Risk management is the process of identifying, assessing and controlling threats to an organization. It is also a way to increase the security maturity of an organization. Risk management allows you to think about security more strategically and answer the questions that come from your company board, such as:

  • How many times was the organization attacked?
  • Is there a threat to our company?
  • How well-protected are corporate secrets and data?

Security Tools for Your Risk Management Toolbox

The information to support the answers to these questions comes from data extracted from different security tools and sources. Deploying these tools within your organization means justifying the necessary resources: the financial cost, sufficient staff, foreseeable maintenance costs and the correct priorities. Most importantly, it requires you to choose the right security tools for the job.

Risk management doesn’t always need to be complex or expensive. The security tools described below, which are open source-based or otherwise freely available, can help you navigate the various steps of a risk management process.

Be Prepared

Preparation is an important key to dealing with security risks. This not only includes awareness and training for your staff, but also gaining an understanding of your environment and knowing what’s out there in your infrastructure. You can leverage free resources from agencies such as the European Union Agency for Network and Information Security (ENISA) and Europol, as well as materials from the national cybersecurity awareness initiatives in the U.S. and Europe.

Choosing the proper security training for your staff can be challenging and expensive, but you can get ahead just by attending community-driven training sessions and conferences.

Identify Your Assets

You cannot protect an asset if you don’t know it’s out there. A configuration management database (CMDB) can be used to keep track of your assets. Some open source solutions include:

Because a CMDB project can quickly grow into an unmanageable monster, it’s important to limit the scope when starting with a CMDB. Once you have a profound understanding of how it can affect your security posture, extend and enrich its data.

Many organizations still have different understandings of what a CMDB really is, which poses a risk to the success of implementation. Before you start a CMDB project, make sure everyone in your organization has a common understanding of what it is going to do and what use cases it will serve.

Taking a step back and looking at standard tooling can help you answer some of these questions. In most cases, a lot of the assets are network-connected, allowing you to use network discovery tools to figure out what’s out there. Tools such as Zabbix and Nagios allow you to discover the hosts connected to your network. A more lightweight option is to use the host discovery features of Nmap or arp-scan. Nmap uses a combination of Internet Control Message Protocol (ICMP) and Transmission Control Protocol (TCP) requests to scan for hosts, but it can only see hosts that are not filtered by a firewall.

Establishing a list of network hosts is a start. Security professionals should take the following steps to figure out what is running on these hosts:

  • Use one central tool, such as OCS Inventory NG, an asset management and deployment solution.
  • Use built-in tooling such as systeminfo or standard packages such as the Windows Management Instrumentation Command-line (WMIC), psinfo and the other information gathering tools from Sysinternals.
  • Use PowerShell and compile your own scripts.
  • Use the reconnaissance capabilities available in penetration testing frameworks built on PowerShell. The first thing intruders do after establishing a foothold in your infrastructure is map your assets. Why not use their tooling to your advantage? Note that these frameworks might require you to get approval from your management. The PowerSploit framework with the PowerView module is a good starting point.

Regardless of which solution you prefer, automation is the key to success. It’s crucial to use automation to keep your asset directory updated.

Monitor Your Environment

The tools used to identify your assets can also be used to monitor their resources — in fact, that’s what both Zabbix and Nagios are designed to do. For security professionals, however, monitoring means more than simply keeping an eye on available system resources. You need the logs to correlate information from individual events and sources. Correlation most often means that you have to bring the logs together into one system.

  • For Windows systems, you can use Windows Event Forwarding to forward logs to one central logger.
  • Assets capable of forwarding syslog messages can send their logs to one central logger such as Rsyslog. Rsyslog, in turn, can deliver the logs to the ELK stack. You can then use Elasticsearch to analyze your log data and correlate the events.

Track Vulnerabilities

We already used Nmap for identifying and inventorying our assets, but we can also use it to track vulnerabilities. Nmap comes with a scripting language and a ton of default scripts that allow you to check for vulnerabilities on network-exposed services. It also has different output options, including XML, that can make your life easier when it concerns automation. For example, you can use Nmap to list the vulnerabilities its scripts detect on the local host with the command “nmap -Pn --script vuln localhost”.
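The XML output option mentioned above is what makes both the asset discovery step and the vulnerability tracking step automatable. The following is an added example (not code from the original article or from the Nmap project) that parses Nmap XML into a host/port/vulnerability inventory and reconciles the hosts seen on the network against a CMDB export; the scan XML, the script ids and the CMDB records are constructed for illustration.

```python
"""Parse Nmap XML output (nmap -oX) into an asset/vulnerability inventory and
reconcile it against a CMDB export. Added example; all data below is constructed."""
import xml.etree.ElementTree as ET

# Constructed sample scan: two hosts up (one absent from the CMDB), one down.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -Pn --script vuln -oX - 10.0.0.0/29">
<host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
<hostnames><hostname name="web01" type="PTR"/></hostnames><ports>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/>
<script id="example-vuln-check" output="&#10;  VULNERABLE:&#10;  State: LIKELY VULNERABLE"/></port>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/>
<script id="example-ssh-check" output="&#10;  NOT VULNERABLE:&#10;  State: NOT VULNERABLE"/></port>
</ports></host>
<host><status state="up"/><address addr="10.0.0.9" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
</ports></host>
<host><status state="down"/><address addr="10.0.0.2" addrtype="ipv4"/></host>
</nmaprun>"""

# Hypothetical CMDB export: the IPs the organization believes it owns.
CMDB_HOSTS = {"10.0.0.5": "web01", "10.0.0.6": "db01"}

def parse_nmap(xml_text):
    """Return {ip: {name, ports, vulns}} for every host Nmap reports as up."""
    inventory = {}
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        name = host.find("hostnames/hostname")
        entry = {"name": name.get("name") if name is not None else None,
                 "ports": [], "vulns": []}
        for port in host.iterfind("ports/port"):
            if port.find("state").get("state") != "open":
                continue
            portid, svc = int(port.get("portid")), port.find("service")
            entry["ports"].append((portid, svc.get("name") if svc is not None else "?"))
            for script in port.iterfind("script"):
                out = script.get("output", "").lstrip()
                # NSE vuln scripts open their report with "VULNERABLE:" (the state
                # may read LIKELY VULNERABLE); "NOT VULNERABLE:" marks a clean check.
                if "VULNERABLE" in out and not out.startswith("NOT VULNERABLE"):
                    entry["vulns"].append((portid, script.get("id")))
        inventory[ip] = entry
    return inventory

def reconcile(inventory, cmdb):
    """Hosts seen on the network but not in the CMDB, and CMDB hosts not seen."""
    return sorted(set(inventory) - set(cmdb)), sorted(set(cmdb) - set(inventory))
```

Hosts in the first list are the unknown assets the article warns about; hosts in the second are CMDB records worth re-validating.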

A more integrated approach to vulnerability tracking is OpenVAS, a framework of services and tools that offer a comprehensive and powerful vulnerability scanning and management solution. The power of OpenVAS comes from the information in the vulnerability feed or network vulnerability tests (NVTs).

Stay Abreast of Threat Information

Next to being aware of the various vulnerabilities in your environment, you should also stay informed about the external threats that your organization faces. Although threat actors are most often out of your control, you should remain aware of what is going on in the threat landscape. Get involved in threat sharing groups and exchange information with your peers using a threat intelligence platform.

One of the best such solutions is the open source MISP threat intelligence platform. MISP is a community-driven project used by over 2,500 organizations with a focus on automation. It has been extended by the community and now includes support for:

  • PassiveTotal;
  • ThreatCrowd;
  • Threatminer;
  • Shodan;
  • VirusTotal;
  • Cuckoo;
  • VMRay; and
  • IBM X-Force.

Incident Response

Eventually, bad things will happen and you will have to deal with a security incident. This involves, among other things, collecting incident information and keeping track of what is going on.

TheHive Project is a scalable, open source security incident response platform designed to make life easier for security operations centers (SOCs) and security practitioners dealing with data breaches. TheHive allows you to analyze an observable derived from an investigation with external services such as:

  • VirusTotal;
  • DomainTools;
  • PassiveTotal;
  • Google Safe Browsing;
  • PhishTank;
  • MaxMind; and
  • Open Threat Exchange.

One big advantage of TheHive is that it also integrates with MISP. This means you can immediately verify information received from your threat intelligence feeds with indicators derived from a security incident investigation. Additionally, you can enrich the threat data by confirming a sighting of an indicator present in the platform and ruling out possible false positives or irrelevant data.

Where TheHive allows you do the analysis, Fast Incident Response (FIR) is an incident management platform that allows for easy creation, tracking and reporting of cybersecurity incidents. If you work on multiple security incidents at a time or have different people working on one incident, then an incident management platform such as FIR is a must.

Risk Governance

Keeping track of your security objectives concerning governance and risk management can also be accomplished with a number of open or community-based tools. Eramba is one such application that helps professionals analyze, manage and report security governance. Similarly, SimpleRisk makes risk management accessible to all security practitioners.
