Page 154 - Cyber Defense eMagazine January 2023

that vulnerability, and if there are compensating controls that can protect against that exploit,” wrote Erik Nost, Senior Analyst at Forrester, in the Forrester blog, “Vulnerability Programs Must Regain Trust to Inspire Action.”

It's time to be smarter about how we prioritize vulnerabilities, because there is no one-size-fits-all approach. To do this, we need to bring more meaning to the vulnerability data with contextualized risk intelligence that incorporates threat intelligence and impact to the business. You need data that tells you what each vulnerability means for your specific organization.

•  Do you know your assets?
•  Is the vulnerability present on a mission-critical asset?
•  Are threat actors currently exploiting this vulnerability within your industry?
•  Do you have compensating controls in place?
•  What is the likelihood of the threat being realized?

This is how vulnerability management is evolving – into Risk-Based Vulnerability Management – and it will solve a major problem for a lot of organizations. But to get there, you need to take a few steps.
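As an added example that is not part of the article, the five questions above expressed as a small Python scoring model: the weights, the Finding fields and the sample findings are all assumptions chosen to show how context can reorder a list that CVSS alone would rank the other way.

```python
from dataclasses import dataclass

# All weights below are illustrative assumptions, not figures from the article.
# Unclassified assets are weighted like mission-critical ones so that a gap in
# asset discovery or classification cannot hide risk.
CRITICALITY_WEIGHT = {"low": 0.25, "medium": 0.5, "high": 0.75,
                      "mission-critical": 1.0, "unknown": 1.0}
EXPLOITED_IN_INDUSTRY_BONUS = 4.0   # threat intel: actively exploited in our sector
COMPENSATING_CONTROL_FACTOR = 0.4   # a verified control (e.g. network isolation) blocks the path


@dataclass
class Finding:
    vuln_id: str
    asset: str
    cvss: float                  # base severity, 0-10
    criticality: str             # asset classification from the business impact analysis
    exploited_in_industry: bool  # from threat intelligence feeds
    compensating_control: bool   # control verified to block this exploit path
    likelihood: float            # analyst estimate, 0-1, that the threat is realized


def risk_score(f: Finding) -> float:
    """Contextual risk: severity scaled by asset value, threat activity and controls."""
    score = f.cvss * CRITICALITY_WEIGHT.get(f.criticality, 1.0)
    if f.exploited_in_industry:
        score += EXPLOITED_IN_INDUSTRY_BONUS
    score *= f.likelihood
    if f.compensating_control:
        score *= COMPENSATING_CONTROL_FACTOR
    return round(score, 2)


def prioritize(findings):
    """Return vuln_ids ordered from highest to lowest contextual risk."""
    return [f.vuln_id for f in sorted(findings, key=risk_score, reverse=True)]


# Constructed sample findings (placeholder ids, not real CVEs).
SAMPLE = [
    Finding("VULN-A", "build-server", 9.8, "low", False, True, 0.3),
    Finding("VULN-B", "payments-db", 6.5, "mission-critical", True, False, 0.8),
    Finding("VULN-C", "intranet-wiki", 7.5, "medium", False, False, 0.5),
]

if __name__ == "__main__":
    for f in sorted(SAMPLE, key=risk_score, reverse=True):
        print(f"{f.vuln_id:8} {f.asset:14} cvss={f.cvss:4} risk={risk_score(f):5}")
```

Sorted by CVSS alone the order would be A, C, B; with asset criticality, threat intelligence and compensating controls applied, the 6.5 on the payments database comes out first and the 9.8 behind a verified control comes out last.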


Step 1: Discover Your Assets

We see a lot of organizations experience issues with asset detection, and that’s no surprise given the increasing number of assets and entry points that each organization has. Add to that shadow IT, where business units spin up resources or sign onto technologies that the IT teams don’t know about.

Keep in mind that attackers are scanning your environment to try to discover your assets, so being able to map your entire attack surface is very important. Start with your on-prem assets, as well as assets with external-facing IPs. Then make sure to discover mobile devices and dynamic assets such as cloud infrastructure, web applications and containers. Automating the continuous identification of assets is fundamental to developing a risk-based vulnerability management program. CISA recently published a Binding Operational Directive on Improving Asset Visibility and Vulnerability Detection on Federal Networks, calling attention to the importance of knowing your assets and managing them accordingly.


Step 2: Classify Your Assets

Once you’re able to gain that initial view, you need to be able to classify those assets, because they will all have varying degrees of criticality to your business. Correct asset classification enables vulnerability prioritization.

To understand which are the most valuable resources, you need to understand what type of data is stored, processed or transmitted on them; that tells you how important specific assets are to the business. We suggest doing a business impact analysis and making sure that you have agreement from the C-suite.

Make sure to also do an analysis of compensating controls, which can help you de-prioritize certain vulnerabilities. And finally, you must automatically discover new assets on a continuous basis and ensure those new assets are classified according to business impact.






Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.