From details to big picture: Five approaches to improve security
Improving your organization’s cyber security posture is essential to maintain brand trust. The challenge for the C-suite is to look at both the big picture and the finite details, translating your overall strategy for managing risk into actionable processes and priorities that will, over time, lower your risk exposure.
Qualys’ Threat Research Unit (TRU) looked at trillions of anonymized data points gathered from across our customer base to analyze where the biggest risk areas were for businesses. Based on this data, we can see specific areas where you can help your team increase their performance effectiveness, as well as how these changes add up to a significant improvement in security results overall. Building on these details will improve how you manage risk, reduce your attack surface and maintain trust with your customers.
As a security leader, what does this mean? To get ahead of threat actors, here are five tactics that you can deploy to make your teams more effective.
1. To reduce overall risk, prioritize the right issues for remediation
While the number of vulnerabilities grows year over year, only a subset of these vulnerabilities represents significant risk to an organization. To illustrate this, let’s look at data from 2022. According to the CVE list, 25,228 new vulnerabilities were identified during the year, but only 159 saw weaponized exploit code created. Only 0.36 percent -- 93 vulnerabilities -- were actually exploited by malware. While you should not necessarily forget about the other 25,000 vulnerabilities if they are applicable to your organization, you should first focus remediation efforts on the issues that are most critical.
In 2022, it took attackers 19.5 days to weaponize security vulnerabilities and take advantage of them. On average, it took security teams 30.6 days to patch those vulnerabilities, which means attackers had an 11.1-day head start to exploit them. With bad actors having access to all of the latest technologies like AI, automation and potentially quantum computing, those 11.1 days are an easy window of opportunity to exploit.
Prioritizing the issues that represent the most critical threats to your organization and creating remediation plans will significantly reduce your overall risk.
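As an added illustration of the prioritization logic in this section (this is example code, not a Qualys tool or the TRU's method): vulnerabilities are ranked by the signals the article describes, exploited by malware first, then weaponized exploit code, then everything else that applies to the estate, and the 19.5-day weaponization figure is used to flag items whose planned fix lands inside the attacker's head start. The inventory and CVE identifiers are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed sample records (not Qualys TRU data): the fields are the
# signals the article ranks on, plus whether the affected software is present.
@dataclass(frozen=True)
class Vuln:
    cve: str                   # placeholder identifiers, not real CVE numbers
    cvss: float
    applicable: bool           # affected product exists in our estate
    weaponized: bool           # working exploit code is public
    exploited_by_malware: bool
    planned_patch_days: float  # days until the scheduled fix lands

ATTACKER_WEAPONIZE_DAYS = 19.5   # 2022 figure quoted in the article

def tier(v: Vuln) -> int:
    """0 = exploited by malware, 1 = weaponized, 2 = other, 3 = not applicable."""
    if not v.applicable:
        return 3
    if v.exploited_by_malware:
        return 0
    if v.weaponized:
        return 1
    return 2

def prioritize(vulns):
    """Remediation order: tier first, then CVSS, then id for a stable list."""
    return sorted(vulns, key=lambda v: (tier(v), -v.cvss, v.cve))

def head_start_days(weaponize_days: float, patch_days: float) -> float:
    """Attacker lead time; positive means the exploit exists before the patch."""
    return round(patch_days - weaponize_days, 1)

def inside_attacker_window(vulns, weaponize_days=ATTACKER_WEAPONIZE_DAYS):
    """Weaponized/exploited items whose planned fix lands after attackers are ready."""
    return [v.cve for v in prioritize(vulns)
            if tier(v) <= 1 and v.planned_patch_days > weaponize_days]

# Constructed inventory: one item per tier plus one that is weaponized but
# scheduled late enough to fall inside the attacker's window.
SAMPLE = [
    Vuln("CVE-0000-0001", 9.8, True, True, True, 30.6),
    Vuln("CVE-0000-0002", 7.5, True, True, False, 10.0),
    Vuln("CVE-0000-0003", 9.1, True, False, False, 45.0),
    Vuln("CVE-0000-0004", 9.9, False, True, True, 5.0),
    Vuln("CVE-0000-0005", 8.8, True, True, False, 25.0),
]
```

Running `prioritize(SAMPLE)` puts the malware-exploited item first and the non-applicable one last regardless of CVSS, and `inside_attacker_window(SAMPLE)` returns the two weaponized items whose fix is scheduled after day 19.5.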
2. Automate your patching process wherever possible
Automating patching limits the timeframe and ability for adversaries to exploit vulnerabilities. In our data, patches that could be deployed automatically were implemented 45 percent more often and 36 percent faster compared to manual updates. This led to a mean time to remediation (MTTR) for automated patches of 25.5 days, while manual patching had an MTTR of 39.8 days.
Automation makes the most significant difference for widely deployed software like Microsoft Windows and Google Chrome. The data shows that these assets were patched twice as fast and twice as often as other software assets; the global MTTR for issues in Windows and Chrome is 17.4 days.
Automation cuts out the noise and repeatable tasks that bog down security and IT teams, allowing focus to shift to addressing critical issues.
3. Focus your attention on externally facing systems that are most at risk
To gain access to an organization’s environment, most threat actors need to find an entry point on an Internet-facing device. Attackers constantly look at three main routes to gain a foothold: exposed services that have not been patched; access control issues like default passwords that have not been changed or log-ins linked to stolen or leaked credentials; and phishing attempts against staff with privileged access.
Reducing your attack surface as much as possible is the best way to mitigate these threats: for example, create a 'hacker’s eye view' of your systems and continuously monitor your external attack surface for any changes. When a new or unknown asset appears, or a new critical issue is discovered, you can immediately take steps to protect your operations.
4. Monitor your web applications for attacks
Web apps often process or store sensitive information that threat actors find valuable, and even non-critical systems can serve as a launch pad for an attack. For example, in our anonymized data set of more than 200,000 external-facing web applications, we identified nearly 65,000 instances of custom malicious source code inserted to infect client browsers, with the goal of skimming payment card information, stealing credentials, mining cryptocurrency, redirecting users to blacklisted sites, and other nefarious actions.
Scanning web applications for vulnerabilities and configuration issues is crucial to prevent attackers from exploiting them. At the same time, look at how you can encourage greater collaboration between your developers and your security team. Rather than treating security issues like ‘hot potatoes’ thrown between teams, encourage your staff to plan ahead on implementing fixes and for how to improve software development over time.
5. Configuration issues introduce the same level of risk as vulnerabilities
Vulnerabilities are not the only risk to look out for. A fully patched system can still be attacked if it is not configured correctly. This is particularly problematic for cloud services, where you have to be aware of the shared responsibility model, which outlines what the provider and the customer are each responsible for in securing cloud services.
You don’t have to approach this from scratch -- there are established security best practices that you can use across your whole IT life-cycle, from getting started through to honing your approach over time. The Center for Internet Security (CIS) Benchmarks provide an effective starting point to address misconfigurations across multiple systems, so use them to check that best practices are being followed. With data on any failing conditions, you can prioritize the changes that are necessary or implement compensating controls and mitigations.
Prioritizing the right issues over time and continuously monitoring threat intelligence helps your team focus on those vulnerabilities that cause the most risk at any given point of time.
Image Credit: Wayne Williams
Paul Baird is a highly experienced and accomplished IT and cybersecurity professional with over 25 years of industry experience. Currently, he is serving as the Chief Technical Security Officer (CTSO) for Qualys. Throughout his career, Baird has demonstrated a deep understanding of cybersecurity and has been instrumental in building several Security Operations Centres (SOCs). His achievements in the field were recognised in 2021 when he was awarded Fellowship of the Chartered Institute of Information Security Professionals (CIISec) for his outstanding work in supporting cybersecurity.