Cyber Defense eMagazine May 2021 Edition

Layers and Lists vs. Risk-Based Vulnerability Management: Why It's No Competition
Piling security controls on top of security controls and working with endless streams of poorly prioritized
Common Vulnerabilities and Exposures (CVEs) is no way to protect your assets. Unfortunately, that's the
status quo for many enterprises.
While firewalls, standard Vulnerability Management (VM) and endpoint tools have their uses, all of them
can be defeated by a simple human error. They don't always play nice with each other. Additionally,
server misconfigurations, credential mismanagement and other mistakes are a perpetual problem.
Larger organizations are often deluged with alerts, and the amount of time security teams spend chasing
down patches for relatively low risk vulnerabilities is enormous. Without key risk context, defenders often
spend precious hours addressing the wrong set of problems at the wrong time. Not only does it place
your most valued assets at risk, it's also a massive waste of time and energy.
Fortunately, there is a better way: Constant, attack-centric analysis of exposures caused by exploitable
vulnerabilities and human error paired with effective prioritization. Integrating these concepts into an
existing security posture allows you to achieve continuous, risk-based vulnerability management -- and
provides the best tool we have against Advanced Persistent Threats and other sophisticated attackers.
Beat Them at Their Own Game
To adopt an attacker's mindset, defenders need to stop thinking "lists" and start thinking "attack graphs."
In practical terms, this means incorporating risk-based VM software that can continuously scan a network
and identify exposures from exploitable vulnerabilities and errors. Then, such software can launch
simulated attacks against critical assets seeking to illuminate paths that can be exploited.
The outcome of all of this continuous scanning and attack modeling is a targeted and ranked list of
exposures that put your business-critical assets at the most risk. Factor in context-sensitive and least
effort remediation advice, and SecOps teams can begin quickly patching exposures. The entire process
of identifying, classifying and addressing vulnerabilities can be profoundly streamlined and made vastly
more effective.
Now let's contrast this sort of tool with the conventional approach.
You've got a slew of siloed security controls, but no real visibility into evolving vulnerabilities in complex
hybrid environments -- places where even the smallest change can create new security gaps.
You've got vulnerability scanners, but you're missing key risk context. Without understanding how
exposures can be exploited and which vulnerabilities are truly exploitable, you can't efficiently prioritize
your patches. Without a risk-based VM tool to point you to the most accurate vendor patch or update,
you may waste untold hours of research time. Larger enterprises may deal with thousands of CVEs, each
of which must be researched and prioritized. In many cases the issues are low risk or require a patch
that has been superseded by another patch. Without all the needed context, defenders are often
struggling to make the right decisions.
Cyber Defense eMagazine – May 2021 Edition 63
Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide.