
Automated Security Control Assessment: When Self-Awareness Matters

Automated Security Control Assessment enhances security posture by verifying proper, consistent configurations of security controls, rather than merely confirming their existence.

Exploitation of software vulnerabilities by cyber adversaries has dominated headlines over the last couple of months (e.g., Ivanti EPMM flaw, Points.com, BeyondTrust, PaperCut NG/MF, Microsoft Power Platform), creating the perception that these are the primary causes of many of today’s data breaches. However, according to the 2023 Verizon Data Breach Investigations Report, the exploitation of vulnerabilities as a threat action “has kept stable in incidents and is actually less prominent in breaches, dropping from 7% to 5%.” Nonetheless, the exploitation of software vulnerabilities remains one of the three primary methods by which attackers gain unauthorized access to an organization, with stolen credentials and phishing leading the way. This raises the question of what organizations should do to minimize their exposure.

Most security practitioners are aware that an effective vulnerability management program is the cornerstone of any organization’s cybersecurity initiative because they know that software vulnerabilities, if left unidentified and unaddressed, can bring their business down. However, advancements in technology across an organization (e.g., digitalization, cloud adoption), growing employee numbers and their associated work locations, as well as the overall complexity of the IT environment, often inhibit timely detection and remediation of software vulnerabilities.

As an example, according to the 2023 Resilience Index (PDF), more than 80% of devices use the Microsoft® Windows® OS, with the large majority on Windows 10. This might appear homogeneous and easy to manage; however, the reality is that IT practitioners are struggling to keep their employees’ endpoints up to date with fourteen different versions and more than 800 builds and patches present. Adding to the complexity IT and security teams must deal with is the number of installed applications on devices. According to the same report, there are sixty-seven applications installed on the average enterprise device, with 10% of those devices having more than one hundred applications installed.

The sheer number of applications installed on enterprise devices – as well as the variety of operating system versions and builds – makes it difficult for IT and security teams to maintain those apps or patch them. This situation negatively impacts their ability to minimize exposure to known vulnerabilities. In turn, it’s not surprising that it takes an average of 149 days for small companies, 151 days for medium and large enterprises, and 158 days for exceptionally large organizations to patch their endpoints’ operating systems.

As a result, it is also not surprising that, according to government agencies in Australia, New Zealand, the United Kingdom, Canada, and the United States (the so-called Five Eyes agencies), threat actors in 2022 predominantly targeted Internet-facing systems that had not been patched against older, known vulnerabilities, including flaws for which exploit kits are already publicly available.

Barriers to Successful Vulnerability Management

When it comes to the effectiveness of traditional vulnerability risk management programs, the challenges are often rooted in the following areas:

  • Lack of Visibility: You cannot fix what you cannot see. IT and security practitioners are dealing with a vast number of assets (e.g., endpoints, servers, IoT devices) across all computing environments, and each asset can be breached in a variety of ways. The problem is that most vulnerability scanners do not work continuously. If you are not monitoring and analyzing your attack surface continuously and in real time, you are setting yourself up for blind spots and delayed reaction time.
  • Lack of Automation: There are many manual steps – from vulnerability scanning and detection to verification, impact analysis, and remediation – all of which can consume up to 40 percent of the IT team’s resources. In turn, vulnerability management tools are often used as means to document compliance with industry standards and government regulations.
  • Lack of Context: Too many companies still rely on vulnerability scores, but these are neither correlated with the threats that already exist nor a complete reflection of the full range of vulnerabilities in the wild. Bad password hygiene – using weak or default passwords, reusing passwords, and not storing passwords correctly – is also a vulnerability. And so are misconfigurations, encryption issues, and risky online behavior of employees.
  • Lack of Insights into Efficacy: Unfortunately, many security solutions – including vulnerability management tools – lack the capability to monitor their own integrity or health, often turning an organization’s investment into shelf-ware. While it may be true that the health of a security application can be impacted by faulty implementations, poor integrations, and lackluster maintenance, more often it is ordinary decay, software collisions, unintentional deletion, or malicious actions that degrade the integrity and efficacy of security applications.

To really improve security processes, continuous collection and analysis of relevant data to evaluate the efficacy of controls is necessary. As mentioned above, without knowing whether the health of a security application has been jeopardized, an organization cannot react to malicious actions, collisions, vulnerabilities, or software damage. In turn, we are seeing the introduction of enhanced regulations (e.g., PCI DSS, NIST SP 800-137) that prescribe continuous diagnostics of security controls, and leading analyst firm Gartner acknowledged the importance of Automated Security Control Assessment (ASCA) as an emerging category in its Hype Cycle for Endpoint Security, 2023.

According to Gartner, “ASCA processes and technologies focus on the analysis and remediation of misconfigurations in security controls.” These new tools help “reduce an organization’s attack surface caused by security configuration drift, poor defaults, excessive tuning to reduce false positive rates, and high administration staff turnover.”

Organizations need to transition from mere detection to faster remediation of IT security vulnerabilities before they are exploited. To achieve this, IT practitioners must establish a continuous process for addressing security vulnerabilities. A crucial element for a successful vulnerability management program, as well as the effectiveness of any other deployed security application, is the concept of Automated Security Control Assessment. It aids in enhancing the security posture by verifying proper, consistent configurations of security controls, rather than merely confirming their existence. This approach will boost staff efficiency and strengthen cyber resilience in the face of organizational complexity.
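To make the distinction between "the control exists" and "the control is healthy and correctly configured" concrete, here is an added example (not code from the article, from Absolute Software, or from any ASCA product) of a minimal control-assessment routine. It evaluates each endpoint control against a baseline for the drift sources the article names: a service that is installed but not running, a stale heartbeat (decay or unintentional deletion), tamper protection switched off (malicious action), and exclusion lists that grew to quiet false positives. The baseline, the control names and the fleet inventory are all constructed for the example; real products expose this state through their own APIs.

```python
"""Added example: a minimal Automated Security Control Assessment (ASCA)
check that judges endpoint security controls by their health and
configuration, not merely by whether they are installed.

The baseline and the inventory records below are constructed for the
example; they do not describe any real product."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed baseline: what "correctly configured" means for each control.
BASELINE = {
    "edr_agent": {
        "min_version": (7, 2, 0),
        "max_heartbeat_age": timedelta(hours=24),
        "settings": {"tamper_protection": True, "realtime_scan": True},
        "max_exclusions": 5,
    },
    "disk_encryption": {
        "min_version": (1, 0, 0),
        "max_heartbeat_age": timedelta(days=7),
        "settings": {"enabled": True, "key_escrowed": True},
        "max_exclusions": 0,
    },
}


@dataclass
class ControlState:
    """Observed state of one security control on one endpoint (constructed schema)."""
    host: str
    control: str
    installed: bool
    running: bool = False
    version: tuple = (0, 0, 0)
    last_heartbeat: datetime | None = None
    settings: dict = field(default_factory=dict)
    exclusions: list = field(default_factory=list)


def assess(state: ControlState, now: datetime, baseline=BASELINE):
    """Return (severity, finding, remediation) tuples for one control.

    An empty list means the control is present, alive and matches the baseline."""
    policy = baseline[state.control]
    findings = []
    if not state.installed:
        return [("high", "control not installed", "deploy agent via management tool")]
    if not state.running:
        findings.append(("high", "installed but service not running",
                         "restart service; check for crash loop or uninstall event"))
    if state.version < policy["min_version"]:
        findings.append(("medium", f"version {state.version} below minimum {policy['min_version']}",
                         "upgrade agent"))
    if state.last_heartbeat is None or now - state.last_heartbeat > policy["max_heartbeat_age"]:
        findings.append(("high", "no recent heartbeat to management console",
                         "verify network path and agent identity; re-enrol"))
    # Configuration drift: every baseline setting must match exactly.
    for key, expected in policy["settings"].items():
        actual = state.settings.get(key)
        if actual != expected:
            findings.append(("high", f"setting {key}={actual!r}, baseline requires {expected!r}",
                             f"reset {key} to {expected!r} and investigate who changed it"))
    if len(state.exclusions) > policy["max_exclusions"]:
        findings.append(("medium", f"{len(state.exclusions)} exclusions exceed baseline "
                                   f"{policy['max_exclusions']}",
                         "review exclusions; remove those added to quiet false positives"))
    return findings


def assess_fleet(states, now, baseline=BASELINE):
    """Map (host, control) -> findings; only entries with findings are returned."""
    report = {}
    for s in states:
        f = assess(s, now, baseline)
        if f:
            report[(s.host, s.control)] = f
    return report


def presence_only(states):
    """The naive check ASCA replaces: 'installed' is treated as 'covered'."""
    return {s.host for s in states if s.control == "edr_agent" and s.installed}


NOW = datetime(2023, 9, 1, tzinfo=timezone.utc)

# Constructed fleet sample. laptop-01 is what a presence-only check would
# accept: the agent is installed and running, yet it has gone silent for nine
# days, tamper protection is off, and six exclusions have accumulated.
SAMPLE_FLEET = [
    ControlState("laptop-01", "edr_agent", installed=True, running=True,
                 version=(7, 2, 3), last_heartbeat=NOW - timedelta(days=9),
                 settings={"tamper_protection": False, "realtime_scan": True},
                 exclusions=["C:\\Build", "C:\\Temp", "C:\\Users", "D:\\", "C:\\Tools", "C:\\Dev"]),
    ControlState("laptop-01", "disk_encryption", installed=True, running=True,
                 version=(1, 4, 0), last_heartbeat=NOW - timedelta(hours=2),
                 settings={"enabled": True, "key_escrowed": True}),
    ControlState("server-07", "edr_agent", installed=False),
    ControlState("laptop-02", "edr_agent", installed=True, running=True,
                 version=(7, 2, 3), last_heartbeat=NOW - timedelta(hours=1),
                 settings={"tamper_protection": True, "realtime_scan": True}),
]

if __name__ == "__main__":
    print("presence-only says covered:", sorted(presence_only(SAMPLE_FLEET)))
    for (host, control), findings in assess_fleet(SAMPLE_FLEET, NOW).items():
        for sev, finding, fix in findings:
            print(f"{host:10} {control:16} [{sev}] {finding} -> {fix}")
```

Running the block shows the gap the article describes: the presence-only view reports laptop-01 as covered, while the assessment returns three findings for its EDR agent and one for the server with no agent at all, each paired with the remediation an automated workflow would trigger. In a real deployment the inventory records would be pulled continuously from the management consoles of the controls themselves, and the baseline would be versioned alongside the rest of the configuration so that drift is measured against an approved state rather than against whatever the console currently shows.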

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).
