of attack, and dispatch them to risk owners for mitigation.

The last component you need is a set of tools and processes that risk owners use to contain risk quickly. These are playbooks for patching, incident response and recovery.

For high velocity, you need to automate these three components: monitoring the attack surface, evaluating and dispatching indicators, and containing risk.

On the face of it, there is nothing new in what I have said above. The process described above is aligned with the NIST Cybersecurity Framework and its 5 functions: Identify, Protect, Detect, Respond and Recover. What’s different, though, is the call for automation. If you want to win in cybersecurity, you need to maximally automate the 5 NIST functions: Identify -> Protect -> Detect -> Respond -> Recover. Once you have built the automation, you need to rinse and repeat.

That is the game you are playing to win: automating the containment of risk.

Don’t shake your head—100% automation is not feasible and also not needed. You need to automate maximally and incorporate just the right amount of supervision in your automation. This may not be how your organization does things today, and your security programs for 2021 might be locked and loaded with no line item for automation of cybersecurity posture. However, the more you delay your investment in automation, the further you will fall behind in the cybersecurity race.

A rocket engine for your security program?

From the beginning, transformational cybersecurity capabilities have been our goal at Balbix. Your cybersecurity posture program consists of many activities, tasks and linked workflows, all of which are fraught with challenges, inefficiencies and roadblocks – hurdles that slow you down. Every day we ask ourselves, “How can we make the jobs of our customers simpler and less stressful, while simultaneously transforming the economics of infosec programs?”

Balbix is an AI-powered cybersecurity platform purpose-built for cybersecurity posture automation. Balbix sensors and connectors gather information about your attack surface and perform continuous analysis of your cybersecurity posture to drive mitigation of risk.

Here are the 4 main capabilities of Balbix.

  1. Automatic Asset Inventory
  2. Continuous Vulnerability Assessment, Evaluation and Mitigation
  3. Real-time Cyber-risk Visibility and Reporting
  4. Context for Other Security and IT Tools

Automatic Asset Inventory

You can’t protect what you don’t know about. Balbix continuously discovers, identifies and categorizes enterprise assets. This includes devices, apps, and services; managed and unmanaged; on-prem and cloud; fixed and mobile; IoT, etc., and your users. Conflicting and duplicate data is cleaned and merged automatically. The system keeps tabs on which assets are Internet facing or not, and how they are distributed across physical locations.

Assets and traffic flows are analyzed to determine asset criticality and cyber-risk. Gamified workflows enable risk owners to provide input on the value of applications; Balbix automatically propagates that input to related assets and updates overall asset criticality.

Balbix’s integration capabilities enable the alignment of inventory and business context.

Continuous Vulnerability Management

Once Balbix is deployed, vulnerabilities are automatically identified, and vulnerable systems are continuously tagged with relevant CVEs as soon as information becomes available from vendors or the NVD. Information about non-CVE vulnerabilities is continuously sourced from relevant community, dark web, and proprietary sources. There is no need to initiate a scan.

Vulnerabilities are tagged for each asset and prioritized based on risk. This involves automatically evaluating 5 key factors:

  1. Vulnerability severity – typically the CVSS score.
  2. Threat level, i.e., is this vulnerability being actively exploited?
  3. Exposure to the CVE based on how the affected software component is used (or not) and the asset’s network-level placement.
  4. Any security controls, such as EDR or a firewall rule, that might offset the vulnerability.
  5. Asset Criticality, i.e., the business value of the asset.

When new vulnerabilities emerge, the associated risk is automatically recalculated for each affected asset. After evaluation, prioritized sets of vulnerabilities are automatically dispatched to the various patching group owners for supervised or automatic mitigation.

This end-to-end workflow is shown below.

Balbix also has all the tools to help you define asset groups and risk owners and configure workflows for risk mitigation. Each owner can partition the assets they are responsible for into sub-groups such as Auto-update, Test and Patch, Unmanaged and Do Not Patch, and set policy for target MTTR SLAs and for how each sub-group should be handled from an operational standpoint.
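The five-factor evaluation and the dispatch to owner-defined patch sub-groups described above can be sketched as a small risk engine. The following is an added example written for this page; it is not Balbix code and does not reproduce the product's scoring. The formula, the weights for threat level and exposure, the per-control discounts, the sub-group SLA values and the sample assets and placeholder CVE ids are all assumptions constructed for illustration. Re-running `dispatch()` after a new vulnerability is added to the findings is the "recalculate for each asset" step.

```python
"""Risk-based vulnerability prioritization and dispatch to patch groups.

Added illustration of the five-factor evaluation and sub-group dispatch
described in the text. NOT Balbix code: the formula, weights, control
discounts and SLA values are assumptions chosen for this example.
"""
from dataclasses import dataclass
from datetime import timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Vulnerability:
    cve_id: str
    cvss: float                 # factor 1: severity, 0.0 .. 10.0
    actively_exploited: bool    # factor 2: threat level


@dataclass(frozen=True)
class Asset:
    name: str
    patch_group: str                 # owner-defined sub-group
    criticality: float               # factor 5: business value, 0.0 .. 1.0
    internet_facing: bool            # factor 3: network-level placement
    component_in_use: bool           # factor 3: is the affected component actually used?
    offsetting_controls: Tuple[str, ...] = ()  # factor 4: e.g. ("EDR",)


# Assumed per-sub-group policy: MTTR SLA and operational handling.
PATCH_GROUP_POLICY: Dict[str, Dict[str, object]] = {
    "Auto-update":    {"mttr": timedelta(days=1),  "handling": "automatic"},
    "Test and Patch": {"mttr": timedelta(days=7),  "handling": "supervised"},
    "Unmanaged":      {"mttr": timedelta(days=30), "handling": "manual"},
    "Do Not Patch":   {"mttr": None,               "handling": "compensating-controls"},
}

# Assumed fraction of likelihood each offsetting control removes (factor 4).
CONTROL_DISCOUNT = {"EDR": 0.3, "firewall-rule": 0.5, "WAF": 0.4}


def risk_score(vuln: Vulnerability, asset: Asset) -> float:
    """Combine the five factors into one 0..100 score (illustrative formula)."""
    severity = vuln.cvss / 10.0                       # factor 1
    threat = 1.0 if vuln.actively_exploited else 0.4  # factor 2
    if not asset.component_in_use:                    # factor 3
        exposure = 0.1
    elif asset.internet_facing:
        exposure = 1.0
    else:
        exposure = 0.6
    controls = 1.0                                    # factor 4
    for control in asset.offsetting_controls:
        controls *= 1.0 - CONTROL_DISCOUNT.get(control, 0.0)
    likelihood = severity * threat * exposure * controls
    return round(100.0 * likelihood * asset.criticality, 1)  # factor 5


def dispatch(findings: List[Tuple[Vulnerability, Asset]],
             score_floor: float = 0.0) -> Dict[str, List[dict]]:
    """Evaluate every (vulnerability, asset) pair and queue it, highest risk
    first, to the owning patch group together with that group's SLA policy."""
    queues: Dict[str, List[dict]] = {}
    for vuln, asset in findings:
        score = risk_score(vuln, asset)
        if score < score_floor:          # below the owner's attention threshold
            continue
        policy = PATCH_GROUP_POLICY[asset.patch_group]
        queues.setdefault(asset.patch_group, []).append({
            "asset": asset.name,
            "cve": vuln.cve_id,
            "score": score,
            "handling": policy["handling"],
            "mttr_sla": policy["mttr"],
        })
    for queue in queues.values():
        queue.sort(key=lambda item: item["score"], reverse=True)
    return queues


# Constructed sample inventory; CVE ids are placeholders, not real advisories.
SAMPLE_VULNS = [
    Vulnerability("CVE-PLACEHOLDER-0001", cvss=9.8, actively_exploited=True),
    Vulnerability("CVE-PLACEHOLDER-0002", cvss=7.5, actively_exploited=False),
]
SAMPLE_ASSETS = [
    Asset("mail-gw-01", "Test and Patch", 0.9, internet_facing=True, component_in_use=True),
    Asset("dev-vm-07", "Auto-update", 0.2, internet_facing=False, component_in_use=True,
          offsetting_controls=("EDR",)),
    Asset("hmi-plc-03", "Do Not Patch", 1.0, internet_facing=False, component_in_use=True,
          offsetting_controls=("firewall-rule",)),
    Asset("file-srv-02", "Test and Patch", 0.5, internet_facing=False, component_in_use=False),
]
SAMPLE_FINDINGS = [(v, a) for v in SAMPLE_VULNS for a in SAMPLE_ASSETS]

if __name__ == "__main__":
    for group, queue in dispatch(SAMPLE_FINDINGS).items():
        print(group)
        for item in queue:
            print(f"  {item['score']:5.1f}  {item['cve']}  {item['asset']}"
                  f"  ({item['handling']}, SLA {item['mttr_sla']})")
```

The point of the model is the ordering it produces, not the absolute numbers: the same critical CVE lands at the top of the Internet-facing mail gateway's queue, well down the list for an EDR-protected, low-value developer VM, and in the Do Not Patch queue with a compensating-controls handling flag for the PLC. Asset criticality and offsetting controls pull the ranking apart even when severity and threat level are identical.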

Real-Time Cyber-Risk Visibility and Reporting

Part of what Balbix automates is cyber risk visibility and reporting. Balbix produces three types of views.

  1. The Big Picture: A unified, up-to-date and comprehensive view of cybersecurity posture with accurate risk calculations that incorporate both security and business context.
  2. An Operational View: This view has dashboards, planning tools, workflows, notifications, reports and other capabilities that are integrated with various security and IT tools. The operational view of cyber risk posture helps the CISO and the infosec team to prioritize security tasks and projects, while enabling the maximal automation and gamification of risk mitigation activities.
  3. A Board Level View: This is an executive view of the big picture, suitable for demonstrating the overall state of the cybersecurity program to senior executives and board members in business risk terms, while still being firmly tied to the actual on-network conditions. CISOs want to show the progress they are making, and make sure that everyone is on the same page on the residual risk being carried at any given time.

Context for Downstream Security Tools

As a system of record for business and security context, Balbix can also help by providing information to other IT and security tools. SOAR tools can pull in risk and inventory information about users and assets that are part of an indicator of attack or indicator of compromise by calling relevant Balbix APIs. This is shown in the picture below.

NIST - Balbix Comparison

Godspeed CISO Glenn!

On Feb. 20, 1962, as John Glenn took off from Cape Canaveral, Scott Carpenter, backup astronaut for the mission, appropriately said: “Godspeed, John Glenn.” Glenn climbed into space and circled the globe three times at a speed faster than any human before. Just like space exploration, the stakes are high in cybersecurity and failure is not an option. Your cybersecurity program needs a rocket to propel it to 17K miles/hour – out of the reach of cheetahs as well as rogue superheroes – and that rocket is automation. Our customers report that their security teams are 10x more efficient with Balbix and that has helped them reduce breach risk by 95% or more.

For the recent Exchange Server vulnerability, the fastest organization in our customer base was able to report a resolution time of just under an hour, including identification, evaluation and mitigation. Plus the second or two it took for the CISO to send a text message with a dashboard screenshot to the board member who inquired.

It’s easy to get started with the process of automating your cybersecurity posture. Please contact Balbix and we’ll get you on your way!