The late Stephen Covey is best known for his highly successful bestselling book, The 7 Habits of Highly Effective People. The habits in the book continue to have a profound impact on me, even 20 years after I read it. Habit 3 is, “Put First Things First,” which is all about prioritizing the most important and urgent tasks ahead of less important and less urgent tasks.
When you hear someone talk about tackling “big rocks,” they are likely referring to a powerful demonstration of this habit that illustrates if you don’t take care of the important things first, the unimportant, low-impact tasks in life fill up all of our time.
While the book is primarily oriented around individual effectiveness, many of these lessons, including habit #3, can apply to teams, such as the infosec team in your organization. With almost every team short on resources, there is a dire need to maximize the team’s return on effort. The best way to do that is to prioritize and focus on the “big rocks.”
Sounds simple, but there are two big problems standing in your way:
- It is exceedingly difficult to compare the size of one rock to the next.
- There are thousands of urgent, but not important, tasks screaming for your team’s attention.
Fortunately, if your priority is security for cloud applications, a Cloud Native Application Protection Platform (CNAPP) can help solve both of these challenges, enabling your organization to become more efficient at mitigating risk. These platforms accomplish this by delivering context-driven, risk-based prioritization.
The challenge with using CVSS scores to prioritize tasks
Many organizations rely on Common Vulnerability Scoring System (CVSS) scores to decide which vulnerabilities should be prioritized and tackled first. As the thinking goes, higher severity or “critical” vulnerabilities need to be addressed prior to lower severity vulnerabilities. There are two big problems with this approach.
First, CVSS scoring only applies to unpatched software vulnerabilities. There are many different types of weaknesses that make an organization’s public cloud estate vulnerable to exploit, so by leveraging CVSS, you’re immediately excluding other types of weaknesses such as permissions risks, misconfigurations, bad practices, inadvertent external exposure, and more.
Second, a CVSS score is a “severity” rating, not a “risk” rating. What’s the difference? The CVSS scores published by software vendors and in the NIST National Vulnerability Database (NVD) almost always comprise “Base” metrics only - these are metrics intrinsic to the vulnerability itself. Critically, “Temporal” metrics and “Environmental” metrics are left out of the most widely used and reported scores. Temporal metrics evolve over time and include attributes like whether the vulnerability is being exploited in the wild and whether a widely available patch exists. Environmental metrics are attributes that are specific to the environment in which the vulnerable software is running, such as whether there are compensating controls in place that render the vulnerability more difficult for attackers to exploit.
Prioritizing “big rocks” with CNAPP
Today’s CNAPP platforms, such as Zscaler’s Posture Control, can help your team identify and prioritize the “big rock” issues that will lead to your team becoming as efficient as possible in mitigating public cloud security risk.
To solve the first issue, that CVSS scoring only applies to unpatched software vulnerabilities, CNAPP employs a broad set of input signals to more comprehensively identify weaknesses. To be clear, a CNAPP platform does identify unpatched vulnerabilities in VMs and containers, often with easy-to-deploy agentless scanning technologies, but it doesn’t stop there. These platforms also pull in findings historically uncovered by Cloud Security Posture Management (CSPM), Cloud Infrastructure Entitlement Management (CIEM), Cloud Workload Protection Platforms (CWPP), Data Loss Prevention (DLP), container security, and more. Each finding is assigned an overall score that feeds into a common prioritization engine to identify the most important things that your organization should address first. In some cases, that might actually be a “critical” severity unpatched software vulnerability. In other cases, it might be something else like a security group misconfiguration or an excessive set of permissions.
To solve the second issue, that CVSS is a “severity” rating and not a “risk” rating, CNAPP employs what’s referred to as “context” to fill in the Temporal and Environmental gaps in typical scores. Context means that, rather than evaluating a weakness in isolation, a CNAPP employs technology like graph databases to determine the relationships between seemingly unrelated weaknesses to help better identify the likelihood of an incident. These platforms will also determine attributes, like sensitivity of data, that contribute to the impact of a potential event. Since risk = likelihood times impact, these measures combined help create risk-based prioritization.
CNAPP makes your infosec team more efficient
Compared to traditional approaches, a CNAPP provides your team with a wider view of public cloud weaknesses, and the ability to prioritize that wider view based on risk that is tuned to your environment specifically.
An infosec team that is able to maximize the return on resources invested by efficiently identifying and mitigating risk. Eager to learn how you can accomplish this goal in your organization? Reach out to our security experts.