Security operations teams have been dealing with “alert fatigue” for far too long.
The introduction of log monitoring (e.g. SIEM), firewalls, and AV technologies more than two decades ago gave IT teams valuable tools for being alerted to known suspicious network behavior. However, as time has passed and digital transformation has reached an all-time high, the underlying technologies that support security teams in their day-to-day operations have not changed.
It is now harder than ever to distinguish between benign and malicious behavior: attacks have become more sophisticated, often use legitimate operating system tool sets ("living off the land"), and are more difficult to spot among normal network behavior. The problem is that not all suspicious behavior is malicious behavior, far from it. As a result, what was supposed to provide useful insight into network activity has become the bane of many security professionals.
Attacking a problem with the wrong set of tools produces the opposite of progress, as we can see in the vulnerability management market, where tools have become more of a distraction for security professionals than the insightful guide to better security they promise to be.
Legacy vulnerability management tools flood security teams with long lists of community-prioritized vulnerabilities: more than 15,000 vulnerabilities were disclosed in 2020 alone. Of these, only about 8% were exploited by attackers. And that is before counting the top 30 routinely exploited vulnerabilities recently reported by CISA.
Currently, it is a cat-and-mouse game the customer can never win: chasing an ever-growing list of vulnerabilities without knowing whether they have fixed the ones attackers actually want to target, whether they have surfaced the riskiest vulnerabilities, whether an exploit exists for a specific vulnerability, or what the possible risk and impact of that vulnerability would be.
All of this context is necessary for security and IT teams to reduce risk, maintain business continuity and stay one step ahead of the adversary. Unfortunately, the pursuit of more and more vulnerabilities has taken us away from where we want and need to be. At this point in the battle against cyber adversaries, CISOs cannot step back into the world of vulnerability fatigue. They must evolve at the same pace as attackers innovate, which requires understanding how attackers reconnoiter and target an organization. This is the fundamental job at which vulnerability management systems fail.
Trapped in an endless vulnerability game
According to CVE Details, the average organization of 5,000 employees will have 3 to 4 times more vulnerabilities to manage. Among this group, only 13% are generally considered "critical". But how should criticality be assessed? Looking at a single vulnerability in isolation is like checking your temperature once a year: it tells you nothing useful.
Without the ability to determine which vulnerabilities are most likely to be exploited by attackers, security teams play a never-ending game of patching: as soon as one vulnerability is found and queued for a fix, another one appears. The volume of fixes is overwhelming, and it becomes impossible to mitigate risk effectively and focus on improving resilience.
In a recent memorandum released by the Biden administration after devastating ransomware attacks on Colonial Pipeline and JBS Foods, the White House urged companies to take proactive steps to reduce the risk of advanced attacks. This includes the rapid updating and remediation of systems and the use of a “third party pen tester to test the security of your systems and your ability to defend against a sophisticated attack”.
While penetration testing can be effective in identifying the most critical vulnerabilities, it is a manual process that provides only a point-in-time snapshot of an organization's security posture. An organization needs continuous assurance of its attack readiness, and this is where automated security validation comes in.
The dawn of a continuous approach to security validation
The IT network is a living organism in constant evolution: users are added and removed, access and policies are updated, workloads migrate to cloud and distributed environments. This is why legacy vulnerability assessment built on an agent-dependent architecture is no longer sufficient. Leading CISOs are taking a broader and more comprehensive approach to automated security validation, which requires a real examination of how an attacker would approach your environment.
Here are some key differences between automated security validation and legacy vulnerability management:
- Vulnerabilities that matter – Most legacy systems are good at detecting vulnerabilities, but that is all they do. No security team wants more vulnerabilities. What they want is the right context and the risk associated with the most critical ones: the vulnerabilities that matter most based on exploitability, the possible risk, and the impact on the organization and the operation of the business.
- Adversarial validation – The only way to really know which vulnerabilities to prioritize is to emulate the real tactics and techniques that real-world attackers use to exploit your network. Existing systems lack the ability to perform discovery, sniff, spoof, crack, safely inject malware, move laterally, escalate privileges, and exfiltrate data. By exposing networks to true adversarial actions, teams gain a comprehensive view of attack operations and a true assessment of their resilience to attacks.
- Retest capabilities – With legacy vulnerability assessment, IT teams often struggle to understand whether the changes they made improved security or caused collateral damage to the network. With a security validation tool, security teams can immediately retest their environment and compare the result against the baseline to confirm that the fix worked and that nothing new was introduced.
- Security control effectiveness – Again, treating the vulnerability itself as the target misses the point, leaving security teams without a confident basis for acting on their preparedness against an attack. With the continuing evolution of IT infrastructure and the growing sophistication of adversaries, security controls must be validated to ensure that they are functioning as intended and are configured correctly.
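To make the first and third points concrete, here is an added example of context-based prioritization and baseline-versus-retest comparison. It is illustration written for this page, not code from the original article or from any validation product. The findings, the placeholder identifiers (V-1 and so on, not real CVEs), the asset names and the weighting factors are all constructed assumptions; the point is that a CVSS-only ordering and an exploitability- and impact-aware ordering disagree, and that a retest diff separates what was fixed from what the change broke.

```python
"""Context-weighted vulnerability prioritization and baseline/retest diffing.

Added illustration for this article, not code from it or from any vendor.
All findings, identifiers, scores and weights below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str              # placeholder identifier, not a real CVE
    asset: str
    cvss: float               # CVSS base score, 0.0 to 10.0
    exploit_public: bool      # working exploit code is publicly available
    actively_exploited: bool  # seen exploited in the wild (KEV-style catalogue)
    internet_facing: bool
    criticality: int          # business criticality of the asset, 1 (low) to 5 (crown jewel)


def risk_score(f: Finding) -> float:
    """Context-weighted score: CVSS is only the starting point.

    The multipliers are illustrative assumptions, not an industry standard.
    An actively exploited medium on an exposed critical asset should outrank
    a 9.8 with no known exploit on an isolated lab box.
    """
    score = f.cvss
    if f.actively_exploited:
        score *= 2.0
    elif f.exploit_public:
        score *= 1.5
    if f.internet_facing:
        score *= 1.5
    score *= f.criticality / 3.0  # criticality 3 is neutral
    return round(score, 2)


def by_cvss(findings):
    """The legacy ordering: highest base score first."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def by_risk(findings):
    """Exploitability- and impact-aware ordering."""
    return [f.vuln_id for f in sorted(findings, key=risk_score, reverse=True)]


def compare_runs(baseline, retest):
    """Diff two assessment runs keyed on (vuln_id, asset).

    'fixed' confirms the remediation took effect, 'new' flags collateral
    damage or regressions introduced by the change, 'open' is still unpatched.
    """
    before = {(f.vuln_id, f.asset) for f in baseline}
    after = {(f.vuln_id, f.asset) for f in retest}
    return {
        "fixed": sorted(before - after),
        "new": sorted(after - before),
        "open": sorted(before & after),
    }


# Constructed sample findings (not real vulnerabilities or hosts).
BASELINE = [
    Finding("V-1", "lab-box", 9.8, False, False, False, 1),
    Finding("V-2", "vpn-gw", 7.5, True, True, True, 5),
    Finding("V-3", "hr-portal", 6.5, True, False, True, 4),
    Finding("V-4", "build-srv", 8.1, False, False, False, 3),
]

# Constructed retest after patching V-2 on vpn-gw; the change also exposed
# a new, lower-severity issue on the same gateway.
RETEST = [
    Finding("V-1", "lab-box", 9.8, False, False, False, 1),
    Finding("V-3", "hr-portal", 6.5, True, False, True, 4),
    Finding("V-4", "build-srv", 8.1, False, False, False, 3),
    Finding("V-5", "vpn-gw", 5.3, False, False, True, 5),
]


if __name__ == "__main__":
    print("CVSS order :", by_cvss(BASELINE))   # V-1 first, the harmless lab box
    print("Risk order :", by_risk(BASELINE))   # V-2 first, the exploited VPN gateway
    print("Retest diff:", compare_runs(BASELINE, RETEST))
```

Run as a script, the CVSS ordering puts the isolated lab box at the top of the queue while the risk ordering puts the actively exploited, internet-facing VPN gateway first; the retest diff reports V-2 as fixed, V-5 as newly introduced, and the rest as still open. In practice the exploitability and exposure fields would be populated from the validation run itself rather than hand-entered.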
Automated security validation changes the paradigm, and with it the game. Allowing security teams to get ahead of the vulnerability curve by focusing on the vulnerabilities that matter most exposes the real root cause of the problem. This helps them not only to manage the continuous patch cycle according to actual business risk, but also to combat vulnerability fatigue.