Risk management is the process of identifying, assessing and controlling threats to an organization. It is also a way to increase the security maturity of an organization. Risk management allows you to think about security more strategically and answer the questions that come from your company board, such as:

  • How many times was the organization attacked?
  • Is there a threat to our company?
  • How well-protected are corporate secrets and data?

Security Tools for Your Risk Management Toolbox

The information to support the answers to these questions comes from data extracted from different security tools and sources. Justifying the resources to deploy these tools within your organization means accounting for the financial cost, appointing sufficient staff, foreseeing maintenance costs and setting the correct priorities. Most importantly, it requires you to choose the right security tools for the job.

Risk management doesn’t always need to be complex or expensive. The security tools described below, which are open source-based or otherwise freely available, can help you navigate the various steps of a risk management process.

Be Prepared

Preparation is an important key to dealing with security risks. This not only includes awareness and training for your staff, but also gaining an understanding of your environment and knowing what’s out there in your infrastructure. You can leverage free resources from agencies such as the European Union Agency for Network and Information Security (ENISA) and Europol, as well as materials from the national cybersecurity awareness initiatives in the U.S. and Europe.

Choosing the proper security training for your staff can be challenging and expensive, but you can get ahead just by attending community-driven training sessions and conferences.

Identify Your Assets

You cannot protect an asset if you don’t know it’s out there. A configuration management database (CMDB) can be used to keep track of your assets. Some open source solutions include:

Because a CMDB project can quickly grow into an unmanageable monster, it’s important to limit the scope when starting with a CMDB. Once you have a profound understanding of how it can affect your security posture, extend and enrich its data.

Many organizations still have different understandings of what a CMDB really is, which poses a risk to the success of implementation. Before you start a CMDB project, make sure everyone in your organization has a common understanding of what it is going to do and what use cases it will serve.

Taking a step back and looking at standard tooling can help you answer some of these questions. In most cases, a lot of the assets are network-connected, allowing you to use network discovery tools to figure out what’s out there. Tools such as Zabbix and Nagios allow you to discover the hosts connected to your network. A more lightweight option is to use the host discovery features of Nmap or arp-scan. Nmap uses a combination of Internet Control Message Protocol (ICMP) and Transmission Control Protocol (TCP) requests to scan for hosts, but it can only see hosts that are not filtered by a firewall.

Establishing a list of network hosts is a start. Security professionals should take the following steps to figure out what is running on these hosts:

  • Use one central tool, such as OCS Inventory NG, an asset management and deployment solution.
  • Use built-in tooling such as systeminfo or standard packages such as the Windows Management Instrumentation Command-line (WMIC), psinfo and the other information gathering tools from Sysinternals.
  • Use PowerShell and compile your own scripts.
  • Use the reconnaissance capabilities available in penetration testing frameworks built on PowerShell. The first thing intruders do after establishing a foothold in your infrastructure is map your assets. Why not use their tooling to your advantage? Note that these frameworks might require you to get approval from your management. The Powersploit framework with the PowerView module is a good starting point.

Regardless of which solution you prefer, automation is the key to success. It’s crucial to use automation to keep your asset directory updated.

Monitor Your Environment

The tools used to identify your assets can also be used to monitor their resources — in fact, that’s what both Zabbix and Nagios are designed to do. For security professionals, however, monitoring means more than simply keeping an eye on available system resources. You need the logs to correlate information from individual events and sources. Correlation most often means that you have to bring the logs together into one system.

  • For Windows systems, you can use Windows Event Forwarding to forward logs to one central logger.
  • Assets capable of forwarding syslog messages can send their logs to one central logger such as Rsyslog. Rsyslog, in turn, can deliver the logs to the ELK stack. You can then use Elasticsearch to analyze your log data and correlate the events.
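A small illustration of why the logs have to be in one place before they can be correlated. This is an added example, not code from the article or from Rsyslog or Elasticsearch; the syslog lines, hostnames and addresses are constructed placeholders, and the window and threshold are assumed values. It flags a source that fails to log in against several different hosts within a few minutes, a pattern no single host's own log can reveal.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed RFC 3164-style lines, as rsyslog would store them after several
# hosts forwarded them to one collector. Hostnames and addresses are placeholders.
SAMPLE_SYSLOG = """\
Mar 10 09:00:01 web01 sshd[2201]: Failed password for root from 203.0.113.9 port 50210 ssh2
Mar 10 09:00:04 db01 sshd[1187]: Failed password for invalid user admin from 203.0.113.9 port 50211 ssh2
Mar 10 09:00:09 app02 sshd[3310]: Failed password for root from 203.0.113.9 port 50212 ssh2
Mar 10 09:02:30 web01 sshd[2240]: Accepted publickey for deploy from 10.0.0.20 port 41000 ssh2
Mar 10 09:30:00 web01 sshd[2301]: Failed password for alice from 10.0.0.21 port 41002 ssh2
Mar 10 09:31:00 web01 sshd[2302]: Failed password for alice from 10.0.0.21 port 41003 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")


def parse_failures(text, year=2024):
    """Yield (timestamp, host, user, src) for every failed-login line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            # RFC 3164 timestamps carry no year; the caller supplies one.
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["host"], m["user"], m["src"]


def spraying_sources(text, window=timedelta(minutes=5), min_hosts=3):
    """Return {src: sorted hosts} for sources with failures against at least
    min_hosts distinct hosts inside one sliding window. Each host alone only
    sees a single failure per source, so this needs the merged log."""
    by_src = defaultdict(list)
    for ts, host, _user, src in parse_failures(text):
        by_src[src].append((ts, host))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _h) in enumerate(events):
            hosts = {h for t, h in events[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                hits[src] = sorted(hosts)
                break
    return hits
```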

Track Vulnerabilities

We already used Nmap for identifying and inventorying our assets, but we can also use it to track vulnerabilities. Nmap comes with a scripting language and a ton of default scripts that allow you to check for vulnerabilities on network-exposed services. It also has different output options, including XML, that can make your life easier when it concerns automation. For example, you can use Nmap to list all the vulnerabilities on the local host with the command “nmap -Pn --script vuln localhost”.
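To show how the XML output feeds the automation mentioned above for both the asset inventory and the vulnerability tracking, here is an added example (not code from the article or from the Nmap project) that turns a -oX scan file into a host inventory with the ports and vulnerable script results per host. The XML sample, addresses, hostnames and script ids are constructed placeholders; only the element names follow Nmap's XML format.

```python
import re
import xml.etree.ElementTree as ET

# Positive result line written by Nmap's vulns library ("State: VULNERABLE",
# "State: LIKELY VULNERABLE", "State: VULNERABLE (Exploitable)"). Anchoring on
# "State:" keeps "State: NOT VULNERABLE" from matching, which a bare substring
# test for "VULNERABLE" would wrongly flag.
VULN_STATE = re.compile(r"State:\s*(?:LIKELY\s+)?VULNERABLE")

# Constructed sample of -oX output, reduced to the elements parsed below.
# Addresses, hostnames and script ids are placeholders, not real findings.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap --script vuln -oX scan.xml 10.0.0.0/29">
<host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
<hostnames><hostname name="web01.example.internal"/></hostnames><ports>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/>
<script id="http-vuln-EXAMPLE-0001" output="VULNERABLE:&#10;  Placeholder&#10;    State: VULNERABLE"/></port>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/>
<script id="ssh-EXAMPLE-check" output="    State: NOT VULNERABLE"/></port>
<port protocol="tcp" portid="443"><state state="filtered"/></port>
</ports></host>
<host><status state="down"/><address addr="10.0.0.6" addrtype="ipv4"/></host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Return {addr: {"hostname", "open_ports", "findings"}} for hosts that were up.
    findings holds (port, protocol, service, script_id) for each port script
    with a vulnerable state; down hosts and non-open ports are skipped."""
    inventory = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address").get("addr")
        hn = host.find("hostnames/hostname")
        entry = {"hostname": hn.get("name") if hn is not None else "",
                 "open_ports": [], "findings": []}
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            portid = int(port.get("portid"))
            entry["open_ports"].append(portid)
            svc = port.find("service")
            service = svc.get("name", "") if svc is not None else ""
            for script in port.iter("script"):
                if VULN_STATE.search(script.get("output", "")):
                    entry["findings"].append(
                        (portid, port.get("protocol"), service, script.get("id")))
        inventory[addr] = entry
    return inventory
```

Running the same parser after every scheduled scan and diffing the result against the previous inventory gives the automated asset update the article calls for.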

A more integrated approach to vulnerability tracking is OpenVAS, a framework of services and tools that offer a comprehensive and powerful vulnerability scanning and management solution. The power of OpenVAS comes from the information in the vulnerability feed or network vulnerability tests (NVTs).

Stay Abreast of Threat Information

Next to being aware of the various vulnerabilities in your environment, you should also stay informed about the external threats that your organization faces. Although threat actors are most often out of your control, you should remain aware of what is going on in the threat landscape. Get involved in threat sharing groups and exchange information with your peers using a threat intelligence platform.

One of the best such solutions is the open source MISP threat intelligence platform. MISP is a community-driven project used by over 2,500 organizations with a focus on automation. It has been extended by the community and now includes support for:

  • PassiveTotal;
  • ThreatCrowd;
  • Threatminer;
  • Shodan;
  • VirusTotal;
  • Cuckoo;
  • VMRay; and
  • IBM X-Force.

Incident Response

Eventually, bad things will happen and you will have to deal with a security incident. This involves, among other things, collecting incident information and keeping track of what is going on.

TheHive Project is a scalable, open source security incident response platform designed to make life easier for security operations centers (SOCs) and security practitioners dealing with data breaches. TheHive allows you to analyze an observable derived from an investigation with external services such as:

  • VirusTotal;
  • DomainTools;
  • PassiveTotal;
  • Google Safe Browsing;
  • PhishTank;
  • MaxMind; and
  • Open Threat Exchange.

One big advantage of TheHive is that it also integrates with MISP. This means you can immediately verify information received from your threat intelligence feeds with indicators derived from a security incident investigation. Additionally, you can enrich the threat data by confirming a sighting of an indicator present in the platform and ruling out possible false positives or irrelevant data.

Where TheHive allows you to do the analysis, Fast Incident Response (FIR) is an incident management platform that allows for easy creation, tracking and reporting of cybersecurity incidents. If you work on multiple security incidents at a time or have different people working on one incident, then an incident management platform such as FIR is a must.

Risk Governance

Keeping track of your security objectives concerning governance and risk management can also be accomplished with a number of open or community-based tools. Eramba is one such application that helps professionals analyze, manage and report security governance. Similarly, SimpleRisk makes risk management accessible to all security practitioners.
