Unmasking cybersecurity's hidden threats
The cybersecurity landscape is experiencing an unprecedented surge in vulnerabilities. In 2022 alone, a staggering 25,096 new vulnerabilities were added to the National Vulnerability Database (NVD). This number represents the highest count of vulnerabilities ever recorded within a single year and reflects a 25 percent increase compared to the 20,196 new vulnerabilities reported in 2021.
This escalating trend indicates that cybersecurity threats are not only on the rise but are also accelerating at an alarming pace. The reasons behind this surge in vulnerabilities are multifaceted, stemming from factors such as the increasing complexity of software and technology systems, the rapid pace of digital transformation, and the growing sophistication of cyber attackers.
Navigating the Surge
An increase in vulnerabilities is an inevitable consequence of increased digitization. The more organizations embrace digital transformation, the more technology they deploy and the greater their attack surface becomes. One of the key challenges for today’s security teams is identifying which exposures present the most significant risk to their business.
In response, most organizations rely on examining the output from vulnerability scanners and focus their efforts on the findings carrying the highest severity rating for each Common Vulnerabilities and Exposures (CVE) entry. However, this approach is rudimentary given the sheer volume of data these scans generate. Hard-pressed security teams often resort to scheduled vulnerability scans, which produce overwhelming amounts of data. While scanners find millions of vulnerabilities, they lack the business, network, and asset context needed to prioritize based on risk. Instead, teams are trapped in the old conundrum of "if everything is critical, nothing is critical." This highlights the pressing need for more sophisticated and streamlined methods of managing vulnerabilities in ever-expanding digital environments.
Finding Structure Amid Cyber Chaos
Many organizations' attack surfaces have rapidly expanded, and threat actors are always looking for new networks and servers to infiltrate. Conducting vulnerability assessments only biannually or monthly is not enough to combat this threat effectively: such a cadence delays the identification of exposures and threats, and it produces reports with millions of entries and little context or prioritization.
By instituting a continuous exposure management program, organizations can apply a proven approach, combined with a range of tools and capabilities, to conduct continuous threat discovery, assessment and prioritization, and remediation. Such a program is designed to identify exposures of every kind, encompassing vulnerabilities, security policy gaps, and control deficiencies, rather than focusing solely on CVEs. Effective exposure management requires daily analysis and prioritization, so that security analysts can filter out irrelevant information and highlight the most critical exposures that require immediate attention.
The Modern Cybersecurity Blueprint
To build a successful cybersecurity program, security leaders should follow these steps:
1. Map the Attack Surface
This process involves defining and scoping the assets that the program will cover. This includes compiling a list of all endpoints, servers, potential network devices, cloud infrastructure and operational technology (OT) assets. Applications and user identities may also be included. Accurately identifying and ranking the assets during this phase can be time-consuming. However, determining asset importance is a valuable parameter when prioritizing vulnerabilities.
2. Contextualize the Data
Contextualizing the data requires a comprehensive examination of exposures beyond basic vulnerability scans. Examining missing controls, incorrect setups, and checking infrastructure against industry benchmarks that determine best practices are all part of this process. A sizable number of exposures and vulnerabilities are often found at this phase. It is typical to identify ten exposures on average for each asset.
3. Assess and Prioritize the Risk
During this critical phase, the objective is to reduce the millions of detected findings to the double-digit set that warrants attention. Prioritization is crucial in distilling the overwhelming number of exposures, focusing primarily on those with a higher potential to cause harm. This prioritization should be tailored to the organization's specific business needs rather than relying on generic scoring systems, which can result in incorrect prioritization and negative business consequences. The process involves considering factors such as published risk severity, Common Vulnerability Scoring System (CVSS) scores indicating potential damage and ease of exploitation, and whether vulnerabilities are being actively exploited.
Additionally, an exploit probability score, assessment of asset importance, and network access analysis help narrow down severe and exploitable exposures affecting critical assets. Validation checks ensure whether specific vulnerabilities can be exploited for malicious purposes on particular assets. Leveraging attack path analysis is especially useful in determining genuine asset exposure to vulnerabilities and identifying mitigating measures like access lists, firewall rules, or intrusion detection signatures that reduce urgency.
4. Mobilize to Combat the Threat
Gartner emphasizes that prioritization and mobilization are frequently overlooked activities. The shortcomings in prioritization and remediation often stem from organizational structures, where security teams may generate reports and simply pass them to the IT team for resolution, creating challenges in both the technical and organizational aspects of mobilization. This phase involves mitigation, remediation, and, most importantly, automation. Leveraging automation optimizes workflows and facilitates end-to-end collaboration between security and IT teams. Effective remediation requires seamless integration into IT service management. Organizations should seek to adopt solutions that leverage automation to help streamline and optimize cyclical processes.
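As an added illustration of steps 1 and 3 (example code written here, not code from the article or from Skybox Security), the following Python ranks constructed findings by combining the factors the text lists: CVSS severity, exploit probability, active exploitation, asset importance, reachability from attack path analysis, and compensating controls such as access lists, firewall rules, or IDS signatures. The weights, the 0.25-per-control urgency discount, and the sample findings are assumptions chosen for the example.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    """One vulnerability instance on one asset, with the context the text calls for."""
    vuln_id: str            # placeholder label, not a real CVE identifier
    asset: str
    cvss: float             # CVSS base score, 0-10 (potential damage / ease of exploitation)
    exploit_prob: float     # exploit probability score, 0-1 (EPSS-style, assumed)
    actively_exploited: bool
    asset_importance: int   # 1 (low) .. 5 (crown jewel), decided when mapping the attack surface
    reachable: bool         # attack path analysis: reachable from an untrusted network zone?
    mitigations: int        # number of compensating controls (ACL, firewall rule, IDS signature)


def risk_score(f: Finding) -> float:
    """Blend severity, likelihood, asset importance and exposure into a 0-100 score."""
    severity = f.cvss / 10.0
    # Active exploitation in the wild overrides a low predicted probability; floor at 5%.
    likelihood = 1.0 if f.actively_exploited else max(f.exploit_prob, 0.05)
    importance = f.asset_importance / 5.0
    # An unreachable vulnerability is deprioritized, not discarded (assumed 20% weight).
    exposure = 1.0 if f.reachable else 0.2
    # Each compensating control lowers urgency by 25%, never below a 25% floor.
    exposure *= max(0.25, 1.0 - 0.25 * f.mitigations)
    return round(100 * severity * likelihood * importance * exposure, 1)


def prioritize(findings, top_n=10):
    """Return the top_n findings as (vuln_id, asset, score), highest risk first."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.vuln_id, f.asset, risk_score(f)) for f in ranked[:top_n]]


# Constructed sample findings (not real scan output).
SAMPLE_FINDINGS = [
    # Critical CVSS, but isolated and behind two controls: scanners alone would rank it first.
    Finding("VULN-A", "db-server", 9.8, 0.02, False, 5, False, 2),
    Finding("VULN-B", "web-frontend", 7.5, 0.60, True, 4, True, 0),
    Finding("VULN-C", "dev-laptop", 9.8, 0.30, False, 2, True, 1),
    Finding("VULN-D", "vpn-gateway", 8.1, 0.80, False, 5, True, 0),
]

if __name__ == "__main__":
    for vuln_id, asset, score in prioritize(SAMPLE_FINDINGS):
        print(f"{score:6.1f}  {vuln_id:8s} {asset}")
```

Note how the highest-CVSS finding on the database server drops to the bottom once reachability and compensating controls are considered, while the reachable, actively exploited frontend flaw rises near the top.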
Looking Ahead
By successfully implementing a continuous exposure management program, organizations can transcend the traditional scan and patch strategy and adopt a more comprehensive understanding of their attack surface and associated vulnerabilities. This change allows security teams to concentrate on combating threats that represent severe risks to the company and frees up precious resources.
Adi Dubin is Vice President of Product Management at Skybox Security. Adi is a cybersecurity product management executive with a passion for creating and executing product plans that match business value with customer needs. He is an expert in threat and vulnerability management, security operations, and SOC compliance. Before joining Skybox Security, Adi served in the Israel National Security Agency's 8200 unit, and managed the cybersecurity products at Nogacom, Argus Cyber Security, and AT&T.