
Overcoming the Greatest Challenge in Security Operations (SecOps)


Despite increased investments in security operations, most organizations are still only able to address a small percentage of the millions of issues present in their environment. This has primarily been attributed to device diversity, cloud adoption, remote work, and the increasingly complex software supply chain, which have significantly expanded today’s attack surface.

To tackle this problem, security and risk leaders need to be practical and focus on the small percentage of exposures that represent the most risk to their organization. Security teams already have access to the intelligence they need to power risk-driven vulnerability prioritization, but to harness the full potential of their existing insights, they must first break down existing data silos.

The digital ecosystem produces data from many sources, ranging from autonomous network and vulnerability scanners to manually maintained spreadsheets. Teams have to understand the role each of these sources plays in prioritization decisions. They need to consider the threat and exposure management lifecycle to explore the strengths, weaknesses, and opportunities of each resource.

The lack of insight into attack behavior, however, impacts the overall effectiveness of consolidated inventories of all assets and their associated risk posture. This is because teams may only be looking at the “traditional” attack surface that is present in a typical multicloud, decentralized, and well-segmented modern network. Progress is being made in this category, but it’s still built off point-in-time, state-based insights.

On the other hand, threat detection and response tools are designed to help organizations understand their attack surface from the adversary’s perspective through analyzing network, user, and machine behavior. Security information and event management (SIEM) systems provide considerable quality data. Unfortunately, alert overload makes it extremely difficult for teams to comb through and extract the most pertinent information.

Threat detection and response platforms typically only monitor “known” assets for changes, whereas the greatest threat lies with the changes made to unknown assets. Although these platforms have come a long way to expedite response and remediation, they still lack visibility into exposures beyond typical software vulnerabilities and misconfigurations.

Third-party guidance to gauge the potential impact and exploitability of vulnerabilities can be obtained through methods such as the Common Vulnerability Scoring System (CVSS), the Exploit Prediction Scoring System (EPSS), and vendor-specific scoring systems. CVSS is the most common method for prioritizing vulnerabilities. However, relying solely on third-party guidance does not account for the organization’s unique requirements.

Internal business tracking systems are critical to threat and exposure prioritization because they capture the connections between devices and vulnerabilities, as well as overall business criticality and dependency mapping. However, custom databases require a heavy manual lift to implement and keep current, making it impossible to accurately survey security posture changes.

While each source listed above serves its own purpose and provides a unique layer of valuable insight, none of them serves as a single source of truth for navigating today’s sophisticated threat landscape. Combined and correlated correctly, however, they become extremely powerful, revealing a comprehensive vantage point that enables teams to make better-informed decisions.
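As an added illustration of the correlation the article argues for (example code, not from the article), the script below joins three of the sources named above: scanner findings carrying a CVSS base score, an EPSS feed, and an internal asset inventory carrying business criticality and exposure. All records, CVE identifiers and weights are constructed assumptions; an asset missing from the inventory is treated as worst case rather than dropped, following the point that unknown assets carry the greatest risk.

```python
# Added example: risk-driven prioritization across three data silos.
# All data and weights below are constructed and would be tuned per organization.
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    cvss: float  # 0-10 base score from the scanner feed


# Constructed sample records standing in for the three sources.
SCANNER = [
    Finding("CVE-0000-0001", "db-prod-01", 9.8),
    Finding("CVE-0000-0002", "kiosk-lab-07", 9.8),
    Finding("CVE-0000-0003", "web-edge-02", 6.5),
]
EPSS = {"CVE-0000-0001": 0.04, "CVE-0000-0002": 0.04, "CVE-0000-0003": 0.91}
ASSETS = {  # criticality 1-5 from the business tracking system; exposed = internet facing
    "db-prod-01": {"criticality": 5, "exposed": False},
    "web-edge-02": {"criticality": 4, "exposed": True},
    # kiosk-lab-07 is deliberately absent: an "unknown" asset with no business context
}


def risk_score(f, epss=EPSS, assets=ASSETS):
    """Combine severity, exploit likelihood and business context into one score.

    Unknown assets get worst-case criticality and exposure so they rise in the
    ranking instead of silently vanishing from it."""
    ctx = assets.get(f.asset, {"criticality": 5, "exposed": True})
    likelihood = 0.2 + 0.8 * epss.get(f.cve, 0.0)  # floor: missing EPSS is not zero risk
    exposure = 1.5 if ctx["exposed"] else 1.0
    return round(f.cvss * likelihood * ctx["criticality"] * exposure, 2)


def prioritize(scanner=SCANNER, epss=EPSS, assets=ASSETS):
    """Return (cve, asset, score) tuples, highest risk first."""
    ranked = sorted(scanner, key=lambda f: risk_score(f, epss, assets), reverse=True)
    return [(f.cve, f.asset, risk_score(f, epss, assets)) for f in ranked]


if __name__ == "__main__":
    for row in prioritize():
        print(row)
```

With these inputs the CVSS 6.5 finding on the exposed, actively exploited edge host outranks both CVSS 9.8 findings, and the finding on the unknown kiosk outranks the one on the well-documented database server.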

Security leaders need to align their cyber asset intelligence to their primary use cases. That could mean mapping vulnerability prioritization processes using third-party intelligence, business context, and asset criticality, or targeting specific control frameworks such as the NIST Cybersecurity Framework or the CIS Critical Security Controls so that their security data drives an effective security improvement program.

In summary, addressing cybersecurity is not a one-size-fits-all approach. Despite the availability of numerous cybersecurity tools and systems, organizations need to ensure that the measures they implement are practical and aid in prioritizing the most critical risks. This can be achieved by consolidating digital information and breaking down existing data silos to generate a comprehensive vantage point for better-informed decisions.
