SecurityWeek

Endpoint Security

Automated Security Control Assessment: When Self-Awareness Matters

Automated Security Control Assessment enhances security posture by verifying proper, consistent configurations of security controls, rather than merely confirming their existence.

Exploitation of software vulnerabilities by cyber adversaries has dominated headlines the last couple of months (e.g., Ivanti EPMM flaw, Points.com, BeyondTrust, PaperCut NG/MF, Microsoft Power Platform), creating the perception that these are the primary causes of many of today’s data breaches. However, according to the 2023 Verizon Data Breach Investigations Report, the exploitation of vulnerabilities as a threat action “has kept stable in incidents and is actually less prominent in breaches, dropping from 7% to 5%.” Nonetheless, the exploitation of software vulnerabilities remains one of the three primary methods in which attackers gain unauthorized access to an organization, with stolen credentials and phishing leading the way. This raises the question of what organizations should do to minimize their exposure.

Most security practitioners are aware that an effective vulnerability management program is the cornerstone of any organization’s cybersecurity initiative because they know that software vulnerabilities, if left unidentified and unaddressed, can bring their business down. However, advancements in technology across an organization (e.g., digitalization, cloud adoption), growing numbers of employees working from more locations, and the overall complexity of the IT environment often inhibit timely detection and remediation of software vulnerabilities.

As an example, according to the 2023 Resilience Index (PDF) more than 80% of devices use the Microsoft® Windows® OS, with the large majority on Windows 10. This might appear homogenous and easy to manage; however, the reality is that IT practitioners are struggling to keep their employees’ endpoints up to date with fourteen different versions and more than 800 builds and patches present. Adding to the complexity IT and security teams must deal with is the number of installed applications on devices. According to the same report, there are sixty-seven applications installed on the average enterprise device, with 10% of those devices having more than one hundred applications installed.

The sheer number of applications installed on enterprise devices – as well as the variety of operating system versions and builds – makes it difficult for IT and security teams to maintain those apps or patch them. This situation negatively impacts their ability to minimize exposure to known vulnerabilities. In turn, it’s not surprising that it takes an average of 149 days for small companies, 151 days for medium and large enterprises, and 158 days for exceptionally large organizations to patch their endpoints’ operating systems.

It is equally unsurprising that, according to government agencies in Australia, New Zealand, the United Kingdom, Canada, and the United States (the so-called Five Eyes agencies), threat actors in 2022 predominantly targeted Internet-facing systems that were not patched against older, known vulnerabilities, including flaws for which exploit kits already exist publicly.

Barriers to Successful Vulnerability Management

When it comes to the effectiveness of traditional vulnerability risk management programs, the challenges are often rooted in the following areas:

  • Lack of Visibility: You cannot fix what you cannot see. IT and security practitioners are dealing with a vast number of assets (e.g., endpoints, servers, IoT devices) across all computing environments, and each asset can be breached in a variety of ways. The problem is that most vulnerability scanners do not work continuously. If you are not monitoring and analyzing your attack surface continuously and in real-time, you are setting yourself up for blind spots and delayed reaction time.
  • Lack of Automation: There are many manual steps – from vulnerability scanning and detection to verification, impact analysis, and remediation – all of which can consume up to 40 percent of the IT team’s resources. In turn, vulnerability management tools are often used as means to document compliance with industry standards and government regulations.
  • Lack of Context: Too many companies still rely on vulnerability scores, but these aren’t correlated to the threats that already exist or are a complete reflection of the full range of vulnerabilities in the wild. Bad password hygiene – using weak or default passwords, reusing passwords, and not storing passwords correctly – is also a vulnerability. And so are misconfigurations, encryption issues, and risky online behavior of employees.
  • Lack of Insights into Efficacy: Unfortunately, many security solutions – including vulnerability management tools – lack the capability to monitor their own integrity or health, often turning an organization’s investment into shelf-ware. While it may be true that the health of a security application can be impacted by faulty implementations, poor integrations, and lackluster maintenance, more often common decay, software collision, unintentional deletion, or malicious actions influence the integrity and efficacy of security applications.

To really improve security processes, continuous collection and analysis of relevant data to evaluate the efficacy of controls is necessary. As mentioned above, without knowing whether the health of a security application has been jeopardized, an organization cannot react to malicious actions, collisions, vulnerabilities, or software damage. In turn, we are seeing the introduction of enhanced regulations (e.g., PCI DSS, NIST SP 800-137) that prescribe continuous diagnostics of security controls, and leading analyst firm Gartner has acknowledged the importance of Automated Security Control Assessment (ASCA) as an emerging category in its Hype Cycle for Endpoint Security, 2023.

According to Gartner, “ASCA processes and technologies focus on the analysis and remediation of misconfigurations in security controls.” These new tools help “reduce an organization’s attack surface caused by security configuration drift, poor defaults, excessive tuning to reduce false positive rates, and high administration staff turnover.”


Organizations need to transition from mere detection to faster remediation of IT security vulnerabilities before they are exploited. To achieve this, IT practitioners must establish a continuous process for addressing security vulnerabilities. A crucial element for a successful vulnerability management program, as well as the effectiveness of any other deployed security application, is the concept of Automated Security Control Assessment. It aids in enhancing the security posture by verifying proper, consistent configurations of security controls, rather than merely confirming their existence. This approach will boost staff efficiency and strengthen cyber resilience in the face of organizational complexity.
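As an added illustration (not code from the article or from any vendor mentioned in it), the following hypothetical Python check treats a control as effective only when it is installed, running, configured to baseline, and not tuned past an exclusion limit, the distinction the article draws between verifying configuration and merely confirming existence. Control names, setting keys and the sample endpoint inventory are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Finding:
    control: str
    kind: str    # "missing", "unhealthy", "drift" or "overtuned"
    detail: str

# Constructed baseline of expected settings per control; control names and
# setting keys are hypothetical placeholders, not a vendor's schema.
BASELINE: Dict[str, dict] = {
    "edr": {"real_time_scan": True, "tamper_protection": True, "max_exclusions": 5},
    "disk_encryption": {"status": "encrypted"},
    "host_firewall": {"default_inbound": "block"},
}

def assess(observed: Dict[str, dict]) -> List[Finding]:
    """Compare one endpoint's observed control state against BASELINE.
    A control counts as effective only if installed, running, matching every
    baseline setting, and not tuned past its exclusion limit."""
    findings: List[Finding] = []
    for name, expected in BASELINE.items():
        state = observed.get(name)
        if state is None:
            findings.append(Finding(name, "missing", "control not installed"))
            continue
        if not state.get("running", False):
            findings.append(Finding(name, "unhealthy", "agent not running"))
            continue  # a stopped agent's settings do not matter until it is back
        for key, want in expected.items():
            if key != "max_exclusions" and state.get(key) != want:
                findings.append(Finding(name, "drift",
                                        f"{key}={state.get(key)!r}, expected {want!r}"))
        limit, excl = expected.get("max_exclusions"), state.get("exclusions", [])
        if limit is not None and len(excl) > limit:  # excessive tuning
            findings.append(Finding(name, "overtuned", f"{len(excl)} exclusions, limit {limit}"))
    return findings

# Constructed sample inventory for one endpoint: EDR present but with real-time
# scanning off and too many exclusions, encryption agent stopped, firewall absent.
SAMPLE_ENDPOINT: Dict[str, dict] = {
    "edr": {"running": True, "real_time_scan": False, "tamper_protection": True,
            "exclusions": [f"C:\\dir{i}" for i in range(6)]},
    "disk_encryption": {"running": False, "status": "encrypted"},
}

if __name__ == "__main__":
    for f in assess(SAMPLE_ENDPOINT):
        print(f"{f.control}: {f.kind} ({f.detail})")
```

A real deployment would feed `observed` from the endpoint inventory continuously rather than from a static dictionary, so that drift is caught as it happens rather than at the next audit.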

Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the book Zero Trust Privilege for Dummies. Torsten has held executive-level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).
