Why vulnerability scanners aren’t enough to prevent a ransomware attack on your business

Vulnerability scanners are still essential tools for defenders protecting enterprise and government networks. But given the rapidly increasing complexity of today’s cyber threat landscape, these scanners are not enough to win the fight against an increasingly overwhelming volume of vulnerability alerts.

Three specific drivers have made vulnerability scanners obsolete as standalone security tools in the contemporary threat landscape:

1. Ransomware attackers should be called “threat debt collectors”

Skybox Research Lab reported the discovery of 9,444 new vulnerabilities in the first half of 2021, and NIST’s Vulnerability Database subsequently revealed that 2021 once again broke records, noting 18,400 discovered vulnerabilities in production code as of December 9. The cumulative weight of these new vulnerabilities – temporarily putting aside those that were discovered and not addressed in prior years – has left security teams underwater.

2. The attack surface continuum

As an unintended side effect of digital transformation initiatives, the attack surface has drastically expanded in complexity across critical infrastructure, IoT, and cloud assets. As operational technology (OT) assets have come online, hackers have recognized their relative security weaknesses, capitalizing on frequently unpatched devices and sometimes unpatchable OT vulnerabilities. Additionally, the Skybox Security Research Lab spotlighted a massive 46% year-over-year increase in OT vulnerabilities from 2020 to 2021.

3. The growing challenges of instantaneous remediation

Ideally, the discovery of each new vulnerability exposure would trigger immediate remediation, but in the face of widespread and deeply nested zero-day vulnerabilities such as Log4Shell, quick fixes aren’t always possible. Compounding that challenge, threat actors continue to weaponize older vulnerabilities despite the longstanding availability of patches, exploiting the mountains of known weaknesses that cybersecurity teams have yet to address. As a result, it’s clear that the old scan-and-patch approach is poorly suited to our present threat environment.

Why scan-and-patch is a losing strategy

Yes, vulnerability scanners are needed in most security toolkits. However, reactively detecting and alerting organizations to the presence of vulnerabilities means companies cannot keep up. Vulnerability scanners are akin to equipping security teams with an alarm system that’s constantly flashing lights and sounding sirens everywhere – so many alerts at once that it overwhelms security operations.

Given the significant transitions many organizations’ digital infrastructures are undergoing, along with the complex and quickly evolving threat landscape, a scan-and-patch approach reliant on vulnerability scanners as a first line of defense is simply insufficient to protect organizations from current and future threats.

As such, relying on vulnerability scanners is a dangerous strategy in the modern era, when vulnerabilities are actively and regularly weaponized for successful ransomware attacks. The dynamic shift in the threat landscape requires an equally dynamic shift in how organizations approach their cybersecurity programs.

Digital transformation inadvertently breeds new vulnerabilities

The modern threat landscape’s challenges were magnified by COVID-19, which spurred many organizations to undertake sudden digital transformations without sufficiently considering the security implications. Business leaders now appreciate the security risks created by the abrupt shift to remote work.

These fears (and realities) were particularly strong in industries that rely heavily on OT devices. From civil and manufacturing infrastructure to IoT devices, previously disconnected technology from the digital world is increasingly blending with IT infrastructure, introducing new security risks for those organizations.

Pioneer a new approach to proactive cybersecurity

To pioneer a new approach to proactive cybersecurity, answering these three questions is foundational for security operations:

• Asset and network visibility: Do we understand the entire attack surface we need to protect?
• Exposure analysis: Which exploitable vulnerabilities are exposed across my attack surface?
• Targeted remediation beyond patching: How can we automate remediation? If we can’t patch, then what?

Vulnerability scanners will remain in most security toolkits to reactively identify imminent threats. But going forward, they won’t be the end of the cybersecurity discussion. Combining comprehensive vulnerability discovery, exposure analysis, and optimal remediation paths will give CISOs the insights to prevent breaches.

As a result, we’re at the end of the era where security teams waste time and resources playing “whack-a-mole” with threats. The cybersecurity industry is finally starting to embrace the fact that exposed vulnerabilities cause ransomware breaches. Don’t try to patch everything – you’ll fail. Instead, focus on the vulnerabilities that are exposed and exploited in the wild.

At this critical moment, organizations will benefit from a proactive, comprehensive approach that helps security teams effectively identify and mitigate the impacts of numerous cybersecurity blind spots, rather than leaving a growing number of alarm bells to ring everywhere, unaddressed.