Bay Dynamics Risk Fabric puts vulnerabilities in context

The science of managing vulnerabilities has come full circle. Many years ago, IT workers were already starting to get alert fatigue when responding to constant attacks. Someone came up with a solution to the problem using vulnerability scanners. It was logical. Instead of chasing endless attacks exploiting the same holes in defenses, scanning a network to find and fix vulnerabilities was a better way to go. If all vulnerabilities could be eliminated, so would any attacks that relied on them.

The problem was that as networks grew, so did vulnerabilities. Every application, hardware device, virtual appliance, web connection, user, operating system or network component carries with it the possibility of vulnerabilities. Even a moderately-sized network can hide thousands or even millions of possible vulnerabilities. Today, technology is extremely skilled at finding most vulnerabilities that an attacker could exploit, but trying to fix everything could take IT teams years. And that’s not factoring in the new vulnerabilities that crop up every day. Alert fatigue is still very much a part of life when working a security information and event management (SIEM) console, only now vulnerabilities have been added to the list of alerts alongside of threats.

Enter vulnerability management tools. Their job is to take all those millions of vulnerabilities and prioritize them for IT teams, so that the most dangerous ones can be fixed first. This helps, but vulnerability scores are normally calculated out of context in terms of the rest of the network. For example, there might be a critical, easily exploited vulnerability sitting on a non-critical asset like a receptionist’s terminal somewhere in the organization. And there might be a medium-level threat that is very hard to exploit sitting on a critical server holding your customers’ credit card information. Many vulnerability management programs will direct IT teams to the critical threat on the non-critical asset, and place one that could potentially cripple your organization thousands of places down on the priority scale. It’s not the program’s fault. It just doesn’t know context.

That is one of the major problems in the vulnerability management space that the Bay Dynamics Risk Fabric program is designed to solve. The program is sold as software that is installed internally at most organizations on whatever hardware they want to allot to it. It can also run in the cloud or on a virtual machine, but its core is solidly software-based. It’s sold using a subscription model based on the number of employees at the organization to be protected.

Once installed, the program uses connector apps to attach it to any mainstream vulnerability scanner or SIEM. Whenever any of them run a scan, that data is grabbed by Risk Fabric and processed. That way there are no disruptions in network traffic flow, and no loss of computing time anywhere other than the server where the program is installed. A few of the connector apps allow for two-way communication, so vulnerability managers can trigger a scan, though most organizations will likely have Risk Fabric comply with whatever scheduled scans are already configured.

Risk Fabric does give a vulnerability score like other programs, so critical vulnerabilities are identified as such, but it’s only one metric used to calculate true risk. Among other questions the program asks is how risky the behaviors of users accessing the asset are. This can lower or raise the priority of the vulnerability. If the asset is used by one person to occasionally surf the web and type reports, then it’s less critical than a mail server that touches everyone in the company all the time, or a database accessed by the entire sales staff.

Another factor is correlations with cybersecurity programs. A medium-risk vulnerability on an asset whose endpoint protection is alerting to constant compromise, or one where traffic monitoring tools are indicating data exfiltration could get a higher priority than a critical vulnerability with no indication that anyone is trying to compromise it.

Finally, Risk Fabric assigns a dollar amount to the asset based on what would happen if an asset is compromised, has its data stolen, or is rendered unusable by a malicious user or program. Because no computer program yet possesses the cognitive ability to make those decisions, it must rely on users. Risk Fabric can do this if administrators send out, or fill out, a questionnaire about each asset.

John Breeden II/IDG

The questionnaire is designed to be easily sent to asset owners within the company, and asks four simple questions about the projected losses if data theft, compromise, or asset loss were to occur. There is also an overview question regarding the overall value of the app or asset. By default, survey answers are radio buttons where only one can be active, with users choosing high, medium or minimal impact scores which represent dollar amounts that are fully configurable.

John Breeden II/IDG

Bay Dynamics says that making the asset value question very simple, akin to picking out a small, medium or large t-shirt, keeps end users honest when filling out the questionnaire, something they were hesitant to do (for fear of having their jobs seen as less important) in a previous version with much more detailed questions. Administrators can also fill out that data themselves, something they may want to do for known critical assets. Risk Fabric can work without the monetary data, but is much more helpful once it’s collected, especially compared to other, non-contextual vulnerability management programs.

The main interface of Risk Fabric is very user friendly, with all the colorful charts and graphs one would expect to find in a program designed to help users comprehend complex data. CSOs can then further tweak the data if they want to skew the results towards assets they feel are the most critical. For example, they can use a slide bar to indicate that they are willing to accept the risk on assets where their loss or compromise would cost the company less than $25,000. This could cause more valuable assets with vulnerabilities to bubble up towards the top of the list, though would not totally exclude the others in extreme circumstances.

John Breeden II/IDG

In addition to just being presented with the data, you can also parse it just about any way imaginable. By combining various factors such as asset types, groups, users, vulnerability types and others, users can further define which assets need the most work using the best possible speed.

John Breeden II/IDG

Once it is determined which assets to fix first, vulnerabilities can be grouped into action plans and assigned to groups. When they are reported as fixed, Risk Fabric waits until the next scan and then confirms if the fixes have indeed been made, or if holes still exist.

John Breeden II/IDG

It would not be an inaccurate description to call Risk Fabric a next-generation vulnerability management tool. By adding real context to raw scan results, IT teams are given a much better picture of the true risks hiding within their networks, including the potential costs if those problems are not fixed quickly. Further tweaking can make Risk Fabric even more accurate, though it was extremely useful right from its installation.

More on vulnerability management

• Review: Crossbow offers live fire cybersecurity vulnerability testing
• How to build a top-notch vulnerability management program
• Vulnerability management: The basics
• Security and vulnerability assessment: 4 common mistakes
• What’s the difference between a vulnerability scan, penetration test and a risk analysis?
• Organizations get vulnerability maturity model