Too Much Ts, Too Much Information!

Twitter: @MeetCyberBob

All the Ts — OT, IT, IoT… As technology professionals, it’s in our blood to simplify everything — and that’s why we love acronyms. Rumor has it there’s even a 4-level acronym — 4 levels of acronyms before you get to the full term… But I digress.

As we optimize processes, all the different tools we use do so much automation and provide so much visibility that we lose sight of possibilities that automation creates in risk assessment. Then when automation can be done, we don’t know where to start. Let me explain a simple process — you can skip the description if you already know the outcome:

1. You run a vulnerability scan and identify REQUIRED high impact actions needed to be taken. Ticket is opened to track action;
2. Data is sent to the appropriate team, waiting for feedback and acknowledgement, maybe even stop gap planning for risk assessment and mitigation until an appropriate solution is in place;
3. Retesting — the same vulnerability;
4. Retesting — the same result;
5. Retesting — device is no longer finding this vulnerability, but there is no comparison, as the device is no longer visible;
6. Retesting — device is no longer visible;
7. Ticket closed.

More importantly, so much time is spent comparing the CMDB data with the device owner. The process goes from Vulnerability Assessment Tool→ to Results review-→ To Align to CMDB→ Ticket interaction, then a follow-up to see what has changed — it could take 3-6 months before the correct data is correlated to identify if the device is a) still online and b) still at risk.

Broken process…

Even with visibility, the over-arching process of changes requires teams to ingest and adjust to improve that process to properly assess risk. The big thing is how to get a better cadence to allow changes to be automated in even the most critical systems.

This is where 2 components really show their value:

1. Compensating controls — Allowing the alternatives (including segmentation on network, agent, or security gateway) to add hoops that any malicious intent has to jump through in order to work. Remember to hold planning sessions with teams to show them the additions beforehand… let them choose from the options: Patch, Segment or Do nothing… but Share with the OPTIONS!
2. Business Risk reporting from IT vs. Compliance status — You need to be providing your Information Technology business customers with THEIR status against corporate standards. Let them know how actions impact the RISK model for the organization.

Don’t be afraid to overcommunicate and remember to always improve the feedback loop. This will assist all the technology… All the Ts of your business: IT, OT, and IoT.