Study Reveals: Growing Attack Surfaces Are Redefining Vulnerability Management in the Wild
Share with Your Network
For the past two tumultuous years, security leaders around the world have been hustling to meet the escalating demands of a post-pandemic world: growing interconnectedness up and down supply chains, meeting the challenges of a hybrid workforce, fending off skyrocketing cyber threats, and more.
Prompted by today’s uniquely difficult cybersecurity landscape, the Enterprise Strategy Group (ESG) surveyed 398 IT and cybersecurity professionals in North America to see how teams were monitoring and managing cyber-risk. The results included in the report, titled Security Hygiene and Posture Management, outlines a cybersecurity world still adapting to a newly evolving normally.
Some organizations are adapting faster than others. For instance, 73% of respondents admitted spreadsheets still play a large role in daily security operations. But manually managing security processes are causing some leaders to rethink their outdated practices, especially since 70% said managing security hygiene and posture management has grown more difficult over the past two years. More and more are realizing the status quo isn’t going to serve them in this unprecedented era.
Beyond taking a few initial vitals, the survey revealed industry peers are struggling with common vulnerability management challenges. Yet they are also finding promising paths forward in the ongoing battle against risk.
What’s driving your expanding attack surface?
Two-thirds of the ESG surveyed say their attack surface has increased over the past two years. Why? Endpoints are multiplying, wreaking havoc on once predictable perimeters. With the explosion in remote work, more connected devices are introducing problems to IT environments. And soon, there will be three times the number of connected devices as there are humans on the planet.
But it’s not just devices causing headaches. Increased reliance on third-party vendors is creating supply chain intricacies many struggle to monitor or manage. Then there is growing use of public cloud infrastructure, followed closely by an uptick in SaaS applications and servers.
All of these problem players introduce more and more assets into an organization. And recent research conducted by Kenna Security and the Cyentia Institute determined that most assets—95%—harbor at least one highly exploitable vulnerability.
Prioritization decisions are proving to be problematic
Cyber-risk issues like these introduce cascading challenges. More assets are being introduced into organizations every day, increasing the need for asset inventory systems—often more than one. On average, organizations derive asset inventory data from 10 different sources. Managing the data from these disparate systems is a difficult task even for the most well-resourced teams.
Once this data is aggregated, normalized, de-duped, and organized, unearthing the vulnerabilities present on these assets is the next hurdle. And with the volume of vulns lobbed at organizations daily, this is no small task. 2021 saw an average of 55 new CVEs published daily, pushing next-level prioritization capabilities to the top of every security leader’s wish list.
ESG found the biggest struggles facing security and IT professionals are evenly distributed between keeping pace with the sheer volume of vulns, automating vulnerability management workflows, and coordinating these workflows and data across tools and teams.
Prioritizing these vulns should be top of mind. ESG’s research points to multiple influences for decision-making around vulnerability prioritization, such as the use of specific vendor products, vulns deemed “critical” by vendors, and regulatory compliance guidelines.
While just 20% of participants say CVSS scores play a role in prioritization and patching decisions, ESG emphasizes that in the organization’s collective experience, CVSS scores tend to play a role in all vulnerability prioritization decisions because they commonly are incorporated into vendor solutions. Yet research from Kenna Security and Cyentia Institute reveals that relying on CVSS scores alone—in other words, prioritizing vulnerabilities without the benefit of vital contextual information such as real-world exploit data—is hardly more effective at reducing your organization’s exploitability than patching CVEs at random. And using only CVSS scores is marginally better than doing nothing whatsoever.
How risk-based vulnerability management shapes stronger security posture
Modern enterprises deserve better than solutions that are no better than simple guesswork. This is why risk-based vulnerability management (RBVM) is fast becoming the industry standard for managing rising risks and expanding attack surfaces. Leading RBVM solutions equip teams with data-driven vulnerability prioritization based on predictive analytics and machine learning, organizational context, and enhanced threat intelligence (including intel on exploit likelihood or active exploit code), giving teams an intuitive and actionable view of the biggest risks facing their organization.
RBVM helps bring order to the sheer volume of vulns in their environment, surfacing the riskiest to the top and providing data-backed marching orders. Acting as a single source of truth, RBVM allows teams to remediate the risks that have the biggest impact on the org’s risk profile, effectively measure progress, and optimize resources. When remediation teams know which vulnerabilities they need to focus on (and which ones they don’t), allocating the right amount of time, money, and effort becomes a simple task.
A heartening number of respondents indicated prioritization decisions were made using risk scoring systems, contextual performance data, asset criticality and location, and the likelihood of weaponization.
To get a better understanding of what life before risk-based vulnerability management looked like for one large enterprise and how RBVM helped it solve some key challenges, learn what happened when Deloitte & Touche LLP decided to go risk-based.
Want to improve your security posture? The study reveals top tips.
For a deep dive into leveling up your organizational security posture and vulnerability management and to get analyst insight into the research, register for Posture Perfect: 5 Tips for Straightening Up Your Posture Management.
Ed Bellis, Kenna Security at Cisco Co-founder and CTO, and Jon Oltsik, Enterprise Strategy Group Senior Principal Analyst and ESG Fellow, will serve up actionable tips and insights gleaned from the survey findings.
- How growing attack surfaces impact your vulnerability management program
- Common challenges plaguing security teams
- How successful security teams approach vulnerability prioritization in the wild
- 5 tips for improving your vulnerability management program today
Link to LP [SF1]