Adding Multi-Factor Scoring to Risk Management and Threat Detection
Solutions Review’s Expert Insights Series is a collection of contributed articles written by industry experts in enterprise software categories. Justin Foster of Forescout factors in adding multi-factor scoring into risk management and threat detection.
There are two sides to the enterprise cybersecurity equation: proactive risk management and real-time threat detection and response. And just like any math problem, there can be a lot of variables that affect the outcome. By leveraging multi-factor scoring, organizations can assign weights to each variable and determine its impact on the equation.
On one side, proactive risk management represents the constants of the equation, which can be controlled to minimize risks before they occur. On the other side, real-time threat detection and response contend with that which is unknown, much like the variables in an equation. Multi-factor scoring enables organizations to optimize this equation to achieve the best possible outcome.
In the market for network monitoring solutions? Check out our free Solutions Buyer’s Guide!
Multi-Factor Scoring in Cybersecurity
Addition by Subtraction: Proactive Risk Management
Proactive risk management is a process to prevent cyber-attacks by identifying, assessing, and prioritizing risks to an organization’s assets and infrastructure, and then taking steps to remediate or mitigate them.
Risk management includes several disciplines, including vulnerability management, patch management, and the discovery and remediation of misconfigurations in Active Directory and other systems. Proactive risk management is important because many of these risks represent low-hanging fruit that could be easily exploited during a cyber-attack. Much like washing your hands to prevent the spread of disease, basic cybersecurity hygiene goes a long way to reduce an organization’s exposure to cyber-attacks.
Multi-factor scoring is a useful tool that can be applied to risk management. This approach involves assigning scores to different factors or variables that contribute to an overall assessment of risk, such as the business function of the device or its configuration. By considering multiple factors, organizations can develop a more comprehensive understanding of the risks they face and prioritize their risk management efforts accordingly.
For example, an organization might use multi-factor scoring to assess the risk posed by a particular vulnerability in their system. They might assign scores to different factors such as the severity of the vulnerability, the likelihood of an attack, and the potential impact of an attack. Based on the scores assigned to each factor, they could then calculate an overall risk rating for that vulnerability and prioritize their efforts to mitigate that vulnerability accordingly.
Risk management can also play an important role during threat detection. By monitoring systems for changes and anomalies, organizations can identify potential indicators of compromise and take action to investigate and respond to those threats. In the context of risk management, this might include prioritizing incident response efforts based on the level of risk.
Statistics 101: Mean Time to Detection and Response
Real-time threat detection and response is an essential aspect of any effective cybersecurity strategy. Mean time to detection and mean time to respond (e.g., the average time it takes to detect a threat and respond to it) are two of the most common metrics to measure. The more quickly an organization can detect and respond to threats, the less likely they are to suffer the negative outcomes of a cyber-attack.
Threat detection and response solutions typically combine multiple technologies and approaches with the ultimate goal of providing visibility into potential threats, the ability to analyze the data to identify patterns and anomalies, and the ability to respond to threats (e.g., enforce policies) in a timely and effective manner.
Good threat detection and response is not entirely contingent on good machine learning. It comes down to a combination of machine learning, signatures, threat intelligence and behavioral and statistical methods. However, it’s important to first understand how threat detection and response solutions fundamentally leverage machine learning to help identify potential threats and reduce false positives. These algorithms analyze large volumes of data to identify patterns and anomalies that could be indicative of a potential threat, and then use that data to train models that can improve the accuracy of future threat detection efforts.
However, to be most effective, machine learning models require clean and contextualized data about events, including information about the source of the event, the type of event, and any relevant metadata that might help to identify the event as a potential threat. This data can be difficult to collect and process, particularly in large and complex IT environments.
Multi-factor scoring can be applied to threat detection and response solutions to help organizations prioritize their response efforts based on the behavior of potential threats, such as IP address location or device exposure. Multi-factor scoring can also be applied to the relevancy and reliability of data to improve the accuracy of machine learning models.
For example, an organization might use multi-factor scoring to assess the risk posed by a particular event or anomaly detected by their threat detection and response solution. They might assign scores to different factors such as the severity of the event, the likelihood that the event is a potential threat, the potential impact of the event on the organization, and the difficulty of mitigating the event. Based on the scores assigned to each factor, they could then calculate an overall risk rating for that event and prioritize their response efforts accordingly.
Adding It All Up: Prevent, Detect, Respond
Combining the two sides of the equation – proactive risk management and real-time threat detection and response – is key to achieving a strong cybersecurity posture. This approach could be summarized by the ‘prevent, detect, respond’ model. On one side of the equation, we have the constant risk of vulnerabilities and misconfigurations, which can be addressed through proactive risk management. On the other side, we have variable threats against an organization, which can be addressed through real-time threat detection and response.
By effectively managing risk and detecting and responding to threats, organizations can prevent cyber-attacks before they occur, or at the very least, minimize the impact of a successful attack. This is what the ‘prevent, detect, respond’ model is all about. It involves implementing measures to prevent cyber-attacks, monitoring the network for suspicious activity to detect threats in real-time, and having a plan in place to respond effectively to any incidents that occur.
Just as in math, where each variable plays a crucial role in the outcome of an equation, each component of the ‘prevent, detect, respond’ model is critical to achieving a strong cybersecurity posture. By combining both sides of the equation, organizations can achieve a balanced and effective approach to cybersecurity.
Justin Foster
As Chief Technology Officer (CTO) at Forescout, Justin Foster leads the product vision, research, data science, and thought leadership teams at Forescout. He brings over 20 years of experience in information security, encompassing server security, cloud security, network security, security analytics, and encryption. Previously, he had been the CTO and Co-founder of Cysiv, a SOC as a Service provider. Justin has held technical, product management, and go-to-market roles at Trend Micro and Third Brigade. Justin held Certified Information Systems Security Professional (CISSP) for 15 years, has an Advanced Executive Certificate in General Management from the Smith School of Business at Queen’s University, a Marketing Strategy Certificate from Cornell, and is listed as the inventor on multiple patents.
