In cybersecurity, the factors to consider are endless. Before we get ahead of ourselves, let’s make sure we fully understand three fundamental concepts of security: vulnerabilities, threats and risk.
In this article, we’ll look at these security concepts in depth and hear from industry experts for their up-to-the-minute takes.
These terms are frequently used together, but they describe three separate components of cybersecurity. In short, we can see them as a spectrum:
Now let’s look in depth at each of these.
Let’s start with vulnerabilities. A vulnerability is a weakness, flaw or other shortcoming in a system (infrastructure, database or software), but it can also exist in a process, a set of controls, or simply just the way that something has been implemented or deployed.
There are different types of vulnerabilities; broadly, we can sum them up as:
Some vulnerabilities are routine: you release something and quickly follow up with a patch for it. The real issue is a weakness that is unknown or undiscovered to your team. If it is left as-is, that weakness could be exploited by some attack or threat. For example, a vulnerability is leaving your door unlocked overnight. On its own that isn’t a problem, but if a certain person comes along and walks through that door, some bad, bad things might happen.
Here, the more vulnerabilities you have, the greater the potential for threats and the higher your risk. That makes sense, of course, but the sheer scale is enormous: according to UK server and domain provider Fasthosts, organizations can have thousands, even millions, of potential vulnerabilities. Recent examples of vulnerabilities include the Microsoft Exchange vulnerabilities and the Log4j vulnerabilities, both from 2021. The CVE list (Common Vulnerabilities and Exposures) is a dictionary of publicly disclosed vulnerabilities and exposures, and a primary source of knowledge in the security field.
In cybersecurity, the most common definition of a threat is this:
Anything that could exploit a vulnerability, which could affect the confidentiality, integrity or availability of your systems, data, people and more. (Confidentiality, integrity and availability, sometimes known as the CIA triad, is another fundamental concept of cybersecurity.)
A more precise definition: a threat exists when an adversary or attacker has the opportunity, capability and intent to bring a negative impact upon your operations, assets, workforce and/or customers. Examples include malware, ransomware, phishing attacks and more, and the types of threats out there will continue to evolve.
Importantly, not all threats are the same, according to Bob Rudis, Vice President Data Science at GreyNoise Intelligence. And that’s where threat intelligence comes in. Rudis says:
“An attacker may have the intent and capability to do harm, but no opportunity.”
For example, your organization may have no vulnerabilities to exploit due to a solid patch management program or strong network segmentation policies that prevent access to critical systems. Chances are likely, however, that you do have vulnerabilities, so let’s consider the risk factor.
Risk is the probability of a negative (harmful) event occurring, together with the potential scale of that harm. Your organizational risk fluctuates over time, sometimes even on a daily basis, due to both internal and external factors.
From a slightly more technical angle, the Open FAIR body of knowledge defines cyber risk as the probable frequency and probable magnitude of loss. That sounds complicated until we break it down. “For starters,” Rudis says, “there is no ethereal risk. Something is at risk, be it a system, device, business process, bank account, your firm’s reputation or human life.”
This is where cybersecurity teams can begin to measure that risk:
One way of describing risk was consequence x likelihood, but as security teams have advanced their processes and intelligence, we see that you also have to account for the safeguards you’ve already put in place.
This is another way of looking at risk, albeit a bit simplified:
Vulnerability x Threat = Risk
We can sum up this calculation with the concepts from above: a single vulnerability multiplied by the potential threat (its frequency, the existing safeguards, and the potential value lost) gives you an estimate of the risk involved. Before organizations can begin risk mitigation and risk management, they first need to understand their vulnerabilities and the threats to those vulnerabilities. This is no small task.
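As an added illustration (not code from the article or from Splunk), the following Python sketch puts numbers to the calculation above using the Open FAIR decomposition the article mentions: a threat's event frequency times the residual vulnerability left after safeguards gives a loss event frequency, and multiplying by loss magnitude gives risk per year. It also samples the loss range so the worst year, not just the average, is visible; every figure in it is a constructed assumption.

```python
import math
import random
# Constructed illustration, not figures from the article; every number is an assumption.

def poisson_sample(rng, lam):
    """Draw one Poisson(lam) variate (Knuth's method): loss events in one year."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= threshold:
            return k - 1

def residual_vulnerability(base_vulnerability, control_effectiveness):
    """Fold in safeguards already in place: a control that blocks a fraction of
    attempts lowers the probability that any single attempt succeeds."""
    return base_vulnerability * (1.0 - control_effectiveness)

def loss_event_frequency(threat_event_frequency, vulnerability):
    """Open FAIR-style split: how often the threat acts per year, times the
    probability it succeeds against the asset (the vulnerability)."""
    return threat_event_frequency * vulnerability

def annual_risk(threat_event_frequency, vulnerability, loss_magnitude):
    """The article's 'vulnerability x threat' product as money per year:
    frequency x vulnerability x loss per event."""
    return loss_event_frequency(threat_event_frequency, vulnerability) * loss_magnitude

def simulate_annual_loss(threat_event_frequency, vulnerability, loss_low, loss_high,
                         years=10000, seed=7):
    """Monte Carlo estimate when loss per event is only known as a range;
    returns (mean annual loss, worst simulated year) so the tail is visible."""
    rng = random.Random(seed)
    lef = loss_event_frequency(threat_event_frequency, vulnerability)
    total, worst = 0.0, 0.0
    for _ in range(years):
        events = poisson_sample(rng, lef)
        year_loss = sum(rng.uniform(loss_low, loss_high) for _ in range(events))
        total += year_loss
        worst = max(worst, year_loss)
    return total / years, worst

if __name__ == "__main__":
    # Assumed: 12 attempts/year, 30% succeed with no control, a control stopping
    # half of them, and a loss of 20k to 80k per successful event.
    vuln = residual_vulnerability(0.30, 0.50)
    print("point estimate per year:", annual_risk(12, vuln, 50_000))
    mean, worst = simulate_annual_loss(12, vuln, 20_000, 80_000)
    print(f"simulated mean {mean:,.0f}, worst year {worst:,.0f}")
```

The point estimate and the simulated mean should agree; the gap between the mean and the worst year is what the single-number formula hides.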
Your organization might be looking to protect all its data, likely through data encryption methods and other approaches. Protecting everything is incredibly expensive, so you must pare down which data to protect most strongly.
You could think about the risk involved in this way: if the mechanism for protecting certain data fails in some way, you’ll have one or more vulnerabilities. And if there is a threat actor who finds and exploits this vulnerability, the threat is realized.
Here, your risk is how valuable it would be to lose that data to the threat actor.
Part of the problem with risk is this universal truth: you cannot eliminate or entirely protect against all threats, no matter how advanced your systems. This is where the practice of risk management comes in: a routine, ongoing practice where the right personnel are regularly reviewing risks in order to minimize the potential for certain threats to occur.