Nearly 90% of data breaches happen because of poor cybersecurity posture. Unfortunately, a strong cybersecurity posture is not necessarily a function of dollars invested or the number of tools deployed. Organizations struggle to understand and improve their security posture even with an arsenal of cybersecurity products. This is mostly because the visibility they have into their attack surface lacks color.
If you’re a CISO or CIO, you may have (or might be in the process of gaining) basic visibility into CVEs that your core assets are vulnerable to. However, there are many more levels to visibility: the gray parts of your enterprise digital attack surface. A comprehensive view of enterprise cybersecurity posture can be likened to appreciating 50 different shades of gray.
When I say 50 shades, I’m not exaggerating. This starts with 10 types of vulnerabilities which traditional tools have trouble assessing, times 5 attributes that dictate the risk of each type of vulnerability.
10 Classes of Vulnerabilities
First, let’s take a look at the 10 types of vulnerabilities that attackers try to exploit.
1. Password Issues
In almost all organizations, there are numerous instances of weak, default and reused passwords, often stored and/or transferred in the clear. Some CISOs and CIOs try to address this problem with strong password policies, which lead to much angst amongst users who are forced to somehow remember dozens of nonsensical strings. Even such policies can’t address the more problematic issue of password reuse, which frequently extends to platforms and accounts beyond the security team’s control. Then, there are password issues related to poorly designed software which stores or transmits passwords in the clear or improperly encrypted.
Gray question #1: For your organization, how do you feel about password-related risk?
2. Unpatched Systems
Timely security patching is very challenging, mostly due to the overwhelming weekly volume of new CVEs. Anyone who has seen the output of legacy vulnerability tools knows what this means. Since an accurate notion of risk does not exist, it is very hard to prioritize patches based on risk. Less than 20% of vulnerabilities are easy or even practical to exploit. Similarly, not everything in your network is equally important from a business impact standpoint, but traditional methods of vulnerability assessment and patching either completely ignore or grossly simplify the business criticality of vulnerabilities.
Here is our second gray question: For any given software update that contains security content, do you know which systems must be patched right away, which can wait a couple of days, and which are just noise?
3. Phishing, Web & Ransomware
There is often poor security awareness amongst employees and a lack of modern endpoint security tools and controls. Keeping your enterprise safe starts with identifying your weakest links and putting measures in place to defend them. The weakest links are always some of your users.
Do you know which of your users introduce the most cyber risk exposure to your organization due to their browsing behavior?
4. Misconfigurations
Numerous misconfigurations in application and OS settings exist across the enterprise. There are generally no mechanisms in place to continuously look for such instances and fix the issues.
Here is a particularly thorny gray question: how many configuration items exist in your enterprise that have a cybersecurity-related failure mode?
5. Encryption Issues
In most enterprise networks, there is a large amount of unencrypted or incorrectly encrypted communications. Data is often stored unencrypted or improperly encrypted. Without real-time visibility into your attack surface, it is impossible to remediate your encryption issues.
6. Malicious Insiders
In its general form, the malicious insider problem is a very hard problem. However, in most organizations, there is a complete lack of basic visibility and controls for detecting and preventing rogue users from exfiltrating or destroying key data using straightforward methods. Most enterprises have trouble detecting and investigating the use of printers, file sharing, or USBs to take IP or data.
7. Denial of Service Fragility
The enterprise network is not designed for availability under a (distributed) denial-of-service attack or a compromise/failure of some important asset. With these attacks coming from 100+ threat vectors, it is extremely difficult to see where you are most at risk.
8. Physical Vulnerabilities
The physical security of guest wi-fi, printers, and employee devices is frequently overlooked. Although typically less likely to be exploited than pure cyber-attacks, physical vulnerabilities can be quite severe when taken advantage of.
9. Trust Relationships
Third-party and internal components that are tightly integrated with your critical assets are one of the first places attackers look when trying to move deeper into your organization. Understanding the level of access that each trust relationship could provide if exploited by an adversary is crucial for maintaining a robust security posture.
10. Zero Day Vulnerabilities
Security teams dread zero day vulnerabilities for good reason. They cannot be patched — and implementing reasonable mitigating controls for them is expensive and stressful.
Gray question: how resilient is your enterprise network when some components of the network are suddenly subverted? Can you arrange things to limit damage?
It should be clear that vulnerabilities are not just unpatched software CVEs. Any attack vector that puts your enterprise at risk is dangerous. Vulnerabilities arising from weak or stolen passwords, phishing, misconfigurations, ransomware, encryption issues, etc., can be equally damaging and all types of vulnerabilities should be considered while prioritizing remediations.
For each of the 10 vulnerability types, there are 5 attributes that dictate the risk of a breach, i.e., how difficult it would be for an adversary to effect a breach and the resulting impact of the breach.
1. Asset Inventory
The hardest challenge in calculating cyber-risk for an enterprise is simply knowing the asset inventory, i.e., what vulnerable devices, applications and users are present on the network. Clearly, you cannot protect what you don’t know about.
Another gray question: do you know exactly what assets are active in your network at this instant?
2. Relevant Threats
New threats emerge almost on a daily basis and it is key to understand which ones are important from an organization’s standpoint. Mapping real and emerging threats – what is currently fashionable (or possible) for the adversary – to specific vulnerable assets and then observing and prioritizing these threats is key.
3. Asset Exposure
Besides threats, exposure is key to the risk calculation. Exposure due to asset usage is multidimensional, encompassing factors such as duration for which the asset has been present on the network, availability and frequency of use, as well as type of use. A device with unpatched IE is not necessarily a critical risk if the default browser of the user is Chrome and they never use IE. Similarly, risky behavior of privileged users increases exposure.
4. Business Criticality
With a myriad of assets in your network, it is important to understand the impact of each on your business if it is compromised. To properly estimate the adverse effect to the enterprise if an asset were to be breached, take into account both inherent (e.g. asset category, business unit) and contextual properties of the asset (roles, applications, user privilege, and interaction with other assets).
5. Mitigating Controls
Investments in security controls like firewalls, anti-phishing systems, and EDR tools successfully mitigate risk. Ideally, you need to have an up-to-date inventory of existing security controls, each scored by its effectiveness.
You can then combine this information with inventory, vulnerability, threat, exposure and business criticality information into a mitigated risk model that allows for the prioritization of any necessary remediation actions based on risk.
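The following is an added illustration, not code from the original post: a toy mitigated-risk model that combines the five attributes above into one score per asset and sorts assets into the three tiers from gray question #2 (fix now, can wait a few days, noise). The assets, scores and thresholds are constructed for the example, and the exposure case mirrors the unpatched-IE laptop whose user only opens Chrome.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class Asset:
    name: str
    in_inventory: bool        # 1. Asset inventory: is the asset known and active?
    threat_relevance: float   # 2. Relevant threats: 0..1, is a real threat mapped to it?
    exposure: float           # 3. Asset exposure: 0..1, reachability and actual usage
    criticality: float        # 4. Business criticality: 0..1, impact if breached
    controls: Dict[str, float] = field(default_factory=dict)  # 5. control -> effectiveness 0..1

def mitigated_risk(asset: Asset) -> float:
    """Likelihood (threat x exposure), reduced by controls, weighted by business impact."""
    if not asset.in_inventory:
        # An active asset that is not in the inventory cannot be assessed at all;
        # score it as maximum risk so it surfaces at the top until it is inventoried.
        return 1.0
    likelihood = asset.threat_relevance * asset.exposure
    residual = 1.0
    for effectiveness in asset.controls.values():
        # each independent control lets through (1 - effectiveness) of attempts
        residual *= 1.0 - effectiveness
    return likelihood * residual * asset.criticality

def triage(score: float, fix_now: float = 0.3, can_wait: float = 0.1) -> str:
    """Bucket a score into the three tiers; thresholds are constructed, not prescriptive."""
    if score >= fix_now:
        return "fix now"
    if score >= can_wait:
        return "can wait a few days"
    return "noise"

def prioritize(assets: List[Asset]) -> List[Tuple[str, float, str]]:
    """Return (name, score, tier) ordered from highest to lowest mitigated risk."""
    scored = []
    for asset in assets:
        score = mitigated_risk(asset)
        scored.append((asset.name, round(score, 3), triage(score)))
    return sorted(scored, key=lambda row: -row[1])

# Constructed sample inventory (hypothetical assets, not real data).
SAMPLE_ASSETS = [
    Asset("payroll-db", True, 0.9, 0.8, 1.0, {"edr": 0.5}),
    # unpatched IE on a laptop whose user only ever opens Chrome: tiny exposure
    Asset("sales-laptop", True, 0.9, 0.05, 0.4, {"edr": 0.5}),
    Asset("hr-fileshare", True, 0.6, 0.5, 0.7),
    Asset("unknown-device", False, 0.0, 0.0, 0.0),
]

if __name__ == "__main__":
    for name, score, tier in prioritize(SAMPLE_ASSETS):
        print(f"{name:15} {score:.3f}  {tier}")
```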
With 10 classes of vulnerabilities and 5 attributes by which these attacks should be interpreted, it becomes obvious why the average team’s visibility into their security posture can be likened to discerning between 50 shades of gray.
The 51st shade: Real-Time
Looking forward, there is a 51st shade of gray that is the most consequential given the rapidly expanding asset landscape. This shade is how real-time (or how stale) your visibility is.
Proactive Cybersecurity Posture Management
Proactive cybersecurity posture management requires a continuous and comprehensive system of observations, calculations, and visualizations that result in a prioritized set of actions that are necessary to remediate cyber-risk. You can’t patch everything instantly, so cybersecurity issues must be prioritized to decide which issues need fixing immediately, those that can wait a few days, and those that are just noise.
Proactive cybersecurity posture management is quite different from traditional vulnerability scanning where scanning tools spew out alerts in the hundreds of thousands without any priority order. Cybersecurity posture management also means evaluating numerous options for fixes and executing the one that makes most sense considering the risk-level of vulnerability x.
Part 2: Gaining Color in your Visibility
Gaining color into the 50 shades of gray is key to proactive vulnerability management. Part 2 of this blog series will cover the calculation at its most basic and dive into the five-pronged algorithm that will help you see your vulnerabilities through a new lens.