In April, the cybersecurity community held its breath as the Common Vulnerabilities and Exposures (CVE) program was plunged into a moment of existential crisis. In the end, an eleventh-hour reprieve saved the day.
While CVEs do not encompass the full scope of network security issues, they are still a critical component to track as part of a security program. Over the last 25 years, the CVE program has evolved into a critical, shared, and global resource that helps IT defenders keep their constituents safe and secure, and it’s important for this work to continue.
But this is no time to celebrate. Today’s vulnerability management model fails fundamentally because exploited CVEs account for only a small fraction of enterprise exposures. Most traditional exposure management tools don’t see the whole picture, either because they only have visibility into a small subset of vulnerabilities, they can’t see all enterprise assets, or both. Network defenders need a new approach, and fast.
Why is exposure management so difficult?
Defenders’ job is getting harder thanks to a confluence of factors. A big part of it comes down to the size and complexity of the corporate attack surface. Depending on the organization, it could incorporate everything from on-premises servers and desktops to remote working laptops and smartphones, public cloud containers, edge devices, and operational technology (OT).
This creates a major visibility challenge, because cloud-native environments scatter assets widely and keep them dynamic and short-lived.
Meanwhile, threat actors are growing more professional and more determined.
The problem with CVEs
Effective exposure management will be key to ensuring that organizations remain ahead over the coming years. But the tools and methods many of them use are fundamentally flawed, because they don’t represent the entirety of vulnerabilities/exposures out there. Threat actors actively exploit misconfigurations, segmentation issues, and internally exposed assets.
Verizon found that only a third of recent data breaches involved known exploited vulnerabilities. NIST reports that attackers exploit only 0.5% of known vulnerabilities in the wild.
More opportunity for attackers comes from the fact that traditional tools don’t cover all the assets spread out across a typical corporate attack surface. The unknown and the unmanageable include not just shadow IT, but operational technology (OT), IoT devices and countless other environments where agent-based and credential-dependent solutions aren’t feasible.
Another boon for threat actors (and impediment for network defenders) is the oft-underestimated complexity of CVE scoring systems and their ultimate reliance on experts using them effectively to sort and prioritize fixable issues.
The Common Vulnerability Scoring System (CVSS), the Exploit Prediction Scoring System (EPSS) and the Stakeholder-Specific Vulnerability Categorization (SSVC) framework all have something to say about prioritization, but none tells the whole story, which can lead to alert overload for already stretched teams.
Securing the entire attack surface
To get back on the front foot against attack surface risk exposure, security and IT teams need to look beyond agent-based approaches, and way beyond CVEs. By combining active scanning, passive discovery and API integrations it’s possible to gain comprehensive visibility into internal and external attack surfaces, including shadow IT devices and potentially unmanaged assets such as OT and IoT endpoints.
Next, it’s about extracting as much context-rich data as possible via fingerprinting technology, to profile each asset: what services it runs, who owns it, whether it’s unpatched or misconfigured, what it’s connected to, and so on. The deeper the dive here, the more accurate the profile. Combining information-gathering techniques, such as precise system-level identification followed by tailored next-step interrogations (covering, for example, default passwords specific to those unmanaged devices), lets defenders quickly and accurately build complete, actionable profiles of their networks’ “dark matter.” This ultimately provides deep insight into exposures that might otherwise remain a mystery, such as missing security controls, end-of-life software, and high-risk assets bridged to other networks and devices.
Above all, the focus must be on simplicity and data-driven insight. That means consolidating these cutting-edge capabilities into a single platform capable of using risk-based insight to deliver prioritized alerts on exposures.
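The following Python script is an added illustration of the two ideas above, the merged asset profile built from active scanning, passive discovery and an inventory API, and prioritization that blends CVSS, EPSS and known-exploited status with asset context; it is not code from the article or from any vendor product. Everything in it is an assumption for demonstration purposes: the three input record sets are constructed sample data, the CVE identifiers are placeholders, the OT port list and the scoring weights (0.3 CVSS, 0.4 EPSS, 0.3 KEV, plus 25% per contextual exposure) are arbitrary choices a team would tune to its own environment.

```python
"""Added example (not from the original article): merge asset records from an
active scan, passive traffic discovery and a CMDB API export into one profile
per asset, derive non-CVE exposures from that profile, and rank CVE findings by
combining CVSS, EPSS and exploited-in-the-wild status with the asset context.
All input records are constructed sample data; CVE ids are placeholders."""
from dataclasses import dataclass, field

# Ports used to fingerprint operational-technology devices
# (assumption: Modbus/TCP 502, Siemens S7 102, DNP3 20000).
OT_PORTS = {502, 102, 20000}

# Constructed sample inputs, one record per discovered asset per source.
ACTIVE_SCAN = [
    {"ip": "10.0.1.10", "ports": [22, 443], "banner": "OpenSSH_7.4", "os_guess": "Linux"},
    {"ip": "10.0.5.20", "ports": [80, 502], "banner": "Modbus/TCP", "os_guess": "PLC firmware"},
]
PASSIVE_DISCOVERY = [  # peers observed in network traffic
    {"ip": "10.0.1.10", "talks_to": ["10.0.9.1"]},
    {"ip": "10.0.5.20", "talks_to": ["10.0.7.33"]},
    {"ip": "10.0.7.33", "talks_to": ["10.0.5.20", "10.0.1.10"]},  # never scanned, not in CMDB
]
CMDB_API = [
    {"ip": "10.0.1.10", "owner": "platform-team", "agent": True, "eol": False},
    {"ip": "10.0.5.20", "owner": "plant-ops", "agent": False, "eol": True},
]
CVE_FINDINGS = [  # placeholder CVE ids; scores are constructed, not real
    {"ip": "10.0.1.10", "cve": "CVE-XXXX-0001", "cvss": 9.8, "epss": 0.02, "kev": False},
    {"ip": "10.0.5.20", "cve": "CVE-XXXX-0002", "cvss": 7.5, "epss": 0.85, "kev": True},
    {"ip": "10.0.7.33", "cve": "CVE-XXXX-0003", "cvss": 6.5, "epss": 0.40, "kev": False},
]


@dataclass
class Asset:
    """One merged profile per IP; `sources` records which feeds saw it."""
    ip: str
    sources: set = field(default_factory=set)
    ports: set = field(default_factory=set)
    banner: str = ""
    os_guess: str = ""
    owner: str = ""
    has_agent: bool = False
    eol: bool = False
    peers: set = field(default_factory=set)

    @property
    def is_ot(self):
        return bool(self.ports & OT_PORTS) or "PLC" in self.os_guess


def build_profiles(active, passive, cmdb):
    """Correlate the three sources by IP into one Asset per address."""
    assets = {}

    def profile(ip):
        return assets.setdefault(ip, Asset(ip=ip))

    for r in active:
        a = profile(r["ip"])
        a.sources.add("active")
        a.ports.update(r["ports"])
        a.banner, a.os_guess = r["banner"], r["os_guess"]
    for r in passive:
        a = profile(r["ip"])
        a.sources.add("passive")
        a.peers.update(r["talks_to"])
    for r in cmdb:
        a = profile(r["ip"])
        a.sources.add("cmdb")
        a.owner, a.has_agent, a.eol = r["owner"], r["agent"], r["eol"]
    return assets


def exposures(asset, assets):
    """Non-CVE exposures that are only visible from the merged profile."""
    found = []
    if "cmdb" not in asset.sources:
        found.append("unmanaged: absent from inventory")
    if not asset.has_agent:
        found.append("missing control: no endpoint agent")
    if asset.eol:
        found.append("end-of-life software")
    # An OT device talking to an IT host (or vice versa) bridges two networks.
    for peer_ip in asset.peers:
        peer = assets.get(peer_ip)
        if peer is not None and peer.is_ot != asset.is_ot:
            found.append(f"bridged to other network via {peer_ip}")
            break
    return found


def priority(finding, asset, assets):
    """Blend CVSS, EPSS and KEV status, then scale by the asset's context."""
    base = 0.3 * finding["cvss"] / 10 + 0.4 * finding["epss"] + (0.3 if finding["kev"] else 0.0)
    return base * (1 + 0.25 * len(exposures(asset, assets)))


def ranked_findings(findings, assets):
    """Findings ordered highest priority first."""
    return sorted(findings, key=lambda f: priority(f, assets[f["ip"]], assets), reverse=True)


if __name__ == "__main__":
    inventory = build_profiles(ACTIVE_SCAN, PASSIVE_DISCOVERY, CMDB_API)
    for f in ranked_findings(CVE_FINDINGS, inventory):
        a = inventory[f["ip"]]
        print(f"{priority(f, a, inventory):.2f} {f['ip']:<10} {f['cve']} cvss={f['cvss']} "
              f"sources={sorted(a.sources)} exposures={exposures(a, inventory)}")
```

Run as a script, the 9.8-CVSS finding on the fully managed Linux host ranks last, while the two lower-CVSS findings rise to the top because their assets are unmanaged, lack an agent, run end-of-life software or bridge OT and IT traffic. The passively discovered 10.0.7.33 appears in the inventory at all only because the three feeds were merged; an agent-based or CMDB-only view would never have listed it.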