CPO Magazine Article on Holistic Vulnerability Management

Apr 17, 2023
admin

In March 2023 CPO Magazine published the following article, written by Ravi Pentapaty, Brinqa Cybersecurity Evangelist.

Recent research from PwC revealed that U.S. executives’ number-one concern — cyberthreats — ranked higher than talent acquisition and production costs. This heightened focus on cybersecurity means vulnerability management (VM) teams are squarely in the spotlight. They have the monumental task of identifying all of their organization’s security risks, understanding how they affect the business, developing risk prioritizations, and orchestrating swift and effective responses. For many organizations, these teams are the first line of defense against cyberattacks.

But the average company has approximately 76 security tools deployed across its infrastructure, and together they inevitably generate an enormous volume of findings. This poses a challenge to VM teams: with risks being discovered by such a wide range of solutions, how can they be sure their vulnerability risk management programs are actually targeting the highest-priority risks and therefore supporting the organization's cybersecurity goals? When these tools and their findings are siloed, the answer is, unfortunately, simple: they can't.

Top three attack surface areas organizations must integrate
Before VM teams can break down these silos, they must first understand which areas of their attack surface are most important to their organization and which security tools to connect under a single overarching VM program:

On-premises infrastructure: It's obvious that on-premises infrastructure — including laptops, routers, switches, wireless access points, printers, etc. — should be included in every company's VM program. Using vulnerability scanners, such as those from Rapid7 or Qualys, to scan hosts connected to on-premises networks for flaws that permit code execution or privilege escalation, and for weak or outdated encryption packages, is the baseline.
Once upon a time, the average VM program might have ended there. But in the modern workplace, on-premises infrastructure is just one of many parts of the attack surface that teams must address.

Applications: A robust and cross-functional VM program must include application security. Software applications are the foundation of modern work, from inventory management platforms to customer service tools, and significant resources are spent to deploy and maintain them. Because they are both business-critical and widely exposed to users, security teams must continuously monitor them for flaws that could compromise the entire company. Traditional application security scanning tools such as SAST and DAST, together with newer solutions such as secret scanners, provide insight into these risks.

The cloud: In pursuit of digital transformation, businesses have made significant investments to build and extend their cloud infrastructure footprint with resources such as compute, storage and more. Whether companies use Amazon Web Services, Microsoft Azure, or Google Cloud Platform, these cloud footprint expansions inherently increase organizations' attack surfaces, because cloud resources sit at the network edge and are reachable from the internet unless deliberately restricted. An estimated 43% of data breaches are cloud-based, which leaves companies exposed. In response, cloud security posture management tools, virtual machine scanners, and container scanners are all deployed to identify vulnerabilities within these assets.

For each of these attack surfaces, tools are available to search for potential vulnerabilities and rank findings. But these prioritizations can be skewed and lead VM teams in the wrong direction. The rankings they produce are derived from the individual tool's perspective, with no knowledge of the asset's role or its surroundings, so it's common for a vulnerability scanner to mark a large volume of discovered vulnerabilities as high-priority. Only when VM teams get involved and compare these findings against the greater business context do they realize the situation isn't as severe as the tool presented, or that the asset is already protected by compensating controls. But by then, considerable time that could have been spent addressing actual critical threats has been consumed. This is why a VM program must be holistic and wide-reaching to be truly successful.

Why siloed risk management fails
When security tools and their vulnerability findings are kept divided, enterprise cybersecurity suffers. As threat actors’ methods to breach cyber defenses evolve and new systems are added to corporate technology stacks, attack surfaces naturally expand. But without a holistic perspective of this attack surface and its associated vulnerabilities, VM teams lack the capabilities and visibility to carry out proper remediation efforts. After all, teams can’t mitigate vulnerabilities if they don’t know they exist. Mitigation, if performed at all, often uses ad-hoc processes and is done outside the VM team’s purview, which often undermines prioritization efforts. This means organizations may spend resources remediating vulnerabilities thought to be high-priority that turn out to be less significant when other factors are considered.

Without a comprehensive approach that unites a wide variety of security tools and their vulnerability findings, seemingly low-priority risks may go unresolved for weeks, months, or even years, leading to a higher risk of security breaches. By breaking down security silos between on-premises infrastructure, applications, and the cloud, VM teams can evaluate and compare findings across these categories to gain a bird’s-eye-view of the company’s entire security posture. Once divisions between security tools are eliminated, VM teams can holistically identify and prioritize their company’s cyber risks.

Uniting security tools for greater risk prioritization
For teams just starting out, these three attack surfaces — on-premises infrastructure, applications, and the cloud — are a perfect starting point for building out their VM programs. But ideally, teams shouldn’t stop there. Aggregating, analyzing and classifying security findings within a VM program improves the ability of teams to prioritize and efficiently remediate risks.
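The aggregation and re-prioritization described above, and the point made earlier that a scanner's own "critical" rating can be misleading once business context and compensating controls are considered, are easier to see in code. The following is an added example, not code from the original article or from Brinqa: it takes constructed exports from four siloed tool types (host scanner, container scanner, SAST, CSPM), normalizes them to one record shape, collapses duplicates reported by the same tool or by two different tools, and then re-scores each finding against a constructed asset inventory. Every field name, asset name, finding identifier, weight and the "exploited in the wild" feed is hypothetical and chosen only for illustration; the weights are not a standard and a real program would tune them.

```python
"""Aggregate findings from siloed tools and re-rank them with business context.

Added example; not code from the original article or from Brinqa. Tool export
shapes, asset names, finding identifiers, weights and the threat-intel set are
all constructed for illustration and are not real vendor formats or real flaws.
"""

SEVERITY_TO_SCORE = {"critical": 9.5, "high": 7.5, "medium": 5.0, "low": 2.0}
CRITICALITY_WEIGHT = {1: 0.5, 2: 0.75, 3: 1.0, 4: 1.25, 5: 1.5}

# Constructed exports, one per tool silo (hypothetical field names).
HOST_SCANNER = [
    {"host": "web01", "finding_id": "RCE-EXAMPLE-1", "score": 9.8},
    {"host": "web01", "finding_id": "RCE-EXAMPLE-1", "score": 9.8},   # repeated by the scanner
    {"host": "print02", "finding_id": "RCE-EXAMPLE-2", "score": 9.1},  # "critical" on a printer
]
CONTAINER_SCANNER = [
    {"host": "web01", "finding_id": "RCE-EXAMPLE-1", "score": 9.8},   # same flaw, second tool
]
SAST = [{"repo": "payments-api", "rule": "sqli-string-concat", "severity": "medium"}]
CSPM = [{"resource": "customer-exports-bucket", "check": "public-read-acl", "severity": "high"}]

# Constructed business context: criticality (1-5), exposure, compensating controls.
ASSET_CONTEXT = {
    "web01": {"criticality": 3, "internet_exposed": True, "controls": []},
    "print02": {"criticality": 1, "internet_exposed": False, "controls": ["network-isolated"]},
    "payments-api": {"criticality": 5, "internet_exposed": True, "controls": []},
    "customer-exports-bucket": {"criticality": 5, "internet_exposed": True,
                                "controls": ["bucket-policy-deny-public"]},
}
# An asset missing from the inventory is itself a finding: treat it as important
# and exposed so the gap surfaces near the top instead of being silently skipped.
UNKNOWN_ASSET = {"criticality": 4, "internet_exposed": True, "controls": []}
EXPLOITED_IN_THE_WILD = {"RCE-EXAMPLE-1"}  # constructed threat-intel feed


def normalize(rows, source, asset_key, id_key, score_key=None, severity_key=None):
    """Map one tool's export to the common (asset, finding_id, source, tool_score) shape."""
    out = []
    for r in rows:
        score = float(r[score_key]) if score_key else SEVERITY_TO_SCORE[r[severity_key]]
        out.append({"asset": r[asset_key], "finding_id": r[id_key],
                    "source": source, "tool_score": score})
    return out


def aggregate(*batches):
    """Collapse duplicates within and across tools; keep the highest tool score and every source."""
    merged = {}
    for f in (f for batch in batches for f in batch):
        key = (f["asset"], f["finding_id"])
        rec = merged.setdefault(key, {"asset": f["asset"], "finding_id": f["finding_id"],
                                      "tool_score": 0.0, "sources": set()})
        rec["tool_score"] = max(rec["tool_score"], f["tool_score"])
        rec["sources"].add(f["source"])
    return list(merged.values())


def contextual_score(rec, context, exploited):
    """Adjust the tool's own score by business context (illustrative weights, not a standard)."""
    ctx = context.get(rec["asset"], UNKNOWN_ASSET)
    score = rec["tool_score"] * CRITICALITY_WEIGHT[ctx["criticality"]]
    if ctx["internet_exposed"]:
        score += 2.0
    if rec["finding_id"] in exploited:
        score += 2.0
    score -= 1.5 * len(ctx["controls"])  # each compensating control lowers urgency
    return round(max(score, 0.0), 2)


def prioritize(context=ASSET_CONTEXT, exploited=EXPLOITED_IN_THE_WILD):
    """Run the pipeline over the constructed exports; return findings, highest risk first."""
    merged = aggregate(
        normalize(HOST_SCANNER, "host-scanner", "host", "finding_id", score_key="score"),
        normalize(CONTAINER_SCANNER, "container-scanner", "host", "finding_id", score_key="score"),
        normalize(SAST, "sast", "repo", "rule", severity_key="severity"),
        normalize(CSPM, "cspm", "resource", "check", severity_key="severity"),
    )
    for rec in merged:
        rec["risk"] = contextual_score(rec, context, exploited)
    return sorted(merged, key=lambda r: r["risk"], reverse=True)


if __name__ == "__main__":
    for r in prioritize():
        print(f'{r["risk"]:6.2f}  {r["asset"]:24} {r["finding_id"]:20} {sorted(r["sources"])}')
```

Run stand-alone, the script ranks the internet-facing web host's exploited flaw first (reported by two tools, counted once), the public-read bucket check second, and the SAST "medium" on the payments service third; the printer's "critical" lands last because it is a low-criticality, isolated asset with a compensating control. The point is not the specific weights but the shape: one record format, deduplication on (asset, finding) rather than per tool, and a score that the asset inventory and threat intelligence can move in either direction.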

Once these three attack surfaces and their security solutions are effectively integrated within a single program, VM teams should continue leading the effort to prioritize risks in the applications and other areas that are most critical to the business. In doing so, security teams can unlock the ability to level up their vulnerability management program and deliver the best possible security outcomes for the organization and its customers.

Ravi Pentapaty is a cybersecurity evangelist for Brinqa, a leader in cyber risk management. Ravi has spent most of his 18-year career building and leading programs related to application security, cloud security, and threat and vulnerability management at Fortune 500 enterprises, including more than 9 years with Warner Bros. Discovery.
