Cyber 101 - Content vs Context

By Mike Talon

Cybersecurity can be a tricky thing. Gaining information about an environment through internal and external testing can take a wide variety of forms and generate an overwhelming amount of data in the process. From Pen-Testing to Vulnerability Scanning, from Incident Response exercises to Breach and Attack Simulation, the details generated on every aspect of a cyber infrastructure can outpace the ability of the humans who have to make decisions to properly and completely ingest and analyze the flood of information. The issue at hand is one where content is plentiful, but context is difficult to divine out of the ocean of data - leading to delays in decision making and allowing gaps in defenses to remain in place for far too long.


Content Overload in Cybersecurity

Content overload is not unique to cybersecurity. Turn on any news channel or load up any news website and you are confronted with hundreds of pieces of information on just the first few pages you scroll through. Ads, stories, op-ed articles, call-out content, promoted content, highlighted articles, cookie opt-in, privacy notifications, chat pop-ups, and on and on and on. Just trying to determine what information you actually need becomes an immediate struggle as you wade through all the information being broadcast at you on the screen or on the page.

In business, content overload can take the form of competitive analysis. When searching for competitors you are bombarded with dozens of other organizations that may not be an exact match, but may be close enough that you need to be concerned with them. You can quickly find massive amounts of data on those companies and their employees scattered across publicly available and commercial data search sites. You gather information from contacts and research partners as well as other sources. Suddenly, there is a mountain of information that may or may not be directly relevant to the current opposition intelligence operation, and sorting through it all seems impossible.

The same holds true for cybersecurity. Information feeds from threat hunting organizations get combined with data from SIEM and other monitoring solutions, vulnerability scan output, pen-test reports, support tickets, employee behavioral details and dozens of other sources to create a massive pool of data - all of it in some way related to the overall security profile of your organization. Content isn't the problem; we all have more of that than we can ever sort through fast enough for it to be of direct use. What we're missing is context.

 

The 3 Points of Context in Cybersecurity

Context is about three key points: Prioritization, Urgency, and Achievability - all three are factors that are critical to making sure that the right issues get the right amount of attention in the right time-span. Let's take a look at all three:

1. Prioritization

Data comes in a lot of flavors in cybersecurity - but this data is not all equal. Some things must be dealt with because they are more critical than others. A current vulnerability is a danger to the organization, but only if it can be accessed by a threat actor. Otherwise, while it is an active vulnerability, it's not an exploitable vulnerability, and therefore can take a back-seat to other issues that are actively putting the company and its data resources in jeopardy. Priority has to be assigned to each issue, and that cannot be done in the absence of context, such as whether compensating controls are able to deflect attackers from reaching that vulnerability, or whether the system in question is isolated by network segmentation and not visible to the outside world. Though priority will assist greatly in deciding the order of operations when it comes to patching and correcting issues, it should be noted that priority is a measure of importance to the overall security of the organization, and can't be confused with the second factor: urgency.

2. Urgency

Even once priority is established, there can still be dozens or possibly hundreds of issues that take higher priority than others - so which is addressed first? Urgency is the second factor that has to be brought into the context equation. Urgent matters may not be high priority - after all, the overall impact to the company may not necessarily be extreme. Instead, urgency deals with when something must be done, rather than how important it is to do that thing. For example, a vulnerability that can lead an attacker directly into a front-end system doesn't warrant the same priority as one that allows access to a back-end system. That being said, if the front-end vulnerability is not defended by compensating controls, it is more urgent to address it first. The back-end system is already defended by the front-end system and network segregation, meaning that it's more likely that the front-end vulnerability will be exploited - and that exploit activity detected - leading to an urgency to correct the front-end first. 

3. Achievability 

The third factor to consider to gain context from content is determined by the ability to directly correct the issue with the tools, staff, and time that you have available to you and your team. Does this fix require an upgrade to an Operating System? That would be less achievable (at least in the immediate short-term) than a fix to a less urgent issue that only requires a quick patch and no reboot. Do you have the expertise in-house to correct the issue? If not, then even if it has higher priority than another issue on the list, it's unlikely to be corrected quickly. Achievability does not remove issues from the overall picture, but rather separates them into two groups: those that can be corrected with the resources at hand, and those that require additional resources before they can be addressed. 
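One way to turn the three factors into a remediation order, as an added example that is not from the original article or from Cymulate. The field names, the 1-5 impact scale, the exposure labels and the numeric weights are all assumptions made for illustration; the findings are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    name: str
    impact: int           # 1-5, importance of the affected system (assumed scale)
    exposure: str         # "direct", "behind_controls" or "isolated" (assumed labels)
    fix: str              # "patch" or "os_upgrade" (assumed labels)
    in_house_skill: bool  # can the current team make the fix?

def priority(f: Finding) -> int:
    # Importance to the organization; a flaw no threat actor can reach
    # takes a back seat, so it is demoted rather than dropped.
    return 0 if f.exposure == "isolated" else f.impact

def urgency(f: Finding) -> int:
    # "When", not "how important": no compensating control means act first.
    return {"direct": 2, "behind_controls": 1, "isolated": 0}[f.exposure]

def achievable_now(f: Finding) -> bool:
    # Quick patch plus in-house expertise; anything else needs more resources.
    return f.fix == "patch" and f.in_house_skill

def plan(findings):
    """Return (fix_now, needs_resources), each ordered by urgency, then priority."""
    ranked = sorted(findings, key=lambda f: (-urgency(f), -priority(f), f.name))
    fix_now = [f.name for f in ranked if achievable_now(f)]
    needs_resources = [f.name for f in ranked if not achievable_now(f)]
    return fix_now, needs_resources

# Constructed sample findings, not taken from any real scan.
SAMPLE = [
    Finding("back-end-db", 5, "behind_controls", "patch", True),
    Finding("front-end-web", 3, "direct", "patch", True),
    Finding("isolated-lab-host", 4, "isolated", "patch", True),
    Finding("legacy-file-server", 4, "direct", "os_upgrade", True),
    Finding("vendor-appliance", 5, "behind_controls", "patch", False),
]

if __name__ == "__main__":
    now, later = plan(SAMPLE)
    print("fix now:", now)
    print("needs resources:", later)
```

The lower-impact front-end finding sorts ahead of the higher-impact back-end one because it has no compensating control in front of it, and the OS upgrade and the skills gap land in the second group without disappearing from the plan.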

Move from Content to Context with Security Validation

Taken together, these three factors begin to put data into perspective. Knowing how urgent a remediation is, how important it is that this specific remediation is done overall, and whether the remediation can be accomplished with the resources at hand allows you to move beyond the sea of content that all the tools deployed in your environment provide to you. Content provides you with a massive set of things that need to be addressed. Context - preferably gained with the aid of industry standards and cybersecurity frameworks - allows you to create an effective plan of action to begin addressing issues. Security validation tools like Cymulate Breach and Attack Simulation aid in defining context by determining if security gaps exist in critical systems (Priority), are already being actively attacked in other organizations (Urgency), and what the best remediation pathways are (Achievability). Having context is critical to understanding what must be done first, and also what should come second, third, etc. Moving from content to context with Cymulate allows you to move from a list of issues to a path to solutions.


Mike Talon

Mike Talon is a Solution Architect living and working in New York City. He’s assisted in disaster recovery and migration, Cloud transformation, and identity and security operations and testing for companies ranging from Mom & Pop retail shops to Fortune 100 global companies. Mike currently works with Cymulate – Breach and Attack Simulation; helping customers find ways to live safely in interesting times.
