Managing cyber risk is one of the biggest challenges that today’s organisations face. Keeping all IT assets protected is a massive responsibility – everything from the devices in the office and servers in data centres used daily, to infrastructure and cloud services.
It’s no secret that the number and impact of attacks are rising, with Verizon’s recent Data Breach Investigation Report unveiling nearly 24,000 attacks took place during 2021 alone. The rise in ransomware attacks last year was more than the rise that took place over the last five years combined. The report also highlighted that issues arising from software supply chains led to a huge number of breaches, in addition to misconfigurations in modern applications and cloud services that added to security problems.
In order to manage this influx of threats, security teams must understand how to prioritise the largest risks to their company environments. But the sheer number of assets that enterprises have make it difficult, if not impossible, to patch everything immediately. Teams need to take a different approach.
Looking at your risk profile
According to Qualys research, there are 185,446 known vulnerabilities that exist based on data from the National Vulnerability Database. These range from issues in niche or older software products that are no longer supported, to critical problems that affect huge swathes of IT assets. The challenge is to know what assets and software you have installed, whether any of those assets have problems that need to be fixed and whether those issues can be exploited.
While there are thousands of vulnerabilities that exist, they are not all equal in terms of risk. Of the total number of vulnerabilities, 29% (55,186) have potential exploits available – that is, where code has been created to demonstrate how a flaw works. Beyond this, only 2% of issues will have weaponised exploits against them, which enable malicious attackers to quickly exploit vulnerabilities with minimal effort. This equates to around 3,854 vulnerabilities. Only 0.4% of vulnerabilities actually have working exploits that have successfully been used for attacks by malware families or threat actor groups.
In other words, less than 2% of all software vulnerabilities are responsible for the vast majority of malware attacks and security breaches that today’s enterprises face. In identifying which issues pose the largest threats, you can effectively improve how you manage your security and where you put your efforts.
In understanding which issues affect your specific infrastructure, you can see which should be higher up the priority list for patch deployment and you are able to evaluate other security issues to see if they need additional attention. All organisations have different implementations in place. In practice, this can mean that a software vulnerability that is rated as less severe for the majority of users is actually critical for you to fix immediately. In these circumstances, knowing your own risk profile will enable your organisation to increase their security posture.
How to improve your approach
The security industry is continuously looking to improve management processes and prevent attacks. For example, the US Government has enforced new roles over federal government IT projects that mandate software bill of materials, or SBOMs. These documents aim to capture all the software elements and services that make up an application, including versions and updates that are in place. This is a crucial step because if you know all the components that make up custom applications, you can get more oversight of what issues they have. This improves how organisations get a baseline understanding of their environment.
You cannot secure what you do not know is there. Understanding your environment, tracking your software supply chain and having accurate and up-to-date IT asset lists in place are all necessary. From there, you can carry out regular scanning to track all assets that are deployed on your network.
To be a true risk to your enterprise, a specific vulnerability must have material applicability in your specific environment. Controlling cybersecurity risk is much more achievable by focusing security and IT teams on the vulnerabilities that matter most to your company’s exposure.
Once you know what you have in place and what to prioritise, you can then set out your remediation plans. Streamlining your workflow between the security team responsible for detecting vulnerabilities and the IT operations team responsible for deploying patches can improve your mean time to remediation (MTTR). These two teams often do not integrate. Automating workflow creation can make this process smoother and easier for both sides, while simultaneously improving security hygiene. For risks that are lower priority, teams can automate patch deployments and fix those problems without employing manual labour.
By looking at your whole approach to IT – from custom applications and software supply chains through to cloud services and endpoints – you can get a much clearer picture of what needs to be done in order to maintain security at scale.