Picture this: you are an analyst in a large security operations center (SOC) responding to an overwhelming number of alerts each day. A large portion of them are false positives, but you have to be sure, so each one requires your attention. After a while complacency sets in, and impactful alerts are missed. This is known as alert fatigue. If not addressed, alert fatigue can lead to mental exhaustion and decreased motivation, and burnout affects performance and productivity in ways that can impact the entire organization.
SOC analysts are not the only ones who experience alert fatigue. System administrators and those responsible for vulnerability and patch management can experience it as well. Keeping up with vulnerabilities can feel like an uphill battle, and the zero-day vulnerability that always seems to be announced just before a major holiday does nothing to prevent burnout.
There are several steps an organization usually takes before rolling a patch into production. Patches can break existing tools or business-critical functionalities. Vulnerabilities need to be assessed and prioritized. This blog will review how leveraging the OODA Loop decision-making framework for vulnerability management can be beneficial and potentially prevent vulnerability fatigue.
Digital Shadows (now ReliaQuest)’ Vulnerability Intelligence solution provides immediate alerting of newly discovered vulnerabilities with rich context that allows users to prioritize patching. This blog is a monthly vulnerability intelligence roundup. If you haven’t already, check out our roundup from May, The Good, the Bad, and the Risky.
US Air Force Colonel John Boyd created the decision-making framework known as the OODA Loop after serving as a pilot during the Korean War. Boyd was inspired to create the mental model by the dogfights, or aerial battles, he experienced during the war. The framework is broken down into four steps: Observe, Orient, Decide, and Act (OODA). You observe what is happening, then orient yourself based on your observations and personal experience, before making a decision and acting. The original framework, which was used to train pilots in air-to-air combat, had regular feedback embedded within each step. (See Figure 1)
Eventually a simpler version of the framework made its way into the corporate world and became one of the most popular decision-making processes anywhere. (See Figure 2) The less detailed version can be applied by a wide range of professions across several industries, including healthcare, law enforcement, and technology.
The first step in the vulnerability management process is similar to the first step in the OODA Loop: observing, or identifying, relevant vulnerabilities. Vulnerabilities can be disclosed in security bulletins, vendor email notifications, news articles, or general chatter in the tech community. There is typically a lot of noise when a high-risk vulnerability is announced, such as the recent zero-day dubbed "Follina".
Follina is a remote code execution (RCE) vulnerability, tracked as CVE-2022-30190, that impacts the Microsoft Support Diagnostic Tool (MSDT). Unless you have been living under a rock, you have probably seen Follina all over the headlines, since it was being actively exploited before Microsoft ultimately released a patch on 14 Jun 2022.
When high-risk vulnerabilities are announced, it can quickly become chaotic when you try to collect information from multiple sources to get a holistic view of what the vulnerability impacts and if it’s relevant to your organization. Vulnerability intelligence exists to provide actionable insights for vulnerability management. Learn more about the differences between vulnerability intelligence and vulnerability management in our blog Vulnerability Intelligence: A Best Practice Guide.
Digital Shadows (now ReliaQuest)’ SearchLight platform has a vulnerability library that is a “one-stop shop” for all the information you need to know about any given CVE. (See Figure 3) There are several helpful filters that help you in your journey traversing the library such as product family, risk level, and exploit availability.
The second step in the OODA Loop is orient, which is essentially the analysis stage. Within this step, you will analyze the information observed within the first step to help you make an informed decision in the next step. During the analysis stage, it is a good idea to draw on your existing knowledge gained from previous experience.
In terms of vulnerability management, once a vulnerability is identified a risk assessment should be performed to determine the potential impact on the organization. This will help make the business decision to apply a patch. If a patch is not yet released for a vulnerability, a similar risk assessment can be performed for workarounds. A workaround is typically a manual configuration provided to mitigate the vulnerability temporarily until an official patch is released.
There are three key questions to work through during the orient stage before an informed business decision can be made: is the vulnerability actually exploitable in your environment, and what is the blast radius if it is; how many of your assets are affected; and will the patch break anything?
Not all vulnerabilities are exploitable. There are also vulnerabilities that, even if exploited, would give an attacker very little given the surrounding attack surface, so it is important to determine the potential blast radius of exploitation. Once an exploit is available in the threat landscape, it is typically not long before attackers take advantage of it in opportunistic attacks. Using the SearchLight (now ReliaQuest's GreyMatter Digital Risk Protection) platform, you can identify when exploits become available and which threat actors or groups have been attributed to exploitation attempts. (See Figure 4)
Asset management plays a part in determining how many devices are impacted. It is impossible to protect what you can’t see. There is nothing worse than thinking you have mitigated an issue only to find out an attacker exploited an unknown asset to gain initial access. Identifying the total number of devices impacted will help calculate how long the patching process will take.
Ideally, patches should be tested in a development environment to identify if any core business applications or functionalities break or malfunction. Breakage can disrupt business operations and lead to significant financial loss. Depending on the industry, downtime can impact customer relationships and the reputation of the organization.
The time has come to make an informed business decision now that you have observed a vulnerability and reflected on the key findings during your risk assessment. Have a meeting to discuss the risk factors and potential outcomes to reveal the overall business impact. Additional analysis may be required if information gaps are identified. The Vulnerability Intelligence solution in the SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) platform summarizes all of the risk factors associated with each CVE to help organizations make a threat-informed business decision on whether to apply a patch and when. (See Figure 5)
Patch management teams can now take action. This can mean applying the patch in production or accepting the risk associated with withholding it. Even if a patch has been tested, breakage when it is pushed to production remains a realistic possibility, for several reasons, such as the development environment not being identical to production. If breakage does occur, you can start a new OODA Loop.
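The four steps above map naturally onto a small triage routine, so here is one pass of the loop as an added example. This is illustration code written for this article, not Digital Shadows or ReliaQuest code and not how SearchLight scores a CVE. The scoring weights, the decision thresholds, the asset inventory and the VULN-* placeholder records are all assumptions made up for the example; only the Follina record reflects public facts about CVE-2022-30190 (CVSS 7.8, public exploit, exploited in the wild, patch released 14 Jun 2022, Microsoft workaround available before that). The observe step filters the feed to products in the inventory, orient computes the blast radius and a score, decide turns the score into patch-now, workaround-now, schedule-patch or accept-risk, and the "what if the patch were not out yet" helper shows how the same intel leads to the workaround path.

```python
"""OODA-style vulnerability triage over a constructed sample feed.

Added example, not Digital Shadows / ReliaQuest code. Weights, thresholds,
the inventory and the VULN-* placeholders are assumptions for illustration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class VulnIntel:
    """One vulnerability as it arrives from an intelligence feed (Observe)."""
    vid: str                    # CVE id, or a placeholder for constructed entries
    product: str
    cvss: float
    exploit_public: bool        # PoC or weaponised exploit is available
    exploited_in_wild: bool
    patch_available: bool
    workaround_available: bool


@dataclass(frozen=True)
class Asset:
    """Inventory entry; without asset management 'how many?' cannot be answered."""
    name: str
    product: str
    internet_exposed: bool
    business_critical: bool


@dataclass(frozen=True)
class Assessment:
    vid: str
    affected: int
    exposed: int
    critical: int
    score: int


# --- Constructed sample data (assumptions, except the public Follina facts) ---
FOLLINA = VulnIntel("CVE-2022-30190", "windows", 7.8, True, True, True, True)
INTEL_FEED = [
    FOLLINA,
    VulnIntel("VULN-A", "intranet-wiki", 9.8, False, False, True, False),  # placeholder
    VulnIntel("VULN-B", "legacy-cms", 5.3, True, False, True, False),     # placeholder
]
ASSETS = [
    Asset("ws-finance-01", "windows", False, True),
    Asset("ws-hr-02", "windows", False, False),
    Asset("wiki-01", "intranet-wiki", False, False),
    Asset("web-edge-01", "nginx", True, True),
]


def observe(feed, assets):
    """Observe: keep only vulnerabilities in products we actually run."""
    products = {a.product for a in assets}
    return [v for v in feed if v.product in products]


def orient(vuln, assets):
    """Orient: risk-assess one vulnerability against the inventory (blast radius)."""
    affected = [a for a in assets if a.product == vuln.product]
    exposed = [a for a in affected if a.internet_exposed]
    critical = [a for a in affected if a.business_critical]

    score = 0
    if vuln.exploited_in_wild:      # attackers are already using it
        score += 4
    elif vuln.exploit_public:       # opportunistic attacks usually follow
        score += 2
    if vuln.cvss >= 9.0:
        score += 2
    elif vuln.cvss >= 7.0:
        score += 1
    if len(affected) >= 10:         # breadth also drives patching effort
        score += 2
    elif affected:
        score += 1
    if exposed:
        score += 2
    if critical:
        score += 1
    return Assessment(vuln.vid, len(affected), len(exposed), len(critical), score)


def decide(vuln, assessment, emergency=6, schedule=3):
    """Decide: turn the assessment into an action the Act step can execute."""
    if assessment.affected == 0:
        return "not-applicable"
    if assessment.score >= emergency:
        if vuln.patch_available:
            return "patch-now"
        if vuln.workaround_available:
            return "workaround-now"
        return "isolate-and-monitor"
    if assessment.score >= schedule:
        return "schedule-patch"
    return "accept-risk"


def triage(feed, assets):
    """One pass of the loop; returns (id, score, decision) ordered by urgency."""
    results = []
    for v in observe(feed, assets):
        a = orient(v, assets)
        results.append((v.vid, a.score, decide(v, a)))
    return sorted(results, key=lambda r: r[1], reverse=True)


def decision_without_patch(vuln, assets):
    """Re-orient as if the vendor patch were not out yet (workaround assessment)."""
    pre_patch = replace(vuln, patch_available=False)
    return decide(pre_patch, orient(pre_patch, assets))


if __name__ == "__main__":
    for vid, score, decision in triage(INTEL_FEED, ASSETS):
        print(f"{vid:<16} score={score:<2} -> {decision}")
    print("Follina before the patch ->", decision_without_patch(FOLLINA, ASSETS))
```

With the constructed inventory, VULN-B never reaches orient because nothing runs legacy-cms, Follina scores 7 (in the wild, two hosts, one of them business-critical) and is a patch-now, while the placeholder VULN-A scores 3 on CVSS alone and is merely scheduled. Run against the same inventory with the patch withheld, Follina becomes a workaround-now, which is exactly the pre-14 June situation the orient stage has to handle. The weights are deliberately crude; the point is that the score is derived from exploit status and your own asset data rather than from CVSS alone.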
The OODA Loop can be a valuable tool for several aspects of business operations. Stay calm and assess your surroundings. Leaping into action before analyzing a situation in depth can lead to costly errors and poor outcomes.
One of the potential causes of vulnerability fatigue is decision fatigue. Having to make complex decisions over and over can be exhausting. At the end of the day, determining whether or not to apply a patch is a business decision that should not land on a single individual’s shoulders. The mental workload should be shared with a team or at least with management. Collaboration provides insight from different perspectives and can potentially reduce burnout.
The OODA Loop framework allows decision-makers to take a step back and get a holistic view of complex problems. Even if you are faced with a high-risk vulnerability, such as Follina, there is always time to assess the situation and make an informed decision.
Digital Shadows (now ReliaQuest)’ Vulnerability Intelligence capability can help organizations make timely, threat-informed decisions during the vulnerability management process. You can test drive SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) and see the rich context available for each CVE, including risk factors, threat actor and malware associations, exploits, news, and much more.
The traditional, sometimes chaotic approach to vulnerability patching is no longer sustainable. Read our Vulnerability Intelligence report for the common challenges and mitigation strategies.