What Is Modern Cyber Threat Management?

Reading time 6 min

Changes in the cyber environment require organisations to respond quickly, as a lack of sufficient visibility poses a risk to business continuity. Understanding the broad impact of threats is increasingly important in recovering from them, while at the same time, cyber threats have become more complex and sophisticated.

17,305; 18,323; 20,153; 25,082; the cloud; AI & ML; IoT; edge computing; 5G; GDPR; NIS2; CER; CRA; CSA: these are the numbers, technologies and regulations that cause organisational security managers and other security professionals to have sleepless nights.

The amount of information security regulations is on the rise, and they increasingly impose concrete consequences on organisations and their management if they fail to meet their obligations. The revolution in new technologies has caused organisations to move their data from their own IT environment to cloud services managed by multinational companies.

The number of reported software vulnerabilities increases by several thousand each year, and this trend continued in 2023. The number of reported vulnerabilities increased by more than 7,000 between 2021 and 2023: in 2021, some 20,153 vulnerabilities were reported, while by December 2023, the total had reached 28,242.

As the operating environment changes, it’s important to critically assess how suitable our previous capabilities and policies are for countering new types of cyber threats.

The old ways are no longer enough

In the context of cybersecurity, the term threat management typically refers to an organisation protecting against, detecting and responding to cyber threats. The goal is to reduce the impact of cyberattacks on the organisation’s various operations and to enable business continuity at a predefined level.

Traditional cyber threat management has often operated in isolation and has been heavily technology-driven, with the purpose of ensuring compliance with external requirements through the use of vulnerability scanners and feeds as well as firewalls.

Prioritising and fixing vulnerabilities has been based on criteria such as the Common Vulnerability Scoring System (CVSS). These vulnerabilities have been viewed as an IT problem, so the risk has been ostensibly owned by the IT department or the Chief Information Security Officer.

However, this approach is being challenged by the increasing digitalisation of business and the decentralisation and expansion of the IT environment in both the cloud and the physical world as well as the growing number of vulnerabilities, while organisations are able to patch on average only 5% of new vulnerabilities per month.1

On the other hand, if the majority of published vulnerabilities are not exploited maliciously2, it is perhaps fair to ask whether the current model targets activities that have a real impact on the level of threat to organisations.

In 2022, some 32% of data breaches started with a vulnerability being exploited.3 We also know that, in some cases, attackers are still successfully exploiting known vulnerabilities from 2017!4

Modern threat management produces situational awareness and enhances resilience

Modern threat management takes a risk- and business-driven approach and broadens the perspective to be more proactive and realistic. The attack surface is managed as a whole, while the capabilities that protect an organisation are selected according to business needs and risks to cover on-premises and operational technology environments as well as different cloud services.

This requires up-to-date information on how exposed the organisation’s operations are to various cyber threats and how those threats evolve over time. Typical factors include the number and location of publicly available services, their level of protection and whether security updates have been applied.

Cyber threat intelligence, the gathering of intelligence on cyber threats and related phenomena, is a key enabler of modern threat management: it turns intelligence and current events into information that supports decision-making at different levels of the organisation.

Based on this information, the organisation can focus its controls where they will have the greatest impact in protecting the business. For example, this might be information on the tactics, techniques and procedures (TTPs) used by threat actors, which the organisation can use to develop its detection capabilities and to train its response to different threats. An organisation that has reached maturity in this respect has an ethical obligation to contribute to securing the cyber environment for everyone by sharing its analysis of threats with other actors, such as companies, the community and public authorities.

Managing the attack surface is a continuous process

The term attack surface refers to all services, known and unknown systems, vulnerabilities and service providers in an organisation that can be exploited by a malicious attacker to gain access to the organisation’s systems, networks or data.

The greater the number of vendors, systems, services and vulnerabilities an organisation has, the greater the attack surface it effectively has to protect.

Attack surface management is the ongoing process of identifying and managing potential weaknesses and vulnerabilities in an organisation’s attack surface.

In addition to this, people sometimes talk about external attack surface management, which focuses on systems and services that are directly exposed to the public internet. The goal of both of these forms is to increase overall visibility over the existing attack surface and to manage the resulting risk to the organisation.

Traditional protection methods still have a place – but new methods are also needed

Traditionally, organisations have particularly focused on managing the external attack surface due to the higher risk it poses. However, modern threats, the rise of cloud computing, remote working and zero trust architecture have blurred the line between external and internal systems and services.

Given the rapid pace of change in cloud computing, increasing the amount of automation in security controls and continuous assessment is the only realistic way to approach the problem. Traditional periodic vulnerability testing and penetration testing still have their place, but organisations need to develop new, automated ways to detect vulnerabilities and protect the business in real time.

Purple teaming provides valuable information about vulnerabilities

The ability of an organisation to detect weaknesses in its cyber defences and successfully repel attacks can be tested through purple team exercises, which combine simulated attacks (from the red team) and active defence (by the blue team). These exercises provide insights into where the weaknesses in an organisation’s security controls lie along with suggestions for measures to protect against them. The idea is to continuously evolve the cyber defences based on the knowledge gained from attack simulations.

Don’t leave it too late to pay attention to information security

We must also not forget the threats that exist during software development and how to manage them. The later in the life cycle of a service we take security into account, the more expensive it becomes to implement. Organisations should define a software development life cycle process that considers the requirements and specifications for the security of the service, and the expectations placed on it, alongside the other phases.

Modern applications are generally composed of numerous different software libraries, which may contain vulnerabilities. It is therefore important to understand the types of vulnerabilities that can be introduced into the final product through these libraries. Supply chain risks have also been on the agenda in recent years and are receiving increasing attention from hostile actors.

One proposed solution is the use of a software bill of materials (SBOM), which gives service users greater visibility over the vulnerabilities in the different components of an application. This can be complemented by application security testing tools, both static (SAST) and dynamic (DAST), integrated into the continuous integration process, and by other development-related security testing carried out in as automated a way as possible.
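The matching step that an SBOM makes possible, as an added example that is not part of the original article: the components of a build are read from a CycloneDX-style SBOM document and compared against a vulnerability advisory feed. Both the SBOM and the advisory feed below are constructed for illustration; the package names and the ADV-PLACEHOLDER ids are not real identifiers, and the feed uses a simplified half-open version range rather than a real advisory schema.

```python
"""Match the components listed in a CycloneDX-style SBOM against an advisory feed
to find which third-party libraries in a build carry known vulnerabilities.

Added example, not from the article. SBOM and advisory data are constructed.
"""
import json

# Constructed SBOM in simplified CycloneDX JSON layout (assumption: only the
# fields used below are present; a real SBOM carries far more metadata).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-http", "version": "2.3.1",
     "purl": "pkg:pypi/example-http@2.3.1"},
    {"type": "library", "name": "example-yaml", "version": "5.1",
     "purl": "pkg:pypi/example-yaml@5.1"},
    {"type": "library", "name": "example-json", "version": "1.0.4",
     "purl": "pkg:pypi/example-json@1.0.4"}
  ]
}
"""

# Constructed advisory feed. Each advisory affects versions in the half-open
# range [introduced, fixed). Ids are placeholders, not real advisories.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "package": "example-http",
     "introduced": "2.0.0", "fixed": "2.3.2"},
    {"id": "ADV-PLACEHOLDER-2", "package": "example-yaml",
     "introduced": "0", "fixed": "5.2"},
    {"id": "ADV-PLACEHOLDER-3", "package": "example-json",
     "introduced": "1.1.0", "fixed": "1.1.3"},
]


def parse_version(text):
    """Turn a dotted numeric version into a comparable tuple, e.g. '2.3.1' -> (2, 3, 1).
    Assumption: purely numeric dotted versions (no pre-release tags)."""
    return tuple(int(part) for part in text.split("."))


def load_components(sbom_text):
    """Return (name, version) pairs for every component in the SBOM."""
    bom = json.loads(sbom_text)
    return [(c["name"], c["version"]) for c in bom.get("components", [])]


def affected_components(sbom_text, advisories):
    """Cross-reference SBOM components with the advisory feed.

    A component is affected when an advisory names the same package and the
    component version falls inside the advisory's [introduced, fixed) range.
    """
    findings = []
    for name, version in load_components(sbom_text):
        current = parse_version(version)
        for adv in advisories:
            if adv["package"] != name:
                continue
            if parse_version(adv["introduced"]) <= current < parse_version(adv["fixed"]):
                findings.append({
                    "component": name,
                    "version": version,
                    "advisory": adv["id"],
                    "fixed_in": adv["fixed"],
                })
    return findings


if __name__ == "__main__":
    for finding in affected_components(SBOM_JSON, ADVISORIES):
        print(f"{finding['component']} {finding['version']}: "
              f"{finding['advisory']} (upgrade to {finding['fixed_in']})")
```

Run as a script, it reports the two affected libraries (example-http and example-yaml) and the version each should be upgraded to; example-json is below the introduced version and is correctly left out. The value of the SBOM is that this comparison can be re-run every time the advisory feed changes, without rebuilding or re-scanning the application.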

From cloud computing to prioritising vulnerabilities

The cloud-native application protection platform (CNAPP) is one of the new solutions that can be used to protect cloud services and the applications developed on them. It provides unified visibility and control over the various cloud services in use and the cloud-native applications running on them, and highlights vulnerabilities and misconfigurations that could pose a threat to the organisation.

Public applications in particular should also be enrolled in a bug bounty programme, through which benevolent “white hat” hackers can report vulnerabilities in an application and receive a reward. These programmes, and what we learn through them, can also be used to evaluate the effectiveness of internal security testing and to highlight security development needs within the programme or the software development life cycle process.

The CISA Known Exploited Vulnerabilities Catalog and the Exploit Prediction Scoring System (which assesses the probability of a vulnerability being exploited) can be used to mitigate the impact of an exploited vulnerability and prioritise recovery. Vulnerability management allows organisations to direct and focus their limited resources on vulnerabilities that are already known to be exploited in the wild or are at high risk of exploitation.

By combining a vulnerability prioritisation strategy with effective mitigation, the probability of exploitation can be greatly reduced compared to CVSS-based vulnerability prioritisation alone.5 Only 3.2% of all vulnerabilities published in the Common Vulnerabilities and Exposures system pose a real and acute risk to an organisation, while 60% of known exploited vulnerabilities require high-priority remediation.6
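The prioritisation described in the two paragraphs above, as an added example that is not part of the original article: a vulnerability backlog is ranked first by exploitation evidence (CISA KEV membership, then EPSS probability) and only then by CVSS, and the ranking is contrasted with a CVSS-only ordering. The backlog records are constructed, the CVE-0000-* ids are placeholders rather than real CVE numbers, and the EPSS values are assumed to have already been fetched from the EPSS API; the 0.30 EPSS threshold is an assumption to be tuned to the organisation's own risk appetite.

```python
"""Rank a vulnerability backlog by exploitation evidence (KEV, EPSS) ahead of
raw CVSS severity, and pick the slice that fits a limited patching capacity.

Added example, not from the article. Records are constructed; ids are placeholders.
"""
from dataclasses import dataclass


@dataclass
class Vuln:
    cve: str              # placeholder id, not a real CVE number
    asset: str            # constructed asset name
    cvss: float           # CVSS base score, 0-10
    epss: float           # EPSS probability of exploitation, 0-1 (assumed fetched)
    in_kev: bool          # listed in the CISA Known Exploited Vulnerabilities catalog
    internet_facing: bool  # part of the external attack surface


# Constructed backlog: note the CVSS 9.8 item with almost no exploitation signal.
BACKLOG = [
    Vuln("CVE-0000-0001", "web-gateway",      9.8, 0.02, False, True),
    Vuln("CVE-0000-0002", "vpn-concentrator", 7.5, 0.91, True,  True),
    Vuln("CVE-0000-0003", "internal-wiki",    8.1, 0.60, True,  False),
    Vuln("CVE-0000-0004", "build-server",     5.3, 0.01, False, False),
    Vuln("CVE-0000-0005", "mail-relay",       6.5, 0.35, False, True),
]

EPSS_HIGH = 0.30  # assumed threshold; tune to your own risk appetite


def priority_tier(v):
    """Tier 1: known exploited in the wild (KEV).
    Tier 2: not yet in KEV but a high predicted probability of exploitation (EPSS).
    Tier 3: everything else, regardless of CVSS."""
    if v.in_kev:
        return 1
    if v.epss >= EPSS_HIGH:
        return 2
    return 3


def rank(backlog):
    """Risk-based order: tier first, then exposed assets before internal ones,
    then EPSS, with CVSS only as the final tie-breaker."""
    return sorted(
        backlog,
        key=lambda v: (priority_tier(v), not v.internet_facing, -v.epss, -v.cvss),
    )


def rank_by_cvss(backlog):
    """The traditional ordering the article contrasts with: severity alone."""
    return sorted(backlog, key=lambda v: -v.cvss)


def patch_plan(backlog, capacity):
    """Return the ids to fix this cycle, given that only `capacity` items can be
    patched (the article cites organisations managing about 5% per month)."""
    return [v.cve for v in rank(backlog)[:capacity]]


if __name__ == "__main__":
    print("CVSS-only order:", [v.cve for v in rank_by_cvss(BACKLOG)])
    print("Risk-based order:", [v.cve for v in rank(BACKLOG)])
    print("Patch this cycle (capacity 2):", patch_plan(BACKLOG, 2))
```

With this backlog the CVSS-only ordering would spend the first patching slot on the 9.8-rated web-gateway finding, which nothing indicates is being exploited, while the risk-based ordering puts the two KEV-listed items first. The internet-facing flag ties the prioritisation back to the attack surface inventory discussed earlier in the article.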

How to get started

Modern threat management is a comprehensive whole, and it is a good idea to put it together in phases to deploy capabilities that are tailored to your own operations. Here are some tips and guidelines on how your organisation can make use of modern threat management and where to start:

1. Identify your critical operations, the technology you use, your suppliers and your stakeholders.

2. Ensure that the conditions are in place for receiving threat intelligence by identifying the right sources of threat intelligence based on the analysis in step 1.

3. Automate the various stages of threat intelligence management from start to finish as much as possible using modern technologies, including threat intelligence reception, analysis, classification, processing, response and sharing.

Sources

1. Bitsight 2023 – Creating Trust in an Insecure World: Strategies for Cybersecurity Leaders in the Age of Increasing Vulnerabilities
2. Cyentia 2021 – Prioritization to Prediction Volume 8: Measuring and Minimizing Exploitability
3. Mandiant 2023 – M-Trends 2023: Mandiant Special Report
4. Tenable 2023 – 2022 Threat Landscape Report: A guide for security professionals to navigate the modern attack surface
5. Mandiant 2023 – M-Trends 2023: Mandiant Special Report
6. Cisco Secure 2023 – Prioritization to Prediction, Vol. 9: Role of the known exploited vulnerability catalog in risk-based vulnerability management

Links

Read also:

Elisa Cyber Security Services for customers (in Finnish)

Wärtsilä prepares for cyber threats with the help of Elisa

Cyber Security Outlook 2023 – a review of cybersecurity phenomena (in Finnish)

The cyber climate has changed – end-to-end cybersecurity from Elisa (in Finnish)


Written by

Teemu Mäkelä
Chief Information Security Officer

The author works as Elisa's Chief Information Security Officer, responsible for cybersecurity as a whole. Mäkelä has worked in the information security and telecommunications field for almost 20 years and has experience both of large international ICT companies and of consulting in the field. In autumn 2020, Teemu Mäkelä received the Information Security Manager of the Year (Vuoden Tietoturvapäällikkö®) award.