In June 2023, the Skybox Vulnerability and Threat Trends Report noted that by the end of 2022 the total number of vulnerabilities cataloged in the National Vulnerability Database (NVD) had reached 192,051, and that the count looked set to top 200,000 unique Common Vulnerabilities and Exposures (CVEs) within weeks. New vulnerabilities are soaring. The NVD added 25,096 new vulnerabilities in 2022, the largest number ever published in a single year and a 25% jump from the 20,196 new vulnerabilities reported in 2021. Vulnerabilities aren’t just rising; they’re rising faster.
An increase in vulnerabilities is an inevitable consequence of increased digitization. The more organizations embrace digital transformation, the more technology they deploy, and the larger their attack surface becomes. Accelerating digital transformation and cloud migration (driven in part by the COVID-19 pandemic and the shift to remote work), rushed development schedules, inadequate validation, and greater software complexity all create more opportunities for error and more security gaps for attackers to try to exploit.
The traditional response from hard-pressed security teams is to run scheduled vulnerability scans to identify the vulnerabilities, a practice that frequently leaves them drowning in data. In the case of one large organization with 30,000 assets, the scans revealed 1.5 million vulnerability occurrences.
All data, no insight
In many large organizations, scans routinely reveal huge numbers of vulnerabilities. At best, the response is to focus on those with the highest CVSS severity rating, leaving vast numbers of vulnerabilities un-investigated and ignoring how important a given vulnerability on a specific asset actually is to the business. The next time the scheduled scans run, the sequence repeats.
It’s an understandable response. We no longer live in a “fix everything” era. There’s simply too much to fix. But with cyber security now a board-level concern, it’s not enough to rely on reactive scan and patch cycles that were first pioneered in the last century. Organizations need procedures and practices to move beyond the reactive, taking a more proactive approach to manage their exposure to cyber risk.
Continuously manage exposure
An over-reliance on vulnerability scanning creates other problems. While vulnerability scanners are effective at identifying software deficiencies, running them can be highly disruptive. The scans often consume valuable bandwidth and machine resources on the systems being scanned, resulting in disruption to critical processes. In some cases, this can even mean that key systems have to be taken offline for the duration of the scan.
As a result, it’s not uncommon to see scanning cycles confined to relatively infrequent intervals, partly to minimize disruption and partly because of the sheer volume of data generated. This doesn’t help when a new vulnerability is suddenly announced: there is a gap before the scanners run again, the vulnerability is detected, and the affected asset is included in the next patching cycle.
With a continuous threat exposure management program, you augment periodic scanning cycles with intelligence derived from an understanding of the attackable assets in the estate and informed by threat feeds. Using this type of practice, it is possible to check far more frequently on the presence of new vulnerabilities, filling the gap between scheduled scans and doing so without unnecessarily disrupting the business.
Prioritize the exposures that matter
One of the key challenges for any security team is identifying which exposures present the greatest risk to the business. In response, most organizations examine the output from scans and focus their efforts on the vulnerabilities with the highest CVSS severity rating. But given the volume of data generated by the scans, this is something of a blunt instrument.
By contrast, one of the cornerstones of a continuous threat exposure management program is that activities are prioritized with greater precision. Examining each exposure in terms of severity, asset importance, exploitability by attackers in the wild, and exposure to attack (whether an attacker can actually reach the asset) helps the team separate the exposures that must be dealt with urgently from those that can be deferred, perhaps until the next patching cycle.
Overall visibility of the attack surface and careful prioritization also make it possible to consider a range of alternative mitigations, such as network segmentation, IPS signatures, or firewall rule changes, for situations where patching is not immediately possible.
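The prioritization described above, worked through as an added example (not code from the post or from Skybox): a composite score that weighs CVSS severity by asset importance, in-the-wild exploitation, and reachability, compared with ranking by CVSS score alone, plus the patch-versus-mitigate decision for exposures that cannot wait. The asset records, weights, and CVE-style identifiers are constructed placeholders.

```python
# Added example, not from the original post. Composite exposure scoring that
# combines the four prioritization factors and compares the resulting order
# with a CVSS-only ranking. All records and weights below are constructed.
from dataclasses import dataclass


@dataclass
class Exposure:
    cve: str                  # placeholder identifier, not a real CVE
    asset: str
    cvss: float               # CVSS base score, 0.0 to 10.0
    asset_importance: float   # business criticality of the asset, 0.0 to 1.0
    exploited_in_wild: bool   # active exploitation reported by a threat feed
    reachable: bool           # an attacker-reachable network path exists
    patch_available: bool


# Constructed sample inventory: high CVSS on isolated hosts, lower CVSS on
# exposed, business-critical ones.
SAMPLE = [
    Exposure("CVE-0000-0001", "internet-facing web server", 7.5, 0.9, True, True, True),
    Exposure("CVE-0000-0002", "isolated lab workstation", 9.8, 0.2, False, False, True),
    Exposure("CVE-0000-0003", "payment database", 6.5, 1.0, True, True, False),
    Exposure("CVE-0000-0004", "developer VM", 9.1, 0.3, False, True, True),
]


def risk_score(e: Exposure) -> float:
    """Severity scaled by asset importance, boosted for active exploitation
    and heavily discounted when the asset is not reachable (assumed weights)."""
    score = e.cvss / 10.0 * e.asset_importance
    if e.exploited_in_wild:
        score *= 2.0
    if not e.reachable:
        score *= 0.25
    return round(score, 3)


def recommend(e: Exposure) -> str:
    """Urgent only when the asset is reachable and exploitation is active;
    fall back to a compensating control when no patch exists."""
    if e.exploited_in_wild and e.reachable:
        return "patch now" if e.patch_available else "mitigate now (segmentation / IPS / firewall)"
    return "next patching cycle"


def rank_by_cvss(exposures):
    return [e.cve for e in sorted(exposures, key=lambda e: e.cvss, reverse=True)]


def rank_by_risk(exposures):
    return [e.cve for e in sorted(exposures, key=risk_score, reverse=True)]


if __name__ == "__main__":
    for e in sorted(SAMPLE, key=risk_score, reverse=True):
        print(f"{e.cve} {e.asset:27} cvss={e.cvss:4} risk={risk_score(e):.3f} -> {recommend(e)}")
```

Running it shows the two highest-CVSS items dropping to the bottom of the list while the two actively exploited, reachable exposures move to the top, with the unpatchable database flagged for mitigation rather than deferral.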
By adopting a continuous threat exposure management program, organizations can move beyond scan and patch and take a more holistic view of their attack surface and the exposures they face, freeing up resources and allowing security teams to concentrate on the threats that matter to the business.