Taking care of security should be simple


By Craig Lawson, Research Vice President, Gartner
Friday, 29 September, 2017



By doing the simple things in security well, doing the hard things will become easier.

Vulnerabilities, and the exploitation of them by threats, are still the root cause of most information security breaches today. However, too much focus is placed on high-profile exploits and malware, rather than these underlying root causes. Although not all breaches result from a vulnerability being exploited, most do. Within this majority, they also come from known vulnerabilities, rather than zero-day attacks.

Zero-day attacks made up only approximately 0.4% of vulnerabilities during the past decade, but the amount spent on trying to detect them is out of kilter with the actual risks they pose when compared with the massive numbers of breaches and infections that come from a small number of known vulnerabilities that are being repeatedly exploited.

This is like worrying more about great white sharks, rather than the humble mosquito. One consistently kills millions of people each year, while the other causes roughly the same number of deaths as being struck by lightning. Are zero days real? Absolutely. Are they the biggest issue for most organisations? No.

The top issue in vulnerability management is that organisations aren’t prioritising their patching and compensating controls to align to commonly targeted vulnerabilities. Organisations need to align their vulnerability management priorities with what the threat actors are actually using.

Although Gartner is seeing persistent and advanced threats, in most cases threat actors don’t use overly sophisticated means to achieve their goals. Gartner believes that 99% of the vulnerabilities exploited by the end of 2020 will continue to be ones known by security and IT professionals at the time of the incident.

If you deal with the ‘elephant in the room’ first, then you’ll have a better foundation. I’m not saying that you should abandon the idea of continually inching toward improvements with a vulnerability management program. However, we’re clearly not executing well on the critical issue of reducing your attack surface by closing the biggest risks.

The number of exploited vulnerabilities year over year for the last decade is actually flat, despite the number of breaches increasing and the number of threats appearing. Essentially, more threats are leveraging the same small set of vulnerabilities.

As a critical operational security priority, focus your efforts on patching the vulnerabilities that are being exploited in the wild, or on putting competent compensating control(s) in place for them. This is an effective approach to risk mitigation and prevention, yet very few organisations do this.

This pragmatic prioritisation reduces the number of vulnerabilities to deal with, which means more effort can be put into dealing with a smaller number of vulnerabilities for the greater benefit of your organisation’s security posture.
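The prioritisation described above, written out as an added example that is not part of the original article or of any Gartner tool. It assumes a scanner export with a CVSS score and patch availability per finding, and a constructed stand-in for an "exploited in the wild" intelligence feed; the CVE identifiers are placeholders, not real entries.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Finding:
    """One scanner finding (constructed sample data for this example)."""
    cve: str              # placeholder identifier, not a real CVE number
    asset: str
    cvss: float
    patch_available: bool


# Constructed stand-in for an "exploited in the wild" feed; real feeds are assumed.
EXPLOITED_IN_WILD: Set[str] = {"CVE-0000-0001", "CVE-0000-0004"}


def classify(f: Finding, exploited: Set[str]) -> str:
    """Exploitation evidence decides the bucket; CVSS never promotes a finding."""
    if f.cve in exploited:
        return "patch_now" if f.patch_available else "compensating_control"
    return "regular_cycle"


def prioritise(findings: List[Finding], exploited: Set[str]) -> Dict[str, List[Finding]]:
    """Split findings into action buckets; within a bucket, higher CVSS first."""
    buckets: Dict[str, List[Finding]] = {"patch_now": [], "compensating_control": [], "regular_cycle": []}
    for f in findings:
        buckets[classify(f, exploited)].append(f)
    for bucket in buckets.values():
        bucket.sort(key=lambda f: f.cvss, reverse=True)
    return buckets


def focus_fraction(buckets: Dict[str, List[Finding]]) -> float:
    """Share of all findings that need immediate action (patch or compensating control)."""
    total = sum(len(b) for b in buckets.values())
    urgent = len(buckets["patch_now"]) + len(buckets["compensating_control"])
    return urgent / total if total else 0.0


SAMPLE = [  # constructed scan output
    Finding("CVE-0000-0001", "web-01", 5.3, True),   # medium score, but exploited in the wild
    Finding("CVE-0000-0002", "web-01", 9.8, True),   # critical score, no exploitation seen
    Finding("CVE-0000-0003", "db-01", 7.5, True),
    Finding("CVE-0000-0004", "vpn-01", 8.1, False),  # exploited, no vendor patch yet
    Finding("CVE-0000-0005", "app-02", 6.1, True),
]

if __name__ == "__main__":
    result = prioritise(SAMPLE, EXPLOITED_IN_WILD)
    for name, items in result.items():
        print(name, [f.cve for f in items])
    print(f"urgent share of findings: {focus_fraction(result):.0%}")
```

Note that the medium-scored CVE-0000-0001 lands in "patch_now" while the critical-scored CVE-0000-0002 stays in the regular cycle: exploitation evidence, not severity alone, drives the order of work.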

Craig Lawson is a Research Vice President at Gartner, focusing on network security, vulnerability management, advanced persistent threats, vulnerability research, threat intelligence, managed security service providers, cloud access security brokers and cloud security. He will be speaking at the Gartner Symposium/ITxpo, 30 October–2 November.
