Change Your Cybersecurity Risk Calculation Mindset: Horizon3.AI Executive

"We have limited resources," said Anthony Pillitiere, CTO and co-founder of Horizon3.ai.

Samara Lynn

"Why am I wasting my time?" Anthony Pillitiere, CTO and co-founder, Horizon3.ai, said he once asked himself while working in IT operations and analyzing cybersecurity risk.

"We have limited resources," Pillitiere told the audience during his presentation at the Midsize Enterprise Summit IT Security 2024, hosted by MES Computing parent The Channel Company.

Pillitiere offered ways organizations can tweak their cybersecurity strategy to become more secure and efficient in calculating risk.

Many organizations, he said, use a flawed risk calculation methodology: "likelihood times impact." That thinking, he said, is incorrect.

"The data that we are using to perform that calculation is off," he said. "We look at the CVSS [common vulnerability scoring system] score and that tells us likelihood, but does it really tell us likelihood in the context of our environment?" 

Pillitiere expounded on that thought with an example.

"If I [as a threat actor] land on a printer and I can't get to anything [in the network] there's no value to me as an attacker," he explained. "Is that really valuable for you to fix?" 

Attackers, he said, also have "margins" and want to attack as efficiently as possible. 

"So that was printer A. If I go to printer B and it's connected to a domain controller and it has cached credentials on it and I can dump those credentials, now I can use those credentials somewhere else. Printer B – that changes the likelihood and impact [of a compromise] … What is possible after I get exploitation, what is the impact? What am I actually calculating when I'm calculating this?" he added. 
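As an added illustration (not code from the talk or from Horizon3.ai), the following Python sketch contrasts the CVSS-driven "likelihood times impact" calculation with one that scores what an attacker could reach and recover after exploitation. The two printer records and the weights are constructed assumptions chosen to mirror the printer A / printer B example.

```python
from dataclasses import dataclass


# Constructed sample assets: both printers carry the same CVSS base score,
# so a CVSS-only calculation cannot tell them apart; only the environment differs.
@dataclass
class Asset:
    name: str
    cvss: float                # CVSS base score, 0-10 (assumed to stand in for "likelihood")
    reachable_targets: int     # internal hosts the asset can reach (0 = dead end)
    cached_credentials: bool   # credentials recoverable from the host after exploitation
    adjacent_to_dc: bool       # network path to a domain controller


def naive_risk(asset: Asset, impact: float = 5.0) -> float:
    """The flawed model: CVSS as likelihood, times a fixed impact value."""
    return asset.cvss * impact


def contextual_risk(asset: Asset) -> float:
    """Score the post-exploitation value of the host in this environment.

    Weights below are illustrative assumptions, not a published model.
    """
    if asset.reachable_targets == 0:
        # No onward path: nothing for an attacker to gain, so nothing to prioritise.
        return 0.0
    post_exploit = 1.0
    if asset.cached_credentials:
        post_exploit += 3.0    # reusable credentials extend reach to other hosts
    if asset.adjacent_to_dc:
        post_exploit += 4.0    # path to identity infrastructure raises impact
    return asset.cvss * post_exploit


def prioritise(assets: list[Asset], scorer) -> list[str]:
    """Return asset names ordered from highest to lowest score under `scorer`."""
    return [a.name for a in sorted(assets, key=scorer, reverse=True)]


PRINTER_A = Asset("printer A", cvss=9.8, reachable_targets=0,
                  cached_credentials=False, adjacent_to_dc=False)
PRINTER_B = Asset("printer B", cvss=9.8, reachable_targets=40,
                  cached_credentials=True, adjacent_to_dc=True)

if __name__ == "__main__":
    for a in (PRINTER_A, PRINTER_B):
        print(f"{a.name}: naive={naive_risk(a):.1f} contextual={contextual_risk(a):.1f}")
    print("contextual priority:", prioritise([PRINTER_A, PRINTER_B], contextual_risk))
```

Under the naive model both printers score identically; under the contextual model printer A drops to zero and printer B moves to the top of the fix list.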

Organizations tend to calculate risk in less granular ways, Pillitiere said, and not within the context of their environments. 

"How do we be more efficient by calculating risk level?" He urged organizations to adopt an offense-to-inform-defense strategy and philosophy.

That means not having a false sense of security. Worse than risk itself, he said, is the risk you were confident you knew about and had taken steps to mitigate. You don't really know your risks unless you are actively taking an offense strategy, he explained.

"If you think about how many different permutations of [security] tools that you have … the average number I believe is like 25 … you don't have enough people to manage and understand the intricacies of all of your security tools. How do you understand if they are doing what they're supposed to be doing if you're not sending an attacker at them to trigger those alerts?" 

Pillitiere said there is no longer any perimeter. Bad actors are coming from the outside and landing on the inside. Prioritizing what is critical to secure is paramount, as is being more efficient in fixing things that are actually going "to move the needle." 

"Otherwise, you're wasting time [on] risk calculation," he said. 
