Today we unveiled a new version of our Bay Dynamics flagship cyber risk analytics platform, Risk Fabric®. We implemented the enhancements to help IT and security practitioners ease some of their greatest pains. The platform focuses on three key areas – prioritizing vulnerabilities based on the value of the systems and applications at risk, engaging line-of-business application owners who govern valuable assets in the cyber risk reduction process and automating the process of collecting security metrics to present to key stakeholders such as boards of directors and other C-level executives.
To learn more about Risk Fabric’s new capabilities, we interviewed Humphrey Christian, Vice President of Product Management at Bay Dynamics.
A: Thank you for chatting with me, Humphrey. What are the key differentiators between this newest version and older versions of Risk Fabric?
H: This latest version of Risk Fabric optimizes the vulnerability lifecycle management process. After companies conduct vulnerability scans across their infrastructure, they end up with a list of hundreds, sometimes thousands of vulnerabilities. The list can be overwhelming. Security teams do not know which vulnerabilities are the most critical because the scans do not reveal the value of the systems and applications at risk. They also do not know which line-of-business leaders manage those assets at risk and therefore must manually search for that application owner. In other words, vulnerability scans provide part one of the vulnerability management equation, but part two is missing. We enhanced Risk Fabric to fill in that gap. The platform provides security teams with a prioritized list of vulnerabilities based on the value of the assets at risk and automatically sends that information to the line-of-business application owners responsible for remediating them. It also automatically follows up with those owners to make sure the vulnerabilities have been remediated.
A: What about internal and external threats? Does the platform prioritize those as well?
H: Yes, the enhancements help security teams prioritize insider and outside threats as well. Incident responders are overwhelmed by the number of threat alerts they receive from detection tools in their environment. They do not know which ones are the most critical because the tools do not provide business context along with the alert. As a result, responders end up chasing alerts that tools labeled as “high severity” first, when in reality, they are low in severity. Oftentimes, the most critical alerts are overlooked because of this problem, which has led to some of the major breaches we have seen in the past few years. Risk Fabric prioritizes threats based on the value of the asset at risk and associated vulnerabilities that could enable a successful attack. In order to help incident responders prioritize their workload, alerts are first sent to the line-of-business application owner who governs the asset at risk. The application owner can then add the business context needed such as whether or not an unauthorized user who accessed a valuable application was given permission to do so. If the application owner says the user was not given permission, that alert is bumped up to incident responders as a high severity alert. Adding context to alerts before they go to Security Operations Centers minimizes false positives and noise so that responders only receive the most critical threats.
A: It seems like Risk Fabric is getting individuals who are not on the security team, such as line-of-business application owners, proactively involved in cyber risk reduction. We have heard about vendors providing security awareness training to employees and helping companies set strong password policies, but this kind of engagement seems more hands-on. Why did you make the communication factor a critical component of the platform?
H: Cyber risk reduction cannot solely fall on the CISO’s shoulders. Enterprises have hundreds of systems and applications living within siloed business units and protected by siloed security tools. It’s nearly impossible for a CISO to have full visibility into all of those valued assets including knowing who is interacting with them and how they are doing so. Only line-of-business leaders who sit closest to those assets can provide that information. That’s why they need to be actively involved in remediating vulnerabilities and adding contextual information to threats. We have found that line-of-business leaders want to be more involved in reducing risk, but do not receive the information they need to take action. Risk Fabric automatically gives them the necessary information about threats and vulnerabilities to valued assets under their governance so that they can take action accordingly and be held accountable for doing so.
A: What separates this latest version of Risk Fabric from other analytics products on the market?
H: Some vendors offer solutions that focus on insider threats such as user and entity behavior analytics. Others offer solutions that center around assets at risk, prioritizing vulnerabilities based on the value of the systems and applications at risk of a compromise. Risk Fabric is the only platform that offers both of those functionalities. It is also the only solution that automatically facilitates communication between CISOs, incident responders, line-of-business application owners and boards of directors so that everybody understands what they need to do to reduce cyber risk. Risk Fabric is the only platform that puts all of those three components together so that stakeholders companywide see a complete picture of their cyber risk posture and can take action to mitigate threats and vulnerabilities to their most valued assets.
A: It seems that data security requirements, guidance and frameworks are either being created or updated on a regular basis. How does this new version of Risk Fabric enable companies to maintain compliance and security?
H: Risk Fabric drives security first and foremost, so compliance with industry standards is an inherent result. For example, the Federal Financial Institutions Examination Council (FFIEC) assesses financial organizations across five domains – cyber risk management and oversight, threat intelligence and collaboration, cyber security controls, external dependency management and cyber incident management and resilience. Risk Fabric fulfills the requirements needed for all five. Risk Fabric supports continuous compliance with the Payment Card Industry Data Security Standard (PCI DSS), ensuring companies are always ready for their next audit. It also eliminates the manual spreadsheet scramble that takes place quarterly and annually to fulfill PCI DSS audits because it automates the data collection and remediation process.
A: What’s the one, high level takeaway you hope readers understand about Risk Fabric?
H: In order to reduce cyber risk, companies must take a risk-based approach to security. That means identifying where their most valuable assets live and focusing on remediating vulnerabilities and mitigating threats that could lead to a compromise of those specific assets. Risk Fabric enables that risk-based approach. The platform makes security everybody’s business by delivering prioritized threat and vulnerability information to the stakeholders who best understand the assets at risk and can take action to reduce risk. Risk Fabric empowers everyone within a company, even those who are not part of the security team, to proactively defend against the most sophisticated attackers.