Vulnerability management is at a crossroads. Faced with exploding asset counts and a surge in the volume of new vulnerabilities, enterprises large and small are struggling to keep up with the pace of evolving attack surfaces.
This growing risk gap between what organizations are tasked with accomplishing and what they are able to achieve is driving many teams to rethink their approach and the need for:
- Better discovery of unknown assets
- Greater prioritization of vulnerabilities
- A shift to risk-based reporting and metrics
- Increased automation and integration of workflows
Many organizations are increasing their spending on vulnerability management, but most continue to struggle to keep up with rising risks. Money alone will not address these issues; to make progress, vulnerability management teams need to find ways to improve the efficiency of their approach.
This blog details three steps vulnerability managers can take today to reduce visibility gaps, improve prioritization, and increase the ROI of their programs using an Attack Surface Management (ASM) solution like Randori Recon.
- Step 1: Use black-box reconnaissance to conduct a gap analysis
- Step 2: Leverage an attacker’s perspective to prioritize likelihood, not severity
- Step 3: Report on external risk, not vulnerabilities
Step 1: Conduct a Gap Analysis
With today’s cloud, distributed and SaaS-based environments, maintaining a perfect inventory of your external assets and ensuring they are patched is quickly becoming an impossible task. The world simply moves too fast.
There always have been and always will be unknown risks, but having a firm understanding of the size of the gap is essential. Shadow IT poses a significant risk because unmanaged, unknown assets are far more likely to contain vulnerabilities or be misconfigured, increasing the likelihood they will be targeted by an attacker.
For this reason, understanding the size of your visibility gap is a critical first step. To do this, organizations need to conduct a gap analysis, comparing their list of known assets to those found by an ASM solution and assessing the severity of the risk posed by unknown assets.
The focus here is not on the percent of total assets found (no outside party will find all of your assets) but on the relative number of unknown assets discovered and the severity of the issues they contain. When done on an ongoing basis, this gap analysis can become a critical KPI that vulnerability management teams track and work to reduce over time.
How to conduct a gap analysis:
- Gather a list of your known external facing assets
- Use ASM to conduct a black-box assessment of your attack surface
- Compare IPs, subdomains, and services – flag any not previously known to IT
- Scan unknown assets to confirm vulnerabilities
- Prioritize remediation based on risk
While conducting a gap analysis in the past was time-consuming and expensive, the emergence of ASM solutions, such as Randori Recon, makes identifying gaps easy with automated black-box discovery and out-of-the-box integrations with leading asset management solutions, such as Axonius and Panaseer.
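The five steps above boil down to a set comparison with some normalization in front of it. The following is an added example, not Randori code, that implements the comparison over a constructed inventory and a constructed set of discovery results: hostnames are lower-cased and stripped of trailing dots, IPs are matched against known CIDR ranges rather than exact addresses, and each discovered (IP, port) pair is checked against the services IT has on record. Anything flagged is sorted by the severity of its worst finding, and a summary gives the relative gap figures the text says to track. The inventory layout, the severity values and the "high or critical" cut-off at CVSS 7.0 are assumptions for the example.

```python
"""Gap analysis: flag externally discovered assets that the known inventory
does not account for. Added example with constructed data; not Randori code.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample inventory: what IT believes it owns. Addresses use the
# 203.0.113.0/24 and 198.51.100.0/24 documentation ranges.
KNOWN_INVENTORY = {
    "networks": ["203.0.113.0/28"],
    "hostnames": ["www.example.com", "mail.example.com"],
    "services": {("203.0.113.10", 443), ("203.0.113.11", 25)},
}

# Constructed sample discovery output: (hostname, ip, port, service, worst CVSS).
DISCOVERED = [
    ("www.example.com", "203.0.113.10", 443, "https", 0.0),
    ("mail.example.com", "203.0.113.11", 25, "smtp", 0.0),
    ("dev-api.example.com", "203.0.113.12", 8080, "http", 7.5),     # known range, unknown host
    ("Legacy-VPN.example.com.", "198.51.100.7", 443, "https", 9.8),  # unknown range, odd casing
    ("www.example.com", "203.0.113.10", 22, "ssh", 5.3),             # known host, unknown service
]

HIGH_OR_CRITICAL = 7.0  # CVSS v3 "High" starts at 7.0; threshold is an assumption here


@dataclass
class Finding:
    hostname: str
    ip: str
    port: int
    service: str
    severity: float
    gaps: list = field(default_factory=list)  # which inventory checks failed


def normalize_host(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.strip().rstrip(".").lower()


def in_known_networks(ip: str, networks) -> bool:
    addr = ip_address(ip)
    return any(addr in ip_network(n) for n in networks)


def gap_analysis(discovered, inventory):
    """Return discovered records that fail at least one inventory check,
    worst severity first."""
    known_hosts = {normalize_host(h) for h in inventory["hostnames"]}
    known_services = set(inventory["services"])
    findings = []
    for host, ip, port, service, severity in discovered:
        f = Finding(normalize_host(host), ip, port, service, severity)
        if not in_known_networks(ip, inventory["networks"]):
            f.gaps.append("unknown_ip")
        if f.hostname not in known_hosts:
            f.gaps.append("unknown_hostname")
        if (ip, port) not in known_services:
            f.gaps.append("unknown_service")
        if f.gaps:
            findings.append(f)
    findings.sort(key=lambda f: (-f.severity, f.hostname))
    return findings


def gap_summary(findings, total_discovered: int) -> dict:
    """Relative gap figures: how much of what the outside sees is unaccounted for,
    and how bad the unaccounted-for part is."""
    return {
        "unknown_records": len(findings),
        "unknown_hostnames": len({f.hostname for f in findings if "unknown_hostname" in f.gaps}),
        "gap_ratio": round(len(findings) / total_discovered, 2) if total_discovered else 0.0,
        "high_or_critical": sum(1 for f in findings if f.severity >= HIGH_OR_CRITICAL),
        "max_severity": max((f.severity for f in findings), default=0.0),
    }


if __name__ == "__main__":
    results = gap_analysis(DISCOVERED, KNOWN_INVENTORY)
    for f in results:
        print(f"{f.severity:4.1f}  {f.hostname}:{f.port}/{f.service}  {', '.join(f.gaps)}")
    print(gap_summary(results, len(DISCOVERED)))
```

The same three checks run unchanged against a real export: feed the inventory from the asset management system and the discovery results from the ASM tool, and the summary becomes the weekly KPI the text recommends.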
Step 2: Prioritize Likelihood, Not Severity
Vulnerability management teams today are tasked with prioritizing an ever-growing list of vulnerable systems. In 2019, more than 22,000 new vulnerabilities were discovered. Of those, a third were given CVSS ratings of high or greater. With attack surfaces growing by more than 20% a year, it is no wonder vulnerability management teams feel overwhelmed.
For years, vulnerability management has followed a fairly standard approach to prioritization — assessing assets on the severity of the vulnerability and the business criticality of the asset. This one-size-fits-all approach ignores important environmental context critical to understanding how likely a particular vulnerability is to be leveraged by an attacker to breach your organization. By fixating on vulnerability severity, teams can often end up prioritizing highly vulnerable assets that are of no interest to an adversary before those that are far more likely to be actively targeted.
With just 5.5% of vulnerabilities ever exploited in the wild, being able to better prioritize assets based on the likelihood of attack can enable vulnerability management teams to dramatically improve the ROI of their work.
By leveraging an attacker’s perspective to enrich existing information on vulnerable systems, vulnerability teams can begin to assess not just the severity of the vulnerability but the likelihood a specific asset on their perimeter will be compromised. With this information, teams can begin to deprioritize high-severity vulnerabilities that are of little adversarial value and prioritize those that present an adversary a lower friction path to initial access.
To do this, you need a way to assess and understand the factors, beyond vulnerabilities themselves, that an attacker considers when deciding which assets on a perimeter to attack. While less useful for defending against opportunistic threats, this approach can be incredibly helpful in enabling a team to defend against the types of targeted attacks that are far more likely to result in a catastrophic breach.
While many ASM solutions fixate solely on asset discovery, which lacks critical context, Randori Recon leverages our unique external perspective to go further — evaluating the unique attributes of each target on a continuous basis to provide you a quantified assessment of how likely an asset is to be targeted by an attacker. Dynamic and updated with the latest information, Randori’s assessments can be fed into SOAR or VRM solutions to ensure the latest information is always being used to prioritize work. This comprehensive approach reduces risk and optimizes the use of an organization’s limited security resources.
Grounded in our team’s decades of experience conducting high-end red team engagements and the thousands of attack results gathered by our continuous Attack Platform, Randori Recon’s Target Temptation model provides a realistic adversarial assessment of a target’s likelihood to be attacked. Used internally by the Randori Attack Team to prioritize vulnerability research — it is not a theoretical model, but rather one backed by results and put into action.
By evaluating each asset on six temptation factors and a myriad of detectable characteristics, Randori Recon provides vulnerability management teams a far richer assessment of the risk profile of each external asset than competitive solutions. These findings can be used to refocus efforts on patching or locking down high-risk assets that may have previously been deprioritized in favor of more vulnerable, but less exploitable, systems.
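To make the reordering concrete, here is an added example, not Randori code and not its Target Temptation model (whose six factors are not described on this page), that ranks the same constructed set of vulnerable assets two ways: by CVSS alone, and by CVSS weighted with a likelihood score. The likelihood score is built from four illustrative signals that are assumptions for the example (whether the asset is reachable from the internet, whether exploitation has been reported in the wild, whether the service is fingerprintable from outside, and whether exploitation needs credentials), with made-up weights. The point it demonstrates is the one in the text: a critical finding on an asset an attacker cannot reach drops to the bottom, and a moderate finding on an exposed, unauthenticated, actively exploited service rises to the top.

```python
"""Severity-only versus likelihood-weighted prioritization.
Added example with constructed assets; signals and weights are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnAsset:
    name: str
    cvss: float             # severity of the worst open finding
    internet_exposed: bool  # reachable from outside the perimeter at all
    exploit_in_wild: bool   # active exploitation has been publicly reported
    fingerprintable: bool   # product/version is identifiable from outside
    auth_required: bool     # exploitation needs valid credentials


def likelihood(a: VulnAsset) -> float:
    """Likelihood that an attacker picks this asset, on a 0..1 scale.
    Weights are illustrative assumptions, not a published model."""
    if not a.internet_exposed:
        return 0.05  # not reachable: nearly irrelevant for initial access
    score = 0.2      # baseline for anything exposed
    if a.exploit_in_wild:
        score += 0.4
    if a.fingerprintable:
        score += 0.2
    if not a.auth_required:
        score += 0.2
    return min(score, 1.0)


def risk_score(a: VulnAsset) -> float:
    """Severity discounted by likelihood."""
    return a.cvss * likelihood(a)


def rank_by_severity(assets):
    return [a.name for a in sorted(assets, key=lambda a: -a.cvss)]


def rank_by_risk(assets):
    return [a.name for a in sorted(assets, key=lambda a: -risk_score(a))]


def rank_shift(assets) -> dict:
    """Positive value: the asset moved up when likelihood was considered."""
    sev = rank_by_severity(assets)
    risk = rank_by_risk(assets)
    return {name: sev.index(name) - risk.index(name) for name in sev}


# Constructed sample: five perimeter-relevant assets with one open finding each.
SAMPLE = [
    VulnAsset("db-admin-console", 9.8, internet_exposed=False, exploit_in_wild=True,
              fingerprintable=True, auth_required=False),
    VulnAsset("internal-wiki", 8.1, internet_exposed=True, exploit_in_wild=False,
              fingerprintable=False, auth_required=True),
    VulnAsset("vpn-gateway", 7.2, internet_exposed=True, exploit_in_wild=True,
              fingerprintable=True, auth_required=False),
    VulnAsset("marketing-cms", 6.5, internet_exposed=True, exploit_in_wild=True,
              fingerprintable=True, auth_required=False),
    VulnAsset("legacy-ftp", 5.3, internet_exposed=True, exploit_in_wild=False,
              fingerprintable=True, auth_required=False),
]

if __name__ == "__main__":
    print("by severity:", rank_by_severity(SAMPLE))
    print("by risk:    ", rank_by_risk(SAMPLE))
    for a in sorted(SAMPLE, key=lambda a: -risk_score(a)):
        print(f"{a.name:18} cvss={a.cvss:4.1f} likelihood={likelihood(a):.2f} risk={risk_score(a):.2f}")
```

In practice the signals would come from the ASM feed rather than hand-set booleans, and the weights would be tuned against what red team or incident data says attackers actually chose; the structure of the calculation stays the same.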
Step 3: Report on Risk, Not Vulnerabilities
It’s no surprise that you measure what matters most. Unfortunately, this may not be the case when it comes to vulnerability management metrics — where metrics focused on volume may unintentionally encourage management and the business to fixate on the number of vulnerabilities, rather than the relative risk they pose. While raw numbers are important, when it comes to vulnerabilities they can be misleading.
If the data is to be believed, 95% of vulnerabilities pose no real threat to an organization — so reporting the raw number is of little practical value. Of far greater interest should be the number of assets with vulnerabilities or misconfigurations that truly pose a risk to your business, and how that number increases or decreases over time. Both the absolute count and its share of the organization's attack surface matter, since the number of external-facing assets continues to grow.
By changing the conversation, vulnerability management teams can position themselves to have more strategic conversations with business stakeholders around what is and is not acceptable and better demonstrate the value of their work. Shifting the conversation can often have the added benefit of reenergizing teams with a new sense of optimism, as they no longer feel they have to react to every new vulnerability and can proactively assess and hunt down risk.
Key external risk metrics worth reporting:
- Number of high-risk external assets (top targets)
- Percent of attack surface categorized as high risk
- Average time to remediation for high-risk assets
- Number of new unknown external assets discovered per week
When done on an ongoing basis, tracking and reporting on external risk can become a critical KPI that vulnerability management teams track and use to demonstrate both immediate and long-term value over time.