Not all cybersecurity vulnerabilities are created equal. Some vulnerabilities have the potential to bring the entire organization to a halt, such as in the case of ransomware. Meanwhile, other vulnerabilities may only create limited opportunities for exploitation, putting them lower on the list of things to patch.
So out of all your security vulnerabilities, how do you know which puts your organization most at risk? That’s simple: it’s the ones you can’t see. After all, once you know about a vulnerability you can prioritize it and prepare your response. However, if you don’t know what you don’t know (a third-party vendor you aren’t tracking, an asset you missed, a misconfiguration that spans your entire network), it creates blind spots that attackers might know about, but you don’t.
As part of our Evolve from Risk Management to Risk Intelligence webinar series, I interviewed SecurityScorecard’s Chief Research Officer Alex Heid and Senior Director of Threat Intelligence Jared Smith to get their insight into how organizations can leverage risk intelligence to identify their blind spots, take the right actions, and continuously monitor their attack surface in real time.
Being Less Oblivious to the Obvious
When it comes to the attack surface, few organizations track it all. As a result, stakeholders across the organization ranging from the board and the CISO to compliance, legal, finance and privacy leaders often have only a vague understanding of the overall risk a business may face. To increase this level of understanding across stakeholders, visibility is a must. But where to start?
“What companies look for, and the tactics they use, should be the same as attackers,” Heid said. Remember that hackers are just like everyone else in that they’ll look for the easiest way to accomplish their task. By targeting the low-hanging fruit of common vectors that attackers are most likely to exploit, organizations can deter the vast majority of attacks, encouraging hackers to look elsewhere.
“Attackers and adversaries don't have time to survey every last potential vulnerability in your organization,” Smith said. “The data they are looking for is the dead-simple things that are easy to find, like default passwords, leaked credentials they can buy in forums, or an employee who isn’t security conscious that may click a malicious link.”
Defining and Redefining the Digital Footprint
Every company has a digital footprint, which comprises an inventory of all of its findable, traceable digital assets, activities, actions, contributions, and communications. If it is on your network, it’s part of your digital footprint, even if it doesn't have a direct link to the internet itself.
While defining your digital footprint is critical to gaining visibility, it’s not a one-and-done process. Your digital footprint is an organic, ever-changing collection of systems, applications, and devices. In addition, new exploits are always being publicized, so something that wasn’t an issue yesterday might become so today.
Not only is your digital footprint always changing, but a point-in-time scan will also miss any attacker activity that happens after it runs: reconnaissance, signs that access has already been gained, or attempts to cover their tracks.
“You might not find something that is exposed if you run a scan on a Monday, but then it’s there on a Wednesday,” Smith said. “If it is something that’s very sensitive, your organization is at risk without continuous monitoring of your digital footprint.”
“If you’re not actively checking yourself, you can bet someone with less benevolent intentions is,” Heid said.
The Keys to Visibility
The key to gaining visibility into your digital footprint and the overall attack surface is to use the same approach as hackers: use scanning tools and threat intelligence feeds to build an overview of where your vulnerabilities are.
“The reality is that few organizations have an up-to-date, accurate assessment of their attack surface. Some might have an asset list that is incomplete, which is where the highest risk for an exploitable vulnerability cropping up can be,” Heid said.
With a continuous monitoring solution, organizations can see a full list of their vulnerabilities, then combine it with data from threat intelligence feeds to triangulate where their greatest vulnerabilities may be.
“Even if you have 80% of your assets covered, it only takes one vulnerable one to give an attacker entry into your network,” Smith said. He says that often the remaining 20% comes from places outside an organization’s typical IP space, such as employees leveraging devices or applications outside of IT’s knowledge (also known as Shadow IT). It can also come from a vendor connected to your network that has a vulnerability on their end, allowing the hacker to use the exploit as a back door.
While regular activities like yearly audits, compliance checks, or pen tests still have their place, a continuous monitoring process is the only way to ensure that organizations are able to understand where their biggest vulnerabilities actually lie.
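The argument above, as an added example that is not part of the webinar or of SecurityScorecard's product: two constructed scan snapshots (the "Monday" and "Wednesday" from Smith's quote) are diffed to surface newly exposed assets, and each new exposure is ranked using a constructed threat-intel feed and a known-asset inventory, so an untracked asset with an actively exploited weakness rises to the top. All hosts, CVE identifiers and networks are placeholders.

```python
# Added example: continuous monitoring as "diff the footprint, then rank with threat intel".
# Every value below is constructed for illustration; the CVE ids are placeholders.
from dataclasses import dataclass
from typing import Optional, Set, List

@dataclass(frozen=True)
class Exposure:
    host: str
    port: int
    service: str
    cve: Optional[str] = None  # placeholder CVE id if the scanner flagged a known weakness

# Constructed point-in-time snapshots of the externally visible footprint.
MONDAY: Set[Exposure] = {
    Exposure("10.0.1.10", 443, "https"),
    Exposure("10.0.1.20", 22, "ssh", "CVE-0000-0001"),
}
WEDNESDAY: Set[Exposure] = {
    Exposure("10.0.1.10", 443, "https"),
    Exposure("10.0.1.20", 22, "ssh", "CVE-0000-0001"),
    Exposure("10.0.9.5", 3389, "rdp", "CVE-0000-0002"),  # shadow IT outside the tracked IP space
    Exposure("vendor.example", 8080, "http-admin"),        # third-party asset connected to us
}
# Constructed threat-intel feed: placeholder CVEs reported as exploited in the wild.
ACTIVELY_EXPLOITED: Set[str] = {"CVE-0000-0002"}
# Constructed asset inventory: the networks IT actually knows about (the "80%").
KNOWN_NETWORKS = ("10.0.1.",)

def new_exposures(previous: Set[Exposure], current: Set[Exposure]) -> Set[Exposure]:
    """Exposures present in the current scan but absent from the previous one."""
    return current - previous

def coverage(current: Set[Exposure]) -> float:
    """Fraction of observed hosts that fall inside the known inventory."""
    hosts = {e.host for e in current}
    tracked = {h for h in hosts if h.startswith(KNOWN_NETWORKS)}
    return len(tracked) / len(hosts) if hosts else 1.0

def risk_score(e: Exposure) -> int:
    """Simple additive score: known weakness, in-the-wild exploitation, untracked asset."""
    score = 1
    if e.cve:
        score += 2
    if e.cve in ACTIVELY_EXPLOITED:
        score += 4
    if not e.host.startswith(KNOWN_NETWORKS):
        score += 3  # blind spot: nobody owns this asset, so nobody patches it
    return score

def prioritized(previous: Set[Exposure], current: Set[Exposure]) -> List[Exposure]:
    """Newly exposed assets, highest risk first; this is the Wednesday-only view."""
    return sorted(new_exposures(previous, current), key=risk_score, reverse=True)
```

Running `prioritized(MONDAY, WEDNESDAY)` puts the untracked RDP host with the actively exploited placeholder CVE first and the vendor admin interface second; a Monday-only scan would have reported neither.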
Evolve to Risk Intelligence with SecurityScorecard
A holistic approach to risk – one that combines a 360º view of the attack surface with the ability to communicate risk meaningfully and respond effectively – is critical for business success in today’s cybersecurity threat landscape. With SecurityScorecard’s latest product release, organizations now have everything they need to build a world-class risk intelligence program.
Watch this webinar on-demand to hear the complete conversation for insights into how to create the visibility required to transform from risk management to risk intelligence.