
Frontline Defense


Researchers at Tenable Ireland are leading the charge against cyber threats in the ever-changing landscape of our online economy. Thomas Parsons, Head of Tenable in Ireland, explains.

WORDS BY Thomas Parsons

ORGANISATIONS OF ALL SIZES HAVE EMBRACED DIGITAL TRANSFORMATION TO CREATE NEW BUSINESS MODELS AND ECOSYSTEMS, DELIVER NEW PRODUCTS AND SERVICES, AND OPERATE MORE EFFICIENTLY IN THE DIGITAL ECONOMY.

New digital compute platforms and development shifts such as cloud, mobile, SaaS and DevOps have made it possible to move from concept to capability on a daily basis. Physical devices and systems of all types – from corporate conference systems to power grids – are now network-connected and programmable, creating even more opportunities for digital transformation. However, as with life, this connectivity and functionality isn’t without risks.

INCREASED THREAT LANDSCAPE

While technology has revolutionised the workplace, in tandem, cyber threats have also materialised. We’ve seen corporate defences fall with malware that encrypts data or causes systems to fail. Vast databases have been discovered with personal information exposed. Websites are knocked offline or payment systems compromised to steal card details.

Today’s reality is that cyber risk is business risk, which means cybersecurity is a critical business function and needs to be treated as such. It’s part and parcel of doing business today and getting it wrong can be extremely costly and damaging. It’s not just about protecting customer data, although that’s obviously a key element, but also the systems that organisations rely upon for critical business functions.

Traditional ways of tracking systems and vulnerabilities with spreadsheets are insufficient when it comes to addressing today’s dynamic threat landscape. In addition, security professionals are not the only ones who must be aware of the risks facing their environments. Given the potential impact of any damage, executive leaders and company boards also need to understand where their organisation is exposed and to what extent.

DATA-DRIVEN INTELLIGENCE

When it comes to security, business leaders want clear, concise answers that explain how much risk the company is exposed to, whether there are critical assets within the company that need immediate attention, and how the business compares with others in the industry as well as the general corporate population. Chief Information Security Officers (CISOs) need to demonstrate a holistic cybersecurity approach and help the board understand how to view and quantify cyber risk, right alongside every other business risk.

To produce these concise answers, a data-driven analytical approach is required. After all, there are many different sources of cybersecurity information and threat data that are needed to properly explain the current threat landscape. Cyber exposure is an emerging discipline for managing and measuring cyber risk in the digital era. It translates raw vulnerability data into business insights to help security teams prioritise and focus remediation based on business risk.

Tenable has built one of the industry’s largest dedicated research teams to do just that – bringing together deep vulnerability expertise with human intelligence, much of which is based out of our EMEA HQ in Ireland. The Irish site opened in 2017 and houses Development, Tenable Research, Support and Renewals teams and other related functions.

As defenders, we need to have a wealth of experience and knowledge to draw upon in order to outpace the attackers. The Tenable Research team bridges experiences as varied as cybersecurity, insurance, academia, and even professional poker playing, bringing unique perspectives to assessing risk using data while under pressure and in dynamic environments. We rely on this expertise to share with the community and help our customers to find and fix vulnerabilities faster and more accurately. Our data scientists collect over 150 different aspects of data on each of the 130,000+ vulnerabilities Tenable tracks, which can range from threat intelligence, to vulnerability data, to information from exploit kits and frameworks, to data gleaned from the US National Institute of Standards and Technology’s National Vulnerability Database (NIST NVD). Other information can come from tracking discussions on vulnerabilities in social media and blog posts, security vendor advisories, technical reports and malware scans. The work these teams do builds on the Common Vulnerability Scoring System (CVSS) rating by not only determining how severe a vulnerability is, but also predicting how likely bad actors are to leverage it in the wild.

RATING RISK

Using new, cutting-edge technology, they’ve developed a proprietary machine-learning algorithm that analyses the collected data to identify which vulnerabilities have the highest likelihood of exploitation. These are given a Vulnerability Priority Rating (VPR), which automatically indicates the remediation priority for each. For example, a vulnerability currently being exploited on a widely deployed service would have a significantly higher rating than a vulnerability for which no working exploit has been observed. The VPR is a dynamic value and changes with the threat landscape. VPR dramatically reduces the number of critical and high vulnerabilities – allowing organisations to focus first on the vulnerabilities that pose the greatest business risk.

The team has also developed another unique machine-learning algorithm that helps enterprises and CISOs prioritise their assets based on indicators of business value and impact to the firm. Unlike VPR, which is an absolute value, the Asset Criticality Ranking (ACR) is a subjective measurement, modifiable by the user. ACR automates asset-criticality assessment by using metadata collected from the environment and applying a rules-based approach that relies on three key pillars: internet exposure, device type, and device functionality. With ACR, the research team has built in a feature that allows for customer feedback when it comes to ranking an asset. The reason is simple: users know their applications and assets best, and can determine if a particular component needs more or less attention. A lower-criticality asset usually has less impact under threat. For example, IT management, proxy servers and mail servers tend to have high criticality. Meanwhile, IP telephones and printers typically have medium or low criticality.

PLUGIN POWER

Tenable also has a team of reverse engineers and vulnerability researchers that leverage their deep vulnerability expertise to ensure organisations and consumers are secure. As information about new vulnerabilities is discovered and released into the public domain, Tenable Research designs programmes to detect them. These programmes are named plugins and are written in the Nessus Attack Scripting Language (NASL). The plugins contain vulnerability information, a simplified set of remediation actions and the algorithm to test for the presence of the security issue. Over the years, the team has published 136,761 plugins, covering 53,445 Common Vulnerabilities and Exposures IDs and 30,317 Bugtraq IDs.

Members of Tenable Research are focused on transforming vulnerability data into strategic insights. They have published a number of papers, including The Attacker’s Advantage, which explores who has the first-mover advantage – cybercriminals or security teams. The paper examined the difference in time between when an exploit is publicly available for a given vulnerability and the first time that security teams actually assess their systems. Having analysed the 50 most prevalent critical and high-severity vulnerabilities from just under 200,000 vulnerability assessment scans over a three-month period, the team found that all too often the attackers have the advantage. On average, they have a seven-day head start on defenders.

ZERO-DAY DISCOVERIES

We are also the first and only vulnerability management vendor to surpass 100 zero-day discoveries in a single year. Some of the team’s most notable discoveries this year include a vulnerability in Slack that could be used for corporate espionage or file manipulation, and flaws in Verizon routers that left millions of consumers exposed. We firmly believe that the more zero-days we find and disclose, the fewer there are for bad actors to covertly leverage. We’re committed to working alongside both vendors and the entire security community to identify, disclose and patch vulnerable technology to help keep everyone more secure.

Taking a data-driven, risk-based approach that is underpinned by human intelligence is a game changer when it comes to managing and measuring cyber risk. The work we’re doing in Ireland is empowering organisations to translate their technical data into business insights, by leveraging the power of machine learning and data science, to provide the most holistic view of their cyber exposure. Using this intelligence, both CISOs and business leaders understand one another and, more importantly, understand what is needed to drive improvements and optimise security investments that ultimately reduce the risk to the business.
