Page 217 - Cyber Defense eMagazine September 2025

What is required is a single source of truth when it comes to vulnerability and exposure management, and one that reflects the real-world risk landscape – not just CVEs.



The CVE crisis

CVEs give you a snapshot of enterprise assets, but they fail to provide a complete picture. They overlook critical issues like misconfigurations, segmentation flaws, and internally exposed assets, all flaws that attackers could exploit. Traditional tools fall short when it comes to asset discovery. Agent-based and credential-dependent solutions struggle to detect shadow IT, operational technology (OT) and IoT devices, all of which are increasingly common on today's attack surfaces, and difficult to monitor with traditional endpoint detection and response (EDR) and authenticated scans.
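The following is an added example, not code from the article or from any vendor it describes. It sketches what a "single source of truth" that is not CVE-centric looks like in practice: CVE findings from an authenticated scan and non-CVE findings (a cloud misconfiguration, a segmentation flaw, an unmanaged asset seen only on the network) are normalised into one record type and ranked together. All asset names, findings, severities, the placeholder CVE ids and the reachability weights are constructed for the example.

```python
"""Added example: a minimal unified exposure inventory.

Shows how a CVE-only dashboard drops misconfigurations, segmentation flaws
and internally exposed assets that a unified exposure record keeps visible.
Every asset, finding, score and weight here is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One exposure, whatever its origin, in a shared schema."""
    asset: str
    kind: str                 # "cve" | "misconfig" | "segmentation" | "exposed_asset"
    detail: str
    severity: float           # 0-10: CVSS base score for CVEs, analyst rating otherwise
    internet_reachable: bool
    source: str               # which discovery method produced the finding


# Assumption for the example: internal-only exposures are discounted but never
# dropped, because segmentation flaws can make them reachable anyway.
REACHABILITY_WEIGHT = {True: 1.0, False: 0.7}


def risk_score(e: Exposure) -> float:
    """Severity weighted by reachability; the single ranking key for all kinds."""
    return round(e.severity * REACHABILITY_WEIGHT[e.internet_reachable], 2)


def normalize_cve_row(row: dict) -> Exposure:
    """Map one authenticated-scan row (constructed schema) onto the shared record."""
    return Exposure(asset=row["host"], kind="cve", detail=row["cve_id"],
                    severity=float(row["cvss"]), internet_reachable=row["external"],
                    source="authenticated_scan")


def normalize_other_row(row: dict) -> Exposure:
    """Map a non-CVE finding (cloud posture, passive network, OT discovery) onto the shared record."""
    return Exposure(asset=row["asset"], kind=row["kind"], detail=row["detail"],
                    severity=float(row["severity"]), internet_reachable=row["external"],
                    source=row["source"])


def build_inventory(cve_rows, other_rows) -> list:
    """Merge both feeds into one list ordered by risk, highest first."""
    inventory = [normalize_cve_row(r) for r in cve_rows]
    inventory += [normalize_other_row(r) for r in other_rows]
    return sorted(inventory, key=risk_score, reverse=True)


def cve_only_view(inventory) -> list:
    """What a CVE-centric tool would show from the same inventory."""
    return [e for e in inventory if e.kind == "cve"]


def assets_hidden_from_cve_view(inventory) -> set:
    """Assets whose only findings would vanish from a CVE-centric dashboard."""
    cve_assets = {e.asset for e in cve_only_view(inventory)}
    return {e.asset for e in inventory if e.asset not in cve_assets}


# Constructed sample feeds. CVE ids are placeholders, not real identifiers.
SAMPLE_CVE_ROWS = [
    {"host": "web-01", "cve_id": "CVE-PLACEHOLDER-1", "cvss": 9.8, "external": True},
    {"host": "files-02", "cve_id": "CVE-PLACEHOLDER-2", "cvss": 7.5, "external": False},
]
SAMPLE_OTHER_ROWS = [
    {"asset": "bucket-backups", "kind": "misconfig", "detail": "public read ACL on storage bucket",
     "severity": 8.0, "external": True, "source": "cloud_api"},
    {"asset": "plc-07", "kind": "segmentation", "detail": "OT VLAN reachable from user VLAN",
     "severity": 9.0, "external": False, "source": "passive_network"},
    {"asset": "nas-shadow", "kind": "exposed_asset", "detail": "unmanaged NAS with SMB open",
     "severity": 6.0, "external": False, "source": "passive_network"},
]


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_CVE_ROWS, SAMPLE_OTHER_ROWS)
    for e in inv:
        print(f"{risk_score(e):5.2f}  {e.kind:<13} {e.asset:<15} {e.source:<19} {e.detail}")
    print("hidden from a CVE-only view:", sorted(assets_hidden_from_cve_view(inv)))
```

Three of the five assets in the sample, including the highest-rated internal finding (the OT segmentation flaw), never appear in the CVE-only view; they only surface because passive network and cloud-API sources feed the same inventory and are scored on the same scale.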

With under-resourcing a problem across the board, affecting not only the CVE program but also the National Vulnerability Database (NVD), an approach that isn't entirely CVE-centric is urgently needed.



Rising risk

This urgency is amplified by the complex nature of the modern corporate attack surface, which has become a tangled web of on-premises servers and desktops, remote working laptops and smartphones, public cloud containers, edge devices, and operational technology (OT). It is virtually impossible to maintain visibility and detect exposures with so many transient and dynamic assets, and defenders are constantly left in the dark.

This is taking place in tandem with major changes to the threat landscape, which is becoming increasingly dangerous as actors grow more sophisticated and professional.



The cost

The consequences of cyberattacks are escalating and impossible to ignore. In the US alone, data compromises have reached a near-record high, with almost 1.4 billion victims receiving notifications regarding a breach. Ransomware also remains a top concern, and recent research by Sophos indicates that half of 3,400 responding IT professionals paid ransomware operators in the first part of this year. The cost of the ransomware payment itself is just the tip of the iceberg; beyond this there is the business interruption, the cost of missed sales, and IT and legal costs.

When breaches stem from preventable exposures, organizations also risk facing regulatory penalties. Senior managers can be held personally accountable for instances of serious negligence, and organizations can face huge fines and reputational damage if they can't give evidence which proves all assets are visible and secure.








Copyright © 2025, Cyber Defense Magazine. All rights reserved worldwide.