In this third blog of The Vulnerability & Exposure Management Survival Series, we step beyond detection and into the realm of improving threat assessment and prioritization.
- Strategies for Improving Governance & Compliance
- Strategies for Improving Detection
- Strategies for Improving Assessment & Prioritization (YOU ARE HERE)
- Strategies for Improving Communication
- Strategies for Improving Mitigation & Remediation
The importance of strong assessment and prioritization in relation to a Vulnerability Management or Continuous Threat Exposure Management program cannot be overstated. Assessment refers to the evaluation of identified vulnerabilities and exposures to understand their potential impact, likelihood of exploitability, and the risk they pose to the organization's assets. Prioritization occurs based on assessment and determines the order in which you work to address vulnerabilities and exposures.
Attack Surface Management is Not a Function or a Process; It’s an Input
This one may not be too popular with some cybersecurity enthusiasts. Hear me out, and then form your opinion. As someone previously responsible for attack surface management (ASM) and who now works at a company that provides some of the best ASM capabilities in the world, I feel uniquely qualified to speak on this matter.
Let's first talk about what attack surface management is. Our friends at Palo Alto Networks define ASM as 'the process of continuously identifying, monitoring, and managing all internal and external internet-connected assets for potential attack vectors and exposures.'
Shouldn't we be monitoring these assets as part of already-established processes like vulnerability management, application security, penetration testing, and threat management? I think so. Internet-facing applications should be reviewed more frequently as part of your Application Security program due to the increased exposure. Vulnerabilities affecting internet-facing servers should be prioritized over internal assets with the same vulnerabilities and so on and so forth.
Attack Surface Management is not a function or a process; it's an input.
Key Insight:
By incorporating attack surface context like internet reachability into your existing vulnerability management processes, you can better prioritize remediation of internet-facing critical vulnerabilities, enhancing efficiency and reducing risk without needing a separate ASM function.
More mature organizations that have already incorporated Continuous Threat Exposure Management (CTEM) as one of their fundamental security processes are likely already using factors like internet reachability, threat intelligence, known attack vectors, and even runtime detection as part of their assessment and prioritization strategy. Even if you're not there yet, or not a CTEM fan, you can still pull this risk context into your assessment and prioritization methodologies. That is, if we agree that the likelihood of exploitation is increased for internet-facing assets targeted by known threat actors.
If I am incorporating these risk factors and prioritizing responses accordingly, why do I need a separate Attack Surface Management team, process, and tooling to detect, monitor, and respond to these types of exposures?
Now, if you're flush with resources and security staff, this may make perfect sense for your organization. However, the reality is that most organizations are resource-constrained and working hard to support the capabilities and processes already in place. So let's focus on maturing those processes and ensure we are prioritizing vulnerabilities and other exposures on the attack surface to reduce risk in our environments. More isn't always better.
Business Criticality Is Important, Just Not So Important for Exposure Assessment
Business criticality is often utilized as a key input in organizational risk methodologies. That's a good thing. This is necessary context when evaluating availability risk. Availability risk, or downtime, is usually one of the largest risks that organizations are working to protect against. That's because, if you're engaged in e-commerce and your website or primary means of transaction with your customers is down, you're not making money, or at least not as much as you would if your website were functional.
We have now established that business criticality is important, so let's talk about how criticality is often used in the assessment and prioritization of vulnerabilities and exposures. Just as many organizations align their risk methodologies to confidentiality, integrity, and availability, many also consider these risks as part of their assessment and prioritization methodologies. In fact, CVSS allows organizations to integrate these into their assessment of vulnerabilities as part of the environmental metrics.
I have already established my affinity for the CVSS scoring system, especially when used to incorporate threat and environmental factors into your assessments. However, I question the significance placed on business criticality as part of this assessment by many organizations. Does this truly align with how attackers are working to infiltrate your network and systems?
Key Insight:
If you were a burglar (I hope not), would you try to break in through the window or door closest to the item of greatest value, or would you first look for an easier entry point, like an unlocked door or cracked window? I say a smart burglar, who prioritizes not being detected, looks for the easiest avenue of entry, also understanding that the rooms containing valuables are more likely to be well defended and monitored.
Just like the burglar in this analogy, cyber attackers are looking for easy points of entry into your network. They also know that you are likely defending and monitoring your critical apps and assets much more rigorously than those deemed less critical. And they should be better defended! Hardened configurations, robust encryption protocols, and an increased frequency of patching are just a few of the preventive controls that should be in place for critical assets and applications.
When it comes to prioritizing these systems as part of your vulnerability and exposure management program, I put significantly less emphasis on criticality. We know threat actors are more and more likely to prioritize the exploitation of lesser-known vulnerabilities. In general, threat actors will work to gain any available foothold into your network and then move laterally or escalate privileges to gain access to your critical systems.
Oh, and guess what. Business criticality is often defined by application or asset owners, with an increased likelihood that it is incomplete or inaccurate. That's why I always felt it was critical (pun intended) to prioritize using high-integrity, system-validated data like the data and telemetry from your security tools. How about you? After saying all this, I am not telling you to discard this input altogether, especially if you have confidence in the accuracy of the data. I am saying that this should be considered lower in your assessment and prioritization methodology in favor of more pertinent environmental metrics, like internet reachability, runtime, and compensating controls.
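As an added example that is not part of the original post, the following Python sketch applies the weighting argued for above (internet reachability, threat intelligence, runtime presence and compensating controls ahead of business criticality) to a constructed backlog. The multipliers and the four findings are assumptions chosen to illustrate the resulting order, not a published methodology.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    asset: str
    issue: str                  # constructed label, not a real CVE
    cvss_base: float            # CVSS base score, 0.0-10.0
    internet_facing: bool       # attack surface context: reachable from the internet
    known_exploited: bool       # threat intel: actively targeted by known actors
    in_runtime: bool            # vulnerable component observed loaded/running
    compensating_control: bool  # e.g. WAF rule or EDR block in front of it
    business_critical: bool     # owner-declared criticality (lower-integrity input)

def exposure_score(f: Finding) -> float:
    """Exploit-likelihood context outweighs business criticality (assumed weights)."""
    score = f.cvss_base
    if f.internet_facing:
        score *= 1.5
    if f.known_exploited:
        score *= 1.5
    if f.in_runtime:
        score *= 1.2
    if f.compensating_control:
        score *= 0.5
    if f.business_critical:
        score *= 1.1            # deliberately small: lowest-weighted factor
    return round(score, 2)

def prioritize(findings):
    """Return findings ordered by descending exposure score (work this list top-down)."""
    return sorted(findings, key=exposure_score, reverse=True)

# Constructed backlog: a non-critical internet-facing host with a known-exploited
# high, a critical internal database, a WAF-shielded critical portal, a quiet dev VM.
BACKLOG = [
    Finding("web-gateway", "vuln-1", 7.5, True, True, True, False, False),
    Finding("erp-db", "vuln-2", 9.8, False, False, True, False, True),
    Finding("hr-portal", "vuln-3", 9.1, True, False, True, True, True),
    Finding("dev-vm", "vuln-4", 5.3, False, False, False, False, False),
]

if __name__ == "__main__":
    for f in prioritize(BACKLOG):
        print(f"{exposure_score(f):6.2f}  {f.asset:12s} {f.issue}")
```

The internet-facing, actively exploited 7.5 on a non-critical host lands first, ahead of the 9.8 on the critical internal database, and the WAF-shielded 9.1 drops below both.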
Conclusion
In this blog, we discussed how incorporating attack surface context, like internet reachability of vulnerable assets, can help security teams better prioritize their backlog of vulnerabilities to increase efficiency and maximize improvement of risk posture. In the next blog, we will examine Strategies for Improving Communications in an exposure management program.
To discuss your exposure management program, and how Zafran might help you sharpen the focus on the vulnerabilities most likely to be exploited, click Get A Demo to connect with an expert.
Who is Nate Rollings?
Nate is an accomplished cybersecurity leader with more than 15 years of experience at Fortune 500 companies. He is a subject matter expert well versed in building high-functioning vulnerability and exposure management programs. Nate is a respected voice in the cybersecurity community, and currently serves as Zafran’s Field CISO.