Organizations today rely on an increasing number of applications installed on enterprise devices just to “keep the lights on” and business functioning. Being able to immediately access emails, files, communications, and web conferencing tools has never been more critical with the rise of remote and hybrid work.
According to the 2023 Resilience Index Report by Absolute, the average enterprise system has approximately 67 applications installed. The report also indicated that 10% of enterprise systems have over 100 applications installed. Applications are built from thousands, if not millions, of lines of code. On average, there are between 15 and 50 defects per 1000 lines of code. While not all defects become vulnerabilities, a good percentage of them do. In 2024 alone there were over 40,000 new Common Vulnerabilities and Exposures (CVEs) published, which is a 72% increase over the previous year.
If that is not enough, we also need to concern ourselves with weaknesses and vulnerabilities that are introduced by insecure configurations and misconfigurations. This makes the capability to detect, identify, assess, prioritize, and mitigate vulnerabilities in a timely manner critical to effectively managing risk and reducing the potential of suffering a crippling cyber security event. What does that mean?
To start, organizations need to include all applications, systems, devices, and networks in their vulnerability management practice, especially anything that can interact with production systems and data. Malicious actors will use any path they can to negatively impact an organization, including the system that resides in a dark corner of your network, is rarely used, and is often forgotten about. After compromising that system, it often takes them minimal effort to move laterally to other, more important systems.
Additionally, any public IP address space that is owned by or assigned to an organization should be included, even if the organization isn’t providing any public facing services. We want to ensure that what is being exposed publicly (or not being exposed publicly) is what we expect, and if not, become aware and address it quickly.
There are two primary methods used to detect, identify, and manage vulnerabilities:
Agent based
Information about vulnerabilities is captured by an agent installed on the target system. This provides an efficient way to collect information about the target system regardless of where it is located: it doesn’t matter if a system is on premises, in the cloud, or at a remote location, as long as the system has internet connectivity. Additional benefits include complete visibility into the system, minimal resource utilization, and fewer false positives.
Network based
Information about vulnerabilities is captured by scanning the target system over the network from a scanner system. This provides an effective way to run scheduled scans to determine what a target system is presenting to the network, and to collect information on systems where you are unable to install an agent or the operating system does not support one. For this type of scan to work, the target system must be reachable by the scanner system over the network.
This type of scanning can be performed in two ways:
- Uncredentialed – This type of scan provides information about which ports are open and the services listening on those ports. Vulnerabilities are identified based on the information in the responses from the target system when listening services are queried. The ability to identify vulnerabilities with this type of scan is limited and there is a greater potential for false positives. This is a good approach if the goal is to understand what the target system is presenting to the network, or to verify that a firewall is restricting inbound traffic to the target system as intended.
- Credentialed – This type of scan provides all the information that is captured by the uncredentialed scan and goes a step further. The scanner attempts to log onto the target system using preconfigured credentials and collects information with visibility comparable to that of the agent based method. As a result, a greater amount of vulnerability information is provided and the potential for false positives is reduced.
Once vulnerabilities have been identified they need to be assessed to determine the level of risk associated with each one, based on the potential impact and the likelihood of exploitation. The Common Vulnerability Scoring System (CVSS) is a method often used to measure the severity of vulnerabilities. This system assigns a numerical score from 0 to 10 based on factors including attack vector, complexity, and impact: the higher the assigned score, the more severe the vulnerability and the greater the risk.
While CVSS scores provide a good starting point for understanding the potential risk of a vulnerability, contextual information needs to be considered to get a more accurate understanding of the real level of risk. The risk posed by a vulnerability will change depending on whether the affected system is directly exposed to the internet or not. Other factors that can affect the level of risk are the function of the system and the type of data stored or processed on it.
After the risk for identified vulnerabilities has been determined, those vulnerabilities need to be prioritized so the organization can focus its efforts on remediating the vulnerabilities that have the greatest impact on reducing overall risk. It is common for vulnerability scans to identify hundreds, if not thousands, of vulnerabilities, and addressing them all can be a lengthy process taking weeks, months, or longer.
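As an added illustration of the contextual weighting described above (not part of the original article, and not any vendor's scoring model), the Python snippet below adjusts a CVSS base score by assumed asset-context multipliers for internet exposure, system function, and data sensitivity, then ranks findings by the result. The assets, findings, weights, and finding identifiers are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    internet_exposed: bool
    function_criticality: float  # assumed scale: 0.5 (lab/test) .. 1.5 (business-critical)
    data_sensitivity: float      # assumed scale: 0.5 (public data) .. 1.5 (regulated/PII)


@dataclass
class Finding:
    finding_id: str              # constructed placeholder, not a real CVE identifier
    asset: Asset
    cvss_base: float             # CVSS base score, 0.0 .. 10.0


def contextual_risk(f: Finding) -> float:
    """Scale the CVSS base score by asset context (assumed weighting, for illustration).

    Internet exposure is the strongest factor because it changes the likelihood of
    exploitation; function criticality and data sensitivity scale the impact side.
    The result is capped at 10.0 to keep the familiar CVSS range.
    """
    exposure = 1.5 if f.asset.internet_exposed else 0.6
    score = f.cvss_base * exposure * f.asset.function_criticality * f.asset.data_sensitivity
    return round(min(score, 10.0), 1)


def prioritize(findings):
    """Return findings ordered from highest to lowest contextual risk."""
    return sorted(findings, key=contextual_risk, reverse=True)


# Constructed example inventory: three assets with very different context.
LAB_BOX = Asset("lab-vm-07", internet_exposed=False, function_criticality=0.5, data_sensitivity=0.5)
PORTAL = Asset("customer-portal", internet_exposed=True, function_criticality=1.5, data_sensitivity=1.5)
FILESRV = Asset("hr-fileserver", internet_exposed=False, function_criticality=1.0, data_sensitivity=1.5)

FINDINGS = [
    Finding("EXAMPLE-1", LAB_BOX, 9.8),   # critical CVSS, but an isolated, low-value lab host
    Finding("EXAMPLE-2", PORTAL, 7.5),    # lower CVSS, but internet-facing and business-critical
    Finding("EXAMPLE-3", FILESRV, 8.1),   # internal, but holds sensitive data
]

if __name__ == "__main__":
    print(" risk  cvss  asset            finding")
    for f in prioritize(FINDINGS):
        print(f"{contextual_risk(f):>5}  {f.cvss_base:>4}  {f.asset.name:<16} {f.finding_id}")
```

Note that the internet-facing portal with a CVSS 7.5 finding ranks first, while the CVSS 9.8 finding on the isolated lab host drops to the bottom of the list.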
Traditional vulnerability management platforms typically don’t make assessing the real level of risk posed by a vulnerability easy. Vulnerability risk (severity) is often determined solely from the CVSS scores assigned to the identified vulnerabilities. It then takes human effort to factor in contextual information to get an accurate understanding of risk. This can be a daunting task, consuming valuable time that could be better used to remediate vulnerabilities and reduce risk based on the organization’s priorities. This delay lengthens exposure time, giving malicious actors more opportunity to attempt to exploit the identified vulnerabilities.
Additionally, traditional platforms often leverage a periodic (weekly, monthly, etc.) approach to scanning for vulnerabilities. If a new vulnerability is published the organization must wait for the results of the next scan to determine its presence. If an effort is made to remediate vulnerabilities, verification that remediation efforts were effective requires waiting for the results of the next scheduled scan.
A next generation vulnerability and attack surface management platform is instrumental in enabling an effective and efficient vulnerability management practice. These platforms leverage machine learning and criteria defined by the organization to influence the risk severity rating of a vulnerability and establish asset context, allowing us to quickly gain intelligence and insights through tailored posture and remediation reporting. As a result, we are able to swiftly prioritize remediation activities and mitigate risk in a manner aligned with the organization’s priorities and what it deems most critical.
Next generation platforms also provide the benefit of a continuous approach to scanning systems for vulnerabilities, in some cases in near real time using the agent based scanning method. This gives organizations the ability to understand their current risk and vulnerability state at any point in time.
Effective vulnerability management is essential for safeguarding your business against evolving threats. For example, with 11:11 Continuous Risk Scanning, you can gain clear visibility into your assets, enabling you to prioritize risks and act quickly. With 11:11 Managed OS services we can take care of OS patching thus helping remediate vulnerabilities. By aligning vulnerability management with your organization’s unique needs, you can reduce your attack surface and strengthen your overall security posture. Now is the time to take control of your vulnerabilities and protect what matters most.
To learn more about how 11:11 can help your organization manage vulnerabilities check out these 11:11 resources and tools.