[BreachExchange] How Machine Learning Can Improve Risk Management

Audrey McNeil audrey at riskbasedsecurity.com
Thu May 16 20:26:20 EDT 2019


https://www.infosecurity-magazine.com/infosec/how-machine-learning-can-improve-1/

If an organization has any IT infrastructure at all, it faces far more
vulnerabilities than its security team can address. That’s a basic fact of
enterprise cybersecurity.

But there is reason for hope: only a tiny fraction of vulnerabilities pose
a risk to the organization, and some are riskier than others. In an
environment where professionals cannot remediate everything, it’s
incredibly important that cybersecurity executives identify the riskiest
vulnerabilities.

Machine learning is ideally suited to tackle this challenge. There’s quite
a large amount of data that is created by vulnerability scanners, asset
management systems, SIEMs, intrusion detection systems, and other tools.
Machine learning can analyze this data to develop models for how these
factors interact with one another. Ground truth data can be used to
identify which of these features have the greatest influence on the model.
By operating beyond the capacity of prior manual methods, it can be applied
to prioritize the riskiest vulnerabilities, and even predict which newly
found vulnerabilities are likely to be weaponized or exploited.

Further, a multi-stage approach to training and fine-tuning models means
obviously non-predictive variables can be eliminated quickly and easily.
This means companies are no longer evaluating vulnerabilities in a vacuum,
and security teams have the ability to take into account the context of the
vulnerability as well as its asset and environment. The capability has
spurred remarkable changes in how organizations address vulnerabilities,
how they allot resources for vulnerability management, and how they report
risk to their organization.

The situation without machine learning

Traditionally, enterprise vulnerability management programs sit somewhere
on a spectrum of intuition to alchemy. At best, they set out to patch every
vulnerability above a certain threshold. Some organizations, for example,
will try to patch everything with a CVSS score of seven or above. At their
worst, IT professionals compile huge spreadsheets of vulnerabilities that
their scanners have uncovered, and then squabble over which ones to patch
based on their own opinions and industry folklore. The CEO saw one
vulnerability with a logo on the news, so that gets patched. The CFO is
drawing up budgets, so that department’s security gaps are addressed.

Whatever method is used to assess risk, capacity isn’t nearly enough. A
typical organization, no matter how big or how small, can patch just one in
ten vulnerabilities. That limited capacity, however, does not mean that
companies cannot make meaningful strides in reducing risk if they take a
data-driven approach to remediation.

In short, they need to examine the paths that hackers have taken previously.
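The two ideas above (training a model on scanner and asset data against exploitation ground truth, then dropping non-predictive variables in a second stage, and comparing that ranking with a fixed CVSS threshold under a one-in-ten patch budget) can be shown end to end with a small pure-Python example. This is an added illustration, not code from the article or from any vendor's product: the records, the "exploited in the wild" labels, the feature names (cvss, exploit_published, internet_facing, vendor_popular), the 0.1 weight cut-off and the learning-rate settings are all constructed assumptions. Logistic regression is used as the model only because it is simple enough to fit without third-party libraries.

```python
"""Constructed example of data-driven vulnerability prioritisation.

A tiny L2-regularised logistic-regression model (pure Python) is trained on
constructed scanner/asset records with a constructed 'exploited in the wild'
ground-truth label. The code reports which features carry the most weight,
drops non-predictive features in a second training stage, and compares the
model's ranking with a plain CVSS ranking under a 1-in-10 patch budget.
"""
import math
from itertools import product

# Feature names are assumptions for this example, not a standard schema.
FEATURES = ["cvss", "exploit_published", "internet_facing", "vendor_popular"]


def build_vulns():
    """Constructed dataset (not real scan data).

    Every combination of CVSS score, public-exploit flag and exposure appears
    twice, once per value of 'vendor_popular', so that feature is perfectly
    uncorrelated with the label and serves as a known non-predictive variable.
    The ground-truth label is assigned by a constructed rule.
    """
    vulns = []
    for cvss, exploit, exposed, popular in product([4.0, 6.5, 7.5, 9.8], [0, 1], [0, 1], [0, 1]):
        exploited = int(exploit == 1 and (exposed == 1 or cvss >= 9.0))
        vulns.append({"cvss": cvss, "exploit_published": exploit,
                      "internet_facing": exposed, "vendor_popular": popular,
                      "exploited": exploited})
    return vulns


def feature_stats(vulns, features):
    """Per-feature mean and standard deviation for z-scoring."""
    stats = {}
    for f in features:
        vals = [v[f] for v in vulns]
        mean = sum(vals) / len(vals)
        std = math.sqrt(sum((x - mean) ** 2 for x in vals) / len(vals)) or 1.0
        stats[f] = (mean, std)
    return stats


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def train(vulns, features, epochs=3000, lr=0.5, l2=0.01):
    """Batch gradient descent for L2-regularised logistic regression.

    Features are standardised first so the learned weights are comparable
    and can be read as a measure of each feature's influence.
    """
    stats = feature_stats(vulns, features)
    X = [[(v[f] - stats[f][0]) / stats[f][1] for f in features] for v in vulns]
    y = [v["exploited"] for v in vulns]
    n = len(X)
    w = [0.0] * len(features)
    b = 0.0
    for _ in range(epochs):
        p = [sigmoid(b + sum(wj * xj for wj, xj in zip(w, row))) for row in X]
        err = [pi - yi for pi, yi in zip(p, y)]
        grad_w = [sum(e * row[j] for e, row in zip(err, X)) / n + l2 * w[j]
                  for j in range(len(features))]
        w = [wj - lr * gj for wj, gj in zip(w, grad_w)]
        b -= lr * sum(err) / n
    return {"features": features, "weights": dict(zip(features, w)), "bias": b, "stats": stats}


def predict(model, v):
    """Probability that a vulnerability record is exploited, per the model."""
    z = model["bias"]
    for f in model["features"]:
        mean, std = model["stats"][f]
        z += model["weights"][f] * (v[f] - mean) / std
    return sigmoid(z)


def influence(weights):
    """Features ordered by absolute standardised weight, most influential first."""
    return sorted(weights, key=lambda f: abs(weights[f]), reverse=True)


def two_stage_fit(vulns, features=FEATURES, min_weight=0.1):
    """Stage 1 fits on all features and drops any with |weight| below
    min_weight (the cut-off is an assumption); stage 2 refits on the rest."""
    stage1 = train(vulns, features)
    kept = [f for f in features if abs(stage1["weights"][f]) >= min_weight]
    dropped = [f for f in features if f not in kept]
    return train(vulns, kept), dropped


def hits_within_budget(vulns, key, budget):
    """Exploited vulns caught when only the top-`budget` entries are patched.
    sorted() is stable, so ties keep the scanner's listing order."""
    ranked = sorted(vulns, key=key, reverse=True)
    return sum(v["exploited"] for v in ranked[:budget])


def compare(vulns=None):
    """Model-driven ranking versus CVSS ranking under a one-in-ten patch budget."""
    vulns = vulns or build_vulns()
    model, dropped = two_stage_fit(vulns)
    budget = max(1, len(vulns) // 10)  # the 'one in ten' capacity from the text
    return {
        "budget": budget,
        "dropped": dropped,
        "influence": influence(model["weights"]),
        "cvss_hits": hits_within_budget(vulns, lambda v: v["cvss"], budget),
        "model_hits": hits_within_budget(vulns, lambda v: predict(model, v), budget),
        "exploited_total": sum(v["exploited"] for v in vulns),
    }


if __name__ == "__main__":
    for k, val in compare().items():
        print(f"{k}: {val}")
```

On this constructed data the second stage discards vendor_popular (its standardised weight stays at zero because it is balanced against every other feature and the label), exploit_published comes out as the most influential feature, and the model's top three picks are all truly exploited while the top three by CVSS alone are not. Real scan data is noisier than this, and the same pipeline would need held-out evaluation before the weights could be trusted, but the shape of the workflow is the one the article describes.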

Exploiting past patterns to improve security

Hackers follow well-worn paths, even if those paths are incredibly
complicated. They tend to use existing exploits to probe organizations’
networks, and they tend to look for vulnerabilities in systems that are
rarely patched.

All of this generates a lot of data. We know, for example, that of the ten
largest software vendors, three are responsible for 70 percent of
vulnerabilities. Yet only five percent of known vulnerabilities have
published exploit code associated with them.

The data consumed by cybersecurity teams provides a roadmap for which
vulnerabilities can be prioritized for remediation. That same data can give
organizations a measure of overall security risk. If you know which
vulnerabilities are most likely to be exploited and have the biggest impact
if exploited, you likely have a good idea of the risk posed by every one of
the vulnerability scanner’s findings. From there, an organization can
measure, in a meaningful way, the impact of its vulnerability management
programs, and can also decide whether resources are allocated properly.

Security teams face an impossible task when asked to manually interpret and
prioritize every vulnerability in their infrastructure and applications.
The sheer scale and number of these security holes is too large. Computing
power, automation, and machine learning are the best means for keeping up
with this challenge.