In today's increasingly interconnected digital world, the threat landscape is continuously evolving. This presents new challenges for organisations striving to protect their information systems and assets. Cyber resilience is front of mind for organisations both large and small; however, one fundamental characteristic shared by any good cyber security strategy is addressing and maintaining appropriate levels of security hygiene, to reduce organisational risk and exposure.

Traditional Vulnerability Management began as, and remains, a reactive and time-intensive process that focuses on identifying and remediating vulnerabilities across the technology estate. Remediation typically requires manual intervention to implement a patch, fix, or workaround. While this approach has served organisations well enough, it’s no longer a sustainable solution at scale: most incumbent systems and processes are not geared to proportionately address the complex and integrated attack surface we’re now faced with. Let us explore how Vulnerability Management has evolved, and why it’s so important that we adopt a holistic, risk-based, contextual approach to managing our attack surface, to keep pace with the threats of today and the threat actors of tomorrow.

Customarily, vulnerabilities have been viewed at a very discrete level, focusing on specific systems or applications. Processes often fail to consider the inherently interconnected nature of modern IT environments, where a vulnerability in one context creates a ripple effect downstream across other interrelated systems and components. The reactive nature of these practices means that organisations are continuously on the back foot. The time taken to identify affected systems, prioritise remediation, implement a patch or workaround, and validate its efficacy all compounds organisational exposure. This delay ultimately provides adversaries with a window of opportunity which, according to InfoSec Institute, sits on average between 60 and 150 days, to exploit a given weakness in a target environment long before it can be mitigated.

Vulnerability Management systems have also primarily focused on the identification of purely technical vulnerabilities, catalogued as “Common Vulnerabilities and Exposures”, or CVEs for short. The Common Vulnerability Scoring System (CVSS) is the industry benchmark for severity scoring, and while CVSS should be used as a guiderail, it cannot provide organisation-specific context to drive remediation efforts. This CVE- and CVSS-centric view has blinded organisations to the presence, and the prioritisation, of critical risk factors such as misconfigurations, human-induced errors, identity-related exposure, and even supply chain risks. This narrow approach has ultimately left organisations more vulnerable and exposed.

Next came systems that integrated Threat Intelligence (TI) and other criteria to provide a more well-rounded view of your vulnerability footprint. While these systems provide an improved snapshot for prioritisation, including actual threat information, ease of exploitability, and recommended remediations, such tools are still complex and time-consuming in nature, requiring significant administrative overhead to manage. They still lack the organisation-specific context needed to enable truly effective risk-based decision making and prioritisation.

With the proliferation of hybrid and multi-cloud-based services, increased mobility, remote teleworking practices, accessibility and integration of AI, and the pervasive use of social media, technology adoption and innovation have become ubiquitous. As such, Vulnerability Management norms have intrinsically changed: where Vulnerability Management systems and processes previously didn’t extend beyond keeping Operating Systems patched and up to date, today this is but one link in a much broader chain. Recognising these past limitations has driven the emergence of a more proactive and holistic approach to safeguarding our systems, underpinned by the rapid development, convergence, and adoption of two separate yet interrelated domains: Attack Path Management and Attack Surface Management.

Attack Path Management involves analysing the interconnected pathways that potential attackers could exploit to move laterally through a network. By understanding these potential paths of attack, organisations gain heightened visibility into the critical relationships and dependencies that exist across their infrastructure. This enables contextual prioritisation of vulnerabilities based on their potential impact, facilitating a far more proactive approach to managing uncertainty. Attack Path Management goes beyond simply identifying individual vulnerabilities and focuses on understanding how such vulnerabilities can be chained together to create a pathway for attackers to exploit. This allows organisations to assess risk from a systemic perspective, identifying the most effective ways to mitigate threats and prioritising resources accordingly.
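The two points made above, that a CVSS score alone carries no organisation-specific context and that findings matter most when they chain into a path to something valuable, can be made concrete with a small graph model. The following is an added example written for this article, not code from the original page or from any product it mentions. It models a constructed estate as a directed graph whose edges are "an attacker holding asset A can reach asset B by using finding F", enumerates the simple paths from the internet to a critical asset, and ranks the findings by how many of those paths they sit on, using CVSS only as a tie-breaker. All asset names, finding identifiers (F1 to F7, not real CVEs) and CVSS values are constructed for illustration; a real implementation would also weight exploitability and threat intelligence, which are deliberately left out here.

```python
"""Contextual attack-path prioritisation (added example; constructed data)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    finding_id: str   # hypothetical identifier such as "F1" (not a real CVE id)
    kind: str         # "cve", "misconfig" or "identity"
    cvss: float       # constructed CVSS base score, 0.0 to 10.0


# Constructed estate: (source asset, target asset, finding that enables the hop).
# Two routes lead from the internet to the crown-jewel database; both must cross
# the shared service account F3. F7 is a high-CVSS finding on an isolated host.
EDGES = [
    ("internet", "web-dmz", Finding("F1", "cve", 9.8)),
    ("web-dmz", "app-server", Finding("F2", "misconfig", 5.3)),        # over-permissive firewall rule
    ("app-server", "db-crown-jewels", Finding("F3", "identity", 4.0)),  # shared service account
    ("internet", "vpn-gateway", Finding("F4", "cve", 9.1)),
    ("vpn-gateway", "hr-laptop", Finding("F5", "cve", 7.5)),
    ("hr-laptop", "app-server", Finding("F6", "misconfig", 6.0)),       # stale local admin rights
    ("internet", "marketing-site", Finding("F7", "cve", 9.9)),          # isolated; reaches nothing critical
]
CRITICAL_ASSETS = {"db-crown-jewels"}


def build_graph(edges):
    """Adjacency list: asset -> list of (reachable asset, finding used for the hop)."""
    graph = defaultdict(list)
    for src, dst, finding in edges:
        graph[src].append((dst, finding))
    return graph


def enumerate_paths(graph, start, targets, max_depth=8):
    """All simple paths (no asset revisited) from start to any target asset.
    Each path is returned as the ordered list of findings that were used."""
    paths = []

    def dfs(node, visited, findings):
        if node in targets:
            paths.append(list(findings))
            return
        if len(findings) >= max_depth:  # bound the search on large graphs
            return
        for nxt, finding in graph.get(node, []):
            if nxt in visited:
                continue
            visited.add(nxt)
            findings.append(finding)
            dfs(nxt, visited, findings)
            findings.pop()
            visited.discard(nxt)

    dfs(start, {start}, [])
    return paths


def rank_by_cvss(edges):
    """The traditional view: finding ids ordered by CVSS base score only."""
    findings = {f for _, _, f in edges}
    return [f.finding_id for f in sorted(findings, key=lambda f: -f.cvss)]


def rank_by_path_exposure(edges, start="internet", critical=CRITICAL_ASSETS):
    """Contextual view: order findings by the number of attack paths to a critical
    asset they appear on; CVSS only breaks ties. Findings on no path sink to the bottom."""
    paths = enumerate_paths(build_graph(edges), start, critical)
    on_paths = defaultdict(int)
    for path in paths:
        for finding in path:
            on_paths[finding.finding_id] += 1
    by_id = {f.finding_id: f for _, _, f in edges}
    return sorted(by_id, key=lambda fid: (-on_paths[fid], -by_id[fid].cvss))


def choke_points(edges, start="internet", critical=CRITICAL_ASSETS):
    """Findings present on every path to a critical asset: remediating one of
    these closes all currently known paths at once."""
    paths = enumerate_paths(build_graph(edges), start, critical)
    if not paths:
        return set()
    return set.intersection(*({f.finding_id for f in p} for p in paths))


if __name__ == "__main__":
    print("CVSS-only order:     ", rank_by_cvss(EDGES))
    print("Path-exposure order: ", rank_by_path_exposure(EDGES))
    print("Choke points:        ", sorted(choke_points(EDGES)))
```

Run as written, the CVSS-only ranking puts F7 (9.9, on an isolated marketing host) first and F3 (4.0) last, whereas the path-exposure ranking puts F3 first because both routes to the database depend on that shared service account, and reports it as the single choke point. That is the kind of organisation-specific context the article argues CVSS cannot supply on its own: a low-severity identity finding can be the most valuable fix in the estate.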

Attack Surface Management, on the other hand, considers the broader attack surface of the organisation, which includes not only vulnerabilities within the network but also external factors that may expose the organisation to exploitation. This approach considers factors such as cloud-hosted systems and data, IoT/OT devices, third-party integrations (APIs), the supply chain, and even human-related risk factors. By adopting a holistic Attack Surface Management approach, organisations gain a comprehensive view of their entire digital landscape, enabling the identification of potential weaknesses that could otherwise be leveraged by an attacker, even where they’re not immediately apparent through traditional vulnerability scanning mechanisms. By addressing vulnerabilities across the entire attack surface, organisations can more effectively reduce their overall risk, whilst enhancing their cyber resilience.

We as an industry must be responsive to these advancements, shifting away from legacy Vulnerability Management practices towards more holistic Attack Surface and Attack Path Management. Through these proactive capabilities, Security Operations teams can be further empowered to identify and mitigate vulnerabilities more effectively. By understanding the interconnected nature of our IT environments and considering factors beyond the technical realm, we can better protect our digital assets from the evolving cyber threat landscape. Embracing new and pre-emptive approaches will be crucial for organisations looking to stay ahead of the threat curve, whilst ensuring the sustained resilience of our systems and operations.