Page 154 - Cyber Defense eMagazine January 2023
that vulnerability, and if there are compensating controls that can protect against that exploit,” wrote Erik
Nost, Senior Analyst at Forrester, in the Forrester blog, “Vulnerability Programs Must Regain Trust to
Inspire Action.”
It's time to be smarter about how we prioritize vulnerabilities, because there is no one-size-fits-all
approach. To do this, we need to give the vulnerability data more meaning with contextualized risk
intelligence that incorporates threat intelligence and impact to the business. You need data that tells
you what each vulnerability means for your specific organization.
• Do you know your assets?
• Is the vulnerability present on a mission-critical asset?
• Are threat actors currently exploiting this vulnerability within your industry?
• Do you have compensating controls in place?
• What is the likelihood of the threat being realized?
This is how vulnerability management is evolving – into Risk-Based Vulnerability Management – and it
will solve a major problem for a lot of organizations. But to get there, you need to take a few steps.
Step 1: Discover Your Assets
Many organizations struggle with asset discovery, and that's no surprise given the growing number of
assets and entry points each organization has. Add to that shadow IT, where teams spin up resources or
sign up for services that the IT team doesn't know about.
Keep in mind that attackers are scanning your environment to try and discover your assets.
So being able to map your entire attack surface is very important. Start with your on-prem assets and
your assets with external-facing IPs. Then discover mobile devices and dynamic assets such as cloud
infrastructure, web applications and containers. Automating the continuous identification of assets is
fundamental to building a risk-based vulnerability management program. CISA recently published Binding
Operational Directive 23-01, "Improving Asset Visibility and Vulnerability Detection on Federal
Networks," which calls attention to the importance of knowing your assets and managing them accordingly.
Step 2: Classify Your Assets
Once you’re able to gain that initial view, you need to be able to classify those assets because they will
all have varying degrees of criticality to your business. Correct asset classification enables vulnerability
prioritization.
To understand which resources are the most valuable, you need to understand what type of data is
stored, processed or transmitted on them; that tells you how important specific assets are to the
business. We suggest doing a business impact analysis and making sure that you have agreement from
the C-suite.
Make sure to also analyze your compensating controls, which can justify de-prioritizing certain
vulnerabilities. And finally, you must discover new assets automatically and continuously, and ensure
those new assets are classified according to business impact.
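As an added worked example (not from the article or its author), here is the five-question checklist above and the two steps turned into a small prioritization routine in Python. The asset names, criticality tiers, control names, weights and vulnerability IDs are all constructed placeholders for this example, not real CVEs or a published scoring standard. The point it shows: severity alone ties two findings at 9.8, while asset classification, threat intelligence and compensating controls separate them and also surface the host that nobody has inventoried yet.

```python
"""Risk-based vulnerability prioritization (added example, not the article's code).

Weights and sample data below are illustrative assumptions, not a standard.
"""
from dataclasses import dataclass

# Business-impact tiers from the BIA (Step 2). Hypothetical weights.
CRITICALITY_WEIGHT = {"critical": 1.0, "high": 0.8, "medium": 0.5, "low": 0.25}


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: str          # tier assigned by the business impact analysis
    internet_facing: bool     # discovered with an external-facing IP (Step 1)
    controls: frozenset       # compensating controls in place (placeholder names)


@dataclass(frozen=True)
class Finding:
    vuln_id: str              # placeholder IDs, not real CVE numbers
    asset: str
    cvss: float               # scanner severity, 0-10


@dataclass(frozen=True)
class ThreatIntel:
    exploited_in_wild: frozenset        # vulns with observed exploitation
    targeting_our_industry: frozenset   # vulns used against our sector
    mitigated_by: dict                  # vuln_id -> controls known to block it


def likelihood(finding: Finding, asset: Asset, intel: ThreatIntel) -> float:
    """Questions 3-5: is it exploited, is it exposed, is it mitigated?"""
    score = 0.2                                   # baseline: no exploitation evidence
    if finding.vuln_id in intel.exploited_in_wild:
        score += 0.4
    if finding.vuln_id in intel.targeting_our_industry:
        score += 0.2
    if asset.internet_facing:
        score += 0.2
    score = min(score, 1.0)
    # A compensating control that blocks the known exploit halves the likelihood
    # rather than zeroing it: controls fail and get bypassed.
    if asset.controls & intel.mitigated_by.get(finding.vuln_id, set()):
        score *= 0.5
    return score


def risk_score(finding: Finding, asset: Asset, intel: ThreatIntel) -> float:
    """Risk = severity x business impact (question 2) x likelihood (questions 3-5)."""
    return round(finding.cvss * CRITICALITY_WEIGHT[asset.criticality]
                 * likelihood(finding, asset, intel), 2)


def prioritise(findings, inventory, intel):
    """Rank findings by contextual risk. An asset missing from the inventory
    (question 1) is assumed critical and exposed until someone classifies it."""
    ranked = []
    for f in findings:
        asset = inventory.get(f.asset)
        unknown = asset is None
        if unknown:
            asset = Asset(f.asset, "critical", True, frozenset())
        ranked.append({
            "vuln": f.vuln_id, "asset": f.asset, "cvss": f.cvss,
            "risk": risk_score(f, asset, intel),
            "needs_inventory": unknown,
        })
    return sorted(ranked, key=lambda r: (r["risk"], r["cvss"]), reverse=True)


# Constructed sample inventory, scan output and intel feed for this example.
INVENTORY = {a.name: a for a in [
    Asset("pay-api-01", "critical", True, frozenset({"waf"})),
    Asset("hr-db-02", "high", False, frozenset({"network-segmentation"})),
    Asset("dev-wiki-03", "low", True, frozenset()),
]}
FINDINGS = [
    Finding("VULN-A", "pay-api-01", 9.8),
    Finding("VULN-A", "dev-wiki-03", 9.8),
    Finding("VULN-B", "hr-db-02", 7.5),
    Finding("VULN-B", "unknown-host-99", 7.5),   # scanner saw it; inventory did not
    Finding("VULN-C", "pay-api-01", 5.3),
]
INTEL = ThreatIntel(
    exploited_in_wild=frozenset({"VULN-A"}),
    targeting_our_industry=frozenset({"VULN-A", "VULN-B"}),
    mitigated_by={"VULN-A": {"waf"}, "VULN-B": {"network-segmentation"}},
)


def ranked_sample():
    return prioritise(FINDINGS, INVENTORY, INTEL)


if __name__ == "__main__":
    for r in ranked_sample():
        flag = "  <- not in inventory" if r["needs_inventory"] else ""
        print(f'{r["risk"]:5.2f}  cvss {r["cvss"]:4.1f}  {r["vuln"]:7} on {r["asset"]}{flag}')
```

On the sample data the severity-only order (9.8, 9.8, 7.5, 7.5, 5.3) becomes 4.9 for VULN-A on the payment API, 4.5 for VULN-B on the uninventoried host, 2.45 for VULN-A on the low-value wiki, 2.12 for VULN-C on the payment API and 1.2 for VULN-B on the segmented HR database. The unknown host ranks second precisely because the routine refuses to assume it is unimportant: discovering and classifying it is the first action the list demands.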
Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.