Splunk is proud to be recognized as a Leader in SIEM by Forrester, Gartner® and IDC. Download the latest Magic Quadrant to see why. Get the report →
Learn more about Splunk's Security Products & Solutions:
In cybersecurity, the factors to consider are endless. Before we get ahead of ourselves, let’s make sure we fully understand three fundamental concepts of security: vulnerabilities, threats and risk.
In this article, we’ll look at these security concepts in depth and hear from industry experts for their up-to-the-minute takes.
These terms are frequently used together, but they do explain three separate components of cybersecurity. In short, we can see them as a spectrum:
Now let’s look in depth at each of these.
(Related reading: Splunk Security Blog & Cybersecurity and InfoSec Events & Conferences.)
Let’s start with vulnerabilities. A vulnerability is a weakness, flaw, or other shortcoming in a system (infrastructure, database, or software), but it can also exist in a process, a set of controls, or simply just the way that something has been implemented or deployed.
There are different types of vulnerabilities; we can sum them up generally as:
Some vulnerabilities are routine: you release something and quickly follow up with a patch for it. The issue with the weakness is when it is unknown or undiscovered to your team. If left as-is, this weakness could be vulnerable to attack or threat. For example, a vulnerability is leaving your door unlocked overnight. It alone isn’t a problem, but if a certain person comes along and enters that door, some bad, bad things might happen.
Thus, the more vulnerabilities you have, the greater the potential for threats and the higher your risk.
But that makes sense, of course, but the sheer scale is enormous: according to UK server and domain provider Fasthosts, organizations can have thousands — even millions! — of potential vulnerabilities.
According to the Cost of a Data Breach Report 2023 by IBM, the average cost of data breaches is at an all-time high of US$ 4.45 million, a 2.2% increase compared to 2022 and a 15% increase over 3 years. The thing is that these attacks can be costly and spill over. For example, Progress software is still dealing with the fallout and recovery from the 2023 MOVEIT Transfer vulnerability; which has so far affected over 94 million users, with over US$15 billion in total damages, and still counting.
Recent examples of vulnerabilities include:
Want to know more? The CVE is a dictionary of publically disclosed vulnerabilities and exposures, a primary source of knowledge in the security field.
(Related reading: vulnerability management practice.)
In cybersecurity, the most common definition of a threat is this: Anything that could exploit a vulnerability, which could affect the confidentiality, integrity or availability of your systems, data, people, and more.
(Confidentiality, integrity and availability, sometimes known as the CIA triad, is another fundamental concept of cybersecurity.)
A more advanced definition of threat is when an adversary or attacker has the opportunity, capability and intent to bring a negative impact upon your operations, assets, workforce and/or customers. Examples of this can include malware, ransomware, phishing attacks and more — and the types of threats out there will continue to evolve.
Importantly, not all threats are the same, according to Bob Rudis, Vice President Data Science at GreyNoise Intelligence. And that’s where accessing and using threat intelligence comes in. Rudis says:
“An attacker may have the intent and capability to do harm, but no opportunity.”
For example, your organization may have no vulnerabilities to exploit due to a solid patch management program or strong network segmentation policies that prevent access to critical systems. However, in the real world, chances are extremely likely that you do have vulnerabilities, so let’s consider the risk factor.
Risk is the probability of a negative (harmful) event occurring as well as the potential of scale of that harm. Your organizational risk fluctuates over time, sometimes even on a daily basis, due to both internal and external factors.
A slightly more technical angle, the Open FAIR body of knowledge defines cyber risk as the probable frequency and probably magnitude of loss. Sounds complicated, until we break it down: “For starters,” Rudis says, "there is no ethereal risk. Something [tangible] is at risk, be it a system, device, business process, bank account, your firm’s reputation or human life.”
This is where cybersecurity teams can begin to measure that risk:
One way of describing risk was consequence X likelihood, but as security teams have advanced their processes and intelligence, we see that you have to also account for the safeguards you’ve already put in place.
This is another way of looking at risk, albeit a bit simplified:
Vulnerability x Threat = Risk
We can sum up this calculation with the concepts from above: that a single vulnerability multiplied by the potential threat (frequency, existing safeguards, and potential value loss) can give you an estimate of the risk involved. In order for organizations to begin risk mitigation and risk management, you first need to understand your vulnerabilities and the threats to those vulnerabilities. This is no small task.
(Related reading: cybersecurity risk management & risk management frameworks. )
Your organization might be looking to protect all its data, likely through data encryption methods and other approaches. But this approach is incredibly expensive, so you must pare down which ones to protect the best.
You could think about the risk involved in this way: if the mechanism for protecting certain data fails in some way, you’ll have one or more vulnerabilities. And if there is a threat actor who finds and exploits this vulnerability, the threat is realized.
Here, your risk is how valuable it would be to lose that data to the threat actor.
Part of the problem with risk is this universal truth: you cannot eliminate or entirely protect against all threats, no matter how advanced your systems are. This is where the practice of risk management comes in: a routine, ongoing practice where the right personnel are regularly reviewing risks in order to minimize the potential for certain threats to occur.
The first step to being proactive and having a risk management strategy is acknowledging that organisations can’t totally eliminate risk. Once you understand this, you can start defining your risk assessment which involves five significant steps:
Evaluate your organization’s IT environment and infrastructure for vulnerabilities that could affect your operations. This will also involve:
(Related reading: GRC governance, risk & compliance.)
Here, you focus on any potential impact this identified risk could cause on your organization, its operation, and its objectives. To determine the risk, one needs to focus more on the vulnerabilities' discoverability, exploitability, and reproducibility to understand how they could impact you fully.
Based on your results from the previous steps, you define the best measures or approaches your organization should take to mitigate risks. Depending on the impact of the risk, you could choose to:
In this step, you set controls to manage and mitigate possible risks so they are eliminated or significantly reduced. Some controls include firewall configuration, passwords, multi-factor authentication, and encryption. In fact, in 2023, organizations that had control measures saved about US$1.76 million compared to organizations that didn’t.
Frameworks like NIST CSF and FAIR Framework come in handy here as well.
Regularly document and review any breaches that occur so you can learn from them and improve your risk assessment and control.
Vulnerabilities and threats are too expensive for organizations to ignore; thus, they must be your priority. So, define an effective risk management assessment while remembering that risk can’t be totally eliminated and that it is an ongoing process that needs to be constantly reviewed.
See an error or have a suggestion? Please let us know by emailing ssg-blogs@splunk.com.
This posting does not necessarily represent Splunk's position, strategies or opinion.
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.