By Lisa Xu [Lisa Xu is CEO of the risk-based vulnerability management platform NopSec]
To better understand how organizations approach vulnerability management, oversee their attack surface, and control risk, NopSec surveyed 426 security professionals with questions designed to illuminate and quantify their day-to-day challenges, frustrations, and priorities. From the results of this survey, security and business leaders can gain valuable insights to help them build the best possible risk-based vulnerability management (VM) program.
Here are some of the key insights we uncovered in our “The State of Vulnerability Management” report that can help security teams gain even more insight into vulnerability management best practices.
Risk-based prioritization is vital.
The volume of vulnerabilities today is too great for organizations to take a “shotgun” approach and try to patch everything at once. Effective and robust security takes careful planning, and each situation is unique depending on the digital assets of the organization. Businesses need to apply threat intelligence to ascertain which vulnerabilities pose the greatest threat to their organization, even among known critical vulnerabilities.
Jen Easterly, CISA director, recently addressed the need for businesses to prioritize and remediate known vulnerabilities while speaking at a House Homeland Security Committee hearing. She said the mandate for federal agencies to remediate “fundamentally changes” how the federal government manages cybersecurity flaws, emphasizing that it is not only government organizations that need to get on board.
“We strongly recommend every network defender view the known vulnerabilities posted at CISA.gov and prioritize urgent remediation,” Easterly said. While Easterly urges businesses to prioritize remediation efforts, how that should be done is left to each company.
Because the same vulnerability can represent a greater or lesser risk even from one organization to another, the future of vulnerability management is risk-based. The simple reality is that not all exposures are created equal.
The only way cybersecurity defenders can ever hope to transition from a reactive approach to vulnerability management to a proactive one is to adopt a risk-based VM program.
The status quo is not cutting it.
Today, designing and executing a risk-based vulnerability management program is mission-critical. It may be your only hope to keep up with the exponential rise in threats and increased complexity of attack vectors.
Our survey clarified that enterprises don’t move as fast as the available technology. How security teams do things today will not be sufficient to defend against tomorrow’s challenges. Preparing for an uncertain future requires leadership with foresight today.
By their answers, many of the respondents signaled that they were drowning under a tsunami of vulnerabilities without a practical, structured way to manage them. Yet those respondents experiencing success are doing so because they have learned to prioritize vulnerabilities according to the risk they pose to their organization.
Attack surfaces are more complex than ever before.
Today, varying combinations of IT infrastructures—On-Prem, Cloud, and Hybrid—bring their own brand of vulnerabilities and threats. Only a risk-based approach can make sense of these diverse environments and provide a precise remediation path forward.
Growing, decentralized, harder-to-account-for attack surfaces prove the validity of the adage, “You cannot protect what you don’t know about.” To understand and manage their attack surface, organizations need a tool that takes inventory of all the various kinds of assets in their environment and routinely seeks to discover new ones.
Teams are experiencing a flood of vulnerabilities with no signs of relief.
Verizon’s 2022 Data Breach Investigations Report (DBIR) found that the year-over-year jump in ransomware attacks is greater than the past five years combined. The report states that ransomware’s involvement in data breaches rose by 13% over the course of the past year.
Commenting on the role vulnerability remediation has in reducing ransomware, the EC-Council’s CISO Mag states, “The recent spate of ransomware attacks could have been avoided. If the concerned organizations had remediated vulnerabilities that are associated with ransomware, they could have shrunk their attack surface.”
Many of the survey’s respondents are experiencing a vulnerability overload where CVEs alone don’t provide all of the prioritization context needed to take meaningful remediation actions. For many companies, promptly addressing all known vulnerabilities is not an option. Only a risk-based prioritization scheme will enable them to maximize the effectiveness of the vulnerability management resources available to them.
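To make the difference between CVSS-only triage and risk-based prioritization concrete, here is an added example (not NopSec’s code and not from the report) that scores constructed scanner findings by combining the CVE’s CVSS base score with threat-intelligence context (exploitation observed in the wild, public exploit available) and the asset’s business criticality and exposure. The CVE identifiers, assets, weights and tier thresholds are all constructed assumptions; a real program would tune them to its own environment.

```python
"""Risk-based prioritization of scanner findings (added example, constructed data)."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int       # 1 (low) .. 5 (crown jewel), from the asset inventory
    internet_facing: bool  # exposure, from attack surface discovery


@dataclass(frozen=True)
class Finding:
    cve: str                 # constructed placeholder identifiers below
    cvss: float              # CVSS base score, 0.0 .. 10.0
    asset: Asset
    exploited_in_wild: bool  # flagged by a known-exploited feed (assumed TI input)
    exploit_public: bool     # public exploit code reported by a TI feed (assumed)


def risk_score(f: Finding) -> float:
    """Return a 0..100 risk score; higher means remediate first."""
    # Severity alone is capped at 40 points: CVSS is context-free by design.
    score = f.cvss * 4.0
    # Threat intelligence: active exploitation dominates, public exploit is next.
    if f.exploited_in_wild:
        score += 30.0
    elif f.exploit_public:
        score += 15.0
    # Asset context: criticality contributes up to 20, internet exposure adds 10.
    score += f.asset.criticality * 4.0
    if f.asset.internet_facing:
        score += 10.0
    return round(min(score, 100.0), 1)


def tier(score: float) -> str:
    """Map a risk score to a remediation priority tier (constructed thresholds)."""
    if score >= 75.0:
        return "P1"
    if score >= 50.0:
        return "P2"
    if score >= 25.0:
        return "P3"
    return "P4"


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Order findings by descending risk score; ties broken deterministically."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.asset.name, f.cve))


def cvss_only(findings: List[Finding]) -> List[Finding]:
    """The 'patch the highest CVSS first' ordering, for comparison."""
    return sorted(findings, key=lambda f: (-f.cvss, f.asset.name, f.cve))


# Constructed sample inventory and findings (not real CVEs or systems).
DEV_TEST = Asset("dev-test-01", criticality=1, internet_facing=False)
PAYMENTS = Asset("payments-api", criticality=5, internet_facing=True)
HR_PORTAL = Asset("hr-portal", criticality=3, internet_facing=True)
WIKI = Asset("internal-wiki", criticality=2, internet_facing=False)

SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", 9.8, DEV_TEST, exploited_in_wild=False, exploit_public=False),
    Finding("CVE-0000-0002", 7.5, PAYMENTS, exploited_in_wild=True, exploit_public=True),
    Finding("CVE-0000-0003", 6.1, HR_PORTAL, exploited_in_wild=False, exploit_public=True),
    Finding("CVE-0000-0004", 9.1, WIKI, exploited_in_wild=False, exploit_public=True),
]


if __name__ == "__main__":
    print("CVSS-only order :", [f.cve for f in cvss_only(SAMPLE_FINDINGS)])
    print("Risk-based order:")
    for f in prioritize(SAMPLE_FINDINGS):
        s = risk_score(f)
        print(f"  {tier(s)} {s:5.1f}  {f.cve}  {f.asset.name}")
```

Run as a script, the CVSS-only ordering puts the 9.8 on the isolated dev box first, while the risk-based ordering moves the actively exploited 7.5 on the internet-facing payments service to P1 and drops the dev box to P3. That gap is exactly the context the paragraph above says a bare CVE list lacks.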
Sophisticated attacks require sophisticated solutions.
Organizations must move from being reactive to being proactive. The way to do this is by taking an offensive approach to security. An offensive approach requires a completely different mindset from the security practitioners of yesteryear.
Vulnerability management is not performed effectively by a single piece of technology. Sophisticated protection that meets modern security challenges must aggregate inputs from scanners, threat intelligence feeds, an EDR solution, attack surface management (ASM), and breach and attack simulation (BAS) technology.
A successful risk-based VM program uses technologies that integrate well together. The more data you can feed into one centralized platform, the better. When you avoid working in separate systems, it simplifies the workflow of security teams, saving time and energy.
The security practitioner’s job doesn’t end with prioritizing vulnerabilities. A vulnerability is still a threat and increases the organization’s risk until it is remediated and mitigated. That’s why a risk-based VM solution can bridge the gap between security teams and ITOps.
Security best practices dictate that your VM platform be integrated with your ITOps team’s information technology service management (ITSM) solution. Mutually accountable SLAs for both the security team and the ITOps team will ensure everyone knows what is expected and what success or failure looks like. This is the best way to address tomorrow’s cybersecurity challenges.
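As an added illustration of what “mutually accountable SLAs” can look like once VM findings flow into ITSM tickets (this is example code, not NopSec’s product or anything from the report), the block below maps a ticket’s priority tier to an agreed remediation window, derives the due date from when the ticket was opened, and classifies each ticket as met, breached, overdue, at risk or open as of a given reporting date. The SLA table, the ticket records and the reporting date are constructed values; the tier names follow the P1..P4 convention used informally above and are an assumption.

```python
"""Remediation SLA tracking for VM tickets handed to ITOps (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed SLA policy: calendar days allowed per priority tier.
SLA_DAYS: Dict[str, int] = {"P1": 7, "P2": 30, "P3": 90, "P4": 180}


@dataclass(frozen=True)
class Ticket:
    ticket_id: str           # constructed ITSM ticket reference
    cve: str                 # constructed placeholder CVE identifier
    tier: str                # P1..P4 from the risk-based prioritization step
    opened: date             # when security handed the finding to ITOps
    closed: Optional[date] = None  # None while remediation is still open


def due_date(t: Ticket) -> date:
    """The date by which the agreed SLA says the ticket must be closed."""
    return t.opened + timedelta(days=SLA_DAYS[t.tier])


def status(t: Ticket, today: date) -> str:
    """Classify a ticket against its SLA as of `today`.

    met      closed on or before the due date
    breached closed after the due date
    overdue  still open and past the due date
    at_risk  still open with <= 20% of the SLA window remaining
    open     still open with comfortable time left
    """
    due = due_date(t)
    if t.closed is not None:
        return "met" if t.closed <= due else "breached"
    if today > due:
        return "overdue"
    remaining = (due - today).days
    warn_window = max(1, SLA_DAYS[t.tier] // 5)  # last 20% of the window
    return "at_risk" if remaining <= warn_window else "open"


def sla_report(tickets: List[Ticket], today: date) -> Dict[str, int]:
    """Count tickets per SLA status; both teams see the same numbers."""
    summary = {"met": 0, "breached": 0, "overdue": 0, "at_risk": 0, "open": 0}
    for t in tickets:
        summary[status(t, today)] += 1
    return summary


def needs_escalation(tickets: List[Ticket], today: date) -> List[str]:
    """Ticket ids that are overdue or at risk, sorted by how close/late they are."""
    hot = [t for t in tickets if status(t, today) in ("overdue", "at_risk")]
    return [t.ticket_id for t in sorted(hot, key=due_date)]


# Constructed sample tickets and reporting date.
REPORT_DATE = date(2022, 7, 1)
SAMPLE_TICKETS = [
    Ticket("CHG-1001", "CVE-0000-0002", "P1", date(2022, 6, 20), closed=date(2022, 6, 25)),
    Ticket("CHG-1002", "CVE-0000-0005", "P1", date(2022, 6, 20)),
    Ticket("CHG-1003", "CVE-0000-0003", "P2", date(2022, 6, 5)),
    Ticket("CHG-1004", "CVE-0000-0001", "P3", date(2022, 5, 1)),
    Ticket("CHG-1005", "CVE-0000-0004", "P2", date(2022, 5, 1), closed=date(2022, 6, 15)),
]


if __name__ == "__main__":
    for t in SAMPLE_TICKETS:
        print(f"{t.ticket_id} {t.tier} due {due_date(t)} -> {status(t, REPORT_DATE)}")
    print("summary   :", sla_report(SAMPLE_TICKETS, REPORT_DATE))
    print("escalate  :", needs_escalation(SAMPLE_TICKETS, REPORT_DATE))
```

The split between “overdue” (ITOps has missed the window) and “at_risk” (the window is about to close) is what lets both teams act before an SLA is breached rather than argue about it afterwards; breached-versus-met counts on closed tickets are the historical record the paragraph above describes as knowing what success or failure looks like.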