When it comes to IT security, CIOs, CDOs, and CISOs are on the back foot.
Three factors make it worse: Endpoints leaving the data center and corporation perimeters; hackers figuring out economic models around ransomware; and the emergence of new sophisticated techniques including zero-day attacks.
Regulators, companies, and consumers are turning on the pressure. Being hacked, suffering an outage or losing customer data now damages both reputation and revenues directly. In some cases, it can hobble a firm's ability to do business permanently.
"The conversation about risk was at the level of IT folks. That has changed. It is now occurring at the C-level and Board level because there is a correlation between breach and valuation of the company. Also, partner vulnerability is becoming important as it impacts your own security posture," Mandeshpal Singh, Senior Product Manager, Partner and Product Strategy, Verizon Asia Pacific said.
The IT security landscape is not short of solutions. The market has thousands of point solutions and vendors promising holistic approaches. However, many CIOs and CISOs are unable to gauge their effectiveness and suitability.
Vulnerability assessments and penetration tests offer a better approach to identifying the gaps and buying the right solutions. But these take time and are costly. Singh noted that in some cases the final reports might not be valid because of the deployment of new apps and interconnectivity with new suppliers.
Verizon Risk Report (VRR) aims to make vulnerability assessment more urgent and relevant. Available for a monthly subscription, firms can immediately find out their security readiness based on their industry and location, identify existing gaps, and ensure that their security policies are well enforced.
To be launched in Spring 2018, VRR has three levels of risk assessment. Level 1, which Verizon called "outside-in view," uses BitSight security rating service, combined with deep web and dark web information from Recorded Future, for external assessments to give you an external risk score. Data from the Verizon Data Breach Investigation Report (DBIR) further enhance and contextualize the score.
The “inside-out view” Level 2 will install Cylance and Tanium software agents at key infrastructure points. It includes all Level 1 features and adds internal analysis. The resulting holistic risk score is specific to the industry. It will initially require a certain period for the agents to "learn" the internal environment and create a baseline.
Level 2 also allows customers to gain access to threat intelligence information specific to the industry that is otherwise costly to obtain individually. Singh also added that Verizon would add new data sources as part of their roadmap to expand the scope and depth of the threat intelligence.
Level 3 is where Verizon’s security experts come in. Featuring all the features of Level 1 and 2, it aims to offer a “culture and process view.” It includes qualitative assessments that study enforcement of security policies and specific user behaviors.
Essentially, VRR will help firms to monitor their risk posture better. It will notify changes to the risk score when rolling out new IT initiatives or when linking with third party data sources and suppliers.
“Cyber insurance is another use case. [This is] because clients want to find a way to show cyber insurance firms a report to develop the premium, while insurers are starting to ask for third-party risk posture validation,” Singh said.
VRR offers a good starting point to take the cyber fight to the hackers. It is not looking to replace penetration testing and other more exhaustive assessments. But it does allow firms to find out how exposed they are to new threats quickly and take the right steps forward.
“We are just changing the whole IT security conversation,” Singh said.