Combating vulnerability fatigue with automated security validation

Security operations teams have been dealing with “alert fatigue” for far too long.

The introduction of log monitoring (e.g., SIEM), firewall, and AV technologies over two decades ago provided valuable tools for IT teams to be alerted to known suspicious network behavior. However, as time goes by and digital transformation is at a record high, the underlying technologies supporting security teams on their day-to-day operation have not changed.

It is now harder than ever to distinguish between benign and malicious behavior as attacks have turned more sophisticated, often using legitimate operating system toolsets, and are harder to spot amongst regular network behavior. The problem is not all suspicious behavior is malicious behavior – far from it. As a result, what was supposed to provide a useful glimpse into network activity has become the bane of many security professionals.

Dealing with a problem with the wrong toolset leads to reverse evolution – as we can see in the vulnerability management market, where tools are becoming more of a distraction to security professionals than the insightful guide to better security that they promise to be.

Legacy vulnerability management tools flood security teams with long lists of community prioritized vulnerabilities – there were more than 15,000 vulnerabilities found only in 2020. Of these, only 8% were exploited by attackers. Not to mention the top 30 recently reported by CISA.

Currently, it’s a cat and mouse game that the customer can never win – chasing an ever-growing list of vulnerabilities without knowing whether they fixed the ones that attackers want to target, exposed the most risk-bearing vulnerabilities, checked if there is an active exploit for a specific vulnerability, or analyzed what the possible risk and impact is that may originate from a vulnerability.

All that context is required for security and IT teams to reduce the risk, maintain business continuity, and be a step ahead of the adversary. Unfortunately, the chase for more and more vulnerabilities has kept us away from the goal of where we want and need to be. At this stage of the battle with cyber adversaries, CISOs can’t go backward into the world of vulnerability fatigue. They need to move at the same pace of innovation as attackers, which requires an understanding of how attackers reconnoiter and target an organization. This is the fundamental job that vulnerability management systems are failing at.

Trapped in a never-ending whack-a-vulnerability game

According to CVE Details, the average organization with 5,000 employees will have 3-4x that number of vulnerabilities to manage. But of this group, only 13% are typically deemed “critical”. But how can one assess criticality? Looking at a single vulnerability is like checking your fever once-a-year: meaningless.

Without the ability to determine which vulnerabilities are most likely to be exploited by attackers, security teams are playing a never-ending game of patching whack-a-mole – when one vulnerability gets found and added to queue for patching, another pops up. This amount of patching can be overwhelming and makes it impossible to effectively mitigate risk and focus on improving resiliency.

In a recent memorandum issued by the Biden administration after devastating ransomware attacks on Colonial Pipeline and JBS Foods, the White House urged businesses to take proactive steps to reduce the risk of advanced attacks. This includes updating and patching systems promptly and using a “third-party pen tester to test the security of your systems and your ability to defend against a sophisticated attack.”

While penetration testing can be effective in identifying the most critical vulnerabilities, it is a manual process and provides only a point-in-time snapshot of an organization’s security posture. An organization needs continuous assurance of its attack preparedness, and this is where automated security validation comes into play.

The dawn of a continuous approach to security validation

The IT network is a living organ undergoing constant change – adding and removing users, updating access and policy, migrating to cloud and distributed environments. This is why legacy vulnerability assessment with an agent-dependent architecture is no longer enough – leading CISOs are embracing a broader, comprehensive approach to automated security validation, which requires a real-life look at how an attacker will approach your environment.

Here are a few key ways in which automated security validation differs from legacy vulnerability management:

• Vulnerability that matters – Most legacy systems are good at finding vulnerabilities but that’s it. No security team wants more vulnerabilities. What they do want is the right context and risk associated with the most critical vulnerabilities. This includes the most risk-bearing vulnerabilities based on exploitability, possible risk and impact to the organization and business operation.
• Adversarial validation – The only way to truly know which vulnerabilities to prioritize is to emulate the actual tactics and techniques real world attackers use to exploit your network. Legacy systems lack the ability to conduct reconnaissance, sniff, spoof, crack, harmlessly inject malware, move laterally, and escalate privileges, and exfiltrate data. By exposing networks to real adversarial actions, teams gain a complete attack operation view to provide a true assessment of their resiliency against attacks.
• Re-testing capabilities – With legacy vulnerability assessment, IT teams often struggle to understand if the changes they have made have improved security or caused collateral damage to the network. With a security validation tool, security teams can retest their environment immediately and compare against the baseline to ensure complete protection.
• Security controls efficacy – Yet again, vulnerability as the goal falls short leaving security teams with empty hands to take an action under-confidently answer the question of readiness against an attack. With continuous change to IT infrastructure, and sophisticated adversary evolution, security controls need to be validated to make sure they are working as intended and are configured properly.

Automated security validation changes the paradigm, and with that the game. Enabling security teams to get ahead of the vulnerability curve by zeroing in on the vulnerabilities that matter the most can expose the true root-cause of the problem. This helps them to not only better deal with the continuous cycle of patching per possible business risk but also combat vulnerability fatigue.