For Sumedh Thakar, CISOs are risk managers. In his 23 years at Qualys, and five years as CEO, Thakar has seen his industry evolve, from IT and information security, to including a far broader range of risks, from geopolitics to business operations.

As a cybersecurity vendor, Qualys is best known for its vulnerability detection and management. It helps enterprises identify risks in their applications, devices and cloud infrastructure. And it gives security and IT teams the tools to manage, or ideally, eliminate them.

But Qualys also provides asset management, cloud security and compliance applications, as well as its Risk Operations Center (ROC).

Qualys positions this as a central hub for threat intelligence and risk management, in the face of increasingly complex and effective cyber attacks, including those driven by AI.

ROC and threat landscapes

The ROC goes beyond vulnerability detection: identifying CVEs and triaging them on CVSS score. It brings together risk information from across the business, including its cloud and on-premises applications, and adds threat intelligence and wider, external risks to the picture. The ROC, Thakar says, provides that critical business context to security operations.

“You might have certain actors that are targeting certain industries and not others,” Thakar explains. “That tailored threat intelligence of what you as a company are being targeted for is very important, and that does change when geopolitical situations change. 

“Depending on, geopolitically, where you're situated, you might be more prone to being attacked. At the end of the day, having a vulnerability is not a guarantee of an exploit. It is just the fact that you have a vulnerability. But if somebody is specifically targeting you very directly, the chance of that vulnerability becoming an exploit goes much higher, because now somebody is focused on you,” he warns. “Having that high quality threat intelligence continuously integrated into your overall Risk Operation Center becomes very important.”

Things have changed...

This, he says, also reflects a wider change in businesses’ views on cybersecurity risk, and the changing role of CISOs. Previously, security teams would detect and catalogue threats and vulnerabilities. But fixing them, by isolating devices or patching, was usually left to IT.

“What has changed is that what we and many other folks focused on initially was vulnerability detection or vulnerability scanning,” Thakar explains. “I feel like Qualys put the ‘M’ back in vulnerability management... a vulnerability that is not fixed is not managed, it’s just detected.”

Dashboards that simply show executives how many vulnerabilities they have do little to improve practical security.

Such a dashboard will not, Thakar says, show the impact of a CVE on a business, or help security and IT teams decide what needs to be patched immediately and what can wait.

“The number of vulnerabilities and the timeline for exploits has been changing quite dramatically,” he says. “So it really becomes important to be able to figure out what action needs to be taken very quickly. If the attackers are exploiting vulnerabilities in a matter of hours, you don't have the time to first build a dashboard, have a human analyse it, then create tickets for somebody to fix it. The speed of response becomes very important.”

Shock, WoW and AWE

This change in the speed of attack has prompted Qualys to review how vulnerabilities, and risks, are measured. Measures designed for patching and remediation cycles of 90, or even 30, days are no longer good enough.

Metrics such as mean time to respond, or mean time to remediate, are too generic to give an accurate view of the threats businesses face, Thakar argues. And they fail to reflect the speed at which malicious actors now exploit vulnerabilities.

Instead, Qualys proposes a “window of weaponisation”, or WoW, for exploits, and the “average window of exposure”, or AWE, to measure how long an enterprise is at risk.

“Even if you fix 90% of your stuff within a short period of time, the long tail of the 10%, which is not captured by when you talk about a mean, could be the thing that gets you in trouble,” he says. “Instead of those metrics, we are looking at the window of weaponisation. How long it takes an attacker, once a vulnerability comes out, to weaponise it, becomes more important.

“Similarly for the defenders, the AWE is important. How long are you exposed for those specific exploitable vulnerabilities, instead of a very generic MTTR for all of your vulnerabilities?” Organisations are at risk if the window of weaponisation is shorter than the AWE.

“If your average window of exposure is less than your window of weaponisation, you are generally in a good operational cadence,” he says. “If it is the opposite, where your window of exploit weaponisation is smaller and your average window of exposure is much larger, then you have to mind the gap.”
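An added illustration of the two metrics, not from Qualys and not its methodology: it reads WoW as disclosure-to-public-exploit and exposure as detection-to-remediation, and runs over constructed findings to show how AWE on exploitable findings, the long tail, and the gap check differ from a generic MTTR.

```python
from datetime import date
from statistics import mean
# Constructed sample findings (hypothetical, not real CVE data), one per asset:
#   (id, published, weaponised_or_None, detected, remediated_or_None)
TODAY = date(2024, 4, 1)
FINDINGS = [
    ("V1", date(2024, 3, 1), None, date(2024, 3, 2), date(2024, 3, 4)),
    ("V2", date(2024, 3, 1), None, date(2024, 3, 2), date(2024, 3, 3)),
    ("V3", date(2024, 3, 1), None, date(2024, 3, 3), date(2024, 3, 5)),
    ("V4", date(2024, 3, 5), date(2024, 3, 7), date(2024, 3, 6), date(2024, 3, 8)),
    ("V5", date(2024, 3, 5), date(2024, 3, 6), date(2024, 3, 6), date(2024, 3, 20)),
    ("V6", date(2024, 3, 10), date(2024, 3, 11), date(2024, 3, 12), None),
]

def window_of_weaponisation(f):
    """Days from disclosure to a public exploit; None if never weaponised."""
    _, published, weaponised, _, _ = f
    return None if weaponised is None else (weaponised - published).days

def window_of_exposure(f, today=TODAY):
    """Days the asset stayed exposed: detection to remediation, or to today if open."""
    _, _, _, detected, remediated = f
    return ((remediated or today) - detected).days

def mttr(findings, today=TODAY):
    """Generic mean time to remediate across every finding, exploitable or not."""
    return mean(window_of_exposure(f, today) for f in findings)

def weaponised(findings):
    return [f for f in findings if window_of_weaponisation(f) is not None]

def awe(findings, today=TODAY):
    """Average window of exposure, counting only weaponised findings."""
    w = weaponised(findings)
    return mean(window_of_exposure(f, today) for f in w) if w else 0.0

def average_wow(findings):
    """Mean days attackers needed to weaponise the vulnerabilities seen here."""
    w = weaponised(findings)
    return mean(window_of_weaponisation(f) for f in w) if w else 0.0

def tail_exposure(findings, pct=90, today=TODAY):
    """The long tail a mean hides: exposure at the given percentile."""
    xs = sorted(window_of_exposure(f, today) for f in findings)
    return xs[min(len(xs) - 1, int(len(xs) * pct / 100))]

def mind_the_gap(findings, today=TODAY):
    """True when defenders are slower than attackers: AWE exceeds average WoW."""
    return awe(findings, today) > average_wow(findings)
```

On this sample the generic MTTR is under seven days while the AWE on the three weaponised findings is twelve, against an average WoW of about a day, so the gap check fires.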

Risk range

Changing the way IT and security leaders measure threats is vital, as the volume and speed of cyber attacks continue to grow, Thakar says.

The number of vulnerabilities can only increase as enterprises deploy more software. “I was a developer myself, so I know when you write code, there’s some bugs introduced.” Nor can security teams chase down and fix every vulnerability. Last year, researchers found 62.5m vulnerabilities, but under one per cent were exploitable. CISOs have to prioritise.

“There is definitely more and more of a push from the boards and the CISOs themselves to be a business partner and be able to put what they are doing more in the context of the business,” Thakar says.

“There's nothing like zero risk in anything. Are we in an acceptable range? That is the key point for boards.”

Delivered in partnership with Qualys.
