Vulnerability Management Is Falling Behind
Vulnerability Management (VM) programs have served the security industry well, providing a proven way for IT teams to ensure a base level of protection against known software vulnerabilities. But as the cloud, endpoints, tools, and the sheer volume of vulnerabilities expand, vulnerability management programs can no longer keep up. Traditional software vulnerabilities are only one of several kinds of vectors attackers can exploit (others include misconfigurations, weak passwords, and data leakage). You need several different services to make up a complete security posture — Attack Surface Management is the one you need to add now.
If you run a Vulnerability Management program, you’re most likely drowning in alerts and have no idea what to patch first. Enter: Attack Surface Management.
Randori’s ASM platform integrates with your VM program. It prioritizes your results by attackability, so you know precisely what and where to patch, where to add logging and monitoring, and what to disconnect because you don’t or no longer use the assets.
Attack Surface Management: Combatting Attackers Where They Are
Think about protecting your house. The best practice is to continuously monitor the perimeter, checking the outside of your home for gaps in security. You would check every door, window, and air vent to make sure they’re locked and, ultimately, hardened.
A Vulnerability Management program is like a house inspector. Their job isn’t to tell you whether the house is secure or whether it’s the right home for you – their job is to check the home and point out as many potential issues as they possibly can. You give them the address, they take a walk around the perimeter, and they fill out a checklist. At the end, they deliver a list of possible entry points but offer no advice or insight into where you should devote your attention first. And if the list is 100-plus pages long, you probably won’t read it anyway.
It’s important to keep in mind that, of all the vulnerabilities a hacker could use to break into your system, only about 5% are ever exploited in the wild, and VM programs have no means of determining which 5%. They have no method of prioritization besides CVSS scores, which show only part of the picture.
According to former Gartner analyst Brad LaPorte, who originally identified the ASM market in 2019, “The benefit of attack surface management is being able to proactively identify areas with a high likelihood of attack. Having the response capabilities in there, having the tactics, techniques and procedures to essentially prevent that from happening. Once you know where to look first, you can implement hardening techniques to shore up those specific devices.”
Randori’s Attack Surface Management platform is like having an actual burglar try to get into your house over and over again. They rattle the locks, test the doors and windows, and rank them by attackability. Then they sit down with you and explain which attack vectors were easiest to penetrate. Once you’ve got a prioritized list, you can go top to bottom, adding a deadbolt here, a motion sensor there, until your opponent’s cost to break in becomes untenable. What’s more, it’s continuous. This way, your picture of your attack surface remains current, rather than capturing a snapshot of a single point in time in a constantly changing environment. So as soon as you finish hardening your security, they’ll repeat the process and come back with new data as conditions change.
Managing Your Attack Surface Efficiently
Vulnerability management is designed to solve problems with patching. But since your problems are not always vulnerabilities, your solution is not always patching. You need a solution capable of helping you find the other sources of risk.
Calculating the best course of action often comes down to how much you need a device that could easily be compromised. If it is pivotal to business operations, you probably need to add logging, monitoring, and segmentation. If it is not, you can shut it off (or at least disconnect it from the internet) until it becomes vital to turn it back on.
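The two points above, that a CVSS score alone shows only part of the picture and that the right action depends on exposure and on how much the business needs the device, can be written down as a small triage routine. The following is an added example, not code from the original article or from Randori’s platform; the scoring weights, the asset fields and the sample inventory are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Asset:
    name: str
    cvss: float              # highest CVSS base score among its open findings (0-10)
    internet_exposed: bool   # reachable from the outside, as an attacker would see it
    known_exploited: bool    # exploitation of the finding has been observed in the wild
    business_critical: bool  # pivotal to business operations
    in_use: bool             # still needed at all


def attackability(asset: Asset) -> float:
    """Illustrative attackability score (an assumed weighting, not a vendor formula).

    CVSS contributes at most 1.0; external exposure and in-the-wild exploitation
    outweigh it, because an unreachable or never-exploited flaw is rarely the one
    an attacker reaches for first.
    """
    score = asset.cvss / 10.0
    if asset.internet_exposed:
        score += 1.0
    if asset.known_exploited:
        score += 1.5
    return round(score, 2)


def recommend(asset: Asset) -> str:
    """Map an asset to the action the text describes: patch, harden, or disconnect."""
    if not asset.in_use:
        return "disconnect: no longer in use"
    if asset.business_critical:
        return "patch, then add logging, monitoring and segmentation"
    if asset.internet_exposed:
        return "remove internet exposure until the asset is needed"
    return "patch in the normal window"


def triage(assets: List[Asset]) -> List[Tuple[str, float, str]]:
    """Rank assets by attackability (highest first) and attach a recommendation."""
    ranked = sorted(assets, key=attackability, reverse=True)
    return [(a.name, attackability(a), recommend(a)) for a in ranked]


# Constructed sample inventory: note that the highest-CVSS host ranks last,
# because it is neither reachable from the internet nor known to be exploited.
SAMPLE_ASSETS = [
    Asset("internal-build-server", 9.8, False, False, True, True),
    Asset("public-web-portal", 7.5, True, True, True, True),
    Asset("forgotten-staging-vpn", 6.5, True, True, False, False),
    Asset("lab-jumpbox", 8.1, True, False, False, True),
]


if __name__ == "__main__":
    for name, score, action in triage(SAMPLE_ASSETS):
        print(f"{score:5.2f}  {name:24s}  {action}")
```

Running the block prints the inventory sorted by attackability rather than by CVSS: the exposed, actively exploited web portal and the forgotten VPN come first, while the internal build server with the 9.8 finding drops to the bottom. The weights are deliberately simple; the point is that exposure and real-world exploitation evidence, not the severity number alone, decide where to look first.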
The volume of vulnerabilities inherently grows as organizations expand in the cloud and add devices. The more code exists, the more errors it contains. And since those errors require constant maintenance, the amount of work necessary to keep attackers at bay expands as well. Your attack surface will never be fully secure, but it can be managed.
Vulnerability Management needs Attack Surface Management
Attack Surface Management and Vulnerability Management will each always have their place in the security world, and they will always overlap. Different components work together toward the overall goal of reducing exposure. There are many different ways to break into a house, and nothing designed to be accessible will ever be entirely secure. The key is to balance the resources at your disposal to make attacking you as difficult as possible. Chances are that if you’ve run a vulnerability management platform over the past several years, you’ve watched the value it creates decline. The list of vulnerabilities it spits out gets longer and longer while your patch windows stay the same, and you have no reliable framework for prioritization. You’ve had to wait to be attacked to see where you are most vulnerable. But if you’re waiting to react to an attack, you’ve already lost.
As is, your VM budget probably isn’t fully delivering on the value you need from it. Your next step is to split your VM budget and invest in an ASM platform to prioritize your vulnerabilities using an attacker’s perspective. Attack Surface Management is about getting ahead of your opponents by seeing yourself through their eyes so you can close their points of entry before they even find them. You can use the attackability metrics you receive from the Randori ASM to reduce your attack surface and execute restrictions until you have no doors or windows big enough for an attacker to squeeze through.