The past few years have witnessed a significant increase in digitisation across businesses and industries, driven largely by the changes wrought by the pandemic. Companies today are far more digitally interconnected than they were prior to 2020, as evidenced by the massive increase in remote working, as just one example.
While this has helped businesses gain new efficiencies and increase productivity, it has also opened these organisations up to new avenues of attack, as remote employees open up new potential vectors for cyber-criminals to exploit.
With hundreds of thousands of software vulnerabilities to manage in this digitally transforming world, it is simply impossible to protect a business from them all. In the past, remediation priority was often tied to Common Vulnerability Scoring System (CVSS) scores, which don’t consider what’s most important for your specific organisation, attack feasibility, active threats, and other aspects of security programs.
Now, research firm Forrester also suggests that relying solely on CVSS scores to prioritise remediations, is flawed because it is not only misaligned with the organisation’s strategic objectives, it also puts too much emphasis on potential, not actual, threats and inflates vulnerability severity.
The Forrester remediation prioritisation triad includes three primary elements you should consider when assessing vulnerability risk: threat likelihood, asset importance, and strength and effectiveness of compensating controls. Assessing each element improves the accuracy of assessing vulnerability risks and provides greater assurance that remediations are properly prioritised and not determined solely on CVSS scores.
Implementing Continuous Threat Exposure Management (CTEM)
Gartner recognised the need for a better approach, with the company’s Top 10 Security Projects for 2020-2021 report suggesting a risk-based vulnerability management approach. The best method of implementing such an approach is Continuous Threat Exposure Management (CTEM), as first coined by Gartner to describe a method that involves consistently exposing a company’s technologies – from networks and systems through to assets – to simulated attacks.
By continuously exposing the business assets to such attacks, CTEM is able to help IT managers identify vulnerabilities and weaknesses, enabling them to improve the enterprise’s overall security posture through the identification of security challenges, as well as the ability to act to address these – before the genuine criminals discover these weaknesses.
CTEM is even more critical when one understands that the sheer number of potential attack vectors and exploits means most organisations will likely only be in a position to remediate around 15% of their active vulnerability count.
Therefore, what is needed is a solution that allows security teams to obtain a view of all their current approaches, and help them to identify where the top 15% of these vulnerabilities lie. With this information in hand, businesses can prioritise these specific threats. And of course, when utilising a CTEM approach, this data is updated on a continuous and evolving basis.
Naturally, context is important. After all, while all businesses have vulnerabilities, their individual level of risk also depends on non-technological factors, like their specific industry vertical and even their geographical location. It is the understanding of such factors, within context, that is where the real threat intelligence lies.
With the right CTEM tool, IT managers are able to view a combination of external threat context, asset criticality, internal compensatory control and patch intelligence. Access to this data will enable them to proactively reduce their attack surface before it gets exploited.
A leading CTEM offering should be able to: show severe risks that might affect the organisation’s most critical assets and which require immediate patching; identify moderate threats to critical assets; indicate high risks to non-critical assets; and moderate risks to non-critical assets.
Ultimately, when looking to implement any kind of Vulnerability Prioritisation Technology (VPT) or Risk-Based Vulnerability Management (RBVM) solution, you should evaluate those vendor platforms that take telemetry data from other existing solutions such as vulnerability scanning data from Nessus, Qualys or Rapid 7.
After all, the missing component is the real-world threat intelligence around what active threat actor groups are doing now, or in the near future, and whether they are targeting your industry, or your geographic location, or both.
By offering a lens through which all these telemetry feeds can be correlated with your own patch intelligence – such as what has been patched and what hasn’t – it can provide your business with a risk-based view that bears no relation to the CVSS score, but rather considers the real world in which you operate.
A solution like this should be able to simulate the breach attack and test the efficacy of your compensatory controls. In addition, this complete vulnerability management lifecycle approach will have the value of reducing your mean time to exposure [MTTE], an effective KPI for pre-emptive cybersecurity management.
In today’s digitally transforming world, ‘invulnerable’ is not a word any organisation can use to describe its security posture. While it used to be true that no single vendor provided it all, this is no longer the case. A good example of a vendor’s platform that delivers on the Forrester remediation prioritisation triad is Hive Pro’s Threat Exposure Management (TEM) solution, the value thereof can be quickly and effectively validated by submitting a dump of your organisation’s vulnerability scan data as a proof of concept. You will be surprised at the vulnerability intelligence you receive back – it is eye-opening!
Faced with such a rapidly evolving threat landscape, it’s virtually impossible to address every risk. The best any IT manager can aim for is ‘well prepared’ – and utilising CTEM is currently the most effective means of achieving this status.
About author: Patrick Evans is CEO of SLVA CyberSecurity.