Cybersecurity has reached a major crossroads – and the paradigm for success has shifted. For years, the lack of control over and visibility into vulnerabilities within corporate environments was seen as one of the greatest security risks.
Today, with advancements in automation, security, and IT, teams find themselves struggling to stay afloat in a sea of vulnerability noise and benign alerts that pushes them to prioritize and fix everything at once. Because of the cross-team collaboration required, fixes have considerably lengthy timelines and often fail to yield high efficiency returns. Making matters worse, vulnerability management often does not encompass or address the full scope of modern threats such as misconfigurations, excessive permissions, and unsecured credentials.
And as companies try to deal with economic headwinds, staffing constraints, and increasingly persistent cyber attackers, security teams are expected to achieve more substantial results with fewer resources. Fixing every single vulnerability and exposure that arises is therefore not only unattainable, it also has minimal impact on security posture. As our recent research shows, 75% of exposures along attack paths lead to dead ends and do not put any critical assets at risk, meaning that teams spend valuable time addressing issues that have no real impact on security posture.
This has led many to revisit the conversation about efficiency and to work out where they can allocate resources to maximize security gains. That is where the concept of a “quick win” comes into play. Essentially, quick wins are security issues with a high return on investment that teams can solve with relatively little effort. A good example of a quick win is identifying and neutralizing a particular choke point or junction: a place that multiple attack paths pass through before reaching a critical asset. Addressing a relatively easy-to-remediate issue at such a point winds up having a major positive impact on security posture.
I like to think of choke points in terms of mapping out a road trip to a particular destination. While there are multiple routes to take, there’s often one common junction, whether an intersection or a roundabout, that many cars pass through on the way to the same destination. It’s the same with attack paths, the routes attackers take to reach critical assets: there’s almost always a common convergence point that attackers need to pass through to reach an organization’s critical assets.
For example, I often encounter situations where an individual user account poses a great risk to systems. In one case, an organization had a user account that created a serious risk to approximately 75% of its critical assets. The owner of this account was no longer employed at the organization. In this particular organization, former employees were kept in the system so that they could access an employee benefits program. When employees leave, IT of course removes the user’s access and group memberships, but in this case they failed to revoke the user’s permission to change groups. The simple move of revoking this old user’s access dramatically improved the organization’s security posture, and it’s the perfect example of a quick win.
While quick wins vary for every organization, depending on factors like company size and technology stack, mapping out the paths that attackers can take (attack graph mapping) can help identify the important vulnerable junctions on the way to critical assets. Start by identifying all exposures, and whether and how an attacker could exploit them, then build a map of all possible attack paths an attacker could take. Next, understand the weight, or importance, of each path. Determine this by looking at factors such as complexity, the number of hops it takes to reach an asset, and probability, the likelihood of an attacker using a given path to reach critical assets, among other factors.
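The attack graph mapping described above, as an added example that is not XM Cyber’s code or tooling: a small constructed attack graph is searched for every path from an entry point to a critical asset, each path is weighted by its hop count (the complexity factor), the junctions that many paths traverse are scored, and candidate fixes are ranked by risk removed per unit of remediation effort. The graph, its node names and the effort figures are all constructed for illustration; a stale account that kept the right to change groups plays the role of the choke point from the anecdote.

```python
from collections import defaultdict
# Constructed attack graph for this example; every node name is made up.
# An edge A -> B means some exposure lets an attacker who holds A reach B.
EDGES = {
    "phished_user": ["workstation_a", "workstation_b"],
    "exposed_vpn": ["workstation_b"],
    "workstation_a": ["stale_account"],
    "workstation_b": ["stale_account", "print_server"],
    "print_server": ["stale_account", "backup_share"],
    "stale_account": ["domain_admins"],  # ex-employee's account kept the right to change groups
    "domain_admins": ["finance_db", "hr_records"],
}
ENTRY_POINTS = ["phished_user", "exposed_vpn"]
CRITICAL_ASSETS = {"finance_db", "hr_records", "backup_share"}
# Constructed relative remediation effort (1 = trivial, such as disabling a single account).
EFFORT = {"stale_account": 1, "domain_admins": 5, "workstation_a": 4, "workstation_b": 4, "print_server": 3}

def attack_paths(edges, entries, critical):
    """Enumerate every simple path from an entry point to a critical asset (DFS)."""
    paths = []
    def walk(node, path):
        if node in critical:            # stop at the asset; a path does not continue past it
            paths.append(tuple(path))
            return
        for nxt in edges.get(node, []):
            if nxt not in path:         # simple paths only, so cycles terminate
                walk(nxt, path + [nxt])
    for entry in entries:
        walk(entry, [entry])
    return paths
def path_weight(path):
    return 1.0 / (len(path) - 1)        # complexity factor: more hops, lower weight
def choke_point_scores(paths):
    """Sum the weight of every path that traverses each intermediate node."""
    scores = defaultdict(float)
    for path in paths:
        for node in path[1:-1]:         # exclude the entry point and the asset itself
            scores[node] += path_weight(path)
    return dict(scores)
def quick_wins(edges, entries, critical, effort):
    """Rank fixes by share of total path weight removed per unit of remediation effort."""
    paths = attack_paths(edges, entries, critical)
    total = sum(path_weight(p) for p in paths)
    ranked = [(round(s / total / effort.get(n, 1), 3), n) for n, s in choke_point_scores(paths).items()]
    return sorted(ranked, reverse=True)
def assets_still_at_risk(edges, entries, critical, fixed_node):
    """Critical assets that remain reachable once one node has been neutralised."""
    pruned = {s: [d for d in ds if d != fixed_node] for s, ds in edges.items() if s != fixed_node}
    return {p[-1] for p in attack_paths(pruned, entries, critical)}
```

Disabling the stale account removes most of the weighted path volume for the least effort, while `assets_still_at_risk` shows the residual exposure (the backup share) that the fix does not cover.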
By prioritizing resources to fix these quick-win issues, organizations can reduce overall risk, lower the volume of attack paths, and enhance collaboration between security and non-security teams such as IT and DevOps. Instead of requiring them to fix vast volumes of exposures, a quick-wins methodology ensures that they spend their time remediating and patching the risks whose removal eliminates dozens of potential threats at once. And going back to the choke point example, by cutting off the possible attack paths the attacker could take, other exposures become less critical.
Ad hoc remediation simply no longer works when risk evolves faster than teams can put out fires. Instead of trying to fix everything and often ending up fixing nothing, teams can focus their efforts on identifying quick wins and fixing them. While it's not a bulletproof method, in times of economic uncertainty and talent shortages it can significantly improve efficiency and vastly reduce risk.
Shay Siksik, vice president, customer experience, XM Cyber