Why Risk Doesn’t Need to Be a Four Letter Word

Risk used to be a word thrown around as if it could be defined generally and, once defined, consistently applied to all business and technology use cases. This didn’t work out so well for customers, CISO’s, or vendors. Risk was a “four-letter-word” and it fell out of common use. 

Happily, the technology that underpinned quantifying cybersecurity risk has come a long way. Now many vendors take advantage of machine learning algorithms to understand normal versus abnormal behavior. This has led to more reliable, actionable indicators than another thousand alerts and has set the stage for bringing quantified risk back into the limelight. More importantly, the underlying assumption of ONE definition for risk has also evolved—risk context, we increasingly say, is king. 

Tools like Netskope Cloud Risk Exchange (CRE) have given practitioners the means to leverage many signals to create a customizable set of rules around individual, combination, or normalized aggregate risk levels associated with users, devices, and applications. Even better, frameworks like Shared Signals and Events by OpenID and its associated Continuous Authentication Evaluation Protocol give vendors means for passing the context of their risk scores. Without that, each vendor only knows why a score changed through its own lens—but with multiple context sources, ISVs can start making decisions to change their own scores based on OTHER systems’ findings.

So now the identity provider detecting a bad guy attempt to brute force login to OneDrive can tell the endpoint security vendor that the user is suspect and why, the endpoint vendor can tell the cloud vendor that the problem appears to be associated with a high risk (compromised device), and the cloud vendor can tell both that the user and device started acting strangely during the last full moon and hasn’t changed since. Additionally observing the user has started using a number of other high-risk, privacy unfriendly applications in the interim. Rather than sorting through thousands of alerts or millions of signals, the vendors can leverage all the processing power each has brought to bear to share the findings and then the customer can take action as appropriate. Then every participating IT/security vendor can support creating or invoking dynamic rules to change user and/or device access or authentication requirements in response to the big picture of risk, as customized for each organization’s risk management practices. 

Nearly every Netskope technology partner has some way to change policy or move users in response to indicators, to correlate and trigger that change. 

Consider a group of insurance companies sharing risk information about an often impaired driver operating a poorly maintained car. They know that driver and car combination is dangerous, it is just a matter of time before there is a collision, so they raise their rates to reduce their risk. The downside of this model is that they don’t have visibility into whether the driver is impaired right now or if they’re currently in a car with faulty brakes.

So vendors are moving towards a continuous validation of risk in real time. As it is being implemented, this form of check-in “is the driver impaired RIGHT now?” or “is the device trusted RIGHT now?” is being performed before access is granted. Netskope’s adaptive risk engine can facilitate this—even going so far as to pause the session to validate risk before allowing the user to resume engaging in a potentially risky Internet activity. These controls dial risk to be commensurate with trust without waiting for a timer to catch-up to the danger. 

By using tools like Cloud Risk Exchange users are able to leverage both kinds of risk, lagging risk and real-time risk calculations, context, and policy responses, to make the modern workplace safer for all according to the business needs of each. All while exchanging risk insights with partners like Crowdstrike, Mimecast, SecurityScorecard, BitSight, Okta, and ServiceNow. Risk no longer can be used as a four letter word, but as a word that can have quantifiable insights and action thanks to CRE.

To learn more about CRE, its parent platform Cloud Exchange, and Netskope and its adaptive risk controls—or about any of our other “risk-aware” partners—come join us at booth #S842 at RSA 2023 in San Francisco on April 24-27, 2023.