Continuous Vulnerability Management is a “Must Have” for security leaders

As the volume of new vulnerabilities continues to grow, how do you better understand, prioritize, and remediate them to reduce risk more effectively?

In cybersecurity, it’s widely known that security gaps create risk, and it’s well established that software and hardware vulnerabilities present an ever-present chink in organizational armor. Furthermore, the rapid transition from legacy on-prem systems to the cloud creates additional fissures.

For years, the pace and volume of these vulnerabilities have accelerated, driven by everything from geopolitical tensions to remote working. Ironically, this blizzard of individual vulnerabilities has crystallized into a very singular technical question for security leaders: how to discover, prioritize, and remediate vulnerabilities more effectively to reduce risk?

The old ways of vulnerability management are no longer effective

As Marc Andreessen predicted, software is eating the world. Nowhere is this more evident than inside large organizations, where operations rely on a dizzying array of applications and services hosted on cloud, on-prem, hybrid, multi-cloud, and OT platforms.

While eating the world, software also chiseled many large holes in security. These range from the granular level, for example vulnerable code or hardware, all the way up to the underlying infrastructure, where a weakness in network policy or configuration presents additional risk.

Unfortunately, as the environment sprawled, it didn’t retain essential security controls. Traditional approaches to vulnerability management became siloed, trapping teams in single lanes without full visibility and context. The result? Security leaders often feel their teams are merely ticking issues off a long but partial list of problems.

The gold standard of remediation is patching. In theory a simple process, in practice one that often drags on for months. Because their impact is uncertain, known vulnerabilities sit exposed in a holding pattern, waiting to be discovered and then waiting again to be addressed, while organizations hope they don’t get exploited.

Without a thorough risk-based vulnerability management tool working for you, this problem will only grow as digital transformation continues to multiply and scatter technical assets across the estate. Already spread thin, security teams will be further overwhelmed and directionless — a finger stuck in the dam facing an endless treadmill of blind triage.


Attackers rely on outdated remediation processes

As always, an issue for security teams is an opportunity for attackers. Helped by an organization’s lack of a true understanding of their cyber exposure, threat actors gain access and move laterally by slipping unseen into organizational cracks.

This is compounded by a lower barrier to entry for becoming an attacker. With the rise of cybercrime-as-a-service and easier access to tactics, techniques, and procedures (TTPs), breaching security has become easier than ever. Attackers don’t need to be well-resourced advanced persistent threat (APT) groups developing exotic zero days to succeed in compromising large organizations.

For this reason, even older, less high-profile CVEs have just as much relevance for security teams as celebrity vulnerabilities in today’s headlines. Greater numbers of lower-skilled attackers mean more adversaries taking advantage of low-hanging fruit. However, without a strategy for determining vulnerability impact, organizations have no idea of what is below the radar yet dangerous and what is benign.

Similarly, CVSS scores are a useful guide for gauging general severity and active exploitation, but security leaders are loath to put too much faith in them. Although the process is improving, the scores are based solely on external factors, so they lack the organizational context that is critical to prioritization.

The importance of context, i.e., cyber risk quantification

This all highlights the importance of context in getting a true picture of risk. Moving beyond mere visibility to effective action requires understanding one thing: each vulnerability’s impact on your specific environment.

For this to be possible, controls such as Continuous Exposure Management must have complete visibility of all assets, systems, processes, and dependencies in the estate. Only with this can you truly understand the nuanced dance of technology in your environment and how, if attacked, operations and business value will be affected. One person’s innocuous asset could be another’s potential SEC fine.

By mapping vulnerability data on top of this, organizations can see where exposure truly lies – uncovering the paths adversaries may use to cause reputational and financial damage. Playing out a multitude of theoretical incidents, security leaders can better score risk so security operations are better prioritized and effective.
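As an added illustration of the argument above (example code, not Skybox’s product or scoring model), the following Python sketch re-ranks the same CVSS base scores once asset exposure, business criticality, known exploitation and compensating controls are folded in. Asset names, vulnerability IDs and weights are constructed placeholders, not real CVEs or a published standard.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool       # reachable from an untrusted network
    business_criticality: int   # 1 (lab box) .. 5 (revenue / regulated data)
    compensating_control: bool  # e.g. an IPS/WAF rule already blocks the vector

@dataclass(frozen=True)
class Finding:
    vuln_id: str        # constructed placeholder, not a real CVE id
    asset: Asset
    cvss_base: float    # 0.0 .. 10.0, external severity only
    exploited_in_wild: bool

def contextual_risk(f: Finding) -> float:
    """Fold organisational context into the external CVSS score.
    Multipliers are illustrative assumptions chosen for this example."""
    score = f.cvss_base
    score *= 1.5 if f.asset.internet_facing else 0.6          # exposure
    score *= 1.0 + 0.25 * (f.asset.business_criticality - 3)  # 0.5 .. 1.5
    score *= 1.4 if f.exploited_in_wild else 1.0              # threat
    score *= 0.5 if f.asset.compensating_control else 1.0     # mitigation
    return score

def prioritize(findings):
    """Return findings ordered by contextual risk, highest first."""
    return sorted(findings, key=contextual_risk, reverse=True)

def cvss_only(findings):
    """The naive ordering a scanner export would give."""
    return sorted(findings, key=lambda f: f.cvss_base, reverse=True)

# Constructed sample estate: three findings on three very different assets.
SAMPLE = [
    Finding("VULN-A", Asset("dmz-web-01", True, 5, False), 6.5, True),
    Finding("VULN-B", Asset("lab-build-02", False, 1, False), 9.8, False),
    Finding("VULN-C", Asset("hr-db-01", False, 4, True), 8.1, True),
]

if __name__ == "__main__":
    print("CVSS-only order :", [f.vuln_id for f in cvss_only(SAMPLE)])
    print("Contextual order:", [f.vuln_id for f in prioritize(SAMPLE)])
    for f in prioritize(SAMPLE):
        print(f"{f.vuln_id} on {f.asset.name}: cvss={f.cvss_base} "
              f"risk={contextual_risk(f):.2f}")
```

The medium-severity bug on the internet-facing revenue system (VULN-A) jumps to the top, while the critical-rated bug on an isolated lab box (VULN-B) drops to the bottom, which is exactly the reordering that CVSS alone cannot produce.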

To answer the security leader’s question of whether such initiatives lead to better business outcomes, just ask Equifax. One missed vulnerability and half a billion dollars in fines later attest to the importance of using context to uncover and prioritize the gaps.

Learn how Skybox can help you better manage vulnerabilities: