Why A ‘Layers And Lists’ Approach To Cybersecurity Is Doomed To Fail

By Gary Fischer, VP Americas, XM Cyber

Why is cyber-defense such an asymmetrical war? Hackers can launch a barrage of attacks on a single target and keep going until they find one overlooked weakness. Defenders, meanwhile, are often overwhelmed with alerts, unsure what to patch first and have little real visibility into the weaknesses of their ever-changing environments.

In a battle between active adversaries who only need to land a single blow to win — and passive defenders who aren’t even sure where they are truly vulnerable — the outcome is almost pre-ordained.

Fortunately, there is something IT teams can do right now to flip the odds: Drop the old approach of siloed security products and disconnected lists and build a cybersecurity defense that mimics the attacking mindset of adversaries — and turns it against them.

Layers and Lists vs. Risk-Based Vulnerability Management: Why It’s No Competition

Piling security controls on top of security controls and working with endless streams of poorly prioritized Common Vulnerabilities and Exposures (CVEs) is no way to protect your assets. Unfortunately, that’s the status quo for many enterprises.

While firewalls, standard Vulnerability Management (VM) and endpoint tools have their uses, all of them can be defeated by a simple human error. They don’t always play nice with each other. Additionally, server misconfigurations, credential mismanagement and other mistakes are a perpetual problem.

Larger organizations are often deluged with alerts, and the amount of time security teams spend chasing down patches for relatively low risk vulnerabilities is enormous. Without key risk context, defenders often spend precious hours addressing the wrong set of problems at the wrong time. Not only does it place your most valued assets at risk, it’s also a massive waste of time and energy.

Fortunately, there is a better way: Constant, attack-centric analysis of exposures caused by exploitable vulnerabilities and human error paired with effective prioritization. Integrating these concepts into an existing security posture allows you to achieve continuous, risk-based vulnerability management — and provides the best tool we have against Advanced Persistent Threats and other sophisticated attackers.

Beat Them at Their Own Game

To adopt an attacker’s mindset, defenders need to stop thinking “lists” and start thinking “attack graphs.” In practical terms, this means incorporating risk-based VM software that can continuously scan a network and identify exposures from exploitable vulnerabilities and errors. Then, such software can launch simulated attacks against critical assets seeking to illuminate paths that can be exploited.

The outcome of all of this continuous scanning and attack modeling is a targeted and ranked list of exposures that put your business-critical assets at the most risk. Factor in context-sensitive and least effort remediation advice, and SecOps teams can begin quickly patching exposures. The entire process of identifying, classifying and addressing vulnerabilities can be profoundly streamlined and made vastly more effective.

Now let’s contrast this sort of tool with the conventional approach.

You’ve got a slew of siloed security controls, but no real visibility into evolving vulnerabilities in complex hybrid environments — places where even the smallest change can create new security gaps.

You’ve got vulnerability scanners, but you’re missing key risk context. Without understanding how exposures can be exploited and which vulnerabilities are truly exploitable, you can’t efficiently prioritize your patches. Without a risk-based VM tool to point you to the most accurate vendor patch or update, you may waste untold hours of research time. Larger enterprises may deal with thousands of CVEs, each of which must be researched and prioritized. In many cases the issues are low risk or require a patch that has been superseded by another patch. Without all the needed context, defenders are often struggling to make the right decisions.

The Takeaway

Ultimately, relying on layers and lists alone is a recipe for subpar security and wasted resources. Attack-focused, risk-based VM solutions represent the next wave of risk quantification for cloud and on-premises environments. Using a tool that allows you to think like an attacker — and helps you understand potential impact, asset criticality, related connections and choke points — is essential for meeting today’s cybersecurity challenges.

The right risk-based VM tool should be able to help identify vulnerabilities that allow attack paths leading to business-critical assets and prioritize based on risk to those key assets. This then allows you to immediately perform the right remediation work to close the attack chain.

By working smarter, you not only lower your risk but save your team a substantial amount of time and effort. An attack-centric, risk-based VM tool can help you focus on the most critical patches, which can reduce workloads by up to 90-percent — because you are only working on the 10-percent of CVEs that pose the gravest risk.

Less wasted time for defenders and better security for your crown jewel assets. Everybody wins — except for the adversaries trying to steal your data.

About the Author

Gary Fischer is the VP Americas for XM Cyber. He has been in the cybersecurity software arena for over 20 years. Prior to joining XM Cyber, Gary served as Vice President of Sales for the Americas at Skybox Security for close to 10 years. Before that, he held other senior sales leadership roles in the cybersecurity field. He has a proven track record of taking startup companies from early stage to acquisition. Gary can be reached online at https://www.linkedin.com/in/gsfischer/ and at our company website http://www.xmcyber.com