Modernizing Vulnerability Management: The Move Toward Exposure Management

Controlling vulnerabilities in the regularly evolving technological landscape is a hard undertaking. Even though vulnerabilities arise routinely, not all vulnerabilities current the very same amount of risk. Classic metrics this kind of as CVSS rating or the selection of vulnerabilities are insufficient for efficient vulnerability administration as they deficiency business enterprise context, prioritization, and knowing of attackers’ options. Vulnerabilities only signify a little aspect of the attack surface area that attackers can leverage.

In the beginning, businesses used handbook procedures to address known security weaknesses, but as technology and cyber threats evolved, a more automated and comprehensive approach became important. Nevertheless, legacy vulnerability management tools ended up developed mostly for compliance and modern day resources nevertheless facial area difficulties in prioritization and limited assets, especially in dynamic and agile cloud environments.

Contemporary vulnerability management integrates security tools such as scanners, menace intelligence, and remediation workflows to provide a far more productive and successful option. Yet, organizations continue to deal with challenges these as:

• A rising listing of vulnerabilities
• Inaccurate prioritization
• Lacking organization context
• Misalignment of priorities and resources amongst IT and security groups
• Lack of coverage and a unified view of risk

Exposures are broader than a common CVE and can encompass more than just vulnerabilities. Exposures can end result from several components, this kind of as human error, improperly outlined security controls, and poorly created and unsecured architecture. Several security instruments tend to target on precise types of exposures, this kind of as vulnerabilities, misconfigurations, or identities, and address each and every one in isolation. Having said that, this method fails to take into consideration how attackers watch networks and devices. Attackers will not seem at the personal exposure – somewhat, they leverage the toxic combination of vulnerabilities, misconfigurations, overly permissive identities, and other security gaps to go across devices and achieve sensitive assets. This route is called an attack route and this variety of lateral motion can go undetected for weeks or months, permitting attackers to bring about considerable and ongoing hurt when hiding within networks.

A modern publicity administration application entails combining several exposures on to an attack graph to have an understanding of the partnership and context of risk towards critical belongings. This will allow for focused remediation that decreases risk in the most price tag-economical fashion. To create a present day publicity management software, companies really should acknowledge the evolution of risk actors and their practices, build an operational approach for guaranteeing ongoing security posture enhancement, and implement a plan consisting of remediation scheduling, remediation critique, risk mitigation and mitigation verification.

At XM Cyber, we believe that that only by combining several exposures alongside one another onto an attack graph that visualizes all achievable attack paths, can we have an understanding of the romantic relationship and context of risk in direction of critical assets. And by comprehending context, we can precisely prioritize issues to target on the exposures that need to have remediating in which they converge on choke details. This makes it possible for for productive remediation that reduces risk in the most price tag-economical method.

The three crucial pillars to setting up a modern day publicity administration program are:

• Comprehending publicity insights – constantly establish and observe likely pitfalls to critical property, as perfectly as figuring out any gaps in security controls or deviations from compliance requirements.
• Analyzing attack paths – develop an attack graph perspective that visualizes all achievable attack paths to critical belongings.
• Prioritizing remediation efforts – target on the most critical issues and choke factors that need instant awareness to minimize risk publicity in a value-productive manner.

By combining these 3 pillars, organizations can build a complete and effective publicity administration software that aids to guard critical property and lessen total risk publicity. This enables for successful remediation that cuts down risk in the most value-efficient manner. By continuously analyzing and monitoring exposures, corporations can build a sustainable and scalable process for taking care of risk about time.

Observe: This article is penned and contributed by Michael A. Greenberg, Director of Products Marketing at XM Cyber.

Uncovered this article exciting? Comply with us on Twitter  and LinkedIn to go through a lot more unique articles we put up.

Some parts of this short article are sourced from:
thehackernews.com