It’s becoming hard to manage vulnerabilities in a constantly evolving technological landscape. Vulnerabilities keep emerging and present different types of risks for organizations. In 2022, the number of Common Vulnerabilities and Exposures (CVEs) increased to 25,227. The most exploited vulnerabilities were (Atlassian), CVE-2022-30190 (Follina), CVE-2022-26134 CVE-2022-1040 (Sophos Firewall), CVE-2022-22954 (VMware), and CVE-2022-24521 (Windows).
Some of the conventional metrics such as CVSS score or a tally of vulnerabilities have proven to be inadequate in the effective management of vulnerabilities. These metrics lack business context, prioritization, and a good understanding of attackers’ opportunities. Indeed, vulnerabilities are only a small component of the attack surface that attackers can exploit.
Organizations have previously used manual methods to address identified security weaknesses. The legacy vulnerability management tools are designed to achieve compliance. However, an automated and comprehensive approach is required in a technological landscape that is changing rapidly. Modern tools experience challenges in aspects such as prioritization and limited resources in agile and dynamic cloud environments.
Modern vulnerability management brings together security tools such as threat intelligence, scanners, and remediation workflows for effective and efficient solutions.
Organizations are currently experiencing the following challenges:
- An expanding list of vulnerabilities
- Missing business context
- Inaccurate prioritization
- Misalignment of resources between IT and security teams
- A lack of coverage and a unified view of risk
Exposures have become broader and encompass more than mere vulnerabilities. The exposures are caused by different factors such as human error, lack of properly defined security controls, and unsecured architecture. Conventional security tools are designed to focus on specific types of exposures including vulnerabilities, identities, or misconfigurations, and how to address each in isolation.
Most security tools fail to consider how attackers are looking at systems and networks. Attackers will rarely look at a single exposure. Attackers leverage a toxic combination of misconfigurations, vulnerabilities, permissive identities, and other security gaps to enter systems and reach sensitive assets. These paths are referred to as attack paths and can remain undetected for weeks and months. As a result, attackers can cause significant and ongoing damage since they remain undetected inside networks.
The modern exposure management program must combine multiple exposures onto an attack graph to bring out the relationship and context of risks toward critical assets. With a better understanding, organizations can prioritize issues such as targeted remediation to reduce risks and make it as cost-efficient as possible.
Five key risk factors that security teams should consider include:
- Use of a threat-informed defensive strategy to quickly triage vulnerability remediations.
- Use of automation for patching.
- Remaining wary of externally facing systems that are prone to be exploited by initial access brokers.
- Regularly scanning web apps for vulnerabilities and configuration issues.
- Always understanding the shared responsibility concept of cloud storage and usage while following laid-down protocols to protect cloud workloads.
Security teams need to adopt a systematic approach to cutting through the noise and prioritizing fixing the most critical vulnerabilities. With the sheer number of vulnerabilities, it’s the only way to reduce risk and keep up with threat actors in rapidly evolving environments.
For remediation, it has been shown that attackers take slightly under 20 days to weaponize a vulnerability. On the other hand, defenders will take slightly more than 30 days to patch the vulnerability. On average, it leaves about 11 days exploitation period for attackers.
Building a modern exposure management program demands that organizations must recognize the evolution of threat actors and tactics used. It also calls for the establishment of an operational process that guarantees continuous security posture improvement and implementation of remediation planning, remediation review, risk mitigation, and mitigation verification.
Automation is the way to go since it allows organizations to eliminate manual and tedious tasks that hog time and effort that could otherwise be used to remediate vulnerabilities. Automation frees up defenders and other security staff to address the more pressing tasks.
Therefore, critical pillars in building a modern exposure management program include:
- Understanding exposure insights – allows for continuous identification and monitoring of potential risks to critical assets. The insights can be used to identify any gaps in security controls in compliance standards.
- Analyzing attack paths – helps in visualizing possible attack paths to critical assets.
- Prioritizing remediation efforts – the focus must be on critical issues and choke points that need immediate attention. The goal must be to reduce risk exposure in the most cost-efficient manner.
Through these critical pillars, organizations can move ahead to build a comprehensive and effective exposure management program that protects critical assets and minimizes overall exposure. Continuously analyzing and monitoring exposures help in building scalable and sustainable processes for the management of risk.
The activity of the initial access broker (IAB) is on the rise and calls for heightened attention. Two major routes are used either through the exploitation of perimeter devices of the target or leveraging valid credentials that are stolen or bought on the dark web. The IABs don’t utilize the acquired access which can be missed by defense teams. Their objective is to sell the obtained access for a flat rate or percentage of revenue collected.
In conclusion, organizations must move away from reactive security and adopt a more proactive strategy to reduce cyber exposure. It helps an organization to always stay prepared in anticipation of possible attacks and proactively reduce risk. The benefits of exposure management include comprehensive visibility, the anticipation of cyberattack consequences, prioritized actions, and institute effective communication with key stakeholders.
Author: Alessandro Civati
Email: author.ac@bitstone.net
Blockchain iD: https://lrx.is/S3Xh0lp9gd
