Why CISA’s Directive 22–01 Is Only Half the Equation
In 2021, the Department of Homeland Security (DHS) issued a request to hackers everywhere to do what they do best—hack them. This “come at me bro” style invitation wasn’t designed to flex their security strength or prowess but to unearth their weakest points and find vulnerabilities they may have missed. And the ruthless expertise of professional hackers paid off, culminating in one of the most successful bug bounty programs initiated by a federal entity in recent years.
Increasingly sophisticated and aggressive attacks, coupled with the outdated security infrastructures of U.S. federal and state agencies, are pushing many public sector organizations to overhaul their cybersecurity approach. The heightened threat landscape prompted the Cybersecurity and Infrastructure Security Agency (CISA) to issue Binding Operational Directive 22-01, requiring public entities to focus their remediation efforts on actively exploited vulnerabilities listed in a catalog maintained by the agency.
Risk-based vulnerability management is going mainstream
CISA’s directive reflects a larger shift in the security industry towards risk-based vulnerability management. Public sector organizations aren’t the only ones feeling the effects of a surge in cybersecurity threats, but they are among the biggest targets. In 2021, the number of cyberattacks businesses suffered in a week jumped 50%, with Education and Government the most frequently targeted sectors.
With limited remediation resources and capacity (on average, most companies can patch about 15% of their vulnerabilities), adopting a risk-based approach to prioritization helps manage the mountain of vulnerabilities facing organizations today. Last year saw an average of 55 new CVEs published daily, yet another reason why so many security leaders are turning to risk-based vulnerability management.
Readying security operations to do more with less
While the CISA directive is a step in the right direction, it’s still a blanket strategy that fails to account for an organization’s unique needs and environmental makeup. And this is where risk-based vulnerability management really shines.
An intel-driven, risk-based vulnerability management approach coupled with CISA’s Binding Directive 22-01 empowers teams to:
- Catch threats CISA called out—and ones it missed. Risk-based vulnerability management (RBVM) accounts for an organization’s appetite for risk, asset criticality, and specific business profile. Active exploits emerge rapidly, so waiting for CISA to capture them in its known exploited vulnerabilities catalog means risking exploitation in the meantime. Enhanced, real-world threat and vulnerability intelligence—including CISA’s catalog—identifies potential threats in the wild and supports faster and more accurate decision-making.
- Anticipate the next big threat. Leading RBVM solutions have highly calibrated, predictive models baked into their offering so teams can anticipate threats before they become an issue.
- Optimize finite resources. The ability to funnel the right amount of remediation resources to just those vulnerabilities with the greatest potential impact on an organization’s risk profile saves time, money, and effort, increasing efficiency. Teams can lower risk in as few moves as possible.
- Align teams and leadership around shared goals. With an intel-backed single source of truth, security and IT can move quickly and efficiently, eliminate patch debates, and measure the effectiveness of their vulnerability management efforts. And with the ability to better measure and communicate progress, stakeholders outside of security can rally around a shared understanding of risk and how to approach it.
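As an added illustration of the combined approach (example code written for this post, not Kenna’s product or CISA’s tooling), the Python below treats KEV due dates as a hard compliance deadline and ranks everything else by exploit intelligence and asset criticality. The asset names, CVE identifiers, criticality values and intel flags are constructed sample data; the catalog excerpt uses the cveID and dueDate field names of CISA’s KEV JSON feed.

```python
"""Fold CISA's KEV catalog into an asset-aware risk ranking (added example)."""
from datetime import date

# Constructed catalog excerpt in the shape of CISA's KEV feed (cveID/dueDate fields).
KEV_CATALOG = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-1111", "dueDate": "2024-01-15"},
        {"cveID": "CVE-0000-2222", "dueDate": "2024-03-01"},
    ]
}

# Constructed inventory: one row per (asset, CVE). criticality is 1 (low) to 5
# (crown jewel); exploit_intel is what a threat feed reports for the CVE.
INVENTORY = [
    {"asset": "pension-db-01",  "cve": "CVE-0000-3333", "cvss": 7.5, "criticality": 5, "exploit_intel": "active"},
    {"asset": "kiosk-lobby-02", "cve": "CVE-0000-1111", "cvss": 9.8, "criticality": 1, "exploit_intel": "active"},
    {"asset": "hr-web-01",      "cve": "CVE-0000-2222", "cvss": 6.5, "criticality": 4, "exploit_intel": "none"},
    {"asset": "hr-web-01",      "cve": "CVE-0000-4444", "cvss": 9.1, "criticality": 4, "exploit_intel": "none"},
]

# Likelihood weights for exploit intelligence (assumed values for the example).
INTEL_WEIGHT = {"none": 0.2, "poc": 0.6, "active": 1.0}


def kev_due_dates(catalog):
    """Map each KEV CVE to its remediation due date."""
    return {v["cveID"]: date.fromisoformat(v["dueDate"]) for v in catalog["vulnerabilities"]}


def risk_score(finding, kev):
    """Risk 0..100 = severity (CVSS) x likelihood (intel, KEV) x impact (criticality).
    KEV membership is a strong likelihood signal, but not the only one: a CVE the
    catalog has not caught yet can still be actively exploited."""
    likelihood = max(INTEL_WEIGHT[finding["exploit_intel"]], 1.0 if finding["cve"] in kev else 0.0)
    return round(finding["cvss"] / 10 * likelihood * finding["criticality"] / 5 * 100, 1)


def prioritize(inventory, catalog, today_iso):
    """Return findings ordered for remediation: overdue BOD 22-01 items first
    (a compliance deadline), then everything by descending risk score."""
    today, kev = date.fromisoformat(today_iso), kev_due_dates(catalog)
    rows = []
    for f in inventory:
        due = kev.get(f["cve"])
        rows.append({**f, "score": risk_score(f, kev),
                     "kev_due": due.isoformat() if due else None,
                     "kev_overdue": due is not None and today > due})
    return sorted(rows, key=lambda r: (not r["kev_overdue"], -r["score"]))


if __name__ == "__main__":
    for r in prioritize(INVENTORY, KEV_CATALOG, "2024-02-01"):
        print(f'{r["asset"]:16} {r["cve"]} score={r["score"]:5} overdue={r["kev_overdue"]}')
```

Note the ordering on the sample data: the overdue KEV item on the lobby kiosk goes first, but the non-KEV, actively exploited CVE on the pension database outranks the KEV CVE on the HR web server whose deadline has not yet passed.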
Here’s what happened when this public entity embraced risk-based prioritization
Before embracing risk-based prioritization, the Fire and Police Pension Association of Colorado struggled under the sheer volume of vulnerabilities unearthed by scanners. Plagued by remediation inefficiencies and inflated CVSS-based fix lists, effective and timely patching always remained out of reach, leaving teams frustrated and overwhelmed. “Qualys vulnerability reports were 12,000 pages long for 50 servers,” recalls IT security engineer Matt Wilson. “How is that useful?”
Fast-forward to an established vulnerability management program anchored in risk, and the organization began reaping the benefits of prioritization driven by real-world threat intelligence, machine learning, and organizational context. After partnering with Kenna Security, remediation teams were able to glean meaningful and actionable data from the vulnerability management platform, telling them what they needed to fix first and how much risk was present in their environment.
“When that data was parsed by Kenna our risk meter was medium or low on those same servers, and the Kenna data showed us what to fix.” And because prioritization was backed by multiple threat intelligence feeds, it was easy to trust the data.
Navigate the future with confidence and resilience
As uncertainties continue to rise and unprecedented events become the norm, public sector security leaders are challenged to future-proof security operations and tackle any threat with confidence, no matter how severe it might be. While CISA’s binding directive is a worthwhile effort to help focus remediation efforts, it covers only a limited slice of an organization’s risk. Forward-thinking leaders know that success hinges on their ability to prioritize the biggest risks facing their organization and to trust the data backing that prioritization.