Mar 24 2017 02:01 PM - last edited on Nov 30 2021 09:01 AM by Allen
There's a good article in Dark Reading today by Michael A. Davis:
"We've all seen them — you might even have one open right now: an Excel spreadsheet with reds, greens, and yellows that tell you where your risk is. You probably follow the simple convention of focusing on low-hanging fruit first and then drill down as hard and as fast as you can on the critical and high items.
Sorry to say this, but you've been doing it wrong. You see, attackers are opportunistic and scrappy, yet we don't seem to work in those variables onto our sea of reds and yellows. I refer to this as the "single versus multivariable risk assessment problem." We have single rows with risk assigned and work them as if they are singular risks. Attackers, on the other hand, chain risks together. They leverage a low risk on a Web server and a low risk on a database server to get access to high-risk data. Two lows can equal a high? Yes, but your prioritization process doesn't think that way."
It has similar themes to blog posts we published previously on disrupting the attacker's kill chain and on how defenders think in lists while attackers think in graphs.
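A small illustration of the "two lows can equal a high" point, as an added example that is not part of the original post or of the Dark Reading article. It models each finding as an edge in a graph ("a foothold on this asset lets an attacker reach that one"), then ranks findings two ways: by their single-row severity, and by the value of the data that any chain passing through them can reach. The assets, findings, severities and asset values are constructed for the example; nothing here comes from a real system.

```python
"""Single-row vs. chained (graph) risk prioritization.

Added example. All findings, assets and values below are constructed
for illustration only.
"""
from collections import defaultdict

SEVERITY = {"low": 1, "medium": 2, "high": 3}

# Constructed asset values: what an attacker gains by reaching the node.
# Assets not listed are worth nothing on their own (they are stepping stones).
ASSET_VALUE = {"customer-data": 10, "file-share": 4}

# Constructed findings. Each one says: a foothold on `src` lets an attacker
# reach `dst`, and a row-by-row scanner would label it with `severity`.
FINDINGS = [
    {"id": "F1", "src": "internet",    "dst": "web-server",    "severity": "low"},
    {"id": "F2", "src": "web-server",  "dst": "db-server",     "severity": "low"},
    {"id": "F3", "src": "db-server",   "dst": "customer-data", "severity": "low"},
    {"id": "F4", "src": "internet",    "dst": "kiosk",         "severity": "high"},
    {"id": "F5", "src": "internet",    "dst": "workstation",   "severity": "medium"},
    {"id": "F6", "src": "workstation", "dst": "file-share",    "severity": "low"},
]


def build_graph(findings):
    """Adjacency list: source asset -> list of findings leaving it."""
    graph = defaultdict(list)
    for f in findings:
        graph[f["src"]].append(f)
    return graph


def attack_paths(graph, start, target):
    """All simple paths (as lists of finding ids) from start to target."""
    paths = []

    def dfs(node, visited, path):
        if node == target:
            paths.append(list(path))
            return
        for f in graph.get(node, []):
            if f["dst"] in visited:      # avoid cycles
                continue
            visited.add(f["dst"])
            path.append(f["id"])
            dfs(f["dst"], visited, path)
            path.pop()
            visited.discard(f["dst"])

    dfs(start, {start}, [])
    return paths


def single_row_ranking(findings):
    """The spreadsheet view: sort rows by their own severity, nothing else."""
    ordered = sorted(findings, key=lambda f: -SEVERITY[f["severity"]])
    return [f["id"] for f in ordered]


def chained_exposure(findings, entry="internet"):
    """For each finding, the most valuable asset any chain through it reaches."""
    graph = build_graph(findings)
    exposure = {f["id"]: 0 for f in findings}
    for asset, value in ASSET_VALUE.items():
        for path in attack_paths(graph, entry, asset):
            for fid in path:
                exposure[fid] = max(exposure[fid], value)
    return exposure


def chained_ranking(findings, entry="internet"):
    """The graph view: rank by what a chain through the finding can reach,
    and only then by the finding's own severity."""
    exposure = chained_exposure(findings, entry)
    by_id = {f["id"]: f for f in findings}
    return sorted(
        exposure,
        key=lambda fid: (-exposure[fid], -SEVERITY[by_id[fid]["severity"]]),
    )


if __name__ == "__main__":
    print("single-row order :", single_row_ranking(FINDINGS))
    print("chained order    :", chained_ranking(FINDINGS))
    print("paths to customer-data:",
          attack_paths(build_graph(FINDINGS), "internet", "customer-data"))
```

Run as-is, the spreadsheet ordering puts the isolated high-severity kiosk finding (F4) first and the three lows last, while the chained ordering puts F1, F2 and F3 first because together they form the only path to the customer data, and pushes F4 to the bottom because nothing is reachable from the kiosk. Real data would need asset values and edges pulled from an inventory and from scanner output, but the ranking logic stays the same.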
Jun 23 2017 12:38 AM