One of the challenges of providing cybersecurity to small and mid-size businesses is understanding and explaining the difference between vulnerability and risk. Managed security services providers (MSSPs) must have regular conversations with clients about specific vulnerabilities and how they are translated into business risks.
But how to you find the vulnerabilities, and how do you assess the risks? The answer to these questions are one of the keys to providing a solid defense for your clients against threat actors.
Chernin provided his insights on how to measure and prioritize cybersecurity vulnerabilities and risks during a session at the Right of Boom cybersecurity conference for MSSPs.
Onboarding Clients and Identifying Assets
When you first onboard a client, you perform network scanning to identify the client’s assets. Threat actors are also scanning, Chernin said, looking for your devices and your client’s devices so they can identify the vulnerabilities and get to the data.
“As an industry we did a good job of scanning networks when we bring on clients, and we’re getting really a lot better at vulnerability scanning,” he said. “But I’ll make an argument that we’re not measuring the data on the devices, the threats actors may actually be doing that better than we are because there’s a monetary gain for them to do all that work.”
What is CIA? Confidentiality, Integrity, Availability
MSSPs should use something called CIA to measure the data on a device. CIA is an acronym for confidentiality, integrity, and availability. Each of these components is measured per asset. MSSPs should also rate each by the business risk -- high, medium, and low -- if this data falls into the wrong hands.
For instance, in terms of “confidentiality,” financial services data and healthcare data would likely be rated a high risk because of the compliance and regulatory impact. Names and email addresses are a little lower on the list. A low risk means that you don’t care if the data gets out.
“Integrity” assesses the impact to the business if an unauthorized person changes the data. An example of an integrity high risk is if an unauthorized person changes user permissions.
“Availability” assesses the impact to the business if the data no longer exists. A high impact is if the business ceases to function. All these risk levels are defined by the MSSP, Chernin said.
MSSPs with automation platforms integrated with their RMM platforms can set some default CIA values for some devices to speed up the process, but not all of this work should be done with automation.
How MSSPs Need to Use CIA Information
The most important part of the CIA effort is the conversation the MSSP has with the client about setting up the CIA. Show the client the list of assets from the scan and do a one-time walk through of each asset together with the client. The defaults you’ve set on some of these will help speed up the conversation.
The Volume of Work Means Time to Prioritize
Why do this kind of assessment of risk in the first place? MSSPs may have 10,000 endpoints they manage and thousands of software vulnerabilities they are working to remediate. You are assigning CIAs in order to prioritize those remediations.
Chernin uses the analogy of physical security. If you are looking to secure a building, you might install bars on the windows. But that won’t help if the threat actors are picking door locks. If that’s the case, you want to focus your effort on door and lock vulnerabilities instead. Eventually, maybe, you want to address all the building’s vulnerabilities. But you need to use data and facts to prioritize which areas to tackle first to reduce your risk.
What is CVSS? Common Vulnerability Scoring System
The CVSS system is a method used to supply a qualitative measure of severity of a vulnerability, but it’s not a measure of risk. The CVSS vulnerability is the base score, Chernin said. MSSPs adjust that score based on environmental factors to provide a more accurate picture on the severity of the vulnerability.
MSSPs should apply CIA against the CVSS vulnerability to provide a risk assessment of the vulnerability for their client’s business. Performing this action provides the MSSP with a better prioritized list of vulnerabilities. (Here’s a calculator that lets you apply your environmental factors to the CVSS base vulnerability).
“In the enterprise nearly all the large financial services companies have vulnerability scanning solutions that integrate with their asset management products to pull CIA from the assets. If you have an automation platform and it has access to your RMM and scanning solution you could probably do it automatically that way as well,” Chernin said.
That brings us to the maturity scale.
Where is Your MSSP Business on the Maturity Scale
Here’s how Chernin defines the maturity scale:
- Level 1 is where you perform vulnerability scans, but then you prioritize your remediation based on how freaked out people are on Reddit.
- Level 2 is where you prioritize your remediation based on the CVSS base score included in the release.
- Level 3 is when you do CIA on your assets and prioritize based on environmental metrics.
- Level 4 is just like level 3, but for things that require a client discussion you have a very professionalized risk management discussion.
- Level 5 is something that’s not doable today, according to Chernin. “But we need to have a goal. We should be managing the risk to the business and not just the severity of the vulnerability.”
Vulnerability vs. Risk
“We measure the vulnerability of that capable lock, but we don’t measure whether or not the door is open,” Chernin said. “No one is scoring how securely their devices are configured.”
That’s become increasingly important in the software-as-a-service era. CVSS isn’t as helpful in the SaaS world.
“Nearly 100% of the incidents that occurred in SaaS environments are configuration incidents, and we don’t measure configuration,” Chernin said.
What Can We Do About Risk?
MSSPs have a few options about how to deal with risk.
- Transfer it: cybersecurity insurance
- Avoid it: i.e. uninstall vulnerable products, change our configuration so a product is no longer venerable.
“You need to have conversations with clients about the vulnerability and risk. These conversations should be emotionless,” Chernin said. He notes that he has seen MSSPs get upset when a client doesn’t want to follow a security recommendation, and it becomes a negative conversation.
“I’ve heard some MSPs are doing waivers. What you want to do is document it. Start by having risk conversation with client. Get the client into the mode that you are going to have these conversations often. You can talk about tornadoes, fires or turning off all MFA. All of them can be framed in the same risk management framework type of discussion,” Chernin said.
At the conclusion of his talk, Chernin offered the following four action items for MSSPs:
- Determine the CIA of your assets.
- Use your CIA to prioritize your defenses as assets.
- Use risk management to have client discussions.
- Document the outcome of those discussions in a risk register.