Risk-Based Vulnerability Management

SOLUTION BRIEF

Copyright © 2019 Balbix, Inc. All rights reserved.

Cyber-Risk Reporting for Your Board Of Directors

Overview

Your vulnerability management program is supposed to be the cornerstone of your cybersecurity initiatives: how you stay ahead of the adversary. However, traditional vulnerability management has a number of big problems.

Legacy vulnerability tools spew out alerts in the (tens of) thousands every time a scan completes, leaving your team overwhelmed and struggling with how to proceed. It is hard to tell which of your vulnerabilities are critical, which can wait a day, and which are just noise. You cannot afford to dedicate resources to remediating vulnerabilities that pose little or no threat while ignoring the most critical vulnerabilities, which put your organization at real risk of breach.


Figure 1: Cyber-risk spectrum

Another big issue is coverage. Traditional approaches to vulnerability assessment understand and monitor less than 5% of the enterprise attack surface, primarily CVEs (unpatched software vulnerabilities) and some simple security configuration issues, mostly across traditional assets.

There are 100+ other ways in which your network can be breached, starting from simple things like weak passwords, default passwords, password reuse, passwords stored incorrectly on disk, or passwords transmitted in the clear on the network. Traditional vulnerability tools will not tell you which of your users are particularly prone to being phished, or which users with privileged access to your enterprise systems have poor cybersecurity hygiene.

In terms of asset coverage, very few organizations have an accurate real-time view of exactly what assets are present in the enterprise. Non-traditional assets such as bring-your-own devices, IoT devices, industrial equipment and cloud services are particularly hard to enumerate and then analyze for risk.

Legacy vulnerability tools do not account for which CVEs are really exploitable, and we know that at any given time less than 20% of CVEs are actually usable by attackers. These vulnerability systems also do not understand the different levels of business criticality of your assets. Nor do these tools account for the degree of exposure of different assets (based on how they are used), or the mitigating impact of your security controls. Much of the work created by legacy tools is simply noise and wasteful.

Consequently, legacy vulnerability management is quite off the mark in proactively managing your organization's cybersecurity posture and breach risk. In a recent survey conducted by the Ponemon Institute, only 15% of security teams felt that their patching efforts were highly effective, and 67% said that they do not have the time and resources to mitigate all vulnerabilities in order to avoid a data breach.


Risk-based vulnerability management

In order to truly enhance security posture and improve resilience, you need a risk-based approach to vulnerability management that identifies vulnerabilities due to 100+ attack vectors (not just CVEs) across all your assets, and also prioritizes them based on actual risk by understanding the context around each vulnerability and the enterprise asset that it affects.

Armed with this information, your security team will be better equipped to tackle your vulnerabilities in the most efficient manner and increase the effectiveness of your cyber-risk management efforts.


Balbix overview

Balbix replaces legacy vulnerability tools and multiple point products to continuously assess your enterprise's cybersecurity posture and prioritize open vulnerabilities based on business risk.

With Balbix you can continuously observe and analyze your enterprise's extended network, inside-out and outside-in, to discover and identify weaknesses in your defenses. Our system combines information about open vulnerabilities, active threats, real exposure, business criticality and your compensating security controls across all your asset types and 100+ attack vectors to prioritize security issues based on risk.

"Only 15% of security teams say that their patching efforts are highly effective."

Ponemon Report 2019 – The Challenging State of Vulnerability Management Today

Balbix helps you align your patching and risk mitigation activities with business risk

Automatic inventory

The first step towards risk-based vulnerability management is actually knowing "what" to scan, i.e. starting with an accurate inventory of all the enterprise assets. Traditional vulnerability management tools can only discover corporate-owned and managed assets and lack visibility into non-traditional assets such as bring-your-own devices, IoT devices, mobile assets and cloud services.

With Balbix you do not need to specify what to scan, as Balbix automatically (and continuously) discovers and categorizes your assets, i.e., any devices, applications and users present on your extended network, and analyzes them for vulnerabilities. Balbix also estimates business criticality for each asset based on analysis of usage and network traffic.

Figure 2: Automatic Inventory


Real-time and continuous, with natural-language search

Legacy vulnerability tools are cumbersome to operate, and are typically configured to perform periodic (often monthly) scans. As a result, the enterprise's understanding of risk from vulnerabilities is typically several weeks out of date. You might recall the superhuman efforts required the last time you had an emergency patch situation, or when the CFO inquired about the risk from WannaCry.

Balbix is real-time and operates continuously and automatically. The risk model surfaced by Balbix is usually seconds or less behind the actual on-network conditions.


With Balbix, you can answer questions about your asset inventory, your cybersecurity posture and breach risk using natural-language search. For example, you can query your inventory using IT vocabulary, e.g., "windows servers in mountain view" or "network admins". In your search queries, you can combine technical terms from security and IT, e.g., "unpatched switches in London", "expired certificates", "password reuse", "phishing", etc., enter a CVE number such as CVE-2017-0144, or its common name (WannaCry) if one exists. Balbix also supports higher-level queries such as: where will attacks start, what will they go after, what assets have intellectual property, and cyber-risk to customer data. Our objective is to give you a Google-like, highly contextual search experience for your cybersecurity and IT data and insights.

Comprehensive visibility across all asset types and attack vectors

As all cyber-defenders know, any enterprise network is only as secure as its weakest link. An effective vulnerability management program must cover all types of assets and all sorts of security issues beyond unpatched software.

Unlike legacy vulnerability assessment products, Balbix provides comprehensive vulnerability assessment across all asset types: managed and unmanaged, IoT, infrastructure, on-premises and in the cloud, fixed and mobile. Balbix also analyzes each asset against 100+ attack vectors. For us the word "vulnerability" means something closer to the English definition of "vulnerability", and not just a CVE, and includes issues like password reuse, phishable users, and encryption issues.

Figure 3: Natural language search to find answers quickly

Figure 4: Comprehensive vulnerability assessment


Five-pronged risk calculation

Legacy vulnerability and patching tools use primitive risk metrics to prioritize vulnerabilities. Their calculation is typically based on the CVSS score of the CVE and a simple business impact model (high, medium, low), and leads to priority inversion and wasted effort.

Balbix's risk-based prioritization of vulnerabilities considers five factors: vulnerability severity, threat level, business criticality, exposure/usage and the risk-negating effect of compensating controls. This results in very accurate prioritization and helps you avoid needless busywork fixing low-priority issues.

Customizable notion of risk

Organizations have different top risk concerns based on the nature of their business. Legacy vulnerability management treats all security issues the same way.

Balbix lets you define risk areas appropriate for your business using natural-language search, and then maps your vulnerabilities to these areas. For example, one such risk area can be "intellectual property", and Balbix will let you analyze, prioritize and remediate vulnerable assets that contain intellectual property. In a specific quarter, for example, you may choose to focus on reducing risk to one of these areas, and show real progress.

Implement MTTP SLAs

Patching systems periodically is a big portion of enterprise vulnerability management. With legacy tools, most organizations have a normal patching cadence and a separate process for dealing with emergency patching. This leads to many important enterprise assets being unpatched for weeks on end.

With Balbix, you can set up target mean-time-to-patch (MTTP) SLAs for vulnerabilities of different likelihood values for asset groups of different business impact levels. These SLAs can be used to create tickets and drive patching workflows in a prioritized fashion to minimize cyber-risk exposure due to unpatched systems.

Figure 5: Five-pronged risk calculation

Figure 6: Cyber-risk metrics aligned to business concerns

Figure 7: Target SLAs for mean-time-to-patch
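The five-factor prioritization and the per-tier MTTP SLAs described in the two sections above, as an added worked example in Python. This is not Balbix's scoring model or code: the way the factors are combined, the band thresholds, the SLA table and the three sample findings (with placeholder CVE identifiers) are all assumptions constructed for the illustration. It shows how a CVSS-only queue orders the same three findings differently from a risk-based one (the priority inversion the brief refers to), and how a patching SLA falls out of the likelihood and impact bands.

```python
# Added illustrative example: a five-factor risk score and MTTP SLA tiers.
# NOT Balbix's scoring model; the combination rule, thresholds, SLA table and
# the sample findings below are assumptions made for this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str            # constructed placeholder identifiers, not real CVEs
    cvss: float         # 1. vulnerability severity (CVSS base score, 0-10)
    threat: float       # 2. threat level, 0-1 (1.0 = exploited in the wild, 0.2 = no known exploit)
    criticality: float  # 3. business criticality of the asset, 0-1
    exposure: float     # 4. exposure/usage, 0-1 (1.0 = internet-facing and heavily used)
    controls: float     # 5. share of the risk negated by compensating controls, 0-1


def likelihood(f: Finding) -> float:
    """Likelihood that this finding is actually exploited: severity scaled by
    threat and exposure, then reduced by what compensating controls absorb."""
    return (f.cvss / 10.0) * f.threat * f.exposure * (1.0 - f.controls)


def risk_score(f: Finding) -> float:
    """Risk = likelihood x business impact (impact taken as asset criticality)."""
    return likelihood(f) * f.criticality


def band(value: float) -> str:
    """Map a 0-1 value to a coarse band (assumed thresholds)."""
    if value >= 0.5:
        return "high"
    if value >= 0.15:
        return "medium"
    return "low"


# Target mean-time-to-patch in days, indexed by (likelihood band, impact band).
# Assumed values; an organisation would set these from its own risk appetite.
MTTP_SLA_DAYS = {
    ("high", "high"): 3,    ("high", "medium"): 7,     ("high", "low"): 14,
    ("medium", "high"): 7,  ("medium", "medium"): 14,  ("medium", "low"): 30,
    ("low", "high"): 14,    ("low", "medium"): 30,     ("low", "low"): 90,
}


def sla_days(f: Finding) -> int:
    """Patching SLA for a finding from its likelihood band and the asset's impact band."""
    return MTTP_SLA_DAYS[(band(likelihood(f)), band(f.criticality))]


def cvss_order(findings):
    """Legacy ordering: severity only, highest CVSS first."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def risk_order(findings):
    """Risk-based ordering using all five factors, highest risk first."""
    return [f.cve for f in sorted(findings, key=risk_score, reverse=True)]


def tickets(findings):
    """Work queue: one ticket per finding in risk order, each carrying its SLA."""
    return [
        {"asset": f.asset, "cve": f.cve,
         "risk": round(risk_score(f), 4), "sla_days": sla_days(f)}
        for f in sorted(findings, key=risk_score, reverse=True)
    ]


# Constructed sample findings (placeholder CVE ids and made-up factor values).
SAMPLE = [
    # Internet-facing payment server, moderate CVSS but actively exploited, no mitigation.
    Finding("payments-web-01", "CVE-XXXX-0001", cvss=7.5, threat=1.0, criticality=0.9, exposure=1.0, controls=0.0),
    # Isolated dev VM, critical CVSS but no public exploit, little usage, partly mitigated.
    Finding("dev-test-vm-17",  "CVE-XXXX-0002", cvss=9.8, threat=0.2, criticality=0.1, exposure=0.3, controls=0.5),
    # Internal HR file server, high CVSS, some exploit activity, partly mitigated.
    Finding("hr-fileserver",   "CVE-XXXX-0003", cvss=8.8, threat=0.6, criticality=0.7, exposure=0.5, controls=0.3),
]

if __name__ == "__main__":
    print("CVSS-only order :", cvss_order(SAMPLE))
    print("Risk-based order:", risk_order(SAMPLE))
    for ticket in tickets(SAMPLE):
        print(ticket)
```

With these inputs the CVSS-only queue puts the isolated dev VM first and the exploited, internet-facing payment server last; the five-factor score reverses that, and the SLA table gives the payment server a 3-day target while the dev VM gets 90 days. The multiplicative combination is deliberate: a zero in threat, exposure or criticality, or a control that fully negates the path, drives the score to zero, which is the "noise" tier the brief describes.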


3031 Tisch Way, Ste 800, San Jose, [email protected]

End-to-end identification, prioritization and resolution of vulnerabilities

Ultimately, Balbix allows you to set up your business risk areas and manage how vulnerabilities in these areas are automatically mapped to their asset-group owners with risk-based priority. Based on desired SLAs, tickets are automatically created, assigned to the relevant owners and tracked. Ticket owners are offered alternatives between fixing the vulnerability (e.g., by patching) or implementing some compensating control. Balbix continuously monitors the network for fixes and mitigating controls.

Balbix also enables the comparative benchmarking and reporting of different groups' vulnerability management practices.


"Know which of your vulnerabilities are critical, those which can wait a day, vs. ones that are just noise…"

Figure 8: End-to-end vulnerability management