As companies better understand the potential impact of a breach, organizational cybersecurity maturity is increasing every year. With this awareness comes complexity: organizations now receive extensive information about their security gaps from multiple sources, such as vulnerability management and infrastructure assessment tools, endpoint protection tools, penetration tests, and more. This volume of findings forces security personnel to organize and prioritize remediation, especially when the fixes depend on several internal teams.
So how does one manage so many findings when other teams are involved? With an effective risk mitigation planning strategy.
The Problem: Too Many Findings
Our case study focuses on a 30-year-old software development company that carried its legacy IT infrastructure into the new era of the cloud. The company’s security professionals had partial visibility into its security risk from their security and IT tools. Not surprisingly, the limited information about the company’s security posture that was presented to its management and board was extremely positive.
As the company grew, customers and regulations demanded more security requirements, so the company conducted a thorough organizational risk assessment that included a questionnaire and hands-on penetration testing. The assessment highlighted more than 50 findings across different technological domains, such as networking, identity management, and others.
The security team, led by the CISO, reviewed the findings and began addressing the critical and high priority gaps, which produced a seemingly endless list of tasks and tickets. After a few months the list had become only slightly shorter, and the team understood they needed to change their approach.
The Solution: A Different Strategy for Prioritizing Risk Mitigation
Immediately prioritizing findings by criticality is often the first mistake security teams make. A severity score says how bad a finding is in isolation; it says nothing about whether the finding sits on a route an attacker actually used, or how much effort it takes to fix. Of course, organizations want everything fixed, but that cannot happen immediately.
Working with CYE and its mitigation prioritization methods, the company changed its approach to prioritizing risk mitigation:
- Identify “low-hanging fruit”
- Understand the attack route
- Consider roles and responsibilities
- Dig into the “root cause”
After this change in prioritization, half of the findings were addressed within a month, and more importantly, the attacker's route was blocked. The attack demonstrated in the assessment could no longer be repeated, and the organization was no longer exposed via this vector.
So how did this company do it, and how should you approach prioritizing risk mitigation?
Identify "Low-Hanging Fruit"
Based on CYE's experience in remediation and conversations with the company's technical IT teams, the team highlighted which findings would be easier to address in this specific environment. Every network is different and has its own challenges and improvement opportunities.
Visualize the Attack Route and Block It When Possible
The complete picture of the attack route is not visible in a list of findings from a penetration test. The list does not show what exactly was done, in which order, or how the assessors were able to access the systems they reached.
When the attack is drawn as a graph, with a start position, the findings exploited along the way, and an end position (the business impact), the team can "cut" the route and make sure the path and methods used in the attack vector cannot be leveraged anymore.
Taking this different approach to risk mitigation benefits the organization by reducing the exposure of its business-critical assets—even without remediating all the findings.
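The following is an added example, not code from the case study or from CYE: it models the attack route as a small graph whose edges are the findings an attacker exploited to move between positions, enumerates the routes from the start position to the business impact, and then picks the cheapest set of findings whose remediation severs every route. The hosts, finding IDs (F1 to F7) and effort scores are constructed for illustration and do not correspond to the company's real findings. Weighting the cut by remediation effort is how the "low-hanging fruit" idea above combines with the attack-route view: the cheapest cut is not necessarily at the perimeter.

```python
"""Attack-route cutting over a constructed attack graph.

Nodes are positions an attacker can hold; each edge is a finding that lets
the attacker move from one position to the next. Goal: the smallest-effort
set of findings whose remediation disconnects START from IMPACT.
"""
from collections import deque
from itertools import combinations

# Constructed attack graph (hypothetical): (from, to, finding_id).
# One finding can enable several edges (F3, the flat network, is reachable
# from both footholds), so cutting a finding removes all of its edges.
EDGES = [
    ("internet", "vpn-gateway", "F1"),           # VPN accepts password-only logins
    ("internet", "workstation", "F2"),           # phishing with macro execution
    ("vpn-gateway", "file-server", "F3"),        # flat network, no segmentation
    ("workstation", "file-server", "F3"),
    ("file-server", "domain-controller", "F4"),  # local admin password reuse
    ("workstation", "domain-controller", "F5"),  # weak service-account password
    ("domain-controller", "customer-db", "F6"),  # DB trusts any domain admin
    ("file-server", "customer-db", "F7"),        # DB credentials on an open share
]

# Estimated remediation effort per finding (hypothetical person-days).
EFFORT = {"F1": 2, "F2": 9, "F3": 8, "F4": 4, "F5": 2, "F6": 5, "F7": 1}

START, IMPACT = "internet", "customer-db"


def reachable(edges, start, target, fixed=frozenset()):
    """True if target is reachable from start using only edges whose
    finding has not been fixed (BFS)."""
    adj = {}
    for src, dst, finding in edges:
        if finding not in fixed:
            adj.setdefault(src, []).append(dst)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            return True
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def attack_paths(edges, start, target):
    """Every simple route from start to target, as the list of finding IDs
    exploited along it (DFS)."""
    adj = {}
    for src, dst, finding in edges:
        adj.setdefault(src, []).append((dst, finding))
    paths = []

    def dfs(node, visited, route):
        if node == target:
            paths.append(route)
            return
        for nxt, finding in adj.get(node, ()):
            if nxt not in visited:
                dfs(nxt, visited | {nxt}, route + [finding])

    dfs(start, {start}, [])
    return paths


def cheapest_cut(edges, effort, start, target):
    """Smallest-effort set of findings whose remediation disconnects start
    from target. Exhaustive over subsets: fine for the few dozen findings a
    pentest yields once grouped, not for thousands of scanner results."""
    findings = sorted(effort)
    best, best_cost = None, float("inf")
    for size in range(1, len(findings) + 1):
        for subset in combinations(findings, size):
            cost = sum(effort[f] for f in subset)
            if cost < best_cost and not reachable(edges, start, target, frozenset(subset)):
                best, best_cost = frozenset(subset), cost
    return best, best_cost


if __name__ == "__main__":
    for route in attack_paths(EDGES, START, IMPACT):
        print("route:", " -> ".join(route))
    cut, cost = cheapest_cut(EDGES, EFFORT, START, IMPACT)
    print("cheapest cut:", sorted(cut), "effort:", cost)
```

On this constructed graph there are five routes into the customer database, and the cheapest cut is not the two entry points (F1 plus F2, effort 11) but the two findings on the last hop into the database (F6 plus F7, effort 6): fixing those severs every route while the phishing and segmentation work continues at its own pace. That is the point of the graph view; a severity-ordered list would have put the phishing and flat-network findings first.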
Consider Internal IT Teams' Roles and Responsibilities
As organizations grow, they become more complex. Understanding the internal organization’s IT teams’ roles and perspectives is the key to success in the risk mitigation phase. The team and CYE separated the findings into different domains based on the teams’ roles and met with only the relevant stakeholders. Remediating some findings was possible only with a clear understanding of these roles and responsibilities.
Treat the “Root Cause” and Not Only the Symptoms
CYE focuses on the "root cause" so that findings are treated once and for all and do not return in the future. Identifying the root cause of a finding requires broad familiarity with different IT issues and experience in fixing them.
To identify the root cause, CYE and the security team met with the different IT teams based on their roles, and dug into the environments and how they work, primarily by questioning and understanding how things are configured and, more importantly, why.
CYE's approach judges a fix by the maturity it leaves behind, not only by whether the symptom is gone. This way, the remediation is comprehensive and provides the right solution.
Following the above, the organization was able to remediate much faster and, more importantly, in a way that increased its cybersecurity maturity and reduced the chance of the same class of finding resurfacing.
Want to learn more about CYE’s approach to mitigating cyber risk? Download our ebook.