In cybersecurity, it’s widely known that security gaps create risk, and it’s well established that software and hardware vulnerabilities present an ever-present chink in organisational armour. Furthermore, the rapid transition from legacy on-premises systems to the cloud creates additional fissures.

Speak with a Skybox Security expert

For years, the pace and volume of these vulnerabilities have accelerated, driven by everything from geopolitical tensions to remote working. Ironically, this blizzard of individual vulnerabilities has crystallised into a very singular technical question for security leaders: how does one discover, prioritise and remediate vulnerabilities more effectively to reduce risk?

The old ways of vulnerability management are no longer effective

As Marc Andreessen predicted, software is eating the world. Nowhere is this more evident than inside large organisations, where operations rely on a dizzying array of applications and services hosted in the cloud, on-prem, and in hybrid, multi-cloud and OT platforms.

While eating the world, software also chiselled many large holes in security. This is both at a granular level – for example, vulnerable code or hardware, all the way to the underlying infrastructure, where weakness in network policy or configuration presents additional risk.

Unfortunately, as the environment sprawled, it didn’t retain essential security controls. Traditional approaches to vulnerability management became siloed, trapping them in single lanes without full visibility and context. The result? Security leaders often feel their teams are merely ticking issues off a long but partial list of problems.

The gold standard of remediation is patching. It’s theoretically a simple process, but it’s one that often drags on for months. Uncertain of their impact, known vulnerabilities sit exposed in a holding pattern, waiting to be discovered and then waiting again to be addressed, with organisations hoping they don’t get exploited.

Without a thorough, risk-based vulnerability management tool working for you, this problem will only grow as digital transformation continues to multiply and scatter technical assets across the estate. Already spread thin, security teams will be further overwhelmed and directionless — a finger stuck in the dam facing an endless treadmill of blind triage.

Get the VTM Buyer’s Guide to help you choose modern vulnerability management technologies.

Attackers rely on outdated remediation processes

As always, an issue for security teams is an opportunity for attackers. Helped by an organisation’s lack of a true understanding of their cyber exposure, threat actors gain access and move laterally by slipping unseen into organisational cracks.

This is compounded by a lower barrier to entry to becoming an attacker. With the rise of cybercrime-as-a-service and easier access to TTP (tactics, techniques and procedures), breaching security has become more effortless than ever. Attackers don’t need to be well-resourced APT (advanced persistent threat) groups developing exotic zero days to succeed in compromising large organisations.

For this reason, even older, less high-profile common vulnerabilities and exposures have just as much relevance for security teams as celebrity vulnerabilities in today’s headlines. Greater numbers of lower-skilled attackers mean more adversaries taking advantage of low-hanging fruit. However, without a strategy for determining vulnerability impact, organisations have no idea of what is below the radar yet dangerous and what is benign.

Similarly, while a useful guide for gauging general severity and active exploitation, security leaders are reluctant to put too much faith in CVSS scores. Although the process is improving, scores are solely based on external factors, so they lack valuable organisational context critical to prioritisation.

The importance of context – cyber risk quantification

This all highlights the importance of context in getting a true picture of risk. Moving beyond mere visibility to effective action requires understanding one thing: each vulnerability’s impact on your specific environment.

For this to be possible, controls such as continuous exposure management must have complete visibility of all assets, systems, processes and dependencies in the estate. Only with this can you truly understand the nuanced dance of technology in your environment and how, if attacked, operations and business value will be affected. One person’s innocuous asset could be another’s potential regulatory fine.

By mapping vulnerability data on top of this, organisations can see where exposure truly lies – uncovering the paths adversaries may use to cause reputational and financial damage. Playing out a multitude of theoretical incidents, security leaders can better score risk so security operations are better prioritised and effective.

To answer the security leader’s question of whether such initiatives lead to better business outcomes, just ask Equifax. One missed vulnerability and half a billion dollars in fines later will attest to the importance of using context to uncover and prioritise the gaps.

Learn how Skybox can help you better manage vulnerabilities. Speak with an expert today.

About Skybox Security
Over 500 of the largest and most security-conscious enterprises in the world rely on Skybox for the insights and assurance required to stay ahead of dynamically changing attack surfaces. Our SaaS-based Exposure Management Platform delivers complete visibility, analytics and automation to quickly map, prioritise and remediate vulnerabilities across your organisation.