Introduction
In the digital landscape, cybersecurity is paramount. The risk-based approach, which has garnered significant attention, promises a strategic defense by evaluating threats based on potential impact and likelihood. But, like all strategies, it has its blind spots. This article delves deep into the methodology, its widespread adoption, and the lurking pitfalls that organizations must be wary of.
Understanding the allure of the risk-based approach
The risk-based approach to cybersecurity has gained traction primarily because of its promise to streamline defense mechanisms. In an environment where threats are numerous and resources are often limited, the idea of prioritizing threats based on their potential impact and likelihood of occurrence seems logical. This approach allows organizations to focus their efforts and resources on the most pressing threats, ensuring that the most critical vulnerabilities are addressed first.

The balance between strategic defense and potential oversights
While the risk-based approach offers a structured method to address cybersecurity threats, it's not without its challenges. The very nature of this approach, which involves prioritizing some threats over others, means that certain vulnerabilities might be overlooked or underestimated. This can lead to potential oversights, where less prioritized threats become avenues for cyberattacks.
The Risk-Based Approach Explained
Strategic defense in the face of myriad threats
The digital realm is rife with threats, ranging from sophisticated hacking attempts to internal breaches. In such a scenario, a one-size-fits-all approach to defense is neither feasible nor effective. The risk-based approach offers a solution to this conundrum. By assessing and prioritizing threats based on their potential damage and likelihood, organizations can create a tiered defense strategy. This ensures that the most damaging threats are addressed with the highest priority, offering a more efficient defense mechanism.

The challenge of predicting the unpredictable
One of the inherent challenges of the risk-based approach is the need to predict future threats. Cybersecurity is a dynamic field, with new threats emerging regularly. Predicting which threats will materialize and the potential damage they can cause is a complex task. While the risk-based approach offers a structured methodology to assess threats, the unpredictable nature of cyber threats means that there's always a degree of uncertainty involved.
Why Organizations Are Gravitating Towards It
The promise of targeted, efficient defense
The primary allure of the risk-based approach is its promise of a targeted defense strategy. Instead of spreading resources thin across multiple threats, organizations can focus on the most critical vulnerabilities. This ensures that the most significant threats are addressed first, leading to a more efficient and effective defense mechanism. By targeting the most pressing vulnerabilities, organizations can also achieve better results with fewer resources.
The allure of cost optimization in cybersecurity
Cybersecurity is often seen as a cost center for organizations. With limited budgets and increasing threats, organizations are always looking for ways to optimize their cybersecurity spending. The risk-based approach offers a solution to this challenge. By prioritizing threats and focusing resources on the most critical vulnerabilities, organizations can achieve better results without increasing their spending. This approach offers the potential for significant cost savings, making it an attractive option for budget-conscious organizations.
The Underbelly of the Risk-Based Approach
The challenges of staying ahead in a dynamic threat landscape
The digital world is in a constant state of flux. New technologies emerge, old ones become obsolete, and with these changes come new vulnerabilities and threats. The risk-based approach, while strategic, is fundamentally a predictive model. It relies on the ability to foresee potential threats and vulnerabilities. However, the rapid evolution of the digital landscape makes it challenging to stay ahead. Today's low-risk vulnerability could become tomorrow's high-risk threat due to unforeseen technological advancements or changes in threat actor tactics. This dynamic nature of the digital realm poses a significant challenge for the risk-based approach, as it requires continuous reassessment and recalibration of threat priorities.
Let's boil the ocean!
The potential cost of reactive defense strategies
The risk-based approach, by its very nature, prioritizes certain threats over others. While this allows for a more focused defense strategy, it also runs the risk of being reactive rather than proactive. If a previously low-priority threat suddenly materializes and causes damage, the organization is forced into a reactive stance, trying to mitigate the damage after the fact. This reactive approach can be costly, both in terms of financial impact and reputational damage. It underscores the importance of a balanced cybersecurity strategy that combines the predictive nature of the risk-based approach with proactive defense mechanisms.
Scenarios Highlighting the Pitfalls
The overlooked threats: When risk assessments miss the mark
Imagine a multinational corporation that has invested heavily in defending against external cyber threats, based on its risk assessment. Their external defenses are robust, designed to thwart sophisticated hacking attempts. However, an internal system, previously deemed low-risk, becomes an unexpected vulnerability. An insider, perhaps a disgruntled employee or a contractor with malicious intent, exploits this system, leading to a significant data breach. This scenario highlights the potential dangers of overlooking or underestimating threats in a risk-based approach.
The cost of underestimating seemingly minor threats
In another instance, consider a tech startup that has developed a groundbreaking product. Their primary focus is on safeguarding their intellectual property and product blueprints. They've assessed the risk and prioritized defenses accordingly. However, they underestimate the risk posed by Distributed Denial of Service (DDoS) attacks. A coordinated DDoS attack targets their servers, disrupting their services during a critical product launch. The financial losses are significant, and their reputation takes a hit. This scenario underscores the importance of a holistic view of threats, even those that might seem minor or unlikely.
Case Study
I'll illustrate with an example that happened some time ago to an organization. The organization had employed a CISO and a security team to protect it. All due processes were followed, and they had an effective patch management process.
Like any other organization, they were overwhelmed by the number of patches to be deployed and had adopted a "risk-based" approach to patching. High-severity vulnerabilities were patched as soon as possible (that is, after testing and validation). Medium- and low-severity vulnerabilities were batched into the next free maintenance window, which usually happened once a year. Because of the increasing number of zero-days and high and critical vulnerabilities, the medium- and low-severity vulnerabilities were, understandably, left unpatched.
Severity was determined by the exposure of the system and the vendor's criticality rating. A system directly exposed to the internet was naturally rated high criticality, and a high-severity vendor vulnerability on such a system was dealt with immediately.
Then an incident struck the unfortunate organization: a crippling ransomware attack spread throughout it. I was called in to investigate and provide management with the complete picture of the issue.
What was discovered was that the threat actor (TA) had managed to slip into the organization through an email file attachment, gaining local access on the victim machine. Using a known exploit against a well-known directory service, the TA gained organization-level administrative access. To wreak complete havoc, the TA deployed the ransomware through the computer policy management system, which syncs policy to every machine in the organization.
Come Monday, everyone logged in, was hit by the ransomware, and chaos ensued.
In the post-mortem management meeting, it was highlighted that the directory service had a vulnerability rated medium by the vendor. It had been re-rated as low because the system was internal and not publicly reachable. The patch was 6 months old and had not been deployed, due to the risk-based prioritization.
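As an added illustration (not part of the original case study), the following Python models the two rating rules in play: the exposure-only rule that re-rated the internal directory service from medium to low, and an alternative that treats identity and policy-management systems as reachable from any compromised workstation and escalates stale patches. The host names, roles and the 90-day staleness threshold are constructed assumptions.

```python
from dataclasses import dataclass

LEVELS = ["low", "medium", "high", "critical"]
# Roles whose compromise yields organisation-wide control (assumed list).
TIER0_ROLES = {"directory-service", "policy-management"}

@dataclass(frozen=True)
class Finding:
    host: str
    role: str
    vendor_severity: str      # vendor rating: low/medium/high/critical
    internet_exposed: bool
    patch_age_days: int

def shift(level, steps):
    """Move a severity up (+) or down (-) the scale, clamped to its ends."""
    i = min(max(LEVELS.index(level) + steps, 0), len(LEVELS) - 1)
    return LEVELS[i]

def sla(level):
    """The case study's SLA: high/critical patched now, the rest wait a year."""
    return "immediate" if level in ("high", "critical") else "annual-window"

def exposure_only(f):
    """Rule from the case study: internal systems are re-rated one step lower."""
    return shift(f.vendor_severity, 0 if f.internet_exposed else -1)

def reachability_aware(f):
    """Alternative rule: tier-0 roles count as exposed (reachable from any
    phished workstation) and a patch older than 90 days escalates one step."""
    level = f.vendor_severity
    if f.role in TIER0_ROLES:
        level = shift(level, +1)
    elif not f.internet_exposed:
        level = shift(level, -1)
    if f.patch_age_days > 90:
        level = shift(level, +1)
    return level

def schedule(findings, rule):
    """Map each host to (effective severity, patch SLA) under a rating rule."""
    return {f.host: (rule(f), sla(rule(f))) for f in findings}

# Constructed sample inventory mirroring the case study (6 months ~ 180 days).
FINDINGS = [
    Finding("dc01", "directory-service", "medium", False, 180),
    Finding("www01", "web-server", "high", True, 3),
    Finding("ws-042", "workstation", "low", False, 30),
]

if __name__ == "__main__":
    for name, rule in (("exposure-only", exposure_only), ("reachability-aware", reachability_aware)):
        print(name, schedule(FINDINGS, rule))
```

Under the exposure-only rule dc01 lands in the annual window; under the reachability-aware rule the same finding is patched immediately.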
Conclusion
The risk-based approach to cybersecurity offers a strategic framework for defending against digital threats. It promises efficiency, cost savings, and a targeted defense strategy. However, it's not without its challenges. The dynamic nature of the digital realm, the unpredictability of threats, and the potential for oversight make it essential for organizations to adopt a balanced approach. While the risk-based methodology can be a powerful tool in the cybersecurity arsenal, it should be complemented with continuous reassessment, proactive defenses, and a holistic view of the threat landscape.