Chief strategy officer with Sevco Security, security industry entrepreneur, board advisor, investor and author.
Before NASA and its contractors launch a rocket into space, they perform an exhaustive series of checks to ensure everything is in place. At certain times, they may find one or two elements aren’t quite perfect, but they determine that they are still within an acceptable range—as close to perfect as they can get—and declare that the mission is OK to proceed. If anything falls outside the acceptable range, they scrub the launch and plan for another day. It’s all about managing risk.
Launching a new IT service into the cloud can be viewed similarly. Every part of the system may be working and secure, except for one or two small components that contain vulnerabilities. It must then be determined if the new IT service’s potential launch into the cloud, like a NASA or SpaceX rocket, is a “go” or “no go.” That’s where an in-depth approach to vulnerability hunting and management—what we can call exposure management—comes into play.
Before taking steps like launching a new service in a cloud region, entering a new partnership or integrating with a new supply chain, an organization needs to understand what risks its assets are exposed to and how serious those risks are. It’s one thing to know that an application contains a vulnerability with a CVE identifier. You also need to understand the context around it: how critical the application is, the nature of the risk, whether the risk is being addressed and whether, once fixed, it will stay fixed. That is, what’s the real exposure?
If you have that information, you can make a business decision, determining, for instance, that the risk is acceptable and that the launch can proceed. Or you could decide not to proceed because the risk is too significant. The important thing is that you make an informed decision.
Identifying And Prioritizing Risk
In assessing risk, organizations need to understand more than the fact that a vulnerability exists. If an asset has a particular CVE, for example, it’s essential to know how critical that asset is to business operations. Equally important is knowing what compensating controls exist on the system, whether those controls are up to date and whether they are still communicating with their management console.
If a vulnerability exists on an endpoint, but you have an up-to-date functioning endpoint security control that mitigates that vulnerability, the issue becomes a lower priority. If the vulnerability affects a highly valuable asset that doesn’t have endpoint security, it becomes a higher priority. If an administrative account is attached to that asset, it becomes an even higher priority. Understanding risk means understanding how assets are connected.
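The prioritization logic just described can be made concrete. The following is an added example, not code from the article or from Sevco Security: it ranks vulnerable assets by severity, business criticality, whether a compensating endpoint control is installed, current and still checking in with its console, and whether a privileged account is attached. The inventory records, weights and check-in grace period are constructed for illustration and are assumptions, not a published scoring model.

```python
"""Added example (not from the original article): rank vulnerable assets by real exposure,
not just by CVE severity. A compensating control only counts if it is installed, current
and still reporting to its management console. All records and weights are constructed."""

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed "now" so the example is reproducible
CHECKIN_GRACE = timedelta(days=7)                 # assumption: silent longer than this = no control


@dataclass
class Asset:
    name: str
    cvss: float                            # severity of the worst open CVE, 0-10
    criticality: int                       # business criticality, 1 (low) .. 5 (mission-critical)
    control_installed: bool                # endpoint security agent deployed?
    control_current: bool                  # agent and signatures up to date?
    control_last_seen: Optional[datetime]  # last check-in with the management console
    admin_account: bool                    # does a privileged account log on here?


def control_effective(a: Asset, now: datetime = NOW) -> bool:
    """A control mitigates only if installed, current, and still talking to its console."""
    if not a.control_installed or not a.control_current:
        return False
    if a.control_last_seen is None or now - a.control_last_seen > CHECKIN_GRACE:
        return False  # lost communication: treat exactly as if there were no control
    return True


def exposure_score(a: Asset, now: datetime = NOW) -> float:
    """Higher means fix sooner. Severity is weighted by criticality, discounted when a
    working control mitigates it, and doubled when an admin account widens the blast radius."""
    score = a.cvss * a.criticality
    if control_effective(a, now):
        score *= 0.4   # mitigated: lower priority, not zero
    if a.admin_account:
        score *= 2.0   # privileged foothold: even higher priority
    return round(score, 1)


def prioritize(assets, now: datetime = NOW):
    """Return (name, score, reason) tuples, highest exposure first."""
    ranked = []
    for a in assets:
        reasons = []
        if not control_effective(a, now):
            reasons.append("no effective control")
        if a.admin_account:
            reasons.append("admin account attached")
        ranked.append((a.name, exposure_score(a, now), ", ".join(reasons) or "mitigated"))
    return sorted(ranked, key=lambda r: r[1], reverse=True)


# Constructed inventory: four assets sharing similar CVE severities but very different exposure.
INVENTORY = [
    Asset("web-frontend-01", 9.8, 3, True, True, NOW - timedelta(days=1), False),
    Asset("erp-db-01", 7.5, 5, False, False, None, True),
    Asset("hr-laptop-17", 7.5, 2, True, True, NOW - timedelta(days=30), False),  # agent went silent
    Asset("kiosk-03", 5.3, 1, True, True, NOW, False),
]

if __name__ == "__main__":
    for name, score, reason in prioritize(INVENTORY):
        print(f"{score:6.1f}  {name:16s} {reason}")
```

Note what the ranking does with the two CVSS 7.5 assets: the mission-critical database with no control and an admin account comes out on top, and the laptop whose agent stopped checking in a month ago outranks the internet-facing web server with a 9.8, because a control that has gone silent is treated as absent. That is the "communicating with the management console" check from the paragraph above turned into a rule.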
For many organizations, automation is an essential aspect of vulnerability hunting and remediation. If you have a handful of assets, finding and fixing vulnerabilities isn’t much of a problem. For an organization with thousands or tens of thousands of assets, however, a couple of dozen vulnerable assets that lack compensating controls are enough to put you at a high level of risk, and finding them by hand among the rest is not realistic.
Automation features also help address environmental vulnerabilities that can occur in the cloud. Environmental drift can result from several causes (often unintentional), such as a firewall configuration change being made for a test but then not returned to its original state. Updates and modifications can also result in exposing systems and data to exploitation. An automated monitoring system can detect and mitigate the causes of drift.
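One way to catch the kind of drift described above, such as a firewall rule opened for a test and never reverted, is to diff the live rule set against an approved baseline on a schedule. This is an added example, not the article’s or any vendor’s code: the rule records are constructed dicts standing in for whatever a cloud API or configuration export would return, and the rule shape, the list of admin ports and the "anywhere" sources are assumptions.

```python
"""Added example (not from the original article): detect firewall/security-group drift by
diffing live rules against an approved baseline and flagging the risky additions that an
automated reverter would remove. Rule format and sample data are constructed."""

from typing import Iterable

ADMIN_PORTS = {22, 3389, 5985, 5986}     # assumption: SSH, RDP, WinRM
ANYWHERE = {"0.0.0.0/0", "::/0"}


def normalize(rule: dict) -> tuple:
    """Canonical, hashable form so key casing or ordering in an export does not look like drift."""
    return (
        rule["direction"].lower(),
        rule["proto"].lower(),
        int(rule["port"]),
        rule["source"].strip(),
    )


def diff_rules(baseline: Iterable[dict], current: Iterable[dict]) -> dict:
    """Set difference in both directions: added rules widen exposure, removed rules may break controls."""
    base = {normalize(r) for r in baseline}
    live = {normalize(r) for r in current}
    return {"added": sorted(live - base), "removed": sorted(base - live)}


def risky(rule: tuple) -> bool:
    """An inbound admin port opened to the world is the classic 'test change never reverted'."""
    direction, _proto, port, source = rule
    return direction == "ingress" and port in ADMIN_PORTS and source in ANYWHERE


def drift_report(baseline: Iterable[dict], current: Iterable[dict]) -> dict:
    """Full report: every deviation from baseline, plus the subset that should be reverted immediately."""
    report = diff_rules(baseline, current)
    report["risky_additions"] = [r for r in report["added"] if risky(r)]
    return report


# Constructed approved baseline and observed live rules for one security group.
BASELINE = [
    {"direction": "ingress", "proto": "tcp", "port": 443, "source": "0.0.0.0/0"},
    {"direction": "ingress", "proto": "tcp", "port": 22, "source": "10.0.0.0/8"},
]
LIVE = [
    {"direction": "INGRESS", "proto": "TCP", "port": "443", "source": "0.0.0.0/0"},  # same rule, different casing
    {"direction": "ingress", "proto": "tcp", "port": 22, "source": "10.0.0.0/8"},
    {"direction": "ingress", "proto": "tcp", "port": 22, "source": "0.0.0.0/0"},  # left over from a test
]

if __name__ == "__main__":
    print(drift_report(BASELINE, LIVE))
```

The normalization step matters in practice: without it, a re-exported rule with different key casing or a port stored as a string shows up as drift on every run, and the real finding gets lost in noise. The `risky_additions` list is what an automated mitigation step would delete, while the plain `added` and `removed` lists go to a human for review.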
Following Through On Remediation
Addressing risk doesn’t end with remediating a vulnerability. Once a vulnerability has been found and fixed, you also have to validate the remediation. It’s then essential to know that it will remain fixed. You need to monitor the systems for environmental drift. Make sure they’re being updated and communicating with the management console. Problems like losing communication can happen after a week, a month or longer, so it’s essential to maintain monitoring.
Once an exposure management system is set up, you can use it with breach and attack simulation tools to see how your environment would respond to a ransomware attack, data exfiltration or other scenarios, given its current configuration. How would those security controls perform? Would they send alerts to the SIEM? It’s essential to have exposure management built into the monitoring and alerting processes so that you can respond as quickly as possible and lower risk exposure.
A vulnerability hunting and management system can be integrated with ticketing and case management solutions to automate business processes and workflows. It also provides a means to visualize vulnerabilities in a dashboard that displays vulnerable assets and helps teams prioritize risk.
Using Exposure Management In Making An Informed Decision
A serious vulnerability in a mission-critical asset can create enough risk for a company to postpone the launch of a service. However, several low-level risks can also amount to a critical risk. The important thing is to make an informed decision.
Your risk is never going to be zero, and cybersecurity risk is only one element in making a business decision. But to make the decision, you need information on vulnerable assets, and you need it to be clear, accessible and easy to understand. Exposure management allows an organization to make an informed decision based on evidence rather than assumptions or hopes.