Getting on top of cyber risk

Katie Inns at WithSecure explains how organisations can reorient their priorities to help them get on top of cyber-risks

With digitisation increasingly dominating the business agenda, most organisations are continually racing to invest in new hardware and software to expand their capabilities and deliver new services. For many companies, this means two or three decades of new additions, often in concurrent stages. 

This digital sprawl can inevitably lead to repositories of neglected, unsecured, and often unnecessary data and technologies that present ripe targets for cyber-criminals.

With threat actors constantly looking for unsecured tech that will open easy attack pathways for them, business leaders face a pressing question: How exposed are we? 

One of the best ways to answer this question is with exposure management, an approach that aims to provide a true 360-degree view of the IT environment and all its potential vulnerabilities and threats.  The solution is not to try for a perfect defence, which doesn’t exist, but to recognise and address the risks and points of vulnerability that matter most.

The expanding threat landscape

Corporate IT environments have become significantly decentralised as businesses embrace third-party assets, systems, devices, and applications. The dense interconnectivity of supply chains has increased the difficulty of protecting digital assets. This complexity has introduced a growing number of potential attack paths for threat actors to exploit and made it steadily more difficult for organisations to identify and manage points of exposure. 

The challenge is further compounded by a constraint facing nearly every business: the scarcity of expertise and resources. No organisation possesses unlimited resources to address the growing demands of protecting against cyber security threats whilst also meeting compliance requirements. 

At the same time, cyber-crime has become much more industrialised and commoditised. Cyber-criminals, armed with AI and automation, can identify and exploit vulnerabilities with unprecedented efficiency. Dark web marketplaces are more accessible, offering all the resources a threat actor needs to launch an attack without major technical expertise. 

From exposed credentials to automated phishing kits and ransomware-as-a-service, cyber criminals today don’t suffer from the same resource constraints as businesses. Enterprises are faced with threat actors who are well organised and determined to exploit gaps in their defences.

The siloed approach to cyber-security

Many organisations still have a heavily fragmented approach to managing their cyber-security. Key activities such as penetration testing, threat intelligence management, and vulnerability scanning often operate in silos, each with a narrow focus on specific segments of the organisation’s digital ecosystem. 

This compartmentalisation significantly limits the security team’s visibility into the overall security posture. Decision makers end up with a piecemeal defence and lack the ‘big picture’ perspective needed to understand the scope of threats they face.

The consequence is a cyber-security strategy that lacks cohesion. Without a unified view of all vulnerabilities and potential attack paths, businesses are perpetually a step behind cyber-criminals, increasing the chances of suffering a serious breach.

Reorienting priorities with exposure management

Between the expanding threat landscape and evolving attack tactics, no organisation can consider itself impenetrable. Instead, the focus needs to be on identifying and limiting the most critical threats. 

This is where exposure management comes in—a combination of approach, framework and process that helps security teams understand, prioritise and reduce their cyber-risks across their entire attack surface.

Exposure management is set apart from other strategies due to its scale. It incorporates every single relevant element of the IT environment, including internal networks, cloud services, managed devices and digital IDs. Other activities, such as external attack surface management (EASM), fall under the exposure management remit, creating a single holistic view of all cyber-risk.

Armed with this visibility, business leaders can reorient their priorities by asking three distinct questions: 

• What does my organisation look like from an attacker’s point of view? 
• What configuration has my organisation set that will make it vulnerable to attack?
• How would our defensive controls cope, and how would response processes perform?

Businesses need to adopt an attacker’s perspective, understanding how threat actors identify targets and exploit weaknesses. This involves simulating attack scenarios to uncover the most vulnerable points in the digital infrastructure, revealing immediate threats and prioritising them based on their potential impact on critical assets.

Organisations also need to scrutinise their network configurations and defensive controls. For example, misconfigurations in cloud environments are a common entry point for cyber-criminals. However, regular audits and adjustments based on the latest threat intelligence would help mitigate these risks.

Similarly, assessing how defensive controls would perform under attack and refining response processes can significantly improve an organisation’s resilience to cyber-threats.

Putting threats into context 

Implementing these strategies requires a repeatable approach to exposure management. 

To achieve a more cohesive view of the threat landscape, security teams must first understand what they have. This means carrying out discovery exercises to compile together the various areas of their attack surface. They need to then understand the risks to different assets, both by scanning and by applying business context and threat insights to those results. 

AI-powered solutions can help here by simulating potential attack paths, identifying critical vulnerabilities, and creating risk-focused recommendations. Context is a crucial factor here; decision makers need to understand how vulnerabilities relate to their business priorities in order to prioritise them properly.

Automated tools should be taking on as many repeatable, high-volume security tasks as possible. But it’s human-led tasks manual pen testing, red teaming, and EASM testing that make the real difference in dealing with complex and high-risk threats. AI-powered, automated systems should be geared around supporting human professionals as much as possible.

This discovery work will help them understand which assets are most critical to their organisation, and which vulnerabilities are most relevant and most likely to be exploited. From there, they’re left with this more refined list of high priority issues for remediation.

When it comes to giving decision makers context, rather than relying on factors such as CVSS scores in isolation, risk scoring should relate directly to the potential impact on the company. This also needs to feed into a continuous threat exposure management (CTEM) approach that identifies new issues as they emerge over time.

This approach not only streamlines the prioritisation of cyber-security efforts but also enhances the organisation’s ability to prevent breaches proactively. It shifts the cyber-security paradigm from reactive to proactive, focusing on protecting potential attack paths to critical assets and prioritising actions that bolster resilience and improve the security posture.

As digital landscapes evolve, so must the strategies organisations employ to protect themselves. By adopting a unified approach to exposure management, businesses can ensure they are not merely reacting to threats; rather, they are keeping steps ahead, proactively securing their digital frontiers.

This strategic reorientation is not just about technology; it’s about adopting a mindset that values anticipation and prevention as the keys to cyber-security in the digital age.

Katie Inns is Head of Attack Surface Management at WithSecure

Main image courtesy of iStockPhoto.com and MicroStockHub