
How to Measure the Efficacy of Your Cybersecurity Program: 5 Questions to Ask

When it comes to measuring the efficacy of your security efforts, understanding how your program stacks up against peers can reveal where key improvements or investments are needed. 

Proving success in cybersecurity has always been a challenge: If you’re playing defense and nothing bad happens, was it because you’re smart or lucky? Gaining perspective on your organization’s effectiveness is a vital step in improving your cyber hygiene. 

While new exploits or zero-day attacks make headlines, the most common root causes of breaches are familiar and predictable. According to Tenable Research’s 2020 Threat Landscape Retrospective, these include:

  • Old, unpatched vulnerabilities

  • Poor administrative and configuration processes

  • Insufficient asset tracking


Understanding your vulnerability management process is foundational to assessing cyber risk

Scanning your environment and addressing unacceptable risks in a prioritized manner are the twin pillars of any effective security program. But organizations often don’t have a complete understanding of these processes. Two critical measurements you need to have at your fingertips are:

  • Assessment Maturity: This metric gives you insight into your scanning processes to ensure your team is operating with a complete and accurate picture of your evolving attack surface

  • Remediation Maturity: This metric enables you to evaluate how timely and proactive you are in mitigating critical risks


Peer benchmarks reveal where key investments are needed

By themselves, these vulnerability management process metrics don’t tell you all that you need to know — you need a sense of perspective to understand how they stack up within the context of your peer group. No matter your industry, you don’t want to be at the bottom of the barrel. But, without peer benchmarking, it’s difficult to know how well you’re really doing.

When you think about your cyber hygiene fundamentals — assessment and remediation — you need to know: 

  1. How am I doing?

  2. How do I compare to my peers? 

  3. What specific actions do I need to take to improve? 


The answers to these questions will help you request budget and allocate resources by enabling you to understand and communicate how you’re doing across internal business units and compared to external peers. Think of it like a professor grading you on a curve and telling you exactly what you need to do to get an “A” in the class.

Five questions to size up the maturity of your security program

1. How often do you scan the majority of your assets?


This is where your journey to maturity begins. Answering this question with precision begins to take you down the road of understanding what resources you have internally, what’s reasonable to accomplish and what critical metrics you can obtain.

With scanning in place, you can ask additional questions such as:

  • How much of your environment are you regularly scanning?

  • Approximately how much time passes between scans?

  • Do these behaviors vary across business units or geographies?

  • Are those areas broken out by the criticality of the asset to your business, the type of asset, geolocation of the asset, or any other factors?

  • What is the SLA requirement for each of those categories?



The longer the scan cycle (time between scans), the longer vulnerabilities remain unidentified and unpatched. You not only need to quantify risk, you also have to identify those risks quickly. To give you some perspective, the average organization scans their assets approximately every four days, according to Tenable Research.

2. What percentage of open vulnerabilities are you capturing?



Authentication is the first point of triage. You can’t quantify what you can’t see. With risk reduction as your goal, authenticating wherever and whenever you can is critical. At the end of the day, getting as deep and broad an assessment of an asset as possible is a fundamental step in being able to know where risks are, what assets/business functions are impacted and what you’ll need to do to remediate and lower risk. Without knowing the scope, criticality, impact and work requirements, there’s simply no way to effectively manage risk and build toward a more mature program that can properly address and reduce risk going forward. Tenable Research shows that credentialed scans detect on average 45x more vulnerabilities per asset than non-credentialed scans; yet, nearly 60% of enterprise assets are scanned without local credentials, yielding false negatives.



3. How quickly are you addressing high-risk vulnerabilities?


According to the Tenable 2021 Vulnerability Intelligence Report, 18,358 new vulnerabilities were identified in 2020. But only 5.2% had a publicly available exploit. You need to fix first what matters most. Reducing risk in the most efficient and effective manner requires understanding how quickly you're addressing vulnerabilities which you’ve identified to be high-risk on assets which are highly or critically important to your business functions. Understanding the nature of the threat posed by a vulnerability involves insight into the characteristics of the vulnerability that make it attractive to attackers along with threat intelligence for insight into the in-the-wild activity surrounding that particular vulnerability. You can’t afford to waste valuable resources on vulnerabilities that pose little or no threat.
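As an added example (not code from the article or from Tenable's products), here is how the three process metrics behind questions 1 through 3 can be computed from your own scan and finding records: the scan cycle, the share of assets whose latest assessment used credentials, and time-to-fix for exploitable findings against an assumed 14-day SLA. The asset names, dates and the SLA are constructed sample values.

```python
from datetime import date
from statistics import median

# Constructed sample data (not from the article): one record per (asset, scan day, credentialed?).
SCANS = [
    ("web-01", date(2021, 3, 1), True),  ("web-01", date(2021, 3, 5), True),
    ("web-01", date(2021, 3, 9), True),
    ("db-01",  date(2021, 3, 1), False), ("db-01",  date(2021, 3, 15), False),
    ("hr-01",  date(2021, 3, 2), False), ("hr-01",  date(2021, 3, 4), True),
    ("hr-01",  date(2021, 3, 6), True),
]
# Constructed findings: (asset, public exploit available?, first seen, fixed on or None if still open).
FINDINGS = [
    ("web-01", True,  date(2021, 3, 1), date(2021, 3, 4)),
    ("db-01",  True,  date(2021, 3, 1), date(2021, 3, 20)),
    ("hr-01",  True,  date(2021, 3, 4), None),
    ("web-01", False, date(2021, 3, 1), None),
]
AS_OF = date(2021, 3, 31)  # reporting date for the constructed data

def scan_cycle_days(scans):
    """Question 1: median gap, in days, between consecutive scans of the same asset."""
    by_asset = {}
    for asset, day, _ in scans:
        by_asset.setdefault(asset, []).append(day)
    gaps = [(later - earlier).days for days in by_asset.values()
            for earlier, later in zip(sorted(days), sorted(days)[1:])]
    return median(gaps) if gaps else None

def credentialed_coverage(scans):
    """Question 2: share of assets whose most recent scan ran with local credentials."""
    latest = {}
    for asset, day, creds in scans:
        if asset not in latest or day > latest[asset][0]:
            latest[asset] = (day, creds)
    return sum(creds for _, creds in latest.values()) / len(latest)

def high_risk_remediation(findings, today, sla_days=14):
    """Question 3: median days-to-fix for exploitable findings, plus assets with
    exploitable findings still open beyond the SLA (assumed 14 days here)."""
    fixed = [(fix - seen).days for _, exploitable, seen, fix in findings if exploitable and fix]
    overdue = [asset for asset, exploitable, seen, fix in findings
               if exploitable and fix is None and (today - seen).days > sla_days]
    return (median(fixed) if fixed else None), overdue

if __name__ == "__main__":
    print("scan cycle (days):", scan_cycle_days(SCANS))
    print("credentialed coverage:", round(credentialed_coverage(SCANS), 2))
    print("high-risk remediation:", high_risk_remediation(FINDINGS, AS_OF))
```

Broken out per business unit or asset type, the same three functions give the internal comparison the article describes; the external peer comparison still needs a benchmark source.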

4. What percentage of assets have endpoint protections in place?


Endpoint security is one necessary layer of defense among many. You need to know whether your systems have the required security programs installed and whether you are aware of any unauthorized or potentially dangerous software installed on those assets. But this is not just an issue of malware; for example, it could involve policy violations such as having telnet open when telnet is not allowed to be available on any corporate system. The risk of not asking this question is simply that you may not know if controls are in place everywhere you expect them to be. This is an all too common problem. Only 44% of infosec leaders say their organization has good visibility into the security of their most critical assets, according to a commissioned study conducted by Forrester Consulting on behalf of Tenable.


5. Are you reducing cyber risk across key business functions?


The Forrester study also revealed that just four in 10 security leaders can answer the question “How secure or at risk are we?” with a high level of confidence. It’s a simple question, but one that can be maddeningly difficult to answer without the right intelligence and metrics. 
At an executive level, understanding if risk is being reduced across business functions (teams, geolocations, asset types etc.) aligns with the goals of the overall business and demonstrates value and return on investment for the budget given to the security program. At a strategic level, answering this question helps the day-to-day leadership make better decisions about where the program is working best (and thus, how to replicate that to other areas) and where it’s not working so well. At the tactical level, those responsible for remediating and patching need to understand how their efforts are moving the needle in the right direction for their particular business function, as well as how their efforts are communicated up the chain all the way to the executive level. 

Without precise answers to these questions you may not know if you’re actually reducing risk or not. Further, you may miss areas of the organization which are struggling to reduce risk or are putting the rest of the organization at risk due to their inability to drive risk downward. 

Level up your security program to reduce your cyber exposure

By honestly answering these five questions, you can set your program up for success with a baseline of security intelligence, cyber risk and process integrity metrics from which to measure improvement over time. Then, by comparing your metrics across internal teams and against external peers, you can identify where key improvements are needed — e.g., your accounting department might have inadequate authenticated scan coverage; or, your overall program might not be fixing critical issues quickly enough compared to industry peers.


Wherever your program is in its maturity journey, Tenable can help by automatically tracking these key process metrics and highlighting gaps where additional investments can have the greatest impact on reducing risk. Once you have this full picture, you can begin to prioritize your efforts and play offense by actively addressing the lowest hanging fruit that attackers are most likely to exploit. 
