network vulnerability management

I was reading a research note by Gartner, ‘Maverick Research: Risk Management Produces Bad Cybersecurity’ ($), and it brought up some interesting observations about the usefulness of BackBox NVM when it comes to security best practices.

The thing that jumped out at me is the difference in language between Risk Management and Threat Exposure Management.

Gartner believes network teams should “abandon traditional risk management practices as part of cybersecurity management” and instead talk about threat exposure to guide security activities.

That’s music to my ears, because that’s exactly what we do, and do simply, with NVM.

Why risk management?

Risk and risk mitigation are about future probabilities, and investing to minimize the probability of a breach. Predicting the future is a fool’s game, with uncertain and unknowable outcomes. Risk modeling, they say, becomes security theater.

Risk assessment has become a tool for persuasion – for “security theater” – rather than a mechanism for discovering the truth.

Exposure Management is about understanding and mitigating a company’s defined vulnerabilities. We don’t deal in likelihoods. We deal in absolutes. Defined threats are certainties, not risk. We point out where vulnerabilities are relevant to the specific network devices we automate.

The security scoring that we do aside, BackBox are giving companies a list of their potential exposures based on their actual inventory (and by inventory we mean vendor, device, and OS version) and the remediation tools to mitigate these known exposures. We are grounded in threats by focusing on known vulnerabilities rather than trying to predict forward-risk.

Focus on simplicity

Processes for risk management are over-engineered.

Another comment of theirs mentioned “over-engineered risk management mechanisms…”, which got me thinking that NVM couldn’t be easier to use. Run the job that sends device inventory to NVM and go check the portal for your list of updates to make your network more secure.

There are places for more comprehensive security solutions, but NVM is focused on helping network device administrators prioritize their work with OS updates to maximize their impact on network security.

Focus on real-world threat impact

The high-speed automation of attacks means the probability of a threat impinging on an enterprise is essentially 100%. In other words, any threat that is known to exist is certain to occur.

Why not work to close the vulnerabilities your network is known to be exposed to (as we do with NVM)?

There are places for comprehensive security dashboards, but we’re knocking down vulnerabilities by helping administrators stay on top of the most important updates they can make to keep their networks secure.

Focus on measuring improvements

When starting with NVM, a customer gets a list of exposures at the network level and the device level.

It becomes quite straightforward to measure mitigation results. For example, yesterday we had 10 critical vulnerabilities in our network; today we have 5. Yesterday 25% of our devices were affected by a critical vulnerability; today just 15% of our devices contain critical vulnerabilities.

Risk management actions Gartner recommends

Two stood out to me:

  1. Mitigate defined cybersecurity threats via programs that reduce an enterprise’s exposure to associated exploit and threat vectors. One such program might be to use NVM to measure the number of Critical Vulnerabilities, and reduce them.
  2. Use threat intelligence and research to quickly identify threats that emerge from the cloud of uncertainty. We monitor inventory and security alerts daily, bringing them together to surface actionable threat/vulnerability information. We’re not dealing with probabilities.

Learn more

We’ve got plenty of material on BackBox Network Vulnerability Manager for you to learn more. Depending on the way you like to learn, either watching this webinar or reading this solution brief is a great way to start.