Vulnerability Triage Best Practices
by Gary Phipps
Each time a new vulnerability or threat emerges, dozens of our members reach out to my team and me and ask for help analyzing their portfolios using Predictive Intelligence and Portfolio Insights Technologies. At the same time, I see dozens and sometimes hundreds of third parties in their portfolios with completed assessments that have either not been ordered or, worse yet, not yet been authorized and released by our third-party member.
The Impact of Unknown Risk in a Crisis
The result is that when a member doesn’t have access to a completed assessment in the midst of an emerging threat, the member must assume the worst, which will likely require outreach for more information. This is exactly the type of inefficiency we set out to end by building the Exchange in the first place.
Sometimes, however, the customer just hasn’t gotten around to ordering the assessment yet. In that case, all members should order all available assessments in their portfolios. You’re going to need this data when the next Log4j or SolarWinds comes around. Cyber triage is a fact-finding mission. You do not want to be ‘ordering assessments’ during this time. You want to be in Phase 2 of this process, which is analyzing which vulnerable vendors have access to your critical assets.
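To make the Phase 2 split concrete, here is an added example (not CyberGRX code, and not a description of the Exchange's data model) that triages a constructed vendor portfolio against a newly announced vulnerable component. Vendor names, the `components` field and the bucket names are hypothetical. The logic follows the text: a vendor whose assessment is shared can be analyzed on its own data, while a vendor without a shared assessment must be assumed exposed and needs outreach, with critical-asset vendors first.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Vendor:
    name: str
    critical_asset_access: bool
    assessment_shared: bool  # completed AND authorized/released to this customer
    # Components known from the shared assessment; None when no data is available.
    components: Optional[frozenset] = None


# Constructed sample portfolio; vendor names and components are hypothetical.
PORTFOLIO = [
    Vendor("Acme Logging", True, True, frozenset({"log4j", "nginx"})),
    Vendor("Beta Payroll", True, False),  # assessment never ordered: no data
    Vendor("Gamma Analytics", False, True, frozenset({"log4j"})),
    Vendor("Delta Print", False, False),  # completed but not released to us
    Vendor("Epsilon CRM", True, True, frozenset({"postgres"})),
]


def triage(portfolio, affected_component):
    """Bucket vendors for an emerging threat in a single pass.

    assist_now        - known to use the component AND touches critical assets
    monitor           - known to use the component, no critical-asset access
    cleared           - shared assessment shows the component is not in use
    outreach_required - no shared assessment, so the worst case is assumed;
                        critical-asset vendors are listed first
    """
    buckets = {"assist_now": [], "monitor": [], "cleared": []}
    unknown = []
    for v in portfolio:
        if v.assessment_shared and v.components is not None:
            exposed = affected_component in v.components
            if exposed and v.critical_asset_access:
                buckets["assist_now"].append(v.name)
            elif exposed:
                buckets["monitor"].append(v.name)
            else:
                buckets["cleared"].append(v.name)
        else:
            unknown.append(v)
    # Stable sort: critical-asset vendors first, original order otherwise.
    unknown.sort(key=lambda v: not v.critical_asset_access)
    buckets["outreach_required"] = [v.name for v in unknown]
    return buckets


def data_coverage(portfolio):
    """Fraction of the portfolio that can be triaged without outreach."""
    shared = sum(1 for v in portfolio if v.assessment_shared)
    return shared / len(portfolio) if portfolio else 0.0


if __name__ == "__main__":
    result = triage(PORTFOLIO, "log4j")
    for bucket, names in result.items():
        print(f"{bucket:18s} {names}")
    print(f"coverage: {data_coverage(PORTFOLIO):.0%}")
```

The `outreach_required` bucket is the work the text wants to eliminate before the crisis: every vendor there costs an email and a wait during the incident, whereas the other three buckets are answered from data already in the portfolio.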
So what should your next steps be?
Customer Members: Go into your CyberGRX Portfolio and order the assessments that are available so that my Risk Solutions team can help you faster when the next vulnerability hits the interwebs. If you can flood your portfolio with good data while you're NOT fighting a fire, the benefits include:
- Cutting your triage time in half and zeroing in on the few vendors you need to offer assistance to
- Being able to tell your CEO how you’re handling the situation and where you’re exposed before they ask
- Validating the hard work our third-party members put into the self-assessment process
- Benefiting from an accounting of the good control hygiene of those assessments in your portfolio
Third-Party Members: If you can proactively share your assessment with your customers, you will not only be able to point out that you’re not worth checking on the next time a zero-day hits the paper because your security hygiene is primo (or at least upper middle), but you'll also have an opportunity to galvanize the bond of partnership with your customer. After all, proactively sharing your CyberGRX assessment with your customers is like giving them a 2-week break ‘on you’.
Simply log in to your Company Profile and on the Summary Page you'll find the list of your customers on the Exchange. (The list of companies below that are also CyberGRX Customer Members.) When you share your assessment, you save your customer a lot of running around during a crisis. And as we all know, time is a valuable commodity when fighting cyber threats.
Not yet a member of our Exchange? CyberGRX's Cyber Risk Intelligence allows you to have complete visibility into your third-party risk posture. Through application of advanced machine learning to rich data sources that include real-time threat intelligence, predictive third-party assessment results and real-life cyber attack scenarios, Cyber Risk Intelligence shines a light on third-party blindspots to help you prioritize your risks and make smarter decisions.
Contact us today for a no-obligation, customized demo.