
The conventional approach for protecting critical assets is broken. Here's what's needed to fix it.


Let’s take a closer look at a few reasons why current strategies are flawed and the tools organisations can deploy to create a truly mature and effective strategy for critical asset protection.

It seems intuitive — or even plainly obvious: An organisation’s most critical assets (the “crown jewels,” so to speak) should be protected in the most forward-looking, vigorous manner possible.

Unfortunately, the statistics show that’s not always happening. Some 39 per cent of respondents in a recent ServiceNow / Ponemon Institute survey of 3,000 US IT professionals say that their organisations are aware of breaches that were linked to known vulnerabilities — an increase of 5 per cent over last year’s survey. Additionally, 88 per cent of respondents say that the security team isn’t the sole group responsible for patching these vulnerabilities and that they need to coordinate with other departments. As a result, patches are often delayed by an average of 12 days. That’s nearly two weeks in which an organisation is vulnerable to threats that have known fixes. With numbers that high (and escalating), it’s fair to say that the current approach toward assessing and responding to critical asset risk is lacking.

The shortcomings of conventional vulnerability response management

One way to fix the problem of inadequate risk management is an enhanced focus on effective vulnerability response for any and all critical assets in jeopardy. Yet while organisations oriented toward automation are improving at patching, the current framework being used is insufficient. The Common Vulnerability Scoring System (CVSS) is a 1-10 scale (with 10 being the most severe) that rates the severity of a threat on several defined metrics, including ease of implementation and the potential impact on the organisation. It is often the only metric considered when prioritising patches. While CVSS is certainly a step in the right direction, it does not consider asset criticality and the surrounding systems as part of overall vulnerability response. Which assets are most critical may seem like common sense, but security analysts are already suffering notification overload, and neglecting to present this metric in a quickly digestible format sets them up for failure.

More money does not always equal better security

Organisations have not been shy about throwing money at the vulnerability management problem. The ServiceNow / Ponemon survey showed that today’s organisations are spending $1.4 million annually, on average, for vulnerability management. This is a significant increase over 2018, during which $1.16 million was spent, on average. Clearly, spending more money on preventing, detecting and remediating vulnerabilities isn’t enough to protect critical assets. You also have to spend money the right way. Increasing spending to prop up a broken model is ultimately counterproductive.

Patch paralysis remains an issue

Patches, correctly applied, stop data breaches. Unfortunately, significant numbers of breaches continue to occur even when patches exist to close the vulnerability. In the ServiceNow / Ponemon survey, nearly half of respondents reported their organisation had suffered a data breach within the last 24 months, and 60 per cent of these respondents indicated this breach could have occurred despite the existence of an available patch for that vulnerability. Most of these respondents were simply unaware of the vulnerability, unaware of the patch, or simply failed to act. Patch paralysis, rather than patch awareness, continues to be a primary cause of data breach incidents.

Finding a better approach

Most vulnerability management programs are immature. This means they lack the ability to prioritise the vulnerabilities that pose the most urgent risk to the security environment. CVSS scoring, despite its prevalence, is the only patch prioritisation metric that excludes asset criticality and systems response, which means that it cannot provide truly effective prioritisation. Any program built solely around CVSS scoring is, by definition, immature and invites unneeded risk.
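To make the argument concrete, the following added example (not code from the article or from XM Cyber) ranks a constructed set of findings two ways: by CVSS base score alone, and by CVSS weighted with an owner-assigned asset criticality and an internet-exposure factor. The asset names, vulnerability identifiers and weights are all illustrative assumptions, not a standard scoring scheme.

```python
"""Added example: CVSS-only patch ordering versus criticality-aware ordering.
All sample data below is constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str        # placeholder identifier, not a real CVE
    cvss: float         # CVSS base score, 0.0 to 10.0
    criticality: int    # 1 (throwaway) to 5 (crown jewel), set by the asset owner
    internet_facing: bool


# Constructed sample: a critical-scored bug on a test box sits next to a
# medium-scored bug on the payroll database.
FINDINGS = [
    Finding("dev-test-01", "VULN-A", 9.8, 1, False),
    Finding("payroll-db", "VULN-B", 6.5, 5, False),
    Finding("web-portal", "VULN-C", 7.2, 4, True),
    Finding("kiosk-07", "VULN-D", 8.1, 2, False),
]


def cvss_only_order(findings):
    """Patch queue when CVSS is the only metric considered."""
    return [f.asset for f in sorted(findings, key=lambda f: -f.cvss)]


def risk_score(f):
    """Assumed weighting: CVSS scaled by criticality (1-5), with a 1.5x bump
    for internet exposure. Illustrative weights, not a published formula."""
    exposure = 1.5 if f.internet_facing else 1.0
    return round(f.cvss * f.criticality * exposure, 2)


def criticality_aware_order(findings):
    """Patch queue once asset criticality and exposure are factored in."""
    return [f.asset for f in sorted(findings, key=lambda f: -risk_score(f))]


def rank_shift(findings):
    """Positions each asset moves up (+) or down (-) when criticality is used;
    large positive values are the 'crown jewels' CVSS alone would have buried."""
    cvss_rank = {a: i for i, a in enumerate(cvss_only_order(findings))}
    aware_rank = {a: i for i, a in enumerate(criticality_aware_order(findings))}
    return {a: cvss_rank[a] - aware_rank[a] for a in cvss_rank}


if __name__ == "__main__":
    print("CVSS only:        ", cvss_only_order(FINDINGS))
    print("Criticality-aware:", criticality_aware_order(FINDINGS))
    print("Rank shift:       ", rank_shift(FINDINGS))
```

With the constructed data, the CVSS-only queue puts the disposable test host first and the payroll database last, while the criticality-aware queue reverses that, which is exactly the misprioritisation the article describes.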

Threat intelligence, incident response and security automation platforms are the most powerful tools for improving vulnerability response, and all are seeing a corresponding rise in adoption. Yet according to the ServiceNow / Ponemon survey, only 46 per cent of respondents are now incorporating this technology into the business, leaving over half with an archaic form of managing threat response.

To implement a mature vulnerability management program that protects critical assets, it’s advisable to include an advanced breach and attack simulation (BAS) platform.

Why breach and attack simulation is a cornerstone for critical asset protection

As mentioned above, patch paralysis continues to be a significant problem, and relying on CVSS scoring to prioritise patches is an incomplete solution. A BAS platform can help organisations create a truly mature program for vulnerability management.

The process works like this: A BAS platform launches continuous attack simulations against an organisational security environment in an effort to discover vulnerabilities. These simulations are, in essence, automated red teams, attempting to find weaknesses across the entirety of the network. By probing for weaknesses in an automated and continuous manner, BAS platforms allow defenders to assume the mindset of attackers and take a less reactive approach to organisational security — ultimately providing the highest level of security for critical assets. This level of proactivity allows a security team to not only discover which endpoint could be the “patient zero” of an attack but fully analyse the complete journey of how that attack would spread throughout the organisation.

Yet simulated attacks are only one aspect of an advanced BAS solution. These platforms also provide prioritised remediation recommendations that identify the most urgent steps defenders need to take to protect their crown jewels. Unlike CVSS scoring, criticality and systems are factored into this approach.

A fully automated BAS platform allows organisations to help ensure that critical assets are protected both on-premises and in the cloud. For any business seeking to improve its vulnerability management program and protect its most valuable assets in multiple environments, an advanced solution is the current gold standard in security. Not only does it help to keep the organisation safe from cyber-threats, but it also helps reduce the information overload that's often bludgeoning the analyst team, allowing everyone to go home happy, literally.

Gus Evangelakos, Director of North American Field Engineering, XM Cyber

Gus Evangelakos is the Director of North American Field Engineering, at XM Cyber. He has extensive experience in cyber security, having managed implementations and customer success for many major global brands such as Varonis, Bromium and Comodo.