Three Critical Cybersecurity Metrics to Fight Back

Written by

A 2021 government survey found that nearly 40% of businesses and over a quarter of charities recently suffered cybersecurity breaches, which is why business leaders worldwide are demanding a data-driven, verifiable response to that critical question. The fight to stay ahead of cyber-attacks has become constant, leading to what Accenture has described as “unsustainable” costs for most businesses. In the modern era, the smarter, proactive response begins with gaining control – evolving how the attack surface is managed – then prioritizing and addressing weaknesses most likely to be exploited.

The first essential step is making sure security teams can quantify three critical metrics:

  1. How many vulnerabilities exist across your hybrid infrastructure?
  2. How many of those vulnerabilities are actively being exploited in the wild?
  3. How many of those exploitable vulnerabilities are protected by existing security controls?

More Vulnerabilities, More Problems

The current problem with managing cyber-attacks is that the volume of vulnerabilities keeps increasing every year: Based on the latest research from Skybox Research Lab, 18,341 new vulnerabilities were discovered in 2020, with an additional 9444 new vulnerabilities emerging in just the first half of 2021. These numbers constitute a massive and growing challenge that daunts organizational efforts to stay ahead of threats.

Unfortunately, due to limited security resources and network visibility, some organizations take months or even years to remediate known vulnerabilities after patches become available. With so many vulnerability alerts to prioritize and a continued skills shortage, it is vital to target action where it is needed most. But that is impossible without the data aggregation required for advanced vulnerability management.

Security teams often rely on traditional risk scoring systems, namely the Common Vulnerability Scoring System (CVSS), to prioritize vulnerabilities. However, CVSS does not give teams adequate context to accurately understand their own risks: Vulnerabilities with high scores are not necessarily the ones that are most likely to be exploited or even reachable in their own infrastructure, a common misconception that can undermine remediation efforts.

Bad actors can operate under the radar whenever organizations don’t know their security weaknesses. For example, hackers used the SolarWinds cyber-attack to transfer malware to multiple targets by exploiting shared supply chain vulnerabilities – issues the targets were unaware of.

"Bad actors can operate under the radar whenever organizations don't know their security weaknesses"

Research reveals that cyber-criminals commonly gain access to critical assets by exploiting low and medium severity vulnerabilities they know are likely to be unpatched within enterprise environments. In some cases, attackers target older vulnerabilities with the knowledge that over-stretched security teams are struggling to keep up. For example, the US government’s Cybersecurity & Infrastructure Security Agency (CISA) reported that most of the top vulnerabilities targeted in 2020 had been disclosed during the past two years.

Security Leaders Can Win the Fight Against Breaches

Exposed vulnerabilities are the root cause of breaches. Yet, ransomware attacks unfortunately can’t be prevented solely by patching vulnerabilities. Practically speaking, reducing the chance of breaches means focusing on exposed vulnerabilities that are actually exploited in the wild. Unfortunately, new data indicates that the number of new vulnerabilities exploited in the wild grew 30% year-on-year during the first half of 2021.

Therefore, security teams must:

  1. Continually aggregate configuration and security control data across disparate and highly complex environments. This includes endpoints, cloud and physical network infrastructure.
  2. Use this data to create a network model that’s factually representative of the hybrid infrastructure. Such a model enables security teams to identify the missing jigsaw pieces until the entire network is modeled. In addition, access to more data, properly sorted, improves the team’s visibility and control over the threats within the enterprise environment.
  3. The data can deliver greater insight and focus on vulnerabilities using this network model, enabling teams to identify the highest risks. Security teams can also define what a ‘good’ network environment looks like and then continuously measure to ensure that devices are configured as expected.
  4. Last but not least, identify and prioritize remediation or management of device weaknesses, including overly permissive connectivity and device-specific vulnerabilities.

When security teams face a growing attack surface, working smarter, not harder, is particularly crucial to address threats. Government and business leaders should approach preventative cybersecurity by first developing a network model to analyze data and proactively understand the context of the attack surface.

Next, instead of relying on CVSS to prevent breaches, leaders should focus on addressing vulnerabilities hiding in plain sight, and carry out effective vulnerability remediation work, thus enabling organizations to move forward and fight threat actors. Finally, organisations will diminish the likelihood of threat actors successfully committing ransomware attacks by focusing on often-overlooked low and medium severity level vulnerabilities. 

What’s hot on Infosecurity Magazine?