Every time I see the phrase “reduce your risk by X%,” I break out in hives. I agree that it is critical to think about risk (which to me is really about economic loss), but everyone has a different definition of risk. And to say anyone can reduce risk by a certain percentage triggers my bullcrap filter.
Secunia recently did a study of their vulnerability database, which posits that if customers would patch only the 37 most popular Windows apps or their 12 most risky programs, they could reduce risk by 80%. There is that pesky word ‘risk’ again, because these numbers are questionable at best. They define risk as a sum of the number of vulnerabilities weighted by the criticality of the vulnerability. Huh? What about exploitability? Or the ability to exfiltrate data as required per the Data Breach triangle? How can you not factor in any other controls in place to mitigate and/or work around those ‘risks’? In fact, patching some of those apps is irrelevant because they pose no real risk to corporate assets.
We are still fans of patching. In fact, it’s one of the anchor tenets of the Endpoint Security Fundamentals and a critical aspect of data center ops. I agree that most customers cannot patch everything within their typical maintenance windows, so some prioritization is necessary. But I’m not about to claim that patching will reduce anyone’s risk by an arbitrary percentage (or one calculated from an arbitrary formula). Any risk calculation needs to factor in the value of the data residing on the vulnerable device, not just the criticality of the vulnerability.
For instance, what if a device has 50 critical vulnerabilities, but holds no corporate data? Is that a huge risk? I guess an attacker getting remote shell to the device could use it to stage further into the network, so that’s not good, but by itself that device doesn’t represent a real risk to the organization. Is it a bigger risk than a non-critical vulnerability on the server operating the business’ main transactional system?
What would you patch first? Your patching process must include prioritization. If you are wondering how that works, Rich has done a ton of work on decomposing the granular processes of patching for our Patch Quant research – check it out. But we have beaten this horse enough. Let’s deal with the bigger issue: marketers’ efforts to quantify risk reduction.
I’ve been there. The sales force needs some kind of catalyst to get customers to buy something. You figure if you do a little math, however wacky the assumptions, that will be good enough for customers to make a case to buy your stuff. You are wrong. It’s foolish to make blanket statements about risk reduction. Each organization’s perception of risk and its willingness to spend money to address or defer it is unique.
But that won’t stop folks from trying. Despite my understanding, I still get annoyed by the attempts of security marketers to make bold statements with little real-world basis; and by the trade press biting hook, line, and sinker on pretty much anything described in percentages. But maybe that’s just me.