Relying on manual processes to comb through mountains of logs is one of the main reasons that critical issues are not being addressed in a timely fashion. According to the Verizon 2013 Data Breach Investigations Report, 69% of breaches were discovered by a third party and not through internal resources. To make matters worse, 66% of the breaches took months or even years to discover. IRM can shorten the window attackers have to exploit a software or network configuration flaw.
Adding the Notion of Risk in Security
The majority of existing security products lack the ability to assign risk-based prioritization. They produce a wealth of logs, but do not indicate which vulnerabilities need to be mitigated first. Without knowing what risk a specific vulnerability poses for the business, it is difficult, if not impossible, to prioritize mitigation efforts.
Risk is influenced by three key factors: compliance posture, threats and vulnerabilities, and business criticality of the impacted asset. What organizations need is a context-aware, risk-based view across the enterprise, combining threat intelligence, vulnerability knowledge, compliance and business impact.
IRM systems enable big data automation, which encompasses data gathering from networked machines, third-party feeds and the platform's assessment engine. They provide insight into an organization's state of compliance, security and ultimately risk posture to achieve continuous compliance and continuous monitoring.
IRM systems also allow organizations to assign policies, classifications and business criticality to assets, propagating the attributes (e.g., risk) to all related assets, and then enforcing the attributes in a dynamic data-driven environment. By correlating these three key factors in a single data model, organizations can determine the risk associated with particular assets and prioritize remediation actions based on the actual risk.
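The correlation described above (threat severity, compliance posture and business criticality combined in one data model, with criticality propagated to related assets) can be shown with a small scoring model. This is an added example, not code from the article or from any IRM product; the asset names, dependency links, findings and the weighting formula are all constructed assumptions.

```python
"""Risk-based prioritization across a small asset graph (added example).

Assumed data model: each asset has a business criticality (1-3), a count of
open compliance gaps and a list of assets it depends on. A depended-upon
asset inherits the criticality of whatever depends on it, so a low-profile
database behind a critical application is treated as critical too.
All records below are constructed sample data.
"""

# Constructed asset inventory with business context
ASSETS = {
    "web-01": {"criticality": 3, "compliance_gaps": 1, "depends_on": ["db-01"]},
    "db-01":  {"criticality": 1, "compliance_gaps": 0, "depends_on": []},
    "lab-07": {"criticality": 1, "compliance_gaps": 2, "depends_on": []},
}

# Constructed scanner findings: (asset, finding id, severity 0-10, exploit known)
FINDINGS = [
    ("web-01", "F-1", 5.0, False),
    ("db-01",  "F-2", 9.8, True),
    ("lab-07", "F-3", 9.8, True),
]


def propagate_criticality(assets):
    """Return effective criticality per asset: each asset takes at least the
    criticality of every asset that depends on it, transitively."""
    effective = {name: a["criticality"] for name, a in assets.items()}
    changed = True
    while changed:  # iterate to a fixed point over the dependency graph
        changed = False
        for name, a in assets.items():
            for dep in a["depends_on"]:
                if effective[dep] < effective[name]:
                    effective[dep] = effective[name]
                    changed = True
    return effective


def score(severity, exploit_known, criticality, compliance_gaps):
    """Hypothetical weighting: threat x business impact x compliance factor."""
    threat = severity * (1.5 if exploit_known else 1.0)
    return round(threat * criticality * (1 + 0.25 * compliance_gaps), 2)


def prioritize(assets, findings):
    """Rank findings by business risk rather than by raw scanner severity."""
    eff = propagate_criticality(assets)
    scored = [
        (fid, asset, score(sev, known, eff[asset], assets[asset]["compliance_gaps"]))
        for asset, fid, sev, known in findings
    ]
    return sorted(scored, key=lambda t: t[2], reverse=True)


if __name__ == "__main__":
    for fid, asset, s in prioritize(ASSETS, FINDINGS):
        print(f"{fid} on {asset}: risk {s}")
```

Findings F-2 and F-3 carry identical scanner severity, but F-2 sits on the database that the critical web application depends on, so it ranks first; the same finding on the isolated lab host ranks below it even though the lab host has more compliance gaps. That reordering is the point of adding business context to raw vulnerability data.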
Providing Continuous Monitoring
Cyber threats are unpredictable and cannot be scheduled like a compliance audit. Instead of a point-in-time view of risk, continuous monitoring of both compliance and security posture is required to increase situational awareness. Unfortunately, the majority of organizations are still using a check-box mentality as part of a compliance-driven approach to security. This method achieves point-in-time compliance certification rather than improving security.
Applying continuous security monitoring implies an increased frequency of data assessments (e.g., on a weekly basis) and requires security data automation: aggregating and normalizing data from a variety of sources such as security information and event management (SIEM), asset management, threat feeds, and vulnerability scanners. IRM systems use big data automation and correlation to reduce costs by unifying security management, streamlining processes, creating situational awareness that exposes exploits and threats in a timely manner, and gathering historic data which can assist in predictive security.
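The aggregation and normalization step, and the weekly cadence check that continuous monitoring implies, can be illustrated with a small pipeline. This is an added example, not code from the article or any vendor's platform; the three source formats, their field names, the fixed clock and every record are constructed assumptions.

```python
"""Normalize records from several security data sources into one schema and
flag assets whose latest vulnerability assessment is older than the
monitoring cadence (added example; all field names and records constructed)."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2013, 9, 15, tzinfo=timezone.utc)  # fixed clock so runs are reproducible
CADENCE = timedelta(days=7)                        # weekly assessments

# Constructed raw records, each in its own source's shape
SCANNER = [
    {"host": "WEB-01", "cve": "CVE-XXXX-XXXX", "cvss": 7.5, "scanned": "2013-09-14T02:00:00Z"},
]
SIEM = [
    {"src_ip": "10.0.0.5", "asset": "db-01", "rule": "brute-force", "ts": 1378945200},
]
ASSET_DB = [
    {"name": "web-01", "owner": "app-team", "last_seen": "2013-08-30"},
    {"name": "db-01", "owner": "dba", "last_seen": "2013-09-14"},
]


def normalize(source, record):
    """Map a source-specific record onto the common schema:
    asset, source, kind, detail, severity, observed (UTC datetime)."""
    if source == "scanner":
        observed = datetime.strptime(record["scanned"], "%Y-%m-%dT%H:%M:%SZ")
        return {"asset": record["host"].lower(), "source": source, "kind": "vulnerability",
                "detail": record["cve"], "severity": record["cvss"],
                "observed": observed.replace(tzinfo=timezone.utc)}
    if source == "siem":
        return {"asset": record["asset"].lower(), "source": source, "kind": "event",
                "detail": record["rule"], "severity": None,
                "observed": datetime.fromtimestamp(record["ts"], tz=timezone.utc)}
    if source == "asset_db":
        observed = datetime.strptime(record["last_seen"], "%Y-%m-%d")
        return {"asset": record["name"].lower(), "source": source, "kind": "inventory",
                "detail": record["owner"], "severity": None,
                "observed": observed.replace(tzinfo=timezone.utc)}
    raise ValueError(f"unknown source {source!r}")


def aggregate():
    """Pull every source into one list of normalized records."""
    records = []
    for source, rows in (("scanner", SCANNER), ("siem", SIEM), ("asset_db", ASSET_DB)):
        records.extend(normalize(source, r) for r in rows)
    return records


def stale_assets(records, now=NOW, cadence=CADENCE):
    """Assets with no vulnerability assessment inside the cadence window."""
    latest = {}
    for r in records:
        if r["kind"] == "vulnerability":
            prev = latest.get(r["asset"], r["observed"])
            latest[r["asset"]] = max(prev, r["observed"])
    assets = {r["asset"] for r in records}
    return sorted(a for a in assets if a not in latest or now - latest[a] > cadence)


if __name__ == "__main__":
    recs = aggregate()
    print(f"{len(recs)} normalized records; stale: {stale_assets(recs)}")
```

Host names are lower-cased during normalization so that "WEB-01" from the scanner and "web-01" from the inventory correlate to one asset; without that step the inventory and the findings would never join. The staleness check is what turns a point-in-time scan into continuous monitoring: any asset in the inventory that has not been assessed within the cadence is surfaced, including assets the scanner never reached.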
Making Big Data Actionable
While security monitoring generates big data, in its raw form it remains only a means to an end. Ultimately, information security decision making should be based on prioritized, actionable insight derived from this data. To achieve this, big security data needs to be correlated with its business criticality or risk to the organization. Once assets that require the highest priority for remediating threats are identified, organizations must ensure a smooth handoff from security operations to the IT department, which is responsible for mitigating issues. Any latency in this process can lead to critical delays in time-to-remediation, offering hackers an opportunity to exploit existing vulnerabilities.