Many tools and ad hoc processes create chaos. We see this all the time with cyber security. Additional tools are created and deployed to deal with the changing cyber environment. New processes are defined and implemented. Unfortunately, this frequently leads to a chaotic approach to security that paves the way to security loopholes. Whether driving a car or flying an airplane, being in control is critical. It is the same with security.

We need tools and processes that keep us in control. We need continuous visibility and control over our IT environments.

Ad Hoc Risk Assessment

Military science and technology have advanced for centuries but that did not eliminate the need for continuous risk assessment, monitoring, and process improvement. Just like human evolution. Our bodies have been improving since the appearance of homo sapiens 300,000 years ago. Our skin, hair and eyebrows are all defense mechanisms, but we still patch and cure a wound almost immediately. We know that to be healthy we must consciously watch what we eat and make an effort to stay fit.

In the age of continuous development, continuous integration and continuous delivery, why isn’t security risk management a visible and continuous process?

Although regulatory standards such as PCI and HIPAA recommend that organizations perform periodic assessments to discover IT assets and risks, and mitigate those risks, that strategy is insufficient. It can be a secondary check, but we need continuous up-to-the-minute information on IT assets, risks, and threats. New vulnerability and attack methods are being discovered daily. A new security risk can be created and spread in minutes. It’s more critical than ever to have tools and processes in place to ensure continuous risk monitoring and risk mitigation.

Continuous Risk Assessment without Mitigation

Identifying a security risk is only half the issue. With every security strategy, whether it is in the military or the human body, there is always a built-in action plan. Every game plan involves assessing the weakness of the opponent and having a strategy to exploit weaknesses, not just knowing the weaknesses. At the same time, a game plan also involves assessing one’s own weaknesses and having a defensive strategy in place.

IT Security products are built with an assessment mindset with a goal of discovering problems. Accordingly, organizations create IT Security Operations Teams to assess and find problems. IT Operations Teams were then supposed to fix the problem. The tussle thus began. The risk averse tool vendors added salt to the wound inflicting fear in the minds of IT teams by telling them remediation is a manual effort. Tools were built without remediation or a response strategy.

SOCs and NOCs were built for 24/7 continuous monitoring to look for possible symptoms of an attack. However, many risks are wide open, and threats are well known. It’s like a flood gate without a valve. Threats are detected, but risk mitigation is limited.

Continuous Risk Assessment and Continuous Mitigation

In today’s dynamic IT environment, changes are constant: a new device has been provisioned, an application has reached end of life or support, a high-profile vulnerability was made public, a vendor released a patch fixing a critical vulnerability, employees are increasingly on the move, a new application is released, networks change, new technologies are created. The list is never ending.  In a constantly changing environment, continuous visibility to all IT assets is critical for security.

If an organization’s assets are vulnerable to specific attacks, or if a high-profile attack is published, it is necessary to analyze the impact immediately, not months later. Risk assessment is an ongoing, continuous, automated process. As we uncover risks and potential threats, risk mitigation must also be in place.

Continuous security can only be achieved with continuous visibility, continuous assessment and a continuous mitigation plan. Tools must be effective, easy to deploy and manage and not lead to cyber security chaos. If tools aren’t supportive, time to invest in tools that are supportive.

Continuous Visibility + Continuous Risk Assessment + Continuous Mitigation = Saner Way