From vulnerability management to cyber exposure management

Technology has evolved rapidly over the last few decades and so have the mechanisms to protect our systems. And as long as technology has existed, so have threat actors. From the first known instance of a ransomware attack in 1989, that hid all directories and encrypted filenames, cybercrime has evolved. 

Today, threat actors have turned ransomware into a self-sustaining business model. For this reason, organizations of every size and across every industry have to evolve their security practices to align with how they conduct their operations.

New security tools are introduced to the market every so often, by vendors trying to reimagine new ways of securing the cyberspace. Both small and large organizations are fair game to threat actors, which makes it imperative to maintain basic cyber hygiene. 

Yet, security strategies are not evolving at the rate of digital adoption, with many organizations still using legacy security tools. Only 34% of Indian organizations are considering decommissioning legacy cybersecurity technologies. Which is perhaps why more than half (56%) of the CISOs in India are not confident about their team's abilities to understand and anticipate new strategies used by cybercriminals.

A compliance-driven approach to security, focusing on the present rather than a risk-based approach centred around current and future threats, is still dominant in India. No matter how dramatic the evolution of tools and technologies is within our organizations, it is critical that security teams execute one of the most important, long-standing and fundamental practices well: vulnerability management.

Shifting perspectives for stronger security

Most often, business leaders perceive vulnerability management as something security professionals have been doing for the last two decades — scanning networks and identifying missing patches on Windows and Linux systems. Two decades ago, that could have constituted vulnerability management. But in 2022, it’s much more than that.

For example, organizations are no longer operating with one data centre and a dedicated server in a controlled environment. In the age of public cloud and hyperscale data centres, traditional methods of software inventory, network status among other things aren’t enough to detect vulnerabilities and misconfigurations that make systems vulnerable to attacks. For instance, web applications can be vulnerable to manipulation attacks that leverage structured query language (SQL) Injection or cross-site scripting to cause the application to serve up data it shouldn’t or be staged for fraudulent browsing.

Even the latest cloud technologies that are being leveraged to quickly scale and provide service to customers can be taken advantage of by attackers through misconfigurations, poor system policy enforcement or inappropriate access controls and rights being implemented across the cloud infrastructure, containers and other parts of the deployment architecture.

From fixing patches to cyber exposure management 

Vulnerability management has evolved from merely scanning patches into a crucial cybersecurity practice that is a combination of tools and sensors meant to assess every asset and identify the vulnerabilities that pose the greatest risk to any given organization. Modern vulnerability management programs incorporate threat intelligence about real-world attacks that give organizations context about their state of risk and combine it with what vulnerabilities are most critical.

Traditional vulnerability management has now evolved into cyber exposure management. This allows security teams to understand the security posture, how vulnerabilities expose organizations to risk and the right context on which vulnerabilities pose the greatest threat. It reduces an organization’s overall risk and establishes the first line of defense, shrinking the potential number of targets an attacker can leverage.

Cyber exposure management isn’t just a rebranding of vulnerability management — it is a change in approach to a cybersecurity strategy. Today, it has not only evolved into a proper risk management and business-enabling function but an important tenet of any security program. As technology evolves, so will exposure management, ensuring organizations have the right technology and methods to understand cyber risk and where to deploy security tools to protect the attack surface. 

Nathan Wenzler

---

Nathan Wenzler is the Chief Security Strategist at Tenable.