
Identifying vulnerable critical assets that put you at risk

Most organizations rely on vulnerability scanners to inform their day-to-day decisions. The problem with traditional scanners is that they can only state which assets have which vulnerabilities. They cannot rank those vulnerabilities by the risk they pose to the business or to ongoing operations.

Knowing about a vulnerability is only the beginning of remediation. Analysts must then gather whatever relevant asset attributes they can track down in order to make an informed decision. Yet pulling data from endpoint management, EDR, VDI, cloud, and other organizational platforms is incredibly time-consuming, and because each platform structures its data differently, correlating records that describe the same asset is error-prone.

Overall, this cumbersome process often yields only best guesses. It is all but impossible for security and IT operations teams to focus efficiently on the critical vulnerable assets that pose the highest risk to the business, or to gain control over the vulnerability management lifecycle.

When it comes to vulnerabilities, security and IT operations teams are facing a kind of “perfect storm”. With every new asset deployed in support of growth, innovation, and efficiency efforts, the enterprise attack surface expands. The number of vulnerabilities is also rising rapidly year over year, while the time it takes attackers to exploit them is dropping. And with manual data-gathering approaches, the mean time to remediation (MTTR) has ballooned to 60 to 150 days.

One of the most effective ways to reduce risk is to have access to a real-time list of CVEs on connected assets. However, to prioritize efforts by organizational impact, you need to dig into the importance of every asset along with its relationships and dependencies within the environment. In other words, a clear understanding of each asset’s business context is required.


Why has context become essential?

Did you know that most vulnerability scanners miss up to 40 percent of the assets in a typical scan of the organization? This can be due to network restrictions, ephemeral cloud assets, or missing or misconfigured scanning agents. Even for the assets they can see, the sheer number of alerts combined with the lack of context makes it difficult to understand which critical vulnerabilities put critical assets at risk, and impossible to prioritize them effectively by risk to the business.

Consider a bank with a list of thousands of CVEs, several hundred of which are rated critical. Not every critical vulnerability sits on a critical asset (judged by function, location, and risk to the business); in practice they are spread across assets with low, medium, and critical impact. But without context, all you can do is chase down every critical vulnerability as fast as possible.

That may mean patching a developer’s laptop before a server running the core banking applications. Delays and risks compound as new vulnerabilities appear. Even when it avoids incidents, it is a never-ending, costly cycle full of visibility gaps.
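The bank scenario above, and the scanner coverage gaps described earlier, can be made concrete with a small prioritizer. This is an added example, not code from the article or from Armis: it joins constructed scanner output with a constructed asset inventory, lets an asset inherit the criticality of anything that depends on it, and ranks findings by business risk rather than by CVSS alone. The asset names, dependency edges, CVE identifiers (CVE-0000-000N placeholders, not real CVEs), scores, and weighting factors are all assumptions made for illustration.

```python
"""Ranking scanner findings by business context instead of raw severity.

Added example, not code from the article or from Armis. Every asset,
dependency edge, CVE identifier (CVE-0000-000N placeholders) and score
below is constructed for illustration; the weights are assumptions.
"""

# Constructed asset inventory (what endpoint management, a CMDB or a cloud
# API knows): criticality 1 (low) .. 5 (core business function), and
# whether the asset is reachable from the internet.
INVENTORY = {
    "dev-laptop-17":   {"criticality": 1, "exposed": False, "function": "developer endpoint"},
    "corebank-app-01": {"criticality": 5, "exposed": True,  "function": "core banking app"},
    "corebank-db-01":  {"criticality": 2, "exposed": False, "function": "database"},
    "hr-portal-02":    {"criticality": 3, "exposed": True,  "function": "HR web portal"},
    "k8s-node-eph-9":  {"criticality": 3, "exposed": False, "function": "ephemeral container host"},
}

# Constructed dependency edges (dependent -> dependencies): the banking app
# cannot run without its database, so the database inherits its criticality.
DEPENDS_ON = {"corebank-app-01": ["corebank-db-01"]}

# Constructed scanner output: the hosts the scanner actually reached, and its
# findings as (asset, placeholder CVE id, CVSS base score, known exploited).
# Note that the ephemeral container host was never scanned.
SCANNED = {"dev-laptop-17", "corebank-app-01", "corebank-db-01", "hr-portal-02"}
FINDINGS = [
    ("dev-laptop-17",   "CVE-0000-0001", 9.8, False),
    ("corebank-app-01", "CVE-0000-0002", 7.5, True),
    ("corebank-db-01",  "CVE-0000-0003", 8.1, False),
    ("hr-portal-02",    "CVE-0000-0004", 9.1, False),
]

# Assumed weights: internet exposure and in-the-wild exploitation each double the score.
EXPOSED_WEIGHT = 2.0
EXPLOITED_WEIGHT = 2.0


def effective_criticality(asset, inventory=INVENTORY, depends_on=DEPENDS_ON, _seen=None):
    """Criticality of an asset, raised to that of anything that depends on it.

    Walks the dependency graph upward transitively, guarding against cycles.
    """
    _seen = set() if _seen is None else _seen
    if asset in _seen:
        return 0
    _seen.add(asset)
    crit = inventory[asset]["criticality"]
    for dependent, deps in depends_on.items():
        if asset in deps:
            crit = max(crit, effective_criticality(dependent, inventory, depends_on, _seen))
    return crit


def risk_score(asset, cvss, exploited, inventory=INVENTORY, depends_on=DEPENDS_ON):
    """Context-adjusted score: CVSS x effective criticality x exposure x exploitation."""
    score = cvss * effective_criticality(asset, inventory, depends_on)
    if inventory[asset]["exposed"]:
        score *= EXPOSED_WEIGHT
    if exploited:
        score *= EXPLOITED_WEIGHT
    return round(score, 1)


def prioritize(findings=FINDINGS, inventory=INVENTORY, depends_on=DEPENDS_ON):
    """Findings ordered by business risk, plus scanner assets the inventory does not know.

    Unknown assets cannot be contextualised at all; they need inventory reconciliation
    before anyone can say how urgent they are.
    """
    ranked, unknown = [], []
    for asset, cve, cvss, exploited in findings:
        if asset not in inventory:
            unknown.append((asset, cve))
            continue
        ranked.append((risk_score(asset, cvss, exploited, inventory, depends_on), asset, cve, cvss))
    ranked.sort(reverse=True)
    return ranked, unknown


def coverage_gaps(scanned=SCANNED, inventory=INVENTORY):
    """Inventory assets the scanner never reached: no findings here means unscanned, not clean."""
    return sorted(set(inventory) - set(scanned))


if __name__ == "__main__":
    ranked, unknown = prioritize()
    for score, asset, cve, cvss in ranked:
        print(f"{score:6.1f}  {asset:18} {cve}  (CVSS {cvss})")
    print("unscanned:", coverage_gaps())
    print("not in inventory:", unknown)
```

With these inputs the CVSS 9.8 finding on the developer laptop ranks last, the CVSS 7.5 finding on the exposed, actively exploited banking application ranks first, and the database climbs above the HR portal only because it inherits the banking application's criticality through the dependency edge. The coverage check separately reports the ephemeral container host the scanner never touched, which is exactly the kind of asset a findings-only view would silently treat as clean.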


Establishing a single source of truth for assets, risks, and vulnerabilities

Asset Vulnerability Management (AVM) eliminates cumbersome manual tasks, visibility gaps, and guesswork so organizations can focus on what matters most in vulnerability management. Its context- and risk-based approach enables organizations to quickly identify and remediate the vulnerabilities attackers are most likely to exploit, in order of importance to the business. AVM is designed to work alongside existing vulnerability scanners and can be deployed in minutes, requiring no changes to the way assets are currently scanned.

Most importantly, AVM performs this multidimensional analysis on all assets continuously, providing up-to-date views of the attack surface and evolving vulnerabilities. Given how fast cyber threats are moving, real-time awareness of vulnerabilities, threats, and exploit attempts is now a necessity.


(About the author: As co-founder and CTO, Nadir Izrael guides the technology vision behind Armis to protect the new connected and IoT devices in and around the workplace. Prior to Armis, he worked at Google as a senior software engineer.)
