Gartner’s research found that, of all the vulnerabilities identified in the previous decade, only about one-eighth were actually exploited in real-world attacks. The vulnerabilities that are exploited tend to be reused and leveraged across a wide range of threats.
Gartner recommends shifting focus from vulnerability management alone to ranking threats by how severe they are in practice. Both vulnerability management and threat ranking matter, but systems such as Common Vulnerabilities and Exposures (CVE) and the Common Vulnerability Scoring System (CVSS) do not account for whether a vulnerability is actually being exploited. At the same time, relying solely on the severity score of a vulnerability will not help combat threats.
Refocus your goals
A perfect security system would be completely immune to exploitation. Given the sheer number of vulnerabilities, however, the “patch everything, all the time, everywhere” approach is impossible to achieve. With limited time and resources, the usual substitute has been “biggest vulnerabilities first.” Reviewing the security breaches of the last decade makes it clear that this approach was misguided. Gartner’s research suggests striking a balance between what can be fixed and what difference fixing it makes with the available resources and time.
The gap between perceived goals and actual outcomes comes from organizations neglecting to defend against the vulnerabilities that are actually used. Security teams prioritize the biggest and newest vulnerabilities under the impression that attackers target them immediately. In reality, attackers do not switch to new vulnerabilities when they find that existing ones can be exploited repeatedly, at decreasing cost and with less expertise. Gartner observed that attackers exploit vulnerabilities that are relatively easy to use and present in widely deployed software.
The way to overcome this is to get the fundamentals of vulnerability management right and to patch the vulnerabilities that have been exploited before, instead of focusing only on the new ones.
Gartner’s report on patching
Gartner’s research found that nearly 8000 vulnerabilities were disclosed during the past decade, with a marginal rise in their number every year. Newly exploited vulnerabilities, arising from new software releases, account for only one-eighth of that number, whereas the number of threats has increased exponentially. So although the number of breaches has grown over the past decade, new vulnerabilities contribute to only a fraction of them.
Further, zero-day problems form a part of new vulnerabilities and account for around 0.4% of all vulnerabilities exploited throughout the decade. Although cyber threat intelligence vendors cannot technically label them as ‘zero-days’, patching the software’s vulnerabilities is the fix for the majority of expected zero-day threats. Over these years, threat actors have become faster at exploiting vulnerabilities: they now exploit them within 15 days, as against the previous 45 days. Organizations are therefore left with two options – either patch the systems within 15 days or have a plan to mitigate the damage.
How to fix this flaw
1. Track a metric that identifies the intersection of the vulnerabilities present in your environment and the ones that are being exploited by threat actors. The vulnerabilities that appear most often in that intersection should be patched first as a defense against a breach.
2. Controls such as network segmentation, intrusion protection, and privileged identity management are a great help in mitigating threats and shielding unpatched vulnerabilities while patches are not yet available. Apply these controls first to the vulnerabilities that are being actively exploited.
3. Identifying and mitigating threats, and patching against them, requires specialized skills. The Certified Threat Intelligence Analyst (C|TIA) program gives an individual or organization the ability to run a threat intelligence process and provides ‘evidence-based knowledge’ and ‘actionable advice’ about existing and known threats.
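The prioritization described in step 1 is easy to express as a small join between scanner output and a threat-intelligence feed. The following Python script is an added example written for this summary; it is not Gartner’s or EC-Council’s code. The scanner findings, the exploited-in-the-wild feed, the dates and the CVE identifiers (written as CVE-XXXX-nnnn placeholders) are all constructed for illustration, and the 15-day patch window is taken from the figure quoted above.

```python
from collections import defaultdict
from datetime import date

# Constructed scanner findings: (asset, vulnerability id, CVSS base score).
# The CVE ids are placeholders, not real identifiers.
SCAN_FINDINGS = [
    ("web-01",  "CVE-XXXX-0001", 9.8),
    ("web-02",  "CVE-XXXX-0001", 9.8),
    ("db-01",   "CVE-XXXX-0002", 7.5),
    ("web-01",  "CVE-XXXX-0002", 7.5),
    ("web-02",  "CVE-XXXX-0002", 7.5),
    ("mail-01", "CVE-XXXX-0003", 5.3),
    ("vpn-01",  "CVE-XXXX-0003", 5.3),
    ("vpn-01",  "CVE-XXXX-0004", 4.3),
    ("hr-01",   "CVE-XXXX-0004", 4.3),
    ("hr-02",   "CVE-XXXX-0004", 4.3),
    ("hr-03",   "CVE-XXXX-0004", 4.3),
]

# Constructed threat-intelligence feed: ids observed being exploited in the
# wild, mapped to the date exploitation was first reported (hypothetical).
EXPLOITED_IN_WILD = {
    "CVE-XXXX-0002": date(2024, 3, 1),
    "CVE-XXXX-0004": date(2024, 3, 10),
}

# Attackers now exploit within roughly 15 days of disclosure (figure from the
# summary above), so that is the budget for patching an exploited bug.
PATCH_WINDOW_DAYS = 15
TODAY = date(2024, 3, 12)  # constructed "current" date for the example


def prioritize(findings, exploited, today):
    """Rank vulnerabilities for patching.

    Order: actively exploited ones first, then by how many assets expose the
    bug (the "most repeated" entries of the intersection), then by CVSS.
    CVSS is only a tie-breaker: an exploited medium outranks an unexploited critical.
    """
    assets = defaultdict(set)
    cvss = {}
    for asset, vuln, score in findings:
        assets[vuln].add(asset)
        cvss[vuln] = score

    rows = []
    for vuln, hosts in assets.items():
        first_seen = exploited.get(vuln)
        is_exploited = first_seen is not None
        # Days left in the patch window; negative means already overdue.
        days_left = None
        if is_exploited:
            days_left = PATCH_WINDOW_DAYS - (today - first_seen).days
        rows.append({
            "id": vuln,
            "exploited": is_exploited,
            "assets": len(hosts),
            "cvss": cvss[vuln],
            "days_left": days_left,
        })

    rows.sort(key=lambda r: (not r["exploited"], -r["assets"], -r["cvss"]))
    return rows


def exploited_share(findings, exploited):
    """Fraction of distinct vulnerabilities in the scan that are exploited in the wild."""
    ids = {vuln for _, vuln, _ in findings}
    return len(ids & set(exploited)) / len(ids)


if __name__ == "__main__":
    print(f"exploited share of findings: {exploited_share(SCAN_FINDINGS, EXPLOITED_IN_WILD):.0%}")
    for r in prioritize(SCAN_FINDINGS, EXPLOITED_IN_WILD, TODAY):
        window = "" if r["days_left"] is None else f"  patch within {r['days_left']} days"
        print(f"{r['id']}  exploited={r['exploited']!s:5}  assets={r['assets']}  cvss={r['cvss']}{window}")
```

Run as-is, the script puts the two exploited placeholders at the top even though their CVSS scores are lower than the unexploited 9.8, which is the point of step 1. The sort key is the place to encode local policy: for example, sorting exploited entries by `days_left` ascending instead of by asset count would surface the ones closest to the end of the 15-day window first.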
Source: eccouncil.org