Cyber exposure management in today's enterprise landscape [Q&A]
The cybersecurity landscape is more complex than ever, which means enterprises need a real-time picture of their exposure.
We spoke to Nadir Izrael, CTO and co-founder of Armis, to learn what this should look like and how security teams can evaluate and evolve their security programs to achieve more control over their asset landscape.
BN: What is cyber exposure management? How is the rapidly evolving cybersecurity landscape driving the need for real-time cyber risk awareness in enterprises today?
NI: Security teams today are tasked with managing increasingly diverse and connected asset environments across IT, OT, IoT, IoMT and cloud infrastructure while simultaneously keeping up with the rapidly evolving tactics of threat actors. Without a comprehensive cybersecurity plan in place and a deep knowledge of the environment, security teams may inadvertently overlook weak points in their protection efforts that leave assets vulnerable to exploitation.
Cyber exposure management seeks to shift organizations’ defensive cybersecurity programs to the 'left of boom,' before a breach occurs, and fully protect their attack surface in real time. It is essential to proactively identify and mitigate cyber asset risks, remediate security findings and vulnerabilities, and ultimately protect the entire attack surface. This way, security teams and organizational leaders alike can have peace of mind at any point in time that all critical assets are effectively being protected and managed to ensure their environment has not been breached.
BN: What are the fundamental components of a comprehensive cyber exposure management program, and how should they be integrated to cover on-premises infrastructure and cloud environments?
NI: Organizations need a comprehensive security strategy to address the entire lifecycle of cybersecurity threats. This can be achieved through a cyber exposure management program that enables organizations to see, protect and manage physical and virtual assets through three main components: asset discovery and management, early warning threat detection, and vulnerability discovery, prioritization and remediation.
Asset discovery and management starts with identifying all of the physical and virtual assets connected to your network, from on-premises infrastructure to cloud environments. This can be achieved through dynamic asset inventories that identify and monitor each device with full context (i.e., how it communicates with other assets, what protocols it uses, how much data is typically transmitted, whether it is usually stationary, the software it uses and more). This information builds a behavioral profile for each asset, so that it can be determined on an ongoing basis whether the asset is doing what it should be doing and an alert can be raised automatically when anomalous behavior occurs.
After obtaining visibility and control over the entire asset landscape, security teams should focus on early warning threat detection. By leveraging actionable threat intelligence, they can stay ahead of emerging threats to their attack surface by hardening their environment effectively before an attack is ever launched.
The final layer of cyber exposure management manifests in vulnerability discovery, prioritization and remediation. Once security teams understand the context of their asset landscape and detect threats, they can focus their attention on the most critical or vulnerable assets, enforcing remediation where it is needed most to secure any existing gaps in the attack surface.
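The behavioral profiling described in the answer above can be illustrated with a small model: a baseline of observed flows is turned into a per-asset profile (peers, protocols, peak volume, locations), and later observations are checked against that profile. This is an added example, not code from Armis or from the interview; the asset names, protocols, byte counts and segment names are constructed sample data, and the rules (new peer, new protocol, a volume spike above three times the baseline peak, and a normally stationary asset appearing elsewhere) are illustrative choices.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Flow:
    """One observed communication by an asset (constructed sample record)."""
    asset: str
    peer: str
    protocol: str
    bytes_sent: int
    location: str  # network segment where the asset was seen


@dataclass
class Profile:
    """Behavioral baseline for a single asset, built from observed flows."""
    peers: set = field(default_factory=set)
    protocols: set = field(default_factory=set)
    max_bytes: int = 0
    locations: set = field(default_factory=set)


def build_profiles(flows):
    """Aggregate a baseline window of flows into one Profile per asset."""
    profiles = defaultdict(Profile)
    for f in flows:
        p = profiles[f.asset]
        p.peers.add(f.peer)
        p.protocols.add(f.protocol)
        p.max_bytes = max(p.max_bytes, f.bytes_sent)
        p.locations.add(f.location)
    return dict(profiles)


def detect_anomalies(profiles, flow, volume_factor=3):
    """Return (asset, kind, detail) findings for one new flow against the baseline."""
    p = profiles.get(flow.asset)
    if p is None:
        # An asset with no baseline at all is itself a finding: the inventory missed it.
        return [(flow.asset, "unknown_asset", f"first seen at {flow.location}")]
    findings = []
    if flow.protocol not in p.protocols:
        findings.append((flow.asset, "new_protocol", flow.protocol))
    if flow.peer not in p.peers:
        findings.append((flow.asset, "new_peer", flow.peer))
    if flow.bytes_sent > volume_factor * p.max_bytes:
        findings.append((flow.asset, "volume_spike",
                         f"{flow.bytes_sent} > {volume_factor}x{p.max_bytes}"))
    # Only assets that were always seen in one place are treated as stationary.
    if len(p.locations) == 1 and flow.location not in p.locations:
        findings.append((flow.asset, "moved", flow.location))
    return findings


def run_detection(profiles, observed):
    """Evaluate a batch of new flows and collect every finding."""
    return [f for flow in observed for f in detect_anomalies(profiles, flow)]


# Constructed baseline: a medical device, a PLC and a laptop behaving normally.
BASELINE = [
    Flow("infusion-pump-01", "ehr-gateway", "hl7", 2_000, "ward-3"),
    Flow("infusion-pump-01", "ehr-gateway", "hl7", 2_400, "ward-3"),
    Flow("plc-07", "scada-hmi", "modbus", 900, "plant-floor"),
    Flow("plc-07", "scada-hmi", "modbus", 1_100, "plant-floor"),
    Flow("laptop-42", "intranet", "https", 50_000, "office-a"),
    Flow("laptop-42", "mail", "https", 80_000, "office-b"),
]

# Constructed new observations: one normal, one PLC doing something it never did,
# one laptop roaming (expected for a mobile asset), one device never inventoried.
OBSERVED = [
    Flow("infusion-pump-01", "ehr-gateway", "hl7", 2_100, "ward-3"),
    Flow("plc-07", "file-share", "smb", 40_000, "plant-floor"),
    Flow("laptop-42", "mail", "https", 60_000, "office-c"),
    Flow("camera-19", "ehr-gateway", "https", 500, "ward-3"),
]

PROFILES = build_profiles(BASELINE)

if __name__ == "__main__":
    for asset, kind, detail in run_detection(PROFILES, OBSERVED):
        print(f"{asset}: {kind} ({detail})")
```

The PLC produces three findings from a single flow (new protocol, new peer and a volume spike), while the laptop moving to a third office produces none because its baseline already shows it is mobile; that asymmetry is the point of keeping per-asset context rather than one global rule.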
BN: What initial steps or frameworks should security teams pursue to evaluate/enhance their security programs for better control and visibility over their assets?
NI: In our 'perimeter-less' world, it has become critical for organizations to constantly evaluate their security programs to align with expanding attack surfaces and increasingly sophisticated threat actor schemes. To effectively enhance cyber defenses, security teams need to continuously see, protect and manage all critical assets -- from the ground to the cloud.
After implementing the fundamentals of cyber exposure management as described above, teams can further evaluate the effectiveness of their programs by mapping them to requirements within common security frameworks, such as ISO 27001, SOC 2, CMMC and NIST 800-171. It is highly beneficial for security teams to determine which frameworks are most applicable to their organization and begin implementing any missing recommendations, especially as more government regulations and compliance requirements are enforced.
BN: Based on your experience working with 35 Fortune 100 companies, what are the most pressing cybersecurity challenges these organizations face? How are they adapting their strategies to address these issues?
NI: A significant challenge that organizations face is keeping up with threats as they evolve. Cyber adversaries are already crafty. They know how to escape detection and adapt their attacks as needed, but their rising use of artificial intelligence (AI) to drive attacks equips them with even greater efficiency and ability to scale. Organizations are recognizing they need to be able to respond to threats in real time and have a comprehensive, defensive cybersecurity program that also utilizes the power of AI to combat the attacks of these sophisticated malicious actors. As such, they are investing more in improving their security posture to shift to a more proactive, instead of reactive, stance.
Additionally, they are focused on gaining continuous, contextual monitoring of their environments, so they can address vulnerable areas right away to shore up gaps in their attack surface. Another overarching challenge is the incredible number of security alerts that teams receive and need to make sense of. This flood of security findings makes it difficult to effectively prioritize and remediate vulnerabilities. Consequently, they are not prioritizing patch rates for critical CVEs. According to research from Armis Labs, irrespective of the weaponization status of a CVE, organizations consistently grapple with patch rates at 62 percent for non-weaponized vulnerabilities and 61 percent for weaponized vulnerabilities. It's critical that these teams adapt their strategies to instead take a holistic approach to prioritization and remediation, focusing on vulnerabilities that are most likely to be exploited and negatively impact the business.
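The prioritization idea in this answer and in the earlier description of vulnerability discovery, prioritization and remediation can be made concrete with a small ranking model: each open finding is scored from its CVSS base score, the business criticality of the asset it sits on, and whether the vulnerability is known to be weaponized, and patch rates are then measured per weaponization group, which is the split the Armis Labs figures above use. This is an added example, not Armis' scoring method; the vulnerability labels are placeholders rather than real CVE identifiers, the criticality weights and the doubling for weaponized findings are illustrative choices, and all findings are constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    """One vulnerability finding on one asset (constructed sample record)."""
    asset: str
    vuln_id: str      # placeholder label, not a real CVE number
    cvss: float
    weaponized: bool  # known exploit in use, per threat intelligence
    patched: bool


# Business criticality from the asset inventory: 3 = critical, 1 = low (illustrative scale).
ASSET_CRITICALITY = {"plc-07": 3, "ehr-db-01": 3, "laptop-42": 1, "printer-05": 1}

FINDINGS = [
    Finding("plc-07", "VULN-A", 7.5, weaponized=True, patched=False),
    Finding("ehr-db-01", "VULN-B", 9.8, weaponized=False, patched=False),
    Finding("laptop-42", "VULN-C", 9.8, weaponized=True, patched=False),
    Finding("printer-05", "VULN-D", 6.5, weaponized=False, patched=True),
    Finding("laptop-42", "VULN-E", 5.0, weaponized=True, patched=True),
    Finding("ehr-db-01", "VULN-F", 4.3, weaponized=False, patched=True),
]


def risk_score(f, criticality):
    """CVSS weighted by asset criticality, doubled when the vuln is weaponized."""
    weight = criticality.get(f.asset, 1)  # unknown assets default to low criticality
    exploit_factor = 2.0 if f.weaponized else 1.0
    return round(f.cvss * weight * exploit_factor, 1)


def prioritize(findings, criticality):
    """Open findings, highest contextual risk first."""
    open_findings = [f for f in findings if not f.patched]
    return sorted(open_findings, key=lambda f: risk_score(f, criticality), reverse=True)


def patch_rate(findings, weaponized):
    """Percentage of findings in one weaponization group that are already patched."""
    group = [f for f in findings if f.weaponized == weaponized]
    if not group:
        return 0.0
    return round(100.0 * sum(f.patched for f in group) / len(group), 1)


if __name__ == "__main__":
    for f in prioritize(FINDINGS, ASSET_CRITICALITY):
        print(f"{f.vuln_id} on {f.asset}: risk {risk_score(f, ASSET_CRITICALITY)}")
    print("patch rate, weaponized:", patch_rate(FINDINGS, True))
    print("patch rate, non-weaponized:", patch_rate(FINDINGS, False))
```

Sorting on CVSS alone would put the two 9.8 findings first; with asset context the 7.5 on the weaponized, critical PLC ranks above both, which is the holistic ordering the answer argues for.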
BN: How are security teams leveraging AI to strengthen their cyber exposure management programs?
NI: The only way to fight AI-powered threat actors is with AI-powered defensive tools. Fortunately for defenders, employing AI can give them the upper hand because their teams and security tools possess in-depth knowledge of their environments, providing a significant data advantage versus attackers coming from the outside. With this data advantage, security teams can train AI models to identify potential threats more quickly and accurately.
Defenders are also leveraging AI to improve the efficiency of their cybersecurity programs by accelerating automation within their security operations centers (SOCs) as a whole. For example, SOC teams are using AI-powered systems to expedite manual operations like monitoring and consolidating security feeds or detecting suspicious activity. This allows them to free up human resources for more challenging tasks that require critical thinking and business context.
BN: What are the top priorities that CISOs should consider before the year closes to better equip their teams in identifying and mitigating emerging threats to the enterprise?
NI: CISOs must shift security 'left of boom' to detect and prevent threats before they have the opportunity to cause significant damage to the enterprise. This involves having a proactive, not reactive, mindset along with the right security tools in place that enable teams to defend and manage the entire attack surface in real time. Given the complex threat landscape we see today -- from increasing attacks on critical infrastructure, heightened geo-political tensions around the world and a rise of cyberwarfare -- this shift needs to happen immediately, not by a specific deadline.