Welcome to part 3 of our ongoing series of blog posts exploring product security and the software supply chain. In our last blog post, we covered the second step—Assessment—that companies take on the road to connected device security.
Today, we move on to Step 3—Prioritization. If you’d like to jump ahead and see the rest of the six-step process, or even just look at everything, all at once, you can read our comprehensive white paper, The Ultimate Guide to Connected Device Security, here.
Prioritization: What to Do with a List of Problems
Why did just half of the organizations surveyed by The Ponemon Institute assess product security before they ship a product to their customers, even as 59% report losing sales due to product security concerns?
The answer may lie in determining which vulnerabilities and weaknesses to fight first once those organizations have completed the Discovery and Assessment steps as they pursue connected device security.
What You Prioritize Matters to Your Product Security Team
Running product security teams is hard--and struggling with which vulnerabilities and weaknesses to mitigate first or at all makes the job even harder.
This past spring on our podcast, IoT: The Internet of Threats, we met with Josh Corman, former Chief Strategist of the CISA COVID Task Force and Founder of I Am The Cavalry. On that episode, we covered how best to position product security teams so they can achieve peak performance as the world grows increasingly connected. We also discussed how effectively prioritizing threat reports can mean greater efficiency as teams look to control risk with increasingly scarce resources.
Prioritization: The Case is Strong. The Work is Hard
Whether you're securing critical infrastructure, connected medical devices, or connected vehicles, the stakes rise high to get it right. However, by the time most people arrive to Step 3 on the journey to connected device security, they're faced with a growing list of vulnerabilities, weaknesses, and other exposures.
Faced with a list of all the ways that your connected devices could be exploited, how do you proceed? How do you focus on what can be exploited? How do you identify where the largest exposures lie?
No one has the time and resources to research and risk-rank each vulnerability and weakness that's listed in the initial results of that scan into your code and all its binaries. So, how do you proceed into the Prioritization stage after you've completed Discovery and Assessment?
First, Develop a Baseline
To measure your progress in any project, start by creating a baseline--a snapshot that documents where you started from. As you improve the cybersecurity of your connected device ecosystem, you can measure and record those improvements against that baseline and chart a course forward for your future remediation efforts.
Look for a device security solution that delivers a score that can make this a lot easier. That score can give you a way to chart the progress you make in exchange for the investment of your time, money, and resources.
Scores can also help you show, quantitatively, which remediations will deliver the largest improvements to the risk score of your environment and help you show which vulnerabilities should be prioritized.
Building a Plan for Step 4: Remediation
When you begin to choose and prioritize the vulnerabilities and weaknesses you'll remediate in the next step, there are two general approaches that our clients find most helpful. They are:
The Grouping Method
When you choose the Grouping Method, you choose to upgrade the firmware or software that will address the greatest number of vulnerabilities.
The idea is: If you could fix large quantities of your vulnerabilities by focusing on a few components, you'll do the greatest good for your cybersecurity ecosystem by fixing that small number of components.
Put simply: If you have hundreds of components that have fifty vulnerabilities together and five components that have hundreds, where would you start?
When looking for a connected device security solution, look for a vendor that works with you to find the components whose remediations present the biggest improvement for the effort they require to remediate.
The Seek and Secure Method
In the Seek and Secure Method, security practitioners prioritize the vulnerabilities and weaknesses with the greatest likelihood of being exploited, or those that present the most severe threats. This method involves finding the vulnerabilities that present the greatest risk, potential impact, and exploitability and target the components that harbor these vulnerabilities.
When using the Seek and Secure Method, practitioners ask questions like:
-
Is the vulnerability exploitable?
-
Would the impact of an exploit of the vulnerability be material?
-
Is the component connected to a network?
-
Was the code compiled with a mitigation enabled?
Not Mutually Exclusive
You don't have to choose between the Grouping Method and the Seek and Secure Method. You can, and probably should, consider doing both. By targeting the most impactful, likely vulnerabilities and the components that harbor the largest numbers of vulnerabilities, you can develop a plan to improve your security posture of your connected devices and embedded systems and move to the Remediation stage with a plan that makes sense for your resources, people, and budget.
Learn more: Read the Ultimate Guide to Connected Device Security
To truly defend your connected product—and the services it will provide—you need a solution that helps you understand the risk presented by your vulnerabilities and weaknesses as well as the likelihood that they can be exploited within your IT/OT ecosystem. That’s why the prioritization stage of the connected device security journey is so important.
Are you ready to begin down your own road to product security?
Finite State’s Ultimate Guide to Connected Device Security explores product and software supply chain security and how to identify, assess, prioritize, and mitigate the vulnerabilities that lurk within your connected devices.
Download Finite State’s Ultimate Guide to Connected Device Security today!
Share this
Vulnerability or Backdoor? It Doesn’t Matter.
Assessment: Step 2 of Connected Device Security
