Hidden in plain sight: There is no such thing as a low-risk vulnerability

Originally published in the Forbes Tech Council

Prioritize based on cyber exposure, not just CVSS scores.

Bad actors succeed whenever enterprises lack understanding of which vulnerabilities to prioritize for remediation and why. Traditional risk scoring systems — such as the Common Vulnerability Scoring System (CVSS) — rank threats as critical, high, medium or low in “severity” without considering real-world exposure levels. These systems push security teams to myopically focus on addressing only their “highest-severity” vulnerabilities.

Consequently, many vulnerabilities requiring remediation remain unpatched: forgotten and deprioritized due to severity-focused triaging. CVSS compels teams to address “critical-severity” vulnerabilities despite the lack of any known exploits, while “medium-severity” vulnerabilities with active exploits in the wild often remain untouched.

To put this in perspective, my company’s recent report identified a whopping 18,341 new vulnerabilities in 2020, 41% of which were supposedly “medium- and low-severity” vulnerabilities. That means enterprises using traditional risk scoring are likely to leave over 7,500 potential exposure points unaddressed for extended periods of time.

Armed with this knowledge, modern hackers now routinely exploit enterprises’ medium- and low-severity vulnerabilities as the first step in multi-stage attacks. Leveraging one seemingly tiny security hole as an entry point, threat actors then obtain full network access and seize high-value assets for ransom.

In this environment, enterprises must take a new approach. Prioritizing remediation based on actual exposure is more practical and effective than relying on abstract estimates of “severity.” The only way to determine actual exposure is to map a network from end to end and gain a comprehensive understanding of the most exploitable vulnerabilities.

You can’t prioritize what you can’t see.

Breach prevention starts with modeling hybrid networks — think Google Maps, but focused solely on your enterprise’s entire IT environment. Just as Google compiled the data necessary to map the entire world down to street level, points of interest and traffic patterns, it’s now possible to gather holistic data across an enterprise network, even if it spans on-premises systems and multiple clouds.

By aggregating formerly separate layers of network, cloud, IT/OT and security data, a network model gives IT teams full visibility and context, enabling each individual layer to work as part of a larger system and promote a comprehensive understanding of the attack surface. This multidimensional view is critical for teams to proactively close security gaps, as they will be able to see all assets, access points and vulnerabilities, then address issues either manually or through smart automation.

Here are a few steps to get started with modeling hybrid networks:

  1. Aggregate configuration and security control data across disparate environments such as endpoints, cloud and critical infrastructure.
  2. Create a complete and detailed picture of the attack surface.
  3. Walk the path of a potential breach to identify the best ways to seal off vulnerable assets.
  4. Gain control over the threats that are overwhelming the enterprise environments.
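To make the contrast drawn earlier concrete (a “medium-severity” flaw with an exploit in the wild on an internet-facing host versus a “critical-severity” flaw with no known exploit on an isolated segment) and to illustrate step 3 above, here is a small Python example. It is added for this page and is not code from the original article or from the author’s company or product. It walks a constructed network model from the internet across allowed connections, then ranks constructed findings by exposure (exploitation in the wild and reachability first, CVSS only as a tie-breaker) next to a plain CVSS ordering. Every host name, connection, score and finding ID in it is made up for the illustration.

```python
"""Exposure-based vulnerability prioritisation over a small network model.

Everything below is constructed sample data: the hosts, the allowed
connections (what segmentation/firewall rules permit), the CVSS scores and
the "exploited in the wild" flags. Finding IDs are placeholders, not CVEs.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    host: str
    finding_id: str            # placeholder identifier, not a real CVE
    cvss: float                # CVSS base score as a scanner would report it
    exploited_in_wild: bool    # threat-intel flag: exploitation observed


# Constructed directed reachability model: "src" may open connections to "dst".
EDGES = {
    "internet": ["web-01", "vpn-01"],
    "web-01": ["app-01"],
    "vpn-01": ["app-01", "jump-01"],
    "app-01": ["db-01"],
    "jump-01": ["db-01", "ot-hmi-01"],
    "db-01": [],
    "ot-hmi-01": [],
    "hr-legacy-01": [],        # nothing points here: an isolated segment
}

# Constructed findings, one per host, chosen to show the CVSS-vs-exposure gap.
FINDINGS = [
    Vuln("hr-legacy-01", "FINDING-A", 9.8, False),  # critical, isolated, no exploit
    Vuln("db-01", "FINDING-B", 9.1, False),         # critical, deep inside, no exploit
    Vuln("web-01", "FINDING-C", 5.3, True),         # medium, edge host, exploited
    Vuln("vpn-01", "FINDING-D", 7.5, True),         # high, edge host, exploited
    Vuln("ot-hmi-01", "FINDING-E", 3.1, False),     # low, reachable via jump host
]


def walk_breach_paths(edges, start="internet"):
    """Breadth-first walk from the attacker's starting point.

    Returns {host: hop_count} for every host reachable through allowed
    connections; hosts absent from the result have no inbound path.
    """
    hops = {start: 0}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in edges.get(cur, []):
            if nxt not in hops:
                hops[nxt] = hops[cur] + 1
                queue.append(nxt)
    hops.pop(start, None)          # the foothold itself is not an asset
    return hops


def cvss_bucket(score):
    """CVSS v3 qualitative rating bands, as a severity-only triage would use."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


def cvss_only_rank(vulns):
    """Traditional triage: highest CVSS base score first."""
    return sorted(vulns, key=lambda v: -v.cvss)


def exposure_rank(vulns, hops):
    """Exposure-based triage: exploited-and-reachable findings first, then any
    reachable finding (closest to the edge first); CVSS only breaks ties."""
    def key(v):
        reachable = v.host in hops
        distance = hops.get(v.host, float("inf"))
        return (not (v.exploited_in_wild and reachable), not reachable, distance, -v.cvss)
    return sorted(vulns, key=key)


def compare_orders(vulns, edges):
    """Return (cvss_order, exposure_order) as lists of finding IDs."""
    hops = walk_breach_paths(edges)
    return ([v.finding_id for v in cvss_only_rank(vulns)],
            [v.finding_id for v in exposure_rank(vulns, hops)])


if __name__ == "__main__":
    hops = walk_breach_paths(EDGES)
    print("Reachable from the internet (hops):", hops)
    for label, order in zip(("CVSS-only", "Exposure"), compare_orders(FINDINGS, EDGES)):
        print(f"{label:>10}:", ", ".join(order))
    for v in exposure_rank(FINDINGS, hops):
        print(f"  {v.finding_id} on {v.host:<13} {cvss_bucket(v.cvss):<8} "
              f"exploited={v.exploited_in_wild} hops={hops.get(v.host, 'unreachable')}")
```

In this constructed model the two internet-facing, actively exploited findings move to the top of the exposure ordering even though their base scores are only 7.5 and 5.3, while the 9.8 on the isolated `hr-legacy-01` host drops to the bottom because nothing can reach it. Real exposure data comes from the same kind of inputs the article describes (configuration and control data aggregated across environments plus threat intelligence), but the ranking logic is the same whatever the source.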

Maximize resources through automation.

The combination of the cybersecurity skills crisis, tight budgets and the sheer volume of vulnerabilities requires enterprises to find better ways to maximize their resources. A smart security platform will benefit from both the accuracy and the scale of automation, whether it’s efficiently sifting through millions of data sets to determine current vulnerabilities or automatically screening new potential vulnerabilities as additional client devices connect to a network.

One bank we service has over 25 million customers, which forces its network to contend dynamically with 200 million vulnerabilities at any given moment. No security team on the planet would be able to address so many vulnerabilities manually.

Think of automation as a tool that empowers your security teams, enabling them to address more issues in a shorter period of time, and as a means to free human resources to focus on tasks machines can’t yet perform.

Three steps to proactively manage your security posture and avoid breaches.

In summary, my best advice to any enterprise seeking to solve its security puzzle is to take these three measures:

  • Prioritize remediation based on modern cyber exposure analysis rather than traditional severity scoring.
  • Model your hybrid network to gain full visibility and context of your attack surface.
  • Use smart automation, where appropriate, to operate at scale.

At a time when multi-stage cyberattacks exploit real-world exposures rather than theoretical high-severity network issues, a security posture based on severity scoring is simply unwise. CISOs who shift to a holistic, proactive approach will have better visibility across their infrastructures, gain intelligence and insights around potential risk and compliance exposures and make more informed decisions on their future security strategy and programs.