Learning from XZ Utils: For the Modern Enterprise, Unknown Risks are Here to Stay

April 29, 2024
Tim Wade
Deputy Chief Technology Officer
The bingo cards of many technology and risk leaders didn’t start the year with a square open for another supply chain compromise – let alone one with a potential impact greater than SolarWinds. Yet here we are, with the dust of the XZ Utils backdoor far enough in the rearview mirror that we’re past any potential firefighting, but with the ramifications still close enough in mind to offer a good opportunity for reflection.

Specifically, that means a reflection on one of the major contributing factors to so many of our sleepless nights – our collective fear of the unknown. In enterprise security risk management (ESRM), it’s the unknown risks that will sink you.  

Why? Because unknown risks largely go unmanaged, and therefore aren’t addressed effectively. At best, and in small quantities, they’re inefficiently transferred through insurance. At worst, in the hands of today’s motivated and destructive threat actors, they become the fodder for damaging headlines and nightly news.

What can we learn for enterprise security risk management?

When a motivated Microsoft engineer named Andres Freund was troubleshooting what may have initially seemed like a benign performance issue, he ended up going down a security rabbit hole deep enough to uncover a mess. He ultimately thwarted a malicious actor with the sort of long-term strategic planning of a nation state, saving a lot of people a lot of trouble.

This is noteworthy first because no formal preventative or compliance efforts would have mitigated this risk, and second because the victory occurred outside a formal security program or hierarchy. This exemplifies two cultural factors that should be promoted by every leader serious about managing unknown risks: curiosity and collaboration.

Why are these cultural values so effective at managing unknown risks? The answer to that question is best illustrated by analogy.

Managing the icebergs and uncharted reefs of unknown risks

The reality is that unknown risks typically take one of two forms. In the first, they mimic identified risks but mostly lurk under the waterline of routine discovery measures, like icebergs. In the second, uncharted reefs, they’re entirely underwater and unique to some aspect of the business — but not entirely foreign to the collective and distributed domain knowledge, expertise, and experience of the workforce.

Of the two, icebergs are the more straightforward to conceptualize because many of us recognize patterns in our enterprise of well-understood, but elusive, risks — the ones we know are present but undiscovered. While most of these risks are below the surface, we have the benefit of discoverable, telltale signs — if you know where (and how and when) to look. Culturally addressing these risks requires rethinking standard decision-making processes. You have to recognize the limits of traditional checklists, vulnerability discovery and penetration testing. While these globally established and accepted risk management principles are valuable for offering a dependable risk floor, they should never be mistaken for covering the ceiling.

A culture that prioritizes curiosity isn’t satisfied with exploring a well-defined problem at an annual cadence. Instead, the team continuously evaluates risk management decisions, challenges assumptions, and chooses to color outside the lines at times. In practical terms, these cultures focus on continuous improvement for more holistic risk management. They combine tooling and human intuition to test and validate across the full chain of protective, detective, response, and recovery activities. By encouraging collaboration, you incentivize people to discover the icebergs of risk by inquiring, investigating and hunting beyond otherwise mundane constraints.  

Meanwhile, uncharted reefs represent a class of risk that resides entirely below the waterline. While these problems don’t conform to checklists, frameworks, or so-called best practices, they’re often understood at a collective, instinctual level throughout the workforce. And why should this be surprising when the nature of this risk is itself a byproduct of aggregate factors of the business? As an example, the combinations of your supply chain, business model, internal technology stacks, and prevalence of factors like shadow IT are all capable of impacting business risks in complex and interconnected ways.

Anticipating the full implication of these complex factors from the top down is often unfeasible, particularly for enterprise organizations where rampant silos, political fiefdoms, and organizational isolation are common. Again, curiosity and collaboration as cultural values work to your benefit by incentivizing the crossing of these cultural boundaries, giving your workforce a real shot at identifying and prioritizing risks through their collective domain expertise, knowledge, and experience. This is how successful organizations assemble, identify, and mitigate risks long before any damage is done.  

In practice, this approach recognizes that while centralized risk management is necessary, it’s not sufficient for every use case. After all, the risk itself is organizationally distributed. While formal efforts like Security Champions programs or awareness and training are valuable, they don’t trump the importance of open lines of communication and access. Fostering meaningful relationships is critical to uncovering and managing these risks.

To strengthen your defenses, focus on culture

Yes, managing unknown risks is about more than just cultural efforts — people, process, and technology all play a role. But without cultural enablement, even the best people will still have a long road ahead of them. That’s why creating an ambitious culture is so critical. It’s not only your foundation for agility in the face of modern threats, but also empowers you to tap into the full potential of your people. And having laid that foundation, you’ll be in a position to maximize enablement and tooling.

Culture is critical — your organization's security practice depends on it. Set everyone up for success by prioritizing it.

Not sure where to start? Thousands of SOC analysts and architects use The Vectra AI Platform to detect, prioritize, investigate and respond to unknown threats across multiple attack surfaces. Take a self-guided tour to see how it works.