C'mon, as a cybersecurity leader, do you really need any stats to tell you that your job has never been more challenging?
No, probably not – but here's the thing: you may not realize the full scope of the challenges to be dealt with.
- The World Economic Forum reports that the COVID-19 pandemic was responsible for a 50% increase in security breaches.
- 95% of security breaches are caused by human error.
- 54% of companies say their defenses are not sophisticated enough to offer sufficient cyber-risk management.
- Only 5% of companies’ folders are properly protected, on average.
Ehhh, it’s not exactly the rosiest of pictures. So how can you help your organization stay one step ahead of attackers?
By adopting optimal cyber exposure management practices.
What is Cyber Exposure?
Cyber exposure is the entire collection of vulnerabilities and risks connected to an organization’s networks, systems, applications and data. Understanding cyber exposure is important – it allows you to accurately gauge the strength of your security posture relative to the threats that are most likely to cause problems. This means that you can identify where vulnerabilities exist, how they may be used against your defenses, and the risks that exist as a result of those security gaps.
Getting a clear view into your cyber exposure grants the visibility needed to discern where you’re vulnerable, the consequences of those vulnerabilities, and the steps to be executed to protect your most valued assets.
Four Steps to Managing Cyber Exposures
If it seems like getting a handle on your cyber exposures would be a challenging task, the truth is you're right. Achieving a full and nuanced understanding of your exposures is tantamount to understanding your cyber security posture in general – and that's no simple undertaking. But with the right approach it is possible, and moreover scalable and repeatable, so that you can continue to manage – and ultimately reduce – your exposures over time as your organization inevitably changes. As with most areas of cybersecurity, getting this right depends on the convergence of people, processes, and technology.
Step 1 – Understand your main areas of potential exposure
This initial step requires building a master list of your entire attack surface, i.e. every place from which you could possibly be compromised. Some key areas to include: your networks, social media accounts, open ports, domains and subdomains, APIs, servers, clouds (public, private and hybrid), and shadow/orphan IT, among others. The list of potentially exposed areas changes based on your particular infrastructure and organizational structure, but you can use the list above as a jumping-off point.
The real point here is to start thinking about it – what are the areas you have previously not considered as risky that need to be taken into account?
Step 2 – Consider and then weigh your risks
Now that you have this working list of potential areas of exposure, it's time to start thinking about the risk that each of these exposures poses. Not every risk/exposure carries the same gravity for your organization – and thus it doesn't pay to spend time addressing every one of them, at least not in the initial stages.
For example, what if you have an exposure – let's say a CVE with a very high severity score – but in your environment that CVE only exists on a machine with no connection to any critical assets? Leave that for later and focus now on what will have the greatest impact on your overall security posture.
Step 3 – Establish your response team
Okay, no one likes committees but this is an important one and hopefully one that won’t be called upon too often if you play your cards right. The people on this team are responsible for springing into action if and when an exposure like a breach is detected. This team should include people from: legal to deal with the legal impact; internal and external communications, to handle the response to and inevitable questions from media, stakeholders, customers, and partners; subject matter experts, to lead the process of fixing what’s broken; customer success managers, to guide customers through their questions. Additional roles may be needed as per your organizational structure.
Step 4 – Employ the right tool set
Commonly used tools like vulnerability scanners may identify security gaps and alert you to their severity, and this is a good start – but generally they fail to provide risk context, and as we mentioned above, without context it's really hard to prioritize remediation effectively. Penetration testing and red/blue team exercises can also identify vulnerabilities that could compromise critical assets, but these point-in-time tests only provide visibility while the test is underway. The weeks or months in between tests remain black boxes – and ripe opportunities for attackers.
A better tool set includes context-based analysis to ensure the right efforts are invested in the right areas of exposure. These tools provide an intuitive way to discover, understand, and prioritize risks and to cut off attack paths at key choke points.
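The two ideas above – re-weighting a CVE by whether it actually sits on a path to a critical asset (Step 2) and finding the choke points where one fix cuts every attack path (Step 4) – can be made concrete with a small amount of code. The following is an added example, not code from the original post or from any vendor's product. Everything in it is constructed for illustration: the five-host inventory, the "can reach" edges (standing in for segmentation rules you would derive from firewall policy), the scanner findings with placeholder CVE ids, and the 0.1 / 1.25 weighting factors, which are arbitrary choices to show the mechanism rather than a recommended scoring model.

```python
from collections import deque

# Constructed sample inventory (not from the original post). Each host records
# whether it is a critical asset and whether it is reachable from the internet.
ASSETS = {
    "web-01": {"critical": False, "internet_facing": True},
    "vpn-01": {"critical": False, "internet_facing": True},
    "app-01": {"critical": False, "internet_facing": False},
    "db-01":  {"critical": True,  "internet_facing": False},
    "lab-pc": {"critical": False, "internet_facing": False},  # isolated: no links at all
}

# Constructed directed "can reach" edges, standing in for segmentation rules.
EDGES = {
    "web-01": ["app-01"],
    "vpn-01": ["app-01"],
    "app-01": ["db-01"],
    "db-01":  [],
    "lab-pc": [],
}

# Constructed scanner output; the CVE ids are placeholders, not real identifiers.
FINDINGS = [
    {"asset": "lab-pc", "cve": "CVE-XXXX-0001", "cvss": 9.8},
    {"asset": "web-01", "cve": "CVE-XXXX-0002", "cvss": 7.5},
    {"asset": "app-01", "cve": "CVE-XXXX-0003", "cvss": 6.5},
    {"asset": "db-01",  "cve": "CVE-XXXX-0004", "cvss": 5.0},
]


def reachable_from(start, edges):
    """Breadth-first search: the set of hosts reachable from `start` (start included)."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def all_paths(start, goals, edges, path=()):
    """Enumerate simple (cycle-free) paths from `start` to any host in `goals`."""
    path = path + (start,)
    if start in goals:
        yield path
        return
    for nxt in edges.get(start, []):
        if nxt not in path:
            yield from all_paths(nxt, goals, edges, path)


def on_attack_path(asset, assets, edges):
    """True if an internet-facing host can reach `asset` and `asset` can reach a critical asset."""
    entries = [a for a, p in assets.items() if p["internet_facing"]]
    exposed = any(asset in reachable_from(e, edges) for e in entries)
    touches_critical = any(assets[d]["critical"] for d in reachable_from(asset, edges))
    return exposed and touches_critical


def choke_points(assets, edges):
    """Intermediate hosts that lie on every path from an entry point to a critical asset."""
    entries = {a for a, p in assets.items() if p["internet_facing"]}
    goals = {a for a, p in assets.items() if p["critical"]}
    paths = [set(p) for e in entries for p in all_paths(e, goals, edges)]
    if not paths:
        return set()
    return set.intersection(*paths) - entries - goals


def contextual_score(finding, assets, edges):
    """CVSS base score re-weighted by environment context (weights are constructed).

    Off any attack path  -> keep 10% of the score: still tracked, fixed later.
    At a choke point     -> 25% bonus, since one fix there cuts every enumerated path.
    """
    asset = finding["asset"]
    weight = 1.0 if on_attack_path(asset, assets, edges) else 0.1
    if asset in choke_points(assets, edges):
        weight *= 1.25
    return round(finding["cvss"] * weight, 3)


def prioritize(findings, assets=ASSETS, edges=EDGES):
    """Findings ordered by contextual score, highest first."""
    return sorted(findings, key=lambda f: contextual_score(f, assets, edges), reverse=True)


if __name__ == "__main__":
    print("Choke points:", sorted(choke_points(ASSETS, EDGES)))
    for f in prioritize(FINDINGS):
        print(f"{f['cve']:<14} on {f['asset']:<7} CVSS {f['cvss']:>4}"
              f"  -> contextual {contextual_score(f, ASSETS, EDGES):>6}")
```

Run as-is, the 9.8 finding on the isolated lab machine drops to the bottom of the list, exactly the case described under Step 2, while the medium-severity finding on app-01 rises to the top because app-01 is the single choke point through which both internet-facing hosts reach the database. The graph here is tiny; in a real environment the edges would come from continuously refreshed firewall, cloud security group and identity data, which is what turns this from a point-in-time exercise into the ongoing visibility the paragraph above argues for.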
Your long term exposure reduction plan
Effectively managing cyber exposure should be a fundamental goal. But to get to that point, you need a smart plan. Hopefully the steps above can serve as a guide to get you started on reducing and managing your cyber exposure.