Prioritize Security Alerts with 5 Simple Metrics

June 9, 20204 min readVulnerability Management

The infosec workforce is riddled with stress. You need to be right every time, but the bad guys only need to be right once. Security alerts for the “things that are going wrong” spew out of vulnerability scanners by the thousands. Meanwhile, the humans responsible for improving security posture are becoming overwhelmed.

Recent surveys have revealed the extent to which infosec professionals face challenging conditions at work. Infosec professionals:

Their leaders don’t have it any better. CISOs typically last just 18-24 months in their role. These findings leave little question as to why such a large talent gap has arisen in cybersecurity.

Cybersecurity is no longer a human-scale problem

The exploding enterprise attack surface has made analyzing and improving security posture an extremely challenging task for humans. For large organizations, there are several billion time varying signals that need to be analyzed in order to accurately predict breach risk. Using legacy tools to do this is like using a calculator to forecast the weather.

If getting an accurate read on the state of the attack surface wasn’t difficult enough, infosec professionals also need to keep up with hundreds, if not thousands, of vulnerability alerts. Trying to patch everything is not a viable option, unless you still want to be working on this month’s  vulnerability scan 3 years from now.

How to Prioritize Patching

In order to keep the enterprise safe and incrementally improve security posture, cybersecurity professionals must prioritize their patching efforts. The notion is intuitive: fix the security issues  that will mitigate the most risk first. However, knowing which vulnerabilities are creating the most risk is a much more nuanced challenge.

5 Key Metrics to Prioritize Security Alerts

Here are five key metrics to prioritize security alerts:

  1. Business criticality
  2. Vulnerabilities
  3. Threats
  4. Exposure/Usage
  5. Risk negating effect of mitigating controls

Risk = Likelihood x Business Impact

Balbix automates this prioritization with a five-pronged calculation of risk based on these metrics. Vulnerabilities, threats, exposure/usage, and the risk negating effect of mitigating controls are used to score likelihood. Business criticality is used to score impact. The product of likelihood and impact is risk.

Knowing the risk level for every group of assets makes prioritizing patching easy. It also enables tangible progress toward breach risk reduction. Balbix’s dashboard provides a prioritized list of risk insights that update in real-time as new threats emerge. Every asset, both managed and unmanaged, is discovered with Balbix and computed for breach likelihood and enterprise