New cybersecurity vulnerabilities increased at a never-before-seen pace in 2021, with the number of vulnerabilities reaching the highest level ever reported in a single year. As a threat analyst that monitors security advisories daily, I also observed a 24% jump in new vulnerabilities exploited in the wild last year — indicating threat actors and malware developers are getting better at weaponizing new vulnerabilities. Not only are vulnerabilities proliferating at an unprecedented rate, but threat actors have also gotten better at racing to take advantage of them with a range of new malware and exploits.
These findings were reinforced by the Cybersecurity and Infrastructure Security Agency (CISA) alert issued in April 2022: "Globally, in 2021, malicious cyber actors targeted internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities. For most of the top exploited vulnerabilities, researchers or other actors released proof of concept (POC) code within two weeks of the vulnerability's disclosure, likely facilitating exploitation by a broader range of malicious actors."
Focus on Active Threats and Exposure
There is a silver lining to this compounding year-over-year surge in vulnerabilities: As counterintuitive as it may sound, fixing all vulnerabilities is likely unnecessary for most organizations. And with many large companies battling millions of vulnerabilities, immediately fixing every flaw identified by traditional vulnerability scanners is an impossible task.
Why does alert fatigue exist? Traditional approaches to understanding the severity of vulnerabilities rely almost exclusively on the Common Vulnerability Scoring System (CVSS). However, CVSS only provides a general picture and does not consider how the vulnerability would be exploited within a specific network. As a result, organizations are left dealing with a massive list of vulnerability alerts with little to no visibility into how they should be prioritized based on specific security controls and configurations.
While cybersecurity breaches rose sharply year-over-year, the good news is that 48% of organizations with no breaches took a risk-based approach. This risk-based approach includes five key ingredients:
- Attack surface visibility and context
- Attack simulation
- Exposure management
- Risk scoring
- Vulnerability assessments
Actual risk reduction requires focusing on eliminating the threats that matter. Thankfully, cybersecurity leaders are now embracing the fact that not all vulnerabilities are created equal. This new way of thinking enables SecOps to ruthlessly prioritize the vulnerabilities that matter for remediation and quantifiably reduce risk.
Modeling Cyber-Risk Management
Risk management is an essential principle of cybersecurity, allowing security teams to prioritize threats based on their potential impact on an organization.
For a comprehensive risk score, consider adding these elements to the static CVSS:
- Exploitability: Are threat actors exploiting the vulnerability in the wild?
- Exposure: Are existing security controls protecting the vulnerable asset?
- Asset importance: Is the asset mission-critical? Would it expose sensitive data?
- Financial impact: How much will it cost your business per day if the system is compromised?
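To show how these four factors reorder a CVSS-only queue, here is an added worked example (not from the article or any vendor tool). The multipliers, the loss ceiling, and the sample findings are all assumptions constructed for the illustration; the `VULN-*` labels are placeholders, not real CVE identifiers.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    vuln_id: str         # constructed label, not a real CVE identifier
    cvss: float          # static CVSS base score (0-10)
    exploited: bool      # exploitability: seen exploited in the wild?
    exposed: bool        # exposure: reachable despite existing controls?
    asset_weight: float  # asset importance: 1.0 mission-critical ... 0.1 lab box
    daily_loss: float    # financial impact: estimated cost per day of compromise

# Assumed weights for the illustration; tune them to your own environment.
EXPLOITED_MULT = 1.5        # in-the-wild exploitation raises urgency
UNEXPOSED_MULT = 0.1        # a control blocks the path, so the finding recedes
LOSS_CEILING = 1_000_000.0  # daily loss at which the impact term saturates

def risk_score(f: Finding) -> float:
    """Layer the four contextual factors onto the CVSS base score."""
    score = f.cvss
    score *= EXPLOITED_MULT if f.exploited else 1.0
    score *= 1.0 if f.exposed else UNEXPOSED_MULT
    loss_fraction = min(f.daily_loss / LOSS_CEILING, 1.0)
    score *= 1.0 + f.asset_weight * loss_fraction
    return score

def prioritize(findings):
    """Return (vuln_id, score) pairs, highest contextual risk first."""
    return sorted(((f.vuln_id, risk_score(f)) for f in findings),
                  key=lambda pair: pair[1], reverse=True)

# Constructed sample: a critical-CVSS bug sitting behind a control versus a
# lower-CVSS bug that is exploited in the wild and reachable on a key asset.
SAMPLE = [
    Finding("VULN-A", 9.8, exploited=False, exposed=False, asset_weight=1.0, daily_loss=500_000),
    Finding("VULN-B", 7.5, exploited=True,  exposed=True,  asset_weight=1.0, daily_loss=500_000),
    Finding("VULN-C", 5.3, exploited=True,  exposed=True,  asset_weight=0.1, daily_loss=1_000),
    Finding("VULN-D", 8.1, exploited=False, exposed=True,  asset_weight=0.5, daily_loss=200_000),
]

if __name__ == "__main__":
    for vuln_id, score in prioritize(SAMPLE):
        print(f"{vuln_id}: {score:.2f}")
```

A CVSS-only sort would put VULN-A first; with context, the unexposed 9.8 drops to the bottom and the exploited, exposed 7.5 on the mission-critical asset rises to the top.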
Now is the time to leverage the data you have to embrace breach prevention that will combat the side effects of digital transformation and modern cybercrime strategies. That means focusing on active threats that are accessible to adversaries and have the potential to devastate your business financially — instead of the millions of vulnerabilities that aren't even exposed.
Armed with cyber-risk modeling, security teams are empowered to pinpoint the risks that matter and prioritize remediation where it's genuinely needed. Telling a CISO that you've retired thousands of exploitable vulnerabilities and malware families in a single month will result in a happy executive.