The 2023 Vulnerability and Threat Trends report by Skybox Security highlights some of the fundamental root causes of increased cybersecurity attacks that consume most enterprise security teams’ containment efforts. Here are some of the eye-opening realities from the report:
- The number of new vulnerabilities continues to grow, with 25,096 discovered in 2022 – a 25% increase from 2021, with the cumulative number of vulnerabilities rising to nearly 200k; many of these will remain out there as an “exploitable threat vector” for many months and possibly even years because security teams are overwhelmed.
- Attack vectors are broadening, with new vulnerabilities discovered across many products, software, applications, and device types. With this growing breadth of vulnerabilities, attacks are now more commonly affecting network and infrastructure devices, supply chains, and OT environments; the diversity of attack vectors gives threat actors more opportunities than ever to wage sophisticated attack campaigns.
- Eighty percent of new vulnerabilities are classified as “medium” or “high” severity, with only 16% being considered “critical.” This may sound like good news, but it’s become increasingly common for threat actors to target non-critical vulnerabilities because they know many organizations focus primarily on the ones categorized as critical. As explained by CISA, “some of the most widespread and devastating attacks have included multiple vulnerabilities rated ‘high,’ ‘medium,’ or even ‘low.’” Threat actors gain an initial foothold through a lower-rated vulnerability, then methodically look for the next open window that lets them move laterally and advance the campaign from inside.
- For the first time in years, ransomware attacks appear to be on the decline; however, threat actors are using new tactics, techniques, and procedures (TTPs) to gain access to enterprises. Advanced persistent threat (APT) activity, most commonly attributed to nation-state actors and organized cybercriminal groups, is on the rise, and new backdoor malware is being produced at an increasing rate. The evolution of attack methods means security teams must stay on top of the ever-changing threat landscape to stay ahead.
We all know that security teams face an uphill battle, and we no longer live in a “fix everything” era – there are too many threats and vulnerabilities for the traditional methods to keep up with. But it’s time to acknowledge the stark reality that the vulnerability management solutions most organizations have in place today are not good enough to navigate this complex threat landscape. If your goal is to reduce cyber exposure and tighten security efficacy as much as possible, then it’s time to ask for more from your vulnerability management solution.
Let’s examine three critical flaws within today’s vulnerability management tools and how you can take strides to implement a more effective vulnerability management remediation process.
Flaw #1: Vulnerability management solutions provide incomplete data sets and limited visibility
According to Gartner, less than 1% of companies have more than 95% visibility of all their assets. But this statistic shouldn’t come as a surprise. Most organizations rely heavily on vulnerability scanning, which only looks at assets that can be scanned; this often leads to a group of “unscannable assets” that could be at risk.
In addition, most vulnerability management solutions spit out a list of vulnerability remediations based on CVSS score and their internal methodology, racking up thousands of critical vulnerabilities for most organizations. If an organization has multiple vulnerability management solutions, the data sets rarely line up. This is a significant problem since the efficacy of vulnerability prioritization and remediation efforts depends entirely on the accuracy of the data sets you are working with.
Vulnerability management solutions must be actionable, accurate, continuous, and based on centralized, normalized, and complete data sets. Having multiple disconnected discovery methods or relying on data from periodic scans is no longer sufficient. Today, whether a vulnerability is being exploited in the wild or sits on a critical system matters more than whether it carries a “critical” CVSS score on its own.
To better understand your environment, you need to find a vulnerability management solution that aggregates and correlates all network and asset data from various sources into one normalized source and then overlays it with vulnerability data to map out your attack surface. This includes passively collecting asset data from configuration, patch, and asset management systems, from endpoint security systems (EDRs, EPPs), from network security devices (firewalls, IPS/IDS, etc.), from network infrastructure devices (routers, switches, load balancers, etc.), from various cloud assets, OT systems, and from any other relevant parts of your hybrid network that may be considered “unscannable.” This provides you with a normalized “single source of truth” that ensures vulnerability analysis, and the consequent prioritization and remediation efforts tackle the highest risk assets to your business.
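One way to implement this aggregation, as an added example that is not Skybox's code: three constructed feeds (a CMDB export, an EDR inventory and scanner output) are normalized into one record per asset, findings are de-duplicated per CVE, and assets that no scanner has covered are flagged. Keying records on IP address is an assumption that suits static addressing; a real inventory would also reconcile hostnames, MAC addresses and cloud instance IDs. The CVE identifiers are placeholders, not real vulnerabilities.

```python
# Added example (not Skybox's code): build one normalized asset inventory from
# several constructed feeds, overlay scanner findings, and flag unscanned assets.
from dataclasses import dataclass, field
import ipaddress

# Constructed sample feeds; each source describes assets in its own schema.
CMDB = [
    {"hostname": "db01.corp.example", "ip": "10.0.2.10", "owner": "payments", "criticality": "high"},
    {"hostname": "plc-7.ot.example", "ip": "10.9.0.7", "owner": "plant-ops", "criticality": "high"},
]
EDR = [
    {"host": "DB01", "ipv4": " 10.0.2.10 ", "os": "Ubuntu 22.04"},
    {"host": "WEB03", "ipv4": "10.0.1.30", "os": "Windows Server 2019"},
]
SCANNER = [  # CVE IDs are placeholders, not real vulnerabilities
    {"ip": "10.0.2.10", "findings": [{"cve": "CVE-0000-0001", "cvss": 9.8}]},
    {"ip": "10.0.1.30", "findings": [{"cve": "CVE-0000-0002", "cvss": 6.5},
                                     {"cve": "CVE-0000-0002", "cvss": 7.2}]},  # same CVE twice
]

@dataclass
class Asset:
    ip: str
    hostname: str = ""
    owner: str = "unknown"
    criticality: str = "unknown"
    os: str = ""
    sources: set = field(default_factory=set)     # which feeds saw this asset
    findings: dict = field(default_factory=dict)  # cve -> highest reported CVSS

def norm_ip(raw: str) -> str:
    """Canonical IP string; malformed input raises instead of creating a ghost asset."""
    return str(ipaddress.ip_address(raw.strip()))

def norm_host(raw: str) -> str:
    """Short hostname, lower-cased, so 'DB01' and 'db01.corp.example' match."""
    return raw.strip().lower().split(".")[0]

def build_inventory(cmdb, edr, scanner) -> dict:
    """Merge all feeds into one dict keyed by normalized IP."""
    inv = {}

    def get(ip: str) -> Asset:
        return inv.setdefault(ip, Asset(ip=ip))

    for r in cmdb:
        a = get(norm_ip(r["ip"]))
        a.hostname = a.hostname or norm_host(r["hostname"])
        a.owner, a.criticality = r["owner"], r["criticality"]
        a.sources.add("cmdb")
    for r in edr:
        a = get(norm_ip(r["ipv4"]))
        a.hostname = a.hostname or norm_host(r["host"])
        a.os = r["os"]
        a.sources.add("edr")
    for r in scanner:
        a = get(norm_ip(r["ip"]))
        a.sources.add("scanner")
        for f in r["findings"]:
            # two tools reporting the same CVE collapse to one finding; keep the higher score
            a.findings[f["cve"]] = max(a.findings.get(f["cve"], 0.0), f["cvss"])
    return inv

def unscanned(inv: dict) -> list:
    """Assets known to some source but never covered by a scanner."""
    return sorted(ip for ip, a in inv.items() if "scanner" not in a.sources)

if __name__ == "__main__":
    inventory = build_inventory(CMDB, EDR, SCANNER)
    for ip, a in sorted(inventory.items()):
        print(ip, a.hostname, sorted(a.sources), a.findings)
    print("unscanned:", unscanned(inventory))
```

The OT controller that the CMDB knows about but no scanner reached is exactly the “unscannable” gap described above; it stays in the inventory with an empty finding list instead of silently dropping out of the prioritization queue.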
Flaw #2: Vulnerability management solutions fail to properly calculate cyber exposure as part of vulnerability prioritization
Research shows that year over year, threat actors continue to take advantage of old, unpatched systems to gain access to organizations. Prioritizing vulnerabilities has become increasingly complex in recent years, and many legacy vulnerability management solutions cannot provide a manageable process for it, which leaves security teams struggling to keep up.
While seeing the complete picture of your attack surface is a step in the right direction, it is also critical to understand asset and vulnerability context when prioritizing remediations. Many organizations struggle to calculate their actual cyber exposure risk because they consider only the severity of a given CVE, as expressed by its CVSS score. This common and overly simplistic approach may have worked in the past, but in today’s complex threat environment, several additional factors should be considered when determining exposure:
- Business context, such as geography, technology, business function, applications, services, and owners
- Exploitability in the wild, as in whether a threat actor is actively using a specific vulnerability
- Accessibility of the asset, such as how easily an attacker can reach it from a threat origin, like the internet
In addition, many current vulnerability management solutions don’t consider the different vectors and paths that today’s sophisticated cyberattack campaigns may take in finding a way to exploit vulnerable assets across your environments; as noted earlier, more and more breaches are coming via lateral movement within your networks. A complete and accurate exposure analysis can only be achieved by leveraging a network model that understands your unique hybrid network and business context and all security controls that are in place, then provides a multi-dimensional analysis and simulation of all potential attack paths.
With a significant volume of vulnerabilities that require analysis, having an accurate representation of exposure is one of the most critical factors for assuring your prioritization efforts enable your teams to successfully zero in on addressing what matters most – vulnerabilities that pose real business risk regardless of their classified severity level.
Flaw #3: Vulnerability management solutions are overly reliant on patching to reduce risk
Many organizations still rely heavily on patching vulnerabilities. While it’s good to run a regular patching cycle – and have a process for urgent vulnerabilities – there is still a significant window of exposure, and cybercriminals are quick to take advantage. This is why it’s essential for a vulnerability management solution to have multiple options for addressing vulnerabilities and help you eliminate exposure risk quickly, effectively, and efficiently.
When patching an asset or groups of assets may not be possible, there are compensating controls that can help prevent threat actors from gaining access to your network. Alternative solutions can include reconfiguring security controls, applying IPS signatures, altering network topologies, and even determining where potential zero-trust strategies and/or isolation technologies must be applied.
Achieving arbitrary volumetric goals may satisfy patch remediation SLA requirements but may still leave your organization at significant risk of experiencing a major cyberattack. So, the only accurate measure of a successful vulnerability management program is whether you are eliminating exposure to these risks and, as a result, preventing potential business impacts from a breach.
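As an added example (not Skybox's code and not its network model), the ranking below folds the three factors listed under Flaw #2 plus internet reachability into one exposure score, then re-scores after a compensating control of the kind described under Flaw #3 is applied. The zone graph, allowed flows, assets, CVE placeholders and the scoring weights are all constructed for illustration; a real model would be built from firewall, router and cloud security-group configuration, with exploited-in-the-wild status taken from a feed such as CISA's KEV catalog.

```python
# Added example (not Skybox's code or network model): rank findings by exposure,
# not CVSS alone, and re-rank after a compensating control. All data is constructed.
from collections import deque

# Flows the firewall policy allows between zones; "ips_blocks" holds CVEs for
# which an inline IPS signature is active on that flow.
FLOWS = [
    {"src": "internet", "dst": "dmz", "port": 443,  "ips_blocks": set()},
    {"src": "dmz",      "dst": "app", "port": 8080, "ips_blocks": set()},
    {"src": "app",      "dst": "db",  "port": 5432, "ips_blocks": set()},
    {"src": "corp",     "dst": "app", "port": 8080, "ips_blocks": set()},
]

# Assets: zone, port of the vulnerable service, business criticality (1 low .. 3 high).
ASSETS = {
    "web03": {"zone": "dmz",  "port": 443,  "criticality": 2},
    "db01":  {"zone": "db",   "port": 5432, "criticality": 3},
    "hr-fs": {"zone": "corp", "port": 445,  "criticality": 2},
}

# Findings; CVE IDs are placeholders. exploited_in_wild would come from a KEV-style feed.
FINDINGS = [
    {"asset": "web03", "cve": "CVE-0000-0001", "cvss": 6.5, "exploited_in_wild": True},
    {"asset": "hr-fs", "cve": "CVE-0000-0002", "cvss": 9.8, "exploited_in_wild": False},
    {"asset": "db01",  "cve": "CVE-0000-0003", "cvss": 9.1, "exploited_in_wild": True},
]

def reachable_zones(flows, origin="internet"):
    """Breadth-first walk over allowed flows; returns zone -> hops from the origin."""
    hops = {origin: 0}
    queue = deque([origin])
    while queue:
        zone = queue.popleft()
        for f in flows:
            if f["src"] == zone and f["dst"] not in hops:
                hops[f["dst"]] = hops[zone] + 1
                queue.append(f["dst"])
    return hops

def exposed(finding, assets, flows):
    """True if a zone reachable from the internet may talk to the vulnerable port
    over a flow that no IPS signature covers for this CVE."""
    a = assets[finding["asset"]]
    hops = reachable_zones(flows)
    return any(f["src"] in hops and f["dst"] == a["zone"] and f["port"] == a["port"]
               and finding["cve"] not in f["ips_blocks"] for f in flows)

def exposure_score(finding, assets, flows):
    """Illustrative weights (an assumption, not an industry formula):
    CVSS/10 x 2 if exploited in the wild x criticality x 3 if internet-exposed."""
    a = assets[finding["asset"]]
    kev = 2.0 if finding["exploited_in_wild"] else 1.0
    reach = 3.0 if exposed(finding, assets, flows) else 1.0
    return round(finding["cvss"] / 10 * kev * a["criticality"] * reach, 2)

def prioritize(findings, assets, flows):
    """(asset, cve, score) tuples, highest exposure first."""
    ranked = [(f["asset"], f["cve"], exposure_score(f, assets, flows)) for f in findings]
    return sorted(ranked, key=lambda r: r[2], reverse=True)

def add_ips_signature(flows, src, dst, port, cve):
    """Compensating control: copy of `flows` with an IPS signature for `cve` on one flow."""
    out = []
    for f in flows:
        copy = dict(f, ips_blocks=set(f["ips_blocks"]))
        if (copy["src"], copy["dst"], copy["port"]) == (src, dst, port):
            copy["ips_blocks"].add(cve)
        out.append(copy)
    return out

if __name__ == "__main__":
    print("before:", prioritize(FINDINGS, ASSETS, FLOWS))
    mitigated = add_ips_signature(FLOWS, "app", "db", 5432, "CVE-0000-0003")
    print("after IPS on app->db:", prioritize(FINDINGS, ASSETS, mitigated))
```

Run as written, the medium-severity finding on the internet-facing web server and the database finding reachable through the application tier both outrank the 9.8 on the file server that no internet-originated path reaches. Adding an IPS signature on the app-to-db flow drops the database finding below the web finding without a patch, which is the exposure-based measure of success that counting closed tickets cannot give.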
In this explainer video you will learn how Skybox Security’s network model enables you to see and remediate vulnerabilities across disparate and highly complex hybrid environments.
Summary
Too many new vulnerabilities are popping up across today’s rapidly evolving networks for security and network teams to maintain the status quo with their vulnerability assessment, prioritization, and remediation efforts. Teams need a more comprehensive approach that starts by ensuring complete data sets are being analyzed and that exposure risk is assessed adequately with a network model that reduces business risk and optimizes the company’s overall security posture. If you want to learn more about how Skybox can create a vulnerability management program centered around remediating exposure risk, contact us.