Complex and vulnerable – another day in the life of your CISO
April 8, 2024 - London
When seven members of the Boston-based ‘hacker think tank’ L0pht appeared in front of Congress in 1998, they were tasked with persuading an unaware Senate to take the issue of cybersecurity vulnerabilities seriously.
A quarter of a century later, times have changed. The gravity of the vulnerability issue no longer requires justification. Ironically, awareness is forcing us to confront a new problem entirely. With the CVE database exceeding 225,000 vulnerabilities, 75,000 of which were discovered in the last year alone, how do organisations address them without overwhelming their teams and leaving the organisation exposed? Security leaders recently held this very debate at RANT in London. Here’s what they settled on.
Existing methods lag behind technical complexity
It isn’t merely a problem of volume, but of complexity. With operations now utterly reliant on an ever-fragmenting set of potentially vulnerable technologies, splayed across on-prem, cloud, remote, IT, OT and beyond, understanding the true risk picture is difficult.
Legacy tools remain siloed, so security teams’ visibility of these assets is patchy, limiting their view of dependencies and attack paths. Nowhere do they have a rounded view of how each vulnerability impacts the business they protect.
In response, security teams default to CVSS scores and ‘must-fix lists’.
This causes prioritisation problems by reinforcing a generic view of risk. For example, while externally facing and actively exploited CVEs are treated as a priority, lower-scoring vulnerabilities are not, regardless of whether they are connected to business-critical assets. The security leaders admitted this presented exposure in the form of a ‘long tail’ of unpatched flaws.
Beyond skewing technical priorities, CVSS scores skew human ones too. Metrics often reward the fixing of high-priority vulnerabilities and give no credit for patching lower-rated CVEs, further embedding the problem in an already flawed system.
Human systems are also fragmented
The complexity issue is further compounded by organisational silos which force different business areas to have different, often conflicting, objectives.
Varying compliance burdens or operational priorities, for example, can drive a wedge between people and processes, with an impact on remediation, reporting and resource allocation. One attendee outlined that a decision to patch servers had to pass through both the infrastructure and the appsec teams, each with a differing agenda.
Attendees noted that such entanglements create friction in the remediation process and allow ‘risk creep’ to take hold. As one security leader put it, “this is how medium severity vulnerabilities become severe.”
Quantify risk better
The answer, it was agreed, lies in bringing greater context to vulnerability risk assessments. A deeper, broader understanding of the specifics of each individual environment leads to more relevant decisions.
This improves on standard red/amber/green (RAG) analysis which, without the ability to see the tangle of interwoven dependencies and assets, was said either to classify ‘everything as amber’ or, worse, to bias towards so-called ‘watermelon risk’: green on the outside but red on the inside.
To be effective, security teams need to enrich vulnerability data with details such as where assets sit, whether they are connected to regulated capabilities, what business processes are dependent on them, what controls are in place, threat intel, and more.
By aggregating this information, security teams can understand true risk, not just exploitability, and prioritise action accordingly. Captured on an ongoing basis, it can also be a valuable yardstick of progress which, when combined with a security champions program, can help drive maturity.
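As an added illustration (not part of the RANT discussion and not Hackuity's scoring algorithm), the Python sketch below contrasts a CVSS-only ‘must-fix list’ with a ranking enriched by the context named above: where the asset sits, regulated capabilities, dependent business processes, controls and threat intel. The weights, asset names and CVE placeholders are constructed assumptions.

```python
from dataclasses import dataclass
# Added illustration: weights are a constructed heuristic, not a standard
# and not Hackuity's algorithm. CVE ids and asset names are placeholders.

@dataclass
class Finding:
    cve: str
    asset: str
    cvss: float                 # CVSS base score, 0.0 - 10.0
    internet_facing: bool       # where the asset sits
    actively_exploited: bool    # threat intel: exploitation seen in the wild
    regulated: bool             # underpins a regulated capability (e.g. payments)
    critical_processes: int     # business processes depending on the asset
    compensating_controls: int  # controls in place: segmentation, WAF, EDR, ...

def contextual_score(f: Finding) -> float:
    """Enrich the base score with the asset context the text calls for."""
    score = f.cvss
    if f.actively_exploited:
        score *= 1.5                   # exploited beats theoretical severity
    if f.internet_facing:
        score *= 1.3                   # reachable without an internal foothold
    if f.regulated:
        score += 2.0                   # compliance and reputational impact
    score += min(f.critical_processes, 3)    # business dependency, capped
    score *= 0.8 ** f.compensating_controls  # each control lowers residual risk
    return score

def rank_by_cvss(findings):
    """The 'must-fix list' approach: base score alone."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]

def rank_by_context(findings):
    return [f.cve for f in sorted(findings, key=contextual_score, reverse=True)]

def long_tail(findings, must_fix_threshold=7.0):
    """Findings a CVSS>=7 must-fix list defers although context moves them
    up the queue: the 'long tail' of unpatched flaws the text describes."""
    by_cvss, by_ctx = rank_by_cvss(findings), rank_by_context(findings)
    return [f.cve for f in findings if f.cvss < must_fix_threshold
            and by_ctx.index(f.cve) < by_cvss.index(f.cve)]

# Constructed sample findings (asset names and CVE ids are made up).
SAMPLE = [
    Finding("CVE-PLACEHOLDER-A", "public-web-01", 9.8, True, True, False, 1, 0),
    Finding("CVE-PLACEHOLDER-B", "payments-db-02", 6.5, False, False, True, 3, 0),
    Finding("CVE-PLACEHOLDER-C", "build-agent-03", 8.1, False, False, False, 0, 2),
    Finding("CVE-PLACEHOLDER-D", "hr-portal-04", 7.5, True, False, True, 1, 1),
]
```

On the sample, the regulated payments database (CVSS 6.5, three dependent processes) moves from last to second, while the segmented build agent (CVSS 8.1, two compensating controls) drops to the bottom.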
Security leaders also agreed on the strategic value in this data.
Armed with a tailored understanding of the impact of vulnerabilities, security teams can for the first time build colourful, more relevant risk narratives for board members. Put bluntly, it becomes easier to detail the conditions under which vulnerable assets damage reputation, stop factory production or disable payment portals.
This opens the door for more accurate conversations about risk and the associated investment required in controls, as well as more strategic planning of incident response capabilities.
A resolution founded in context
The overwhelming pace and volume of vulnerabilities is a problem which, unchecked, will only compound over time as more technology is spliced into the operational DNA of organisations. A generic view of vulnerability risk is increasingly (and thankfully) becoming obsolete.
The security leaders who address this problem effectively, it was agreed, will be the ones who see the benefit in transitioning to a more personalised view of the impact of vulnerabilities. In turn, this will benefit both tactical risk reduction and strategic board level initiatives.
About Hackuity
80% of cyberattacks use a vulnerability published half a decade ago. Translation: either cybersec professionals don’t care (not true) or they can’t keep up on their own (it’s time we admit that). Fragmented teams, too many tools, and exploding vulnerabilities are a match made in heaven – for attackers.
Founded by experts from leading cybersecurity service providers, Hackuity reinvents Risk-Based Vulnerability Management (RBVM) to protect organisations worldwide:
· Aggregate 80+ market-leading tools into a single pane of glass.
· Prioritise vulnerabilities with our risk-based scoring algorithm.
· Automate remediation specific to your attack surface.
Integrate your ecosystem to help cybersec teams focus on what’s actually vulnerable – not on managing Excel spreadsheets. Hackuity’s platform breaks security silos and provides a unified view of your cyber exposure specific to your attack surface so that you can remediate the real threats, faster. In short, Hackuity is your VOC enabler.
Hackuity is the winner of PwC Luxembourg's Cybersecurity & Privacy Solution of the Year – People’s Choice Award (2023), has received the EIC Seal of Excellence from the European Innovation Council, and is featured on Wavestone’s 2023 French Cybersecurity Scaleups Radar. Hackuity is a member of Campus Cyber and has also won the Government-led Grand Défi competition (2023, 2021), the Assises Innovation Award (2021), the FIC Startup Jury Award (2021), and the BPI Innovation Competition Award (2019). SOC 2 Type II certified and IMDA accredited, Hackuity emerged from stealth and raised €12 million in 2022.