7 Types of exposures to manage beyond CVEs
As cybersecurity leaders try to get ahead of threats to their organization, they're increasingly seeking ways to get off the hamster wheel of chasing countless CVEs (common vulnerabilities and exposures). The brass ring that most CISOs reach for today is prioritization of exposures in their infrastructure (and beyond), so their teams can focus on tackling the ones that present the greatest risk. In some cases, the highest priority exposures will still be critical CVEs on mission critical assets. But in many other instances the exposures and threat factors that need to be managed extend far beyond vulnerability management. This is where the promise and practices of exposure management kick in.
The following are seven types of exposures that security teams should seek to manage beyond CVEs. Continuous monitoring for exposures, combined with a comprehensive analysis of risk prioritization and ratings, can help security leaders finally get their fingers around that brass ring.
1. Cloud misconfigurations
As cloud-native applications and infrastructure proliferate in the enterprise, cloud misconfigurations are increasingly the most frequent and the riskiest exposures facing organizations today. Recent studies show cloud misconfigurations as the number one concern for cloud security firms, worrying 59% of security leaders. Almost one in four security pros say their org has experienced public cloud incidents recently, most commonly caused by misconfiguration. Security teams need exposure management visibility and controls that make it easier to find and remediate these risky problems.
2. Exposure to zero days
An effective exposure management program should act as the engine that powers speedy assessment and remediation of zero day exposures at scale. To do this, organizations must establish accurate, real-time reporting of these 0days within enterprise and third-party assets, as well as tooling and processes that can coordinate internal remediation and outreach to vendors and other third parties who need to address the risk in systems relevant to the organization.
3. Exposure in high-value assets
The value of the assets exposed to vulnerabilities, misconfigurations, stolen credentials and other attackable issues absolutely plays a part in risk exposure calculations. Organizations need tooling that can account for business value of assets impacted by specific exposures and exposure clusters.
4. Third-party exposures
Many organizations consider external attack surface management (EASM) as a way of broadening risk visibility from just on-premises systems to all of their cloud assets. But really, exposure management needs to extend beyond that. There's a whole world of risk from connected third-party vendors and partners that needs to be monitored as well if an organization is going to truly minimize its exposure levels. The best exposure management tools and practices should be embedding third-party risk management (TPRM) visibility and analysis into the mix.
5. Critical infrastructure exposures
As attackers increasingly focus on critical infrastructure that powers operational technology and the IoT, CISOs need more data about exposures in these systems that could open up their organization to physical safety issues and other huge risks should they be successfully attacked. Whether it is power plants, manufacturing equipment, or industrial internet of things sensors that power maintenance on critical infrastructure, misconfigurations and other exposures in these systems need monitoring.
6. Exposed credentials
Real-world data about leaked or stolen credentials can help direct security operators to areas in the infrastructure that are most likely to be targeted by attackers sniffing around company assets. Timely mitigation of the threats posed by credential exposures can greatly reduce an organization's attack surface. The context of findings about exposed credentials for assets that also suffer other vulnerabilities and flaws can especially bolster prioritization of action.
7. Geographical risk
Geographical context can be a very important data dimension by which companies should be analyzing and categorizing risk. Geographical cues have long been considered important when assessing where threats originate. But cyber risk management also needs to closely track the location of the assets, the business itself, and the business unit affected by any given exposure. These factors will impact the risk level of certain threats that are more likely to target an exposure, which is why exposure management programs need to be able to fold geographic risk into their risk prioritization calculations. Not only is this useful at an asset-by-asset level, but the added visibility could show whether an organization carries high levels of geographical risk in aggregate for certain regions.
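To make the prioritization idea from sections 3, 6 and 7 concrete, here is an added example (not code from the original article or any product it describes) that scores an asset's exposure cluster by combining finding severity, known-exploited status, co-located leaked credentials, business value, region and third-party ownership. The assets, findings, multipliers and region scores are constructed placeholders, not data from the article.

```python
"""Contextual exposure prioritization: rank assets by more than CVSS alone.

Added illustration; every weight, asset and finding below is constructed.
"""
from dataclasses import dataclass

# Constructed per-region risk multipliers (geographical risk, section 7).
REGION_RISK = {"us-east": 1.0, "eu-west": 1.0, "apac-edge": 1.4}

@dataclass
class Asset:
    name: str
    business_value: int        # 1 (low) .. 5 (mission critical), section 3
    region: str
    third_party: bool = False  # vendor-managed asset, section 4

@dataclass
class Finding:
    asset: str
    kind: str                  # "cve", "misconfig" or "credential"
    severity: float            # 0..10, CVSS-like
    kev: bool = False          # listed as known exploited (CVEs only)

def score_asset(asset, findings):
    """Aggregate contextual risk for one asset from its exposure cluster."""
    if not findings:
        return 0.0
    base = max(f.severity for f in findings)
    if any(f.kev for f in findings):
        base *= 1.5                        # known exploited: fix first
    kinds = {f.kind for f in findings}
    # Section 6: a leaked credential plus another flaw on the same asset is
    # a cluster an attacker can chain, so it outranks either finding alone.
    if "credential" in kinds and len(kinds) > 1:
        base *= 1.5
    base *= asset.business_value / 5       # section 3: business value
    base *= REGION_RISK.get(asset.region, 1.0)
    if asset.third_party:
        base *= 1.2                        # section 4: less direct control
    return round(min(base, 10.0), 2)

def prioritize(assets, findings):
    """Return (score, asset name) pairs from highest to lowest risk."""
    by_asset = {}
    for f in findings:
        by_asset.setdefault(f.asset, []).append(f)
    return sorted(((score_asset(a, by_asset.get(a.name, [])), a.name)
                   for a in assets), reverse=True)

# Constructed sample inventory and findings.
ASSETS = [Asset("billing-db", 5, "us-east"),
          Asset("marketing-site", 2, "eu-west"),
          Asset("vendor-portal", 3, "apac-edge", third_party=True)]
FINDINGS = [Finding("billing-db", "cve", 6.5),
            Finding("billing-db", "credential", 7.0),
            Finding("marketing-site", "cve", 9.8, kev=True),
            Finding("vendor-portal", "misconfig", 8.0)]
```

With these weights the medium-severity CVE and leaked credential on the mission-critical database outrank the CVSS 9.8 known-exploited CVE on the low-value marketing site, which is exactly the kind of context-driven reordering the article argues for.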
One of the biggest drivers behind the implementation of exposure management tooling is context. While tools like attack surface management (ASM) and continuous threat exposure management (CTEM) platforms are unmistakably an evolution of vulnerability management and asset discovery tooling, the good ones are no carbon copy. The real differentiation delivered by these tools, and by the risk management practices built around them, is the scope of contextual information offered about points of exposure. When done right, exposure management expands risk visibility and gives better clues to where action should be taken first, next and maybe even never.