Is Your Risk Personal?

Here’s a little bit about me: I am extremely organized and don’t forget much. However, when I was young, my parents claim I used to point out red brick buildings wherever we were (could have been another state) and exclaim, “That’s daddy’s building!” But aside from some visual impairment and a lack of geographic accuracy, I don’t forget a lot, especially the important stuff. But since starting at TAG Cyber more than a year ago, I’ve been busier than ever. For those who don’t know, Ed Amoroso, our founder, CEO, and lead analyst, is insane. The man never stops working! And I want to live up to his standards. Plus, we’re a young company—just five years in business and growing like weeds (or, like the Gartner alternative). And as any armchair psychologist will tell you, the busier people get, the more likely we are to forget things or make mistakes, regardless of intent or natural proclivities.

In addition to a hectic work life, there have been some increased personal demands on my time plus I finally adopted a dog. She’s a wonderful addition to my household, but I’ve had to adapt my days and find time where there always seems to be none. I’m getting everything done that needs to be done—and having some fun, too—but within the last month I left my backdoor unlocked twice, my garage door open once, and I locked myself out of my house once. This is unheard of for me. But, fortunately, despite the increased risk of leaving things unsecured three times, and a spate of reported garage break-ins in my neighborhood, nothing was lost, stolen, or destroyed (except a little bit of my pride).

Why should you, security reader, care?

Risk = vulnerability + threat


Risk = probability + impact

I know you know it. I know you try to use it, but the reality is, several “risk” tools on the market track “risks” that aren’t. Not to you, anyway. Going back to my story, to get to my backdoor, an intruder would have to walk down a very long driveway, between two houses that are quite close together and both have motion detecting lights which shine essentially on my backdoor. There’s also an alarm (and multiple window stickers stating as much) and now a dog whose bark is definitely much bigger than her bite. Thus, there was a vulnerability (an open backdoor), a threat (known burglars in the area), but my risk was reduced because of mitigating factors—contextualized factors.

Prioritization and contextualization

This is the approach RiskSense takes with their risk-based vulnerability management platform. In speaking with Srinivas Mukkamala, CEO and co-founder, he explained that the company has built their platform to prioritize vulnerabilities based on not just vulnerabilities themselves, but also whether the vulnerability has been weaponized, what the payload is/was, which geographies have been affected, which assets have been compromised in the wild, which internet-exposed assets the customer has deployed, the customers’ pen test results, customer vulnerability remediation status, and more.

“RiskSense is designed to look at the infiltration perspective as well as the business use case perspective,” said Mukkamala. “It’s not just about threat feeds and CVEs. We look at the network layer, the application layer, the customer’s default credentials, misconfigurations—more than 15 different attributes that influence the customer’s risk score, what we call the vulnerability risk rating, VRR.”

When Mukkamala and team are talking risk, they are thinking in three layers:

  • Data: the amount and type of data collected and analyzed
  • Data modeling: a proprietary algorithm that intelligently identifies the highest fidelity risks
  • Domain expertise: RiskSense’s team of research experts who evaluate the data

From this process, the platform is able to abstract company-specific and prioritized risk ratings, as well as well as recommendations for remediation, including the exact location of apps that need triage, historical details of the threat, and instructions on how to remediate the vulnerability before it’s exploited. This helps customers pinpoint their affected or potentially affected assets without spending inordinate amounts of time slicing and dicing vulnerability data from myriad and disparate sources.

Enhancing MSSPs’ operations

While RiskSense appears to be an excellent risk-based vulnerability management tool for companies of any size, we spoke in depth about the company’s penetration with MSSPs. The aspect that is most appealing to MSSPs is the ability to gain a single source of visibility across all clients and benchmark risk. During a demo of the platform, we were able to see the aggregate view—What are the critical vulnerabilities? What’s trending? How many vulnerabilities are remotely executable?—and then look at the specifics—Which clients need attention? Which customers are fixing identified vulnerabilities?

When an issue is found, MSSP operators can execute one of the included playbooks or recommend a course of action to the customer. “We go beyond visibility and alerting,” said Mukkamala. “We want our customers to be able to act on the vulnerabilities that most affect their organization, or in the case of an MSSP, our customers’ customers.” To help in this regard, RiskSense not only provides personalized recommendations, but their numerous technology integrations allow for automated workflow into deployed tools including various types of scanners, ticketing systems, asset management systems, and security operations tools.

What’s impacting your organization?

With security budgets and security staffing both tight, RiskSense can help organizations manage digital risk in a clear, concise, and actionable way. This is particularly true for smaller and mid-sized organizations relying on an MSSP to keep intruders away from their backdoors (or front one, in some cases). The key with risk is understanding how and when it applies to your organization, not if the biggest, baddest botnet is impacting other organizations.

Every company is going to have vulnerabilities that need remediation, and there are plenty of vulnerability management and risk rating tools to choose from. We at TAG like RiskSense’s 3 Ds—Data, data modeling, and domain expertise—and the detail they provide through their analyses. In particular, MSSPs will benefit from the “worldview” RiskSense provides when the tool is deployed across multiple customers. If the goal of vulnerability management is to mitigate risk, one is better equipped with a broad view bolstered with attention to detail, which RiskSense adroitly offers.