“Traditional vulnerability management has been a tactical and operational exercise for far too long.” - Kartik Shahani, Country Manager, Tenable India
Here is an excerpt from the interview with Mr. Kartik Shahani, Country Manager, Tenable India.
Saumya: Why is securing data more than just patching vulnerabilities?
Kartik: Traditional vulnerability management has been a tactical and operational exercise for far too long. Scanning for missing patches, building a list of the patches to be deployed and then deploying the patches every month is a slow process requiring a lot of effort. While this kind of tactical work is a necessary measure of cyber hygiene, modern IT environments have far more potential exposures that could be exploited by attackers to gain access to critical systems and/or data. This could be code flaws in web apps and misconfigured cloud services to unnecessary administrative privileges and much more. Cyber risk exists on many frontiers and patching vulnerabilities is only one of the remediation methods that can mitigate threats that various exposures present.
Securing the modern, dynamic attack surface requires a change in mindset — moving away from merely deploying software fixes towards a broader approach that includes business risk management and analysis. This helps to identify where exposures exist in the entire environment, prioritize which exposures present the most potential harm to the business, and then build comprehensive remediation strategies. This is exposure management and it is necessary in protecting organizations’ most critical assets including data.
Saumya: Why do organizations need visibility into the entire breadth of the attack surface to predict, prioritize and remediate?
Kartik: With so many potential attack vectors, organizations must have visibility of the full breadth and scope of the assets within the environment. And that’s not always a simple thing to do, given the explosion of cloud platforms and services, virtualization and containerized services, web applications, credentials, and so much more. If there are blind spots in these areas, it would be impossible to see where vulnerabilities and cloud misconfigurations exist and make the right decisions about which ones to address first that have the greatest potential impact for damage to the business itself. Gaining greater visibility means understanding where the exposures lie — in the cloud, on internet-facing assets, who has access to what assets and what level of access they have.
Organizations need to start identifying the “known unknowns”, or identifying areas where you know you have no visibility but may just need some new tooling or automation in order to assess the assets there. The next step is addressing the “unknown unknowns”, or the areas where organizations have no visibility. For instance, leveraging External Attack Surface Management (EASM) tools to identify assets in the public internet space that are associated with your organization. More often than not there are servers that were supposed to be decommissioned but weren’t, application services that are forgotten, domain names or other domain records that haven’t been cleaned up, or even fraudulent sites that leverage your organization’s identity to trick customers into thinking they are legitimate. Getting visibility across the entire attack surface is critical and needs to be the first thing done to understand the problem. And the right context — how these assets interact with each other — can help organizations prioritize which areas to remediate first.
Saumya: Why do businesses need exposure management solutions to tackle data silos?
Kartik: Security programs are often reactive to changes in the IT environment and most often security teams address the gaps in the attack surface by purchasing “best of breed” security tools with a narrow and specific scope of functionality. This approach eventually creates an illusion of security as the product stack is filled with numerous individual tools that don’t interoperate with each other, creating data silos. Without a unified view of the security posture, security teams end up spending more time and effort in stitching together the fragmented data from these different tools and dumping it in spreadsheets.
If organizations want to have an effective cybersecurity strategy, they need to be less reactive and build a common set of policies and procedures. Moving away from static, point-in-time data that often causes a knee-jerk reaction every time a new exploit is discovered is important. Instead, organizations should focus on analyzing consolidated data to make proactive, strategic decisions that maximize their efficiency and effectiveness to manage cyber risk. This is what exposure management does. With a database of threat intelligence, exposure management helps organizations understand cyber exposure and also see what attackers see. Tackling the modern attack surface requires a proactive approach to security — that is to predict, prioritize and remediate the security gaps that pose the greatest threat to organizations.
Saumya: How can organizations quantify cyber exposure and why is it an important aspect in crafting holistic cybersecurity strategies?
Kartik: While prioritizing remediation efforts, contextualizing the way risk is communicated to the organization both up and down the chain is incredibly important. Operations teams may want to hear risk metrics that are based on volume. They want to know how many vulnerabilities exist in the environment that require patching because that clearly reflects the workload that they’ll need to accomplish so they can plan accordingly.
C-suite executives, on the other hand, likely lack the context of what the risk metrics based on volume mean. Often the question is — how secure are we? This would require communication in terms of trends, percentages, or pairing the impact to financial or legal considerations. Exposure management helps CISOs communicate risk in a more effective way as it quantifies risk with the right context. It incorporates a more dynamic approach to how and what is communicated throughout the organization, but also quantifies cyber exposure in a way that helps the creation of better security strategies and policies.
Saumya: How can exposure management help businesses build resilience into the core of their business, and why does this play a major role in business continuity and in adhering to regulatory norms?
Kartik: Today’s security practitioners must understand that cyber risk is really another business risk that should concern everyone within an organization and must be prioritized. It is always easy to fall back on what has always been done. The “If it ain’t broke, then why fix it” mindset needs to change. A shift towards a more strategic, risk-based approach like exposure management means more visibility into the assets and their exposures, as well as having better business context around the real nature of the threats and the impacts they pose.
Exposure Management, at its core, is a shift in how security practitioners and leaders approach security programs, and how operational efforts are prioritized. With a full understanding of the length and breadth of the attack surface, exposure management enables organizations to build security into core business functions. In other words, it helps build resilience into the core of the business. Exposure management helps organizations understand the security state of the assets, so they can build remediation and mitigation strategies that will allow them to close attack vectors before they’re exploited by an attacker. This essentially addresses cyber risk and also the risk it poses to business continuity.