This week we released our annual Vulnerability and Threat Trends Report and want to share some insights. The report, which uncovers increased vulnerabilities and evolving threats, underscores the need for organizations to adopt an exposure management program to accurately identify and prioritize the most pressing business risks to get ahead of the adversary.
192,051 cumulative vulnerabilities in 2022
First off, let’s talk about vulnerabilities. In 2022, the National Vulnerability Database (NVD) added a whopping 25,096 new vulnerabilities. That’s a record-breaking number of vulnerabilities published in a single year! And it’s not just the quantity of vulnerabilities that’s concerning – it’s also the quality.
“2022 was a record-setting year for vulnerabilities, showing that attacks are increasing in speed and impact as threat actors target the most sensitive assets and seek to inflict as much damage as possible. The numbers are astounding, and there are far too many vulnerabilities for cybersecurity teams to keep up with. It’s more critical than ever that organizations pivot away from reactive approaches to continuous exposure management.”
In fact, the Skybox Research Lab found that 80% of vulnerabilities reported in 2022 were either medium or high severity. Only 16% were deemed critical, but that’s hardly reassuring as severity does not equal risk. Many threat actors specifically target less severe weaknesses, exploiting these vulnerabilities to gain access to a system and move laterally to escalate attacks.
Threat actors are becoming more sophisticated and organized, backed by large crime rings and nation-states. They’re using advanced tools and tactics like backdoor malware and advanced persistent threat (APT) attacks to target sensitive assets and inflict more damage.
So, what can we do about it? Well, traditional reactive approaches to cybersecurity just aren’t cutting it anymore. Waiting until vulnerabilities are reported and then scrambling to scan and patch every instance grows more outmoded by the day. There are far too many vulnerabilities out there, it takes too long to find them all, and many are unpatchable anyway.
Risk is multi-dimensional
Advanced scoring solutions weigh four key factors to measure the risk of vulnerabilities.
That’s where advanced risk assessment solutions come in. By weighing factors like severity, exploitability, exposure, asset importance, and business impact (i.e., cyber risk quantification), these solutions can help security teams prioritize vulnerabilities based on what really matters. This can help winnow down the list of actionable vulnerabilities by orders of magnitude – from hundreds of thousands down to just a few hundred or even dozens! By doing so, organizations can allocate their limited resources where they will have the biggest impact on reducing risk.
“In the face of economic pressures and ongoing cybersecurity talent shortages, continuous exposure management is a pragmatic and cost-effective approach to cybersecurity,” added Abramson. “By adopting this proactive approach, teams with limited resources can avoid overloading and concentrate on the risks that matter to their business.”
To grapple with growing cybersecurity complexity, security teams need a new approach, known as continuous exposure management, that offers dramatic improvements in performance, efficiency and risk reduction. To make the most of this modern, risk-based paradigm, organizations should implement solutions that:
- Take a holistic approach
- Maintain 360-degree visibility of the attack surface
- Discover and detect the full range of exposures
- Assess risk and prioritize
- Choose the appropriate remediation and automate responses
The facts are sobering: cyber threats are becoming more prevalent and sophisticated every day. But by taking a proactive approach to exposure management and prioritizing vulnerabilities based on what really matters, organizations can better protect themselves from these threats.