I feel that too many people conflate “threat” and “vulnerability” but couldn’t quite put my finger on a clear definition. I think I now can.
I was listening to the estimable John Gruber’s Talk Show podcast, episode 243 with Rich Mogull, where he talked all about security. Rich explained the cybersecurity stack (my phrase, not his) as it relates to devices. I think it can be thought of more generally in the language we use.
There’s a vulnerability that gets exploited. Once exploited, the attacker use post-exploitation techniques like increasing privileges to admin or mine bitcoin or take over the camera/microphone to gain something of value. That stack of ‘attack phases’ looks like:
Vulnerability ⇒ Exploit ⇒ Post-exploitation
What’s a Threat?
I think people conflate managing threats with managing vulnerabilities.
Making sure that you have the latest OS patch, for example, is managing a vulnerability.
Understanding what to do with a user who is logging in without the latest patch, is taking into account the threat that user presents. So we might restate the above as:
Threat ⇒ Vulnerability ⇒ Exploit ⇒ Post-exploitation
This probably (hopefully?) makes sense but isn’t how security teams act when it comes to cybersecurity threat assessment.
A little math
Prior to hearing John and Rich talk about this, the best metaphor I had was probability (as in the math behind probability). I remember this clearly, though it was (very) long ago where I sat in class learning this stuff. And, I’ve shared this metaphor enough recently that I think I can do it simply.
Before you toss a coin, we all know that the probability of heads is 50%. Same for the probability of getting tails.
However, once you toss the coin, but before you look at the result there is no longer a probability associated with the result. It’s binary. It’s either heads or tails.
When you look at vulnerabilities on an endpoint (for example), most companies have “already flipped the coin” but think they’re assessing the probability of being exploited.
This might be a minor distinction, but it matters.
Threat Visibility Beyond Your Endpoints
The note I jotted down for myself as I was listening to John and Rich was:
Threats are the context in which the vulnerability lives.
I’m coming at this from the perspective of endpoint vulnerabilities and thinking of threats as being about human (user) behavior.
Almost 90% of cyber attacks are caused by human behavior yet when we consider endpoint security it’s one-size fits all. It’s vulnerability management, not threat analysis. You’re not taking into account the user or the threat they bring to your systems. Instead, you’re looking at the vulnerability to assess the threat.
A simple example (that I haven’t quite thought through)… if you leave your door unlocked. Does that increase your threat? Yes. But, if you were going to assign a priority to that threat wouldn’t you
want need to know more if you wanted it to be anything more than a guess? What if a security guard is standing outside? What if it’s a “safe” neighborhood? What if it’s not? What if there is a history of break-ins? What if there happens to be a crime spree in that neighborhood at that time? All of these things change the threat level of that unlocked door.
In the cybersecurity world, it all comes together at the user but the best practice today is to try to have good device security as a proxy for knowing anything more than credentials for a user.
How’s that working out? Not so well.
How do you get visibility beyond your endpoints? What does that even mean?
It means getting insight into the threat-level that each individual user presents. Parsing that a little, it means every user, not just those who you have control over. So if you’re Amazon, it’s great to have threat visibility into your 100,000 or so employees (and however many partners)… but what about your untold millions of customers?
So it means all users.
It also means understanding threat analytics of all of those users in real time.
What good is understanding a threat hours after you’re exposed? In truth, some 40% of companies breached need to be told by outsiders that they’ve been breached. So, yeah. Even security companies are missing something important.
What do we want?
When do we want it?
Let me summarize, because this feels like a longer post than it is.
We need threat visibility (and remediation) not just vulnerability visibility (and remediation). It’s hard because we need it for all users (not just those we control) and need it in real time. Of course, it has to be seamless and easy, both for users and administrators, addressing things like user awareness and alert fatigue.
It should be obvious, but I wouldn’t present the problem like this unless we could solve it. Learn more.