This week we released our annual Vulnerability and Threat Trends Report and want to share some insights. The report, which uncovers increased vulnerabilities and evolving threats, underscores the need for organizations to adopt an exposure management program to accurately identify and prioritize the most pressing business risks to get ahead of the adversary.
2023 Vulnerability and threat trends report underscores the urgent need for continuous exposure management
192,051 cumulative vulnerabilities in 2022
First off, let’s talk about vulnerabilities. In 2022, the National Vulnerability Database (NVD) added a whopping 25,096 new vulnerabilities. That’s a record-breaking number of vulnerabilities published in a single year! And it’s not just the quantity of vulnerabilities that’s concerning – it’s also the quality.
In fact, the Skybox Research Lab found that 80% of vulnerabilities reported in 2022 were either medium or high severity. Only 16% were deemed critical, but that’s hardly reassuring as severity does not equal risk. Many threat actors specifically target less severe weaknesses, exploiting these vulnerabilities to gain access to a system and move laterally to escalate attacks.
Threat actors are becoming more sophisticated and organized, backed by large crime rings and nation-states. They’re using advanced tools and tactics like backdoor malware and advanced persistent threat (APT) attacks to target sensitive assets and inflict more damage.
So, what can we do about it? Well, traditional reactive approaches to cybersecurity just aren’t cutting it anymore. Waiting until vulnerabilities are reported and then scrambling to scan and patch every instance grows more outmoded by the day. There are far too many vulnerabilities out there, it takes too long to find them all, and many are unpatchable anyway.
Risk is multi-dimensional
That’s where advanced risk assessment solutions come in. By weighing factors like severity, exploitability, exposure, asset importance, and business impact (i.e., cyber risk quantification), these solutions can help security teams prioritize vulnerabilities based on what really matters. This can help winnow down the list of actionable vulnerabilities by orders of magnitude – from hundreds of thousands down to just a few hundred or even dozens! By doing so, organizations can allocate their limited resources where they will have the biggest impact on reducing risk.
To grapple with growing cybersecurity complexity, security teams need a new approach, known as continuous exposure management, that offers dramatic improvements in performance, efficiency and risk reduction. To make the most of this modern, risk-based paradigm, organizations should implement solutions that:
- Take a holistic approach
- Maintain 360-degree visibility of the attack surface
- Discover and detect the full range of exposures
- Assess risk and prioritize
- Choose the appropriate remediation and automate responses
The facts are sobering: cyber threats are becoming more prevalent and sophisticated every day. But by taking a proactive approach to exposure management and prioritizing vulnerabilities based on what really matters, organizations can better protect themselves from these threats.