Legacy vulnerability management concepts contribute to blindsiding defenders and risk managers at a time of Ransomware proliferation

The Rising Vulnerability Tide

As the pace of digitization and new software applications rises, more and more code is written with suboptimal security practices. As a result, the number of vulnerabilities introduced to the world continuously grows. Despite the modern DevSecOps practices, the tide is still coming.

When the vulnerability management practice was introduced roughly 20 years ago there weren’t that many vulnerabilities to deal with. For reference, in the year 2000, there were approximately 1000 disclosed vulnerabilities. The manual process of reviewing and analyzing the vulnerability scan, checking its validity, and then remediating according to the outcome, correlated with the number of findings.

Since then the number of vulnerabilities has increased exponentially. Every year, thousands of new vulnerabilities are discovered, piling on one another, and making it more difficult to prioritize the critical fixes. The severity of the vulnerabilities today (CVSS) is based on an aggregated score and has at times a questionable correlation to the risk it presents to the business. Security teams are left playing catch up to try to keep up with the patching requirements without knowing if they’ve fixed the most risk-bearing gaps.

In 2020 alone, more than 15,000 vulnerabilities were found.Of these, Gartner published, only 8% were exploited by attackers. To further narrow it down, the Cybersecurity and Infrastructure Security Agency (CISA) recently reported the top 30 vulnerabilities. These reports show the industry’s realization of the need for focus and a new approach to security validation. All this context is crucial for IT and security teams to reduce risk, maintain business continuity, and stay ahead of the adversary.

The Cyber Security Arms Race

This past decade has also seen a shift in the adversaries’ toolset. As exploiting a new vulnerability has a tangible economic value for an attacker, there is a strong incentive on the defenders’ side to discover these vulnerabilities and on the attacker’s side, to exploit them. Driven by these forces there has been an increase in the availability of free cyber-attack toolkits, affecting the number of potential attackers. As the attack toolsets have flourished, so have the defense controls evolved. This “cyber arms race” has led organizations to acquire security technology, complicating the security program and inevitably leading to human configuration errors which create new risks to the network. Now, in addition to the thousands of static vulnerabilities disclosed every year, security teams have dynamic vulnerabilities, aka misconfigurations, that are specific just to their networks.

The severity of the issue is accentuated when we realize that the processes implemented today for security integrity testing are the as from 20 years ago, with relatively little change in toolsets and technologies. To that extent, following a few devastating ransomware attacks in the US on Colonial Pipeline and JBS Foods, the Biden administration issued a memorandum urging businesses to take proactive and continuous steps to reduce the risk of advanced attacks. This includes updating and patching systems promptly and using a “third-party pen tester to test the security of your systems and your ability to defend against a sophisticated attack.”

While penetration testing can be effective in prioritizing the most critical vulnerabilities, it is a manual process, therefore limited in scale, and provides only a point-in-time snapshot of an organization’s security posture. It is clear in today’s threat landscape that organizations need continuous validation of their attack preparedness. This is where automated security validation comes into play

The Dawn of SecVal Automation

As noted earlier, the network is a living organism that evolves and changes constantly. Every new technology added or removed users, migration to the cloud, or mergers between companies, all pose security gaps that need to be considered and addressed. Security executives are taking a broader and more comprehensive approach to automated security validation. This approach allows a true perspective to how an adversary would approach the network and enable constant focus on the gaps that hold potential adverse business impact.

Pentera is the first Automated security validation platform to change the paradigm.  Enabling security teams to get ahead of the vulnerability curve by focusing on the vulnerabilities that matter the most and expose the true root cause of the problem. This helps to not only better deal with the continuous cycle of patching per possible business risk but also save costs and optimize resources.

According to Pentera CEO, Amitai Ratzon, “We’re not here to become a better vulnerability management platform, but rather, we’re introducing a different approach to the industry, to focus on the vulnerability that matters”.

True Risk – Means Test for Exploitation Potential

These are a few key elements in which Pentera provides a different approach –

• Test for the exploitable implications – Security teams want to address the vulnerability with the highest associated risk to their organization. To know where a vulnerability might lead to, one needs to build the attack vector all the way to the victim system.
• The attacker’s perspective – The only way to truly know which vulnerabilities to prioritize is by emulating the exact tactics and techniques a real-world attacker would use to exploit your network. By exposing networks to real adversarial actions, a complete attack operation view is gained to provide a true risk assessment.
• Remediation validation – One of the struggles with legacy vulnerability assessment, is that teams don’t have visibility to the effectiveness of their remediation efforts. With Pentera, security teams can retest their environment immediately and compare it against their baseline to ensure proper protection.
• Security controls efficacy – as noted above, the static nature of vulnerability management doesn’t take into account the continuous changes to the IT infrastructure controls. Pentera enables continuous validation to ensure they are configured properly and work as intended.

Future GRC Based on ‘Trial by Combat’

Pentera helps over 400 enterprise organizations in over 30 countries discover their real-world, real-time security exposure by emulating real-life attacks on every cybersecurity layer, on-demand. “We don’t deploy agents, so within just a few hours we provide visibility to true “kill-chains” leading to the organization’s crown jewels followed by remediation instruction, says Ratzon.

Pentera is a research-led company with a bold vision—to become the world’s cybersecurity validation authority. Under the leadership of Amitai Ratzon and the team, Pentera is set to redefine the security outlook of businesses. Its research team builds safe replicas of malware and ransomware into the software which adds up to existing security tests. The same team provides the surgical remediation recipes to counter security gaps when discovered. Recently, the Pentera team identified a zero-day in VMware vCenter, contributing to the cybersecurity community as a whole. “We believe that the current vulnerability management space is broken. Our security should be challenged by the same force and sophistication as the real threats. That’s why we are spearheading the Automated Security Validation revolution and providing each enterprise its true risk assessment and remediation roadmap”, concludes Ratzon.