Bay Dynamics Risk Fabric puts vulnerabilities in context

It would not be an inaccurate description to call Risk Fabric a next-generation vulnerability management tool. By adding real context to raw scan results, IT teams are given a much better picture of the true risks hiding within their networks.

The science of managing vulnerabilities has come full circle. Many years ago, IT workers were already starting to get alert fatigue when responding to constant attacks. Someone came up with a solution to the problem using vulnerability scanners. It was logical. Instead of chasing endless attacks exploiting the same holes in defenses, scanning a network to find and fix vulnerabilities was a better way to go. If all vulnerabilities could be eliminated, so would any attacks that relied on them.

The problem was that as networks grew, so did vulnerabilities. Every application, hardware device, virtual appliance, web connection, user, operating system or network component carries with it the possibility of vulnerabilities. Even a moderately-sized network can hide thousands or even millions of possible vulnerabilities. Today, technology is extremely skilled at finding most vulnerabilities that an attacker could exploit, but trying to fix everything could take IT teams years. And that’s not factoring in the new vulnerabilities that crop up every day. Alert fatigue is still very much a part of life when working a security information and event management (SIEM) console, only now vulnerabilities have been added to the list of alerts alongside of threats.

Enter vulnerability management tools. Their job is to take all those millions of vulnerabilities and prioritize them for IT teams, so that the most dangerous ones can be fixed first. This helps, but vulnerability scores are normally calculated out of context in terms of the rest of the network. For example, there might be a critical, easily exploited vulnerability sitting on a non-critical asset like a receptionist’s terminal somewhere in the organization. And there might be a medium-level threat that is very hard to exploit sitting on a critical server holding your customers’ credit card information. Many vulnerability management programs will direct IT teams to the critical threat on the non-critical asset, and place one that could potentially cripple your organization thousands of places down on the priority scale. It’s not the program’s fault. It just doesn’t know context.

That is one of the major problems in the vulnerability management space that the Bay Dynamics Risk Fabric program is designed to solve. The program is sold as software that is installed internally at most organizations on whatever hardware they want to allot to it. It can also run in the cloud or on a virtual machine, but its core is solidly software-based. It’s sold using a subscription model based on the number of employees at the organization to be protected.

Once installed, the program uses connector apps to attach it to any mainstream vulnerability scanner or SIEM. Whenever any of them run a scan, that data is grabbed by Risk Fabric and processed. That way there are no disruptions in network traffic flow, and no loss of computing time anywhere other than the server where the program is installed. A few of the connector apps allow for two-way communication, so vulnerability managers can trigger a scan, though most organizations will likely have Risk Fabric comply with whatever scheduled scans are already configured.

Risk Fabric does give a vulnerability score like other programs, so critical vulnerabilities are identified as such, but it’s only one metric used to calculate true risk. Among other questions the program asks is how risky the behaviors of users accessing the asset are. This can lower or raise the priority of the vulnerability. If the asset is used by one person to occasionally surf the web and type reports, then it’s less critical than a mail server that touches everyone in the company all the time, or a database accessed by the entire sales staff.

Another factor is correlations with cybersecurity programs. A medium-risk vulnerability on an asset whose endpoint protection is alerting to constant compromise, or one where traffic monitoring tools are indicating data exfiltration could get a higher priority than a critical vulnerability with no indication that anyone is trying to compromise it.

Finally, Risk Fabric assigns a dollar amount to the asset based on what would happen if an asset is compromised, has its data stolen, or is rendered unusable by a malicious user or program. Because no computer program yet possesses the cognitive ability to make those decisions, it must rely on users. Risk Fabric can do this if administrators send out, or fill out, a questionnaire about each asset.