Today’s security teams are witnessing a rising number of vulnerabilities, and to make matters worse, the majority of them are going unpatched — leading to critical breaches that cost organizations millions.
Unpatched vulnerabilities account for 60% of all data breaches, and according to the NIST National Vulnerability Database, vulnerability counts have steadily increased year-over-year for the past five years — showing no signs of slowing down.
The main reason for this steady rise is that organizations do not understand the basics of their attack surface. Additionally, too much of the burden has been put on CISOs. This pressure, in combination with the ongoing talent shortage facing the cybersecurity industry, has driven CISOs to say: “I’ll manage the fires when they come up. I can’t do anything to prevent them now.” However, with proper guidance and resources, that statement is simply untrue.
With vulnerability prioritization, organizations can take back control of their environments and address the most important – and most urgent – undetected and unpatched vulnerabilities. But how do security teams get started in addressing this ongoing roadblock and prioritizing potential threats, even in the midst of the talent gap? It begins with three basic concepts:
Understand the organization’s ground zero
When talking about vulnerability prioritization, security teams should focus on the most important entry points into their organization’s IT estate. Once those are identified, security leaders can work backward to better protect the organization as a whole. But, for an organization to do that effectively, it must understand its attack surface and asset map, including all assets and possible exposure points.
These ground-level basics may seem obvious, but 80% of organizations don’t have standard security hygiene. In today's ever-changing threat landscape, establishing a hygiene routine that teams can keep up with has become more important than ever. There's a talent shortage, and some organizations don't have the right tools, but by focusing on the basics, by the time security teams analyze and prioritize vulnerabilities and associated risks, they’ll have already solved over three-fourths of the security problems they face today.
Establish a vulnerability management system specific to the company
Once an organization understands its assets, how they are deployed, and who has access to them, security teams can better control them. Vulnerability management is very specific to each organization; it offers a framework for teams to assess risk. No two organizations and their assets are the same, so the team needs to configure and customize a vulnerability management system accordingly.
By establishing this methodology early on, organizations can gain better insights into their IT environment and get alerts in real-time about threats and security weaknesses — allowing for better prioritization of the threats that will most likely impact the business.
Conduct a vulnerability risk assessment
Effective vulnerability risk assessments come down to continuous testing and determining a metric for prioritization. Teams cannot fix every single vulnerability they discover. So, they must focus on which vulnerabilities pose the greatest risk if exploited based on where they exist, the business priorities, the odds of exploitation, and the threat landscape.
Metrics for a risk assessment can mean establishing security best practices and guardrails after penetration tests, including ensuring identified vulnerabilities are reviewed to determine their root cause so that similar issues do not recur. Document all remediations and ensure security awareness becomes a priority after testing, which can include implementing security guardrails to avoid known vulnerabilities within a system. With a proper metrics system and risk assessments, security teams will know when to escalate a potential vulnerability and increase the likelihood of timely remediation.
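The prioritization metric described above combines where a vulnerability exists, how critical the affected asset is to the business, and the odds of exploitation. The following is an added illustration of one such metric, not code from NetSPI or the author: it scores a set of constructed findings (the asset names, identifiers, CVSS values and exploitation probabilities are all made up for the example), ranks them, and flags the ones that cross an escalation threshold. The weights and the threshold are assumptions a team would tune to its own environment.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    """One scanner or pentest finding, enriched with business context."""
    finding_id: str            # constructed identifier, not a real CVE or ticket
    asset: str                 # constructed asset name
    cvss_base: float           # 0.0-10.0 technical severity from the scanner
    asset_criticality: int     # 1 (lab box) .. 5 (revenue-critical), set by the business
    internet_exposed: bool     # reachable from outside the perimeter
    exploit_probability: float # 0.0-1.0 odds of exploitation (EPSS-style or threat-intel estimate)


def priority_score(f: Finding) -> float:
    """Combine severity, asset criticality, exposure and likelihood into a 0-100 score.

    The model is multiplicative on purpose: a critical CVSS on a low-value,
    internal-only host should not outrank a medium CVSS on an exposed,
    revenue-critical one. Factor weights are assumptions for the example.
    """
    severity = f.cvss_base / 10.0
    criticality = f.asset_criticality / 5.0
    exposure = 1.0 if f.internet_exposed else 0.4   # internal-only gets a 60% discount
    likelihood = max(f.exploit_probability, 0.05)   # floor: never treat a flaw as unexploitable
    return round(100 * severity * criticality * exposure * likelihood, 1)


def rank_findings(findings: list[Finding]) -> list[tuple[Finding, float]]:
    """Return (finding, score) pairs, highest priority first."""
    scored = [(f, priority_score(f)) for f in findings]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def needs_escalation(f: Finding, threshold: float = 20.0) -> bool:
    """Escalation rule: anything at or above the threshold is raised immediately."""
    return priority_score(f) >= threshold


def sample_findings() -> list[Finding]:
    """Constructed sample data; none of these refer to real systems or CVEs."""
    return [
        Finding("F-001", "payments-api",    9.8, 5, True,  0.90),
        Finding("F-002", "internal-wiki",   9.8, 2, False, 0.90),
        Finding("F-003", "build-server",    6.5, 4, False, 0.02),
        Finding("F-004", "customer-portal", 7.5, 5, True,  0.30),
    ]


if __name__ == "__main__":
    for finding, score in rank_findings(sample_findings()):
        flag = "ESCALATE" if needs_escalation(finding) else "queue"
        print(f"{finding.finding_id} {finding.asset:16} cvss={finding.cvss_base:4} "
              f"score={score:5} {flag}")
```

Note the ordering the model produces: the two findings with an identical CVSS 9.8 end up far apart, because one sits on an internet-facing, business-critical asset and the other on an internal, low-value host, while a 7.5 on the exposed customer portal outranks the internal 9.8. That is the difference between a raw severity feed and a prioritization metric.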
Vulnerability prioritization has become a must. If too many teams lack prioritization, the security industry will fall short. By understanding the entire attack surface, establishing a sound vulnerability management system, and evaluating risk prioritization sooner rather than later, security teams can prioritize remediation of the issues that matter most to the business.
Vinay Anand, chief product officer, NetSPI