Risk Management for Vulnerabilities

By Ed Cabrera, Chief Cybersecurity Officer, Trend Micro, Inc.

As a founding member of the Cybersecurity Tech Accord, Trend Micro has looked to contribute our expertise and voice to ensure the world is safe for exchanging digital information. One of the main areas of focus for the Tech Accord is vulnerabilities that can be exploited by malicious actors and the policies of member organizations. Organizations have struggled with this over the years, and I wanted to share my thoughts on a way businesses can address this risk.

Resiliency is the goal and frankly the “why” we engage in all forms of risk management. In cybersecurity, resiliency is achieved when you effectively manage risk where it resides at the intersection of people, process and technology. The problem is that organizations often address risk in silos because of organizational structures, competition for scarce resources, and limited acceptance of the fact that risks are interdependent. If we accept this assertion, then whatever risk management strategies we choose to adopt, we first need to identify and prioritize the risks that lie in people, process and technology. Next, we need to identify their respective Key Risk Indicators (KRI) and their interdependencies. Mitigating KRI interdependencies is the secret sauce of resiliency.

Ineffective vulnerability management is a known risk within all organizations. Large enterprises, for example, manage on average over 80,000 IT assets, including laptops, servers, routers and internet-connected printers. These assets may hold 40 million vulnerabilities at any given moment. However, most organizations only address the technical or technology-based KRIs and fail to address the fundamental ones found in processes and people. The promotion and adoption of continuous monitoring, albeit necessary, fails to address the critical KRI interdependencies of vulnerability management. Even disclosed vulnerabilities themselves must never be assessed in a vacuum. What is really needed is a Cyber Risk-based vulnerability management (CRVM) strategy. CRVM is a strategy in which organizations prioritize remediation of vulnerabilities that pose the highest risk to an organization.

CRVM strategy components:

  • Threat intelligence collection and analysis of vulnerabilities that threat actor groups are discussing, experimenting with or using in the wild.
  • Identification of the organization’s vulnerable assets, their users and the critical data being processed, transmitted and/or stored in these assets.
  • Correlation of internal and external threat intelligence to generate risk scores based on each vulnerability’s severity and its likelihood of exploitation specific to the organization.
  • Remediation, using the CRVM risk scores, of only those vulnerabilities that are most likely to be exploited and that reside on the most critical systems.
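The four components above amount to a scoring procedure: join the asset inventory to the scanner findings, weight each finding by what threat intelligence says about exploitation, and remediate from the top of the resulting list. The following is an added illustration of that procedure and is not code from Trend Micro or from the original article. All asset names, vulnerability identifiers (VULN-000x placeholders), CVSS values, threat-intelligence states and the weighting formula are constructed for the example; a real deployment would substitute its own inventory, scanner output and intelligence feeds and tune the weights.

```python
"""Toy CRVM prioritisation (added example, not the article's own method).

Risk score = impact (scanner severity scaled by asset criticality)
           * likelihood (threat-intelligence signal scaled by exposure).
All identifiers, numbers and weights below are constructed for illustration.
"""
from dataclasses import dataclass

# Likelihood weight for the threat-intelligence state of a vulnerability.
# Constructed 0..1 scale. "none" is deliberately not 0: absence of intel
# is not evidence that nobody is exploiting the bug.
THREAT_LIKELIHOOD = {
    "exploited_in_wild": 1.0,  # threat actor groups using it in the wild
    "experimenting": 0.6,      # proof-of-concept being tested
    "discussed": 0.3,          # only chatter on forums / channels
    "none": 0.1,               # no intelligence available
}


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: float       # 1..5 business criticality of the system
    data_sensitivity: float  # 1..5 sensitivity of data it processes/stores
    internet_exposed: bool   # reachable from the internet


@dataclass(frozen=True)
class Finding:
    vuln_id: str  # placeholder identifier from the scanner
    asset: str    # name of the asset the finding was observed on
    cvss: float   # 0..10 base severity reported by the scanner


# Constructed sample inventory: a crown-jewel database, an exposed web
# portal and a low-value print server.
ASSETS = {
    "db-prod": Asset("db-prod", criticality=5, data_sensitivity=5, internet_exposed=False),
    "web-portal": Asset("web-portal", criticality=4, data_sensitivity=3, internet_exposed=True),
    "print-srv": Asset("print-srv", criticality=1, data_sensitivity=1, internet_exposed=False),
}

# Constructed scanner output (identifiers are placeholders, not real CVEs).
FINDINGS = [
    Finding("VULN-0001", "db-prod", cvss=9.8),
    Finding("VULN-0002", "web-portal", cvss=7.5),
    Finding("VULN-0003", "print-srv", cvss=9.8),
    Finding("VULN-0004", "db-prod", cvss=5.3),
]

# Constructed threat-intelligence feed: vuln_id -> observed state.
INTEL = {
    "VULN-0001": "discussed",
    "VULN-0002": "exploited_in_wild",
    "VULN-0003": "exploited_in_wild",
}


def risk_score(finding, assets, intel):
    """Correlate one finding with its asset and the intel feed (0..100)."""
    asset = assets[finding.asset]
    # Impact: scanner severity scaled by how much the asset matters.
    impact = (finding.cvss / 10.0) * (max(asset.criticality, asset.data_sensitivity) / 5.0)
    # Likelihood: intel state, halved when the asset is not internet-facing.
    likelihood = THREAT_LIKELIHOOD[intel.get(finding.vuln_id, "none")]
    likelihood *= 1.0 if asset.internet_exposed else 0.5
    return round(impact * likelihood * 100, 2)


def prioritise(findings, assets, intel):
    """Return (score, finding) pairs, highest organisational risk first."""
    scored = [(risk_score(f, assets, intel), f) for f in findings]
    return sorted(scored, key=lambda pair: pair[0], reverse=True)


def remediation_plan(findings, assets, intel, threshold=10.0):
    """Vulnerability ids to remediate first: everything at or above threshold."""
    return [f.vuln_id for score, f in prioritise(findings, assets, intel) if score >= threshold]


if __name__ == "__main__":
    for score, f in prioritise(FINDINGS, ASSETS, INTEL):
        print(f"{score:6.2f}  {f.vuln_id}  {f.asset}  cvss={f.cvss}  intel={INTEL.get(f.vuln_id, 'none')}")
    print("remediate first:", remediation_plan(FINDINGS, ASSETS, INTEL))
```

The point the numbers make is the one the article makes in prose: the CVSS 9.8 on the print server, although exploited in the wild, ranks below a 7.5 on the internet-facing portal, and the 9.8 on the production database ranks above it only because of the data it holds. Severity alone would have sent the team to the printer first.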

As malicious actors continue to utilize this attack surface, organizations can minimize their risk by applying an effective CRVM strategy to address their own vulnerabilities. At Trend Micro, we’re trying to do our part to support effective and coordinated disclosures with vendors through our Zero Day Initiative, the largest vendor-agnostic bug bounty program in the world. This program has helped disclose thousands of bugs with a multitude of vendors over the years to ensure organizations are protected from the malicious exploitation of vulnerabilities. We will continue to support the Cybersecurity Tech Accord and the world in this area.