Apr 06 2016

Known Knowns: The Problem with Vulnerabilities and Unmeasured Risk

Vulnerabilities are growing faster than information security staff capacity. There was a time when knowing your vulnerabilities was the critical challenge in protecting the enterprise. Today, there are many tools that provide near real-time access to vulnerability notification. The question is no longer, “what are my vulnerabilities?” The more important question is, “what is my greatest risk?”

If you had sufficient capacity to quickly patch all vulnerabilities, risk wouldn’t be an issue. All vulnerabilities would be closed before risk became a factor for consideration. That is not where most enterprises are today. Information security teams must make choices. Secunia Research reported in 2015 that vulnerabilities increased by 55% over the previous five years. If you can’t close all vulnerabilities immediately, then you should have a rationale for what order to prioritize and address them. The obvious answer to this is to rank your assets based on their business value and overall potential risk of compromise to the enterprise.

In a recent IKANOW white paper, we outlined three areas that demand attention from information security professionals. Vulnerabilities are characterized as known knowns, whereas threats are unknown unknowns and breaches are unknown knowns.


Risk best fits into a fourth category for most organizations: known unknowns. Typically, IT teams have a pretty good idea of what assets are deployed. They are known. However, they have little information on what those assets contain. That context is typically unknown. They have even less information on the criticality of the information on the assets.

To Measure Risk, You Must Know Your Assets

The question for information security teams then is how well they know their business assets. This becomes a triage activity in an era that is increasingly characterized by breaches. Information security teams are tasked with determining what assets were compromised and assessing the enterprise impact. No conclusions can be drawn without understanding the role of the asset and the information it contains. A typical asset configuration management database doesn’t contain this level of context, so it becomes an incident response task.

A proactive asset prioritization can certainly help streamline breach assessment; it can also help drive resource allocation for prevention activities. When you have a long list of vulnerabilities and unpatched applications, wouldn’t it be nice to have a way to prioritize which to tackle first?

Prioritization is Critical to Security

The problem with vulnerabilities today is that too often they are undifferentiated in the context of the enterprise. An exploit may be listed as moderately critical by researchers, but impact an extremely critical asset within an affected company. This is why IKANOW Information Security Analytics (ISA) enables both integration with asset management databases and the ability to add contextual information such as asset criticality. The capability enables an automated prioritization of vulnerabilities so analysts and managers know which assets pose the highest enterprise risk if a breach were successful.

In addition, IKANOW also provides a method for adding other context that may be relevant to managers. The ISA Vulnerability Matrix enables users to input risk adjustment details along with cost and level of effort to remediate. The solution then automatically updates prioritization. When managers can see cost, risk and time all in one place, they can proactively manage vulnerabilities from a value standpoint.

Vulnerabilities Persist, A Risk-Driven Model is Needed

Data from the Verizon Data Breach Investigations Report revealed that 95% of all breaches in 2014 involved vulnerabilities from previous years. This is important. If you ever needed confirmation that not all vulnerabilities are closed immediately, the Verizon data is convincing. More convincing is the experience of every information security team we meet.

There are more vulnerabilities than capacity to close them immediately. That means vulnerabilities must be prioritized and the most effective way to do that is to rank them based on risk with considerations for cost and time to patch. Patch management solutions do not provide this type of visibility, but IKANOW ISA enables information security teams to employ risk-driven vulnerability prioritization that complements existing patch and vulnerability management solutions.
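As an added example (not IKANOW's code and not the ISA Vulnerability Matrix itself), here is the ranking logic the two sections above describe, in Python: researcher severity is re-weighted by asset criticality from the asset database and an analyst risk adjustment, and the resulting enterprise risk is then divided by cost and level of effort to decide what to tackle first. Field names, the 1-5 scales and the sample findings are assumptions constructed for the example.

```python
# Added example, not IKANOW's code: risk-driven vulnerability prioritization that
# combines researcher severity with asset criticality (from an asset DB) and the
# analyst-supplied risk adjustment, cost and level of effort. Field names, scales
# and sample findings are assumptions/constructed for illustration.
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Finding:
    vuln_id: str
    asset: str
    cvss: float                   # researcher severity, 0.0-10.0
    asset_criticality: int        # business criticality from the asset DB, 1 (low) - 5 (critical)
    risk_adjustment: float = 1.0  # analyst factor, e.g. 0.5 when a compensating control exists
    cost_level: int = 1           # relative remediation cost, 1-5
    effort_level: int = 1         # relative level of effort to patch, 1-5


def enterprise_risk(f: Finding) -> float:
    """Severity re-weighted by what the asset means to the business (0-50)."""
    return f.cvss * f.asset_criticality * f.risk_adjustment


def priority_score(f: Finding) -> float:
    """Risk removed per unit of remediation burden: the order to work in."""
    burden = f.cost_level + f.effort_level  # 2-10
    return enterprise_risk(f) / burden


def rank(findings: List[Finding], key: Callable[[Finding], float]) -> List[str]:
    """Vulnerability ids ordered from highest to lowest score under `key`."""
    return [f.vuln_id for f in sorted(findings, key=key, reverse=True)]


# Constructed sample findings; ids and asset names are placeholders.
SAMPLE = [
    Finding("VULN-1", "payment-db", cvss=5.5, asset_criticality=5, cost_level=2, effort_level=2),
    Finding("VULN-2", "dev-wiki", cvss=9.8, asset_criticality=1),
    Finding("VULN-3", "hr-portal", cvss=7.5, asset_criticality=4, risk_adjustment=0.5,
            cost_level=3, effort_level=4),
    Finding("VULN-4", "customer-api", cvss=9.8, asset_criticality=5, cost_level=4, effort_level=5),
]

if __name__ == "__main__":
    # Compare the three orderings: severity alone, enterprise risk, and risk per burden.
    print("by cvss:    ", rank(SAMPLE, lambda f: f.cvss))
    print("by risk:    ", rank(SAMPLE, enterprise_risk))
    print("by priority:", rank(SAMPLE, priority_score))
```

Note that the moderate finding on the critical payment database moves from last place under CVSS alone to first place once asset criticality and remediation burden are considered, while the critical finding on the low-value wiki drops down the list.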

Once you start measuring asset risk and applying that to your prevention resource allocation, all sorts of other data becomes visible. You can see risk in terms of asset classes, departments or other categories. The key is to start with a concept of asset criticality so you are not treating all assets as equal when they clearly are not.

To learn more about how Information Security Analytics marries big data with asset risk measurement, click the button below to request a demo or download our latest white paper.

Chris Morgan

Cofounder and Chief Technology Officer. Chris Morgan is responsible for technology innovation and delivering high-quality security analytics solutions to clients. He has more than 15 years of experience in research and development, software engineering, software development and product management. Morgan studied management at the Wharton School of Business of the University of Pennsylvania and economics and computer science at Virginia Polytechnic and State University.