Looking at Gartner’s top trend in Cybersecurity 2022 report, it is not surprising that the attack surface expansion is ranked as their highest priority. The ever-expanding digital footprint of modern organizations continually exposes software vulnerabilities and presents threat actors with an expanding attack surface. The larger the target, the harder it is to miss.
Meanwhile, many organizations continue to rely on traditional vulnerability management solutions, risk assessments, and a lengthy list of patches and security control changes that they must apply manually. The fact that this isn’t working is evidenced by statistics such as that nearly 70% of organizations remain vulnerable to WannaCry, and over 80% of organizations believe they are vulnerable to breaches due to misconfigurations.
This post explores how today’s threat landscape has evolved, putting unbearable pressure on security teams struggling with current vulnerability management practices. We then explore some best practices for vulnerability management and discuss how AI paired with human ingenuity can help modernize vulnerability management.
Why a New Approach to Vulnerability Management Is Needed
The amount of reported and exploitable vulnerabilities continues to increase. In Q1 2022, 8,000 new vulnerabilities were confirmed. Looking across all reported vulnerabilities in CVE Details, 11% have a critical score. Furthermore, Edgescan’s 2022 Vulnerability Statistics Report confirmed that one-in-ten vulnerabilities in internet-facing applications are considered a high or critical risk.
With many organizations today leveraging cloud services, there has also been a lot of focus by both the research community and threat actors on identifying cloud vulnerabilities. When examining all the reported vulnerabilities, it is clear that Microsoft products account for many of the reported vulnerabilities rated as critical. Many of these cloud vulnerabilities depend on the Cloud Service Provider (CSP) for resolution.
Looking across software and cloud vulnerabilities, it is clear that as an industry, we have a large attack surface, and therefore, in such a cybersecurity climate, it is not surprising that the threat landscape continues to evolve rapidly. According to IBM, the average breach lifecycle takes 287 days. Today, most malware is polymorphic, meaning its identifiable features constantly change to evade traditional defense mechanisms. Cybercriminals increasingly leverage “living off the land” (LotL) techniques that allow them to use the operating system’s or user’s binaries for malicious activities.
Furthermore, with many modern applications and cloud services not configured with security in mind, threat actors increasingly target service misconfigurations to break into an environment. In such a rapidly evolving threat landscape, many existing security tools and processes can no longer scale and provide sufficient coverage for an organization.
In light of the increase of discovered vulnerabilities, the evolving sophistication of the threat landscape, and the exponential growth of the digital estate, we require a new approach to how organizations manage vulnerability assessment and mitigation.
What’s Wrong With Vulnerability Management Today?
Historically, many organizations relied on traditional Threat and Vulnerability Management (TVM) solutions and professional services to perform in-time scans of an environment to identify possible vulnerabilities and misconfigurations, and then the security team would need to act on the often lengthy list of required mitigations manually. At least, this is the theory on how organizations should be handling vulnerabilities.
In practice, however, many of the identified required mitigations like pending operating system or application patches or adjustment of security controls would not be applied due to a lack of resources or complexity of the required change, and therefore a couple of months later, when the security team did another assessment, they would find similar remediation recommendations.
It is alarming that today many security consultants confirm that after six to twelve months, they could almost put up the same risk report when they visit the same organization for another risk assessment because the organization did not implement the required changes. This is not only shocking from a security perspective but also from a financial and risk perspective. Essentially, many organizations regularly pay for risk assessments, but their overall risk level isn’t improving.
With all that in mind, organizations are often barely able to focus on patching critical vulnerabilities in their operating systems and don’t have the resources to focus on anything beyond that, leaving a significant attack surface open for cybercriminals in their identity, application, and cloud infrastructure.
Looking at today’s challenges and limitations with vulnerability management programs, as defenders, we require a new approach to managing risks from vulnerabilities across our digital estate. An approach that allows human operators to focus and prioritize while Artificial Intelligence provides real-time asset discovery, vulnerability detection, risk assessment, and automatic remediation of cyber risks.
Vulnerability Management Best Practices
1. Conduct Real-Time Surface Discovery
Unmanaged assets like endpoints, mobile devices, IoT devices, and Software-as-a-Service (SaaS) applications are a significant risk to organizations. Research by DoControl identified that up to 40% of SaaS data access is unmanaged. As such, for an organization to identify its entire attack surface, it is paramount to start with being able to locate all its assets, to begin with. Simply speaking, you can’t protect what you don’t know exists. To aid this effort, modern vulnerability management solutions combine asset discovery capabilities by leveraging managed assets as beacons to discover unmanaged assets in an environment.
2. Use Continuous Vulnerability Assessment
With the sheer volume of vulnerabilities, the traditional approach of bringing in a 3rd-party consultant for a periodic risk assessment has become obsolete. Today, technology can be leveraged to perform continuous and real-time vulnerability detection and analysis. Modern vulnerability management solutions do that by leveraging cloud processing power and Artificial Intelligence (AI) to simulate often what traditional periodic and manual risk assessments would do in real-time. These solutions start with continuously scanning all assets based on vendor and industry best practices like CIS benchmarks. Essentially, the solution is validating the current state against configuration baselines and best practices.
3. Understand Your Risk and Exposure
Not all vulnerabilities are equally important. Let’s start by understanding the different types of vulnerabilities:
- Unpatched Software: Unpatched software, regardless of whether we talk about the operating system or user applications, is often the first thing that comes to mind when looking into vulnerability management. Cybercriminals can use these unpatched vulnerabilities to break into an environment or steal sensitive data.
- Weak Authorization: Cybercriminals leverage weak authorization protocols and weak password policies to brute force into an environment. That is why things like adopting modern authentication methods, Conditional Access, and Multi-Factor-Authentication (MFA) are critical.
- Misconfiguration: Regardless of whether we talk about the operating system, user applications, or cloud services, all can be exposed due to misconfigurations. The 2022 Cloud Security Report from Check Point confirms that 27% of organizations experienced a security incident in their public cloud infrastructure, while 23% of those were caused due to cloud misconfigurations.
- Zero-Day Vulnerabilities: A zero-day vulnerability is a vulnerability in a system that has been recently discovered, but the vendor is yet to provide mitigation for it. When new Zero-day vulnerabilities are discovered, we often see an increase in large-scale campaigns by threat actors. Examples are global campaigns like WannaCry, NotPetya, Kaseya, or SolarWinds.
Now that we understand what vulnerabilities are, let’s look into the difference between vulnerabilities versus exploits:
- Vulnerability: A vulnerability is an unexpected design flaw that, in theory, could be exploited.
- Exploit: An exploit is a series of activities someone performs that exploits a vulnerability to perform unwanted and unauthorized actions.
In the context of risk and exposure management, it is therefore essential to understand an organization’s vulnerability and how it can be exploited. This will help determine the priority on how fast an organization should respond to a newly discovered vulnerability in their environment. This is precisely why traditional vulnerability management solutions fail, as they often miss the link between the vulnerability and the exploit.
That is why modern vulnerability management solutions are converging into Extended Detection Response (XDR) platforms, as it allows the vendor to provide an organization with real-time risk and exposure assessments by correlating identified vulnerabilities with telemetry coming from their Identity Threat Detection Response (ITDR) and Endpoint Detection Response (EDR) capabilities.
4. Leverage Security Posture Management
Naturally, after identifying the risk and exposure to vulnerabilities, the next step is determining how an organization can reduce the exposed risk. In this case, organizations are essentially looking to understand how they can remediate the issue.
To achieve this, we need to correlate the confirmed issue and the current configuration state of the impacted asset. This will allow the organization to find the best path forward.
That is why modern vulnerability management solutions leverage security posture management capabilities. They will enable them to compare the current state versus best practices and provide the organization with descriptive remediation recommendations.
5. Adopt Automatic Work Prioritization
While the previous step is focused on automatically identifying the remediation requirements, the step of automatic work prioritization helps provide the bigger picture.
In the end, there will always be vulnerabilities, and there will always be things we need to do to reduce the attack surface; therefore, we need to prioritize the work by clearly understanding the exposed risk.
Technology can help to identify vulnerabilities, provide remediation recommendations, and to some extent, automatically prioritize work based on possible impact; however, security teams know their environment best and play a vital role in prioritizing required work based on their deep knowledge of their environment.
6. Use Pilot Groups To Test Remediation
One of the biggest challenges in vulnerability management is often remediation. The reason is that many recommended activities are supposed to target the entire digital estate directly, even though some of the remediation steps could fundamentally change their enterprise architecture. As such, organizations are often concerned about making these changes due to the fear of breaking existing functioning business processes and systems, possibly increasing help desk support volume. Therefore, it is recommended that for most vulnerabilities, the remediation activity is targeted first to defined pilot groups before rolling it out across the fleet.
7. Implement Automatic Remediation
Once the IT and security team is confident with the implemented remediation in a pilot group, it is time to roll out the remediation across the digital estate gradually. At this point, the risk of breaking functioning business processes and systems should be minimal.
Artificial Intelligence Paired With Human Ingenuity
We know from experience that there still exists a divide between AI and humans regarding decision-making. We should never expect AI to be intuitive, ethical, or strategic. These are areas where we inevitably still need humans in the loop. These are areas where human intellectual capital excels. We also must realize that we should never expect a human operator to be as efficient or effective at tasks such as hunting through large datasets looking for anomalies, summarizing billions of events to determine baseline trends, or testing what-if hypotheses. These are the realm where AI has a clear advantage.
AI brings the ability to gather and analyze large quantities of complex data. They can sift through oceans of information in a fraction of the time it would take a group of humans. That means the data is still timely when it is being analyzed, whereas if humans were doing it, an attack might be discovered weeks after it entered the organization. AI turns data from backward-looking into being the impetus for strategic decision-making and actionability.
Humans bring two special skills to the table. First, they can take the information machines put forward and apply intellect. They understand the context of multiple pieces of data threaded together and are much better at deciphering the subtle clues that unearth an attack.
Decision-making needs to coordinate between humans and AI, with the workload split adequately along these lines. Either side should be empowered to make decisions that affect users, devices, and applications in the real world while balancing the risks and rewards associated with each.
There will always be vulnerabilities, the threat landscape will continue to evolve, and the attack surface will continue to increase. As defenders, we are at a pivotal moment where we need to look into modernizing our approach to vulnerability management. The time of periodic, manual, and siloed risk assessments is no longer efficient nor scalable.
Just as we shifted from traditional signature-based security solutions to behavioral-based detection and response methodologies, so we need to modernize our approach to vulnerability management.