Managing cybersecurity for an organization today requires a lot of skill and patience. It’s not a job for the faint of heart. A single vulnerability can result in the theft of everything the enterprise truly values. At the same time, the number of potential adversaries the company faces outnumbers its own team by orders of magnitude. And the hackers are not constrained by the forces that limit most security teams: Time, money, and fatigue.
Even worse, attackers have the advantage. Like the white side in a game of chess, the attackers move first – and too many defenders are willing to accept a reactive posture.
This often results with a vulnerability management (VM) team that’s overwhelmed and demoralized by the need to play catch-up with a ceaseless flood of vulnerabilities. It's simply impossible to patch everything that needs patching. And it’s a state of affairs that may persist indefinitely.
But we’re not here to harp on the problem – we want to propose a solution: Using security intelligence to enable risk-prioritized vulnerability management.
Prioritize through a risk and security intelligence lens
On the battlefield medics are often overrun and overstretched -- and unlike VM teams, they have to do their job under fire. Yet both parties have some similarities in terms of how they operate.
A combat medic or military surgeon may suddenly have more injured soldiers than he or she can treat. Medical people will triage: Allocating treatment in a way designed to maximize the number of survivors. Soldiers who are seriously injured -- but not critically wounded -- may have to wait for treatment, while those in worse shape are prioritized.
VM teams are continually bombarded by new alerts, many of the high or critical variety. Yet unlike in medicine – where critical means critical – not every severe vulnerability should get prioritized in the same way. Sometimes a severe vulnerability poses no real risk to the most important, sensitive systems and assets. If security teams follow a vulnerability management strategy rooted in CVSS scoring without any regard for critical risk context, they often end up having the team devote precious hours toward patching security gaps that pose almost no real risk. In medical terms, the team does the equivalent of sending a soldier with a hangnail to the front of the triage line.
That's obviously a situation that everyone wants to avoid. Fortunately, there’s a straightforward answer to the problem: Apply real-time threat intelligence and attack-centric risk context to ensure the team prioritizes protection of the company’s crown jewels.
How to ensure optimal prioritization
Start with a better understanding of threat intelligence. While the number of breaches and threats continues to surge each year, malicious actors are leveraging the same relatively small set of vulnerabilities. They are also moving faster. Gartner has found that the time span between the identification of a vulnerability and the appearance of an exploit has shrunk from 45 to just 15 days over the last decade. However, research also shows vulnerabilities that have not been exploited after three months likely won’t get attacked.
Understanding the broad strokes of the threat landscape can help teams begin prioritizing according to risk. It's critical to focus on exposures that are exploitable, and that pose the greatest risk to sensitive systems and assets. Assessing internal vulnerability scanning data with external intelligence -- and gaining a grasp of which vulnerabilities hackers are targeting and why -- can also offer much needed context.
VM teams need better software tools
Security teams need to consign the scan-and-patch approach to vulnerability management to the trash heap of information security history. Instead, we need tools that focus on the continuous identification, assessment, reporting and remediation of security gaps using critical risk context.
Organizations need to know more than the severity of a vulnerability. They need to know its relationship to critical assets and how that vulnerability can potentially get exploited. They need visibility into the most likely attack paths and tactics through which the attackers will target. They need to know the likely consequences of a successful exploit. They need a process for accomplishing this that’s automated and continuous – one that begins to even the deeply slanted playing field on which defenders and attackers are perched.
Such characteristics are found only in attack-centric exposure prioritization platforms that offer deep threat intelligence and precision-targeted prioritization of the vulnerabilities that pose the greatest risk to crown jewels.
Tools such as these let VM teams focus on the 1 percent of exposures that are exploitable. By doing this, they eliminate 99 percent of the risk to business-sensitive systems – and no longer have to worry about wasting inordinate resources on patching vulnerabilities that pose no real problem.
Risk-prioritized vulnerability management isn’t a luxury. Security team should make it an absolute imperative for all organizations. Without risk context, VM teams are fighting this battle with one hand tied behind their backs – and are often focused on the wrong foe. Deploy the right attack-centric exposure prioritization tools, and the security team will find itself in a far better position to defend in an intelligent and successful manner.
Gus Evangelakos, director, field engineering, XM Cyber