While it’s always the latest zero-day vulnerability or the latest attack technique that grabs the media’s attention, as well as the attention of many technology professionals — these are not the archetypal attack vectors criminals tend to use to infiltrate systems. It’s actually the day-to-day grind against existing and well-known vulnerabilities that typically gets enterprises breached.
While that may strike many as grim news, it may be as good as the news gets for enterprise security professionals: as long as organizations focus on keeping their existing systems up to date, they could go quite far in mitigating the risk of attacks and force criminal hackers to work with newer and more sophisticated (read riskier) exploits.
That’s not to say that defending systems ever becomes easier. It doesn’t. It does force adversaries to adapt and increase the effort they must put into their attacks if they are to succeed. As Dave Merkel, CEO and co-founder at Expel put it: threats evolve as technology evolves. “As defenders become more adept, their attackers become faster,” says Merkel.
That’s why the security operations and vulnerability management challenge is constantly growing, because as enterprises deploy new technologies their attack surface changes and expands. And it’s not just new cloud services and application and application deployments, but also the development and infrastructure environment within the enterprise. “It’s a forever thing. It’s a continued evolution,” explains Merkel.
Success requires a shift in mindset
As Merkel explains, security operations teams haven’t always kept up when it came to protecting their expanding attack surface.
Typically, he explains, enterprises would run vulnerability scans, gather vulnerabilities present in the environment, and then commence to patch. “As we look to the future, you really have to think about operationalizing [this process better,]” he says. As he explains, this traditional approach to vulnerability management isn’t fast enough. And enterprises have to move at the speed in which their adversaries move. “Time matters and your [patch] cycle time is material as to whether or not your controls and mitigations will actually have an effect.”
Merkel contends that enterprises must up their operational games to succeed because enterprises don’t have months, weeks, or days to patch their high-risk vulnerabilities. “You have minutes,” says Merkel.
Merkel contends that this can best be done by better-integrating data from traditional enterprise cybersecurity toolsets, such as endpoint tools, cloud platforms, infrastructure, software-as-a-service applications, security information and event management systems, and more. Such vulnerability and contextual risk information will help enterprises to prioritize their vulnerabilities and better operationalize their vulnerability management processes.
Ultimately, explains Merkel, this marriage of operational knowledge with the vulnerability management infrastructure is going to provide organizations with a more crips picture of their risk. “A picture that is more actionable, and that can provably reduce risk,” Merkel says.
By George V. Hulme