What struck you most when reading the report?
Rob Rosiello (RR): One thing that jumped out at me is how closely the statistics and trends identified by Skybox Research Lab align with what we hear directly from security professionals. I talk to CISOs and other security leaders at enterprises, governments, and major organizations around the world. They see the same things on the ground that our security analysts describe in the report: the crush of new vulnerabilities, the onslaught of new exploits and malware, the increasing sophistication of threat actors. All of these forces are reshaping and enlarging the threat landscape. Concurrently, security teams are coping with greater demands on their time, coupled with resource constraints and staffing shortages. Forward-looking organizations are rethinking their security approach and endeavoring to make the shift from a reactive to a proactive security posture.
The report highlights operational technology (OT) as a particular area of concern, with an 88% YoY increase in OT vulnerabilities. Is that something you’re hearing?
RR: Absolutely. OT security is a huge issue for our customers and cybersecurity professionals across both private and public sectors. Last week there was a warning issued by the US government about potential attacks against industrial facilities with a particular focus on liquified natural gas facilities, using Pipedream malware. This is a very targeted, sophisticated attack approach that would be disruptive on many levels – monetary, human safety, environmental impact – if executed. This is the reality that security professionals face today. OT systems greatly outnumber traditional IT assets, and that’s helping to drive a rapid expansion of the attack surface. Our threat intelligence team at Skybox Research Lab found that the number of new vulnerabilities in OT devices is through the roof, and that comes on top of a vast number of previously published and known vulnerabilities.
To make things worse, the security protections in many OT devices are rudimentary or outdated. And now those devices are increasingly exposed to cyberattacks due to IT/OT network convergence. That’s creating a massive amount of risk, and teams struggle to get their arms around the problem. Many organizations have trouble just keeping track of all their OT assets using traditional methods and tools, much less identifying key vulnerabilities and exposures and applying effective remediations. Further, operational technology is mission-critical in manufacturing, energy, and other businesses – and the inevitable push and pull between business execution and actual risk assessment is difficult at best. Silos and fragmentation are further complicating that effort. What’s really needed is an approach that provides complete visibility and context across the attack surface, including IT and OT as well as cloud and multi-cloud environments.
You mentioned that functional silos are an obstacle to effective vulnerability management. Can you explain further?
RR: Organizational fragmentation is a big part of the problem: between IT and OT, between network and security teams, between all of these and the cloud and apps teams. These functions often have a “natural tension” between them and aren’t talking and coordinating with each other in a holistic security posture. They often see each other as obstacles, as opposed to partners in one concerted effort. That undermines cooperation and opens up gaps, disconnects, and blind spots in the security posture. Those rifts are areas for exploit – threat actors are aware of the fault lines and take advantage of them to attack the weak spots. For example, one of our major financial customers told me about a 30-year-old application that was still in operation in some corner of their organization. Not only was the app still “alive,” but access to it was open via external networks. The apps team swore they’d decommissioned it, but there it was, still exposed and highly vulnerable. What’s needed is a solution that visualizes and models the entire attack surface – organizational silos notwithstanding – and employs attack simulation and exposure analysis to identify all the threat vectors and risks.
It’s not just the threat vectors that have become more numerous and dangerous; so have the threat actors. In what ways do you see them evolving?
RR: Threat actors have seriously upped their game, and that comes through loud and clear in the report. They’re more numerous, serious, sophisticated, and organized. The early days of recreational hacking just for the fun of it have given way to an era of professional cybercriminals. Whether the motivation is monetary (as with ransomware and other forms of extortion), or competitive (industrial espionage, IP theft), or geopolitical (attacking domestic or foreign adversaries), today’s threat actors have clear objectives. The bad guys include a growing number of nation-state actors and organized syndicates who are backed by a large and growing marketplace of providers and tools. Those tools include a widening array of malware and malware-as-a-service targeted at popular forms of cybercrime like cryptojacking and ransomware. As detailed in the report, the number of cryptojacking and ransomware programs increased 75% and 42% YoY, respectively.
What can security teams do to counter these increased threats?
RR: Advanced risk scoring, precise prioritization, exposure analysis, and guided remediation are absolutely essential. The sheer number of vulnerabilities, threats, and threat vectors is overwhelming for already-strapped security teams. Awareness without context becomes noise in the ether, and is just one reason why many vulnerabilities live on for inordinate amounts of time. Scanning and patching all vulnerabilities isn’t possible or cost-effective. Security teams need a way to quickly identify and focus on the biggest risks, and traditional tools don’t provide a way to do that. As one customer told me, with conventional vulnerability management solutions, “everything’s a 5” – in other words, everything’s a top priority, which is the same as saying nothing is.
Here’s a concrete example: Imagine you’re a large oil company that runs everything from drilling rigs to refineries to gas stations. Conventional security solutions might indicate that you have tens of thousands of vulnerabilities in inventory and point-of-sale systems at your many gas stations, and relatively few vulnerabilities in your much smaller number of drilling rigs and refineries. And yet, though fewer in number, those latter vulnerabilities pose a much bigger risk – because they’re more exposed to attack and because of the impacts they could have if exploited (which include fuel supply disruptions, environmental harm, and threats to human safety in addition to significant loss of revenues for the company). Traditional solutions wouldn’t tell you that – they’d just bombard you with vulnerability reports without guiding you where and how to focus your remediation efforts. They might even mislead you by emphasizing only the severity of the vulnerabilities as defined by CVSS. That’s why more accurate risk scoring methodologies factor in asset importance, business impacts, and exposure.. The same goes for automated remediation solutions that help you quickly identify and apply practical measures to reduce risks.
While the trends identified in the report are worrisome, if not downright alarming, is there any encouraging news for security leaders?
RR: Yes. The report makes it clear that there is a path forward. The trends may look daunting, but fortunately there’s an answer – a way to turn vulnerability management into a holistic, pragmatic, efficient, reliable, and (most of all) proactive process. You can get a comprehensive view of your attack surface across all environments. You can identify the risks that matter most. You can apply automation to ensure timely remediation. You can get ahead of the threats and threat actors and move from “detect-and-respond” to “prioritize-and-prevent.” And you can do all this cost-effectively, within the framework of real-world budget and staffing constraints. Skybox can work with you on this journey and meet you where you are in your maturity model to achieve that transformation, while fully leveraging your existing resources and capabilities.