The security and threat landscape can turn on a dime. One day business is running smoothly; the next, countless companies around the world are locked out of their IT systems, hospitals turned away patients and assembly lines went quiet. This was the case with the recent WannaCry ransomware attack. While it was quickly contained with relatively small profits gained by the attackers, the next incarnation of a Wanna Cry–style attack could come with a bigger price tag and not be stopped so easily.
Ransomware like WannaCry is part of a larger model of cyber attacks called “distributed cyber crime.”Such attacks target as many victims as possible, require limited skill or effort to pull off and often take advantage of known vulnerabilities packaged in tools readily available for purchase on the dark web. Attackers using distributed cybercrime tools look at your organization not as a specific target with a specific vault to unlock but, rather, as a cog in a larger money–making machine.

The bad news: due to its ease of use and ROI, the height of distributed cybercrime is likely ahead of us. The good news: you can take advantage of a chink in its armor to efficiently protect your business.

Get Smart
The ‘patch everything all the time’ approach to vulnerability management has long been a problem for under–staffed, under–resourced security programs. The approach is to apply every possible patch for every vulnerability in your network. Sound impossible? It is.For enterprise networks have thousands if not millions of vulnerabilities in their systems, it’s also ineffective and unnecessary. It results in security teams with a never ending to–do list and no understanding of priorities.

A smarter approach to vulnerability management starts with complete visibility of the attack surface-all the ways in which a network is vulnerable to an intrusion. Using the context of vulnerabilities, the assets they affect and the network surrounding them, automated technologies are able to pinpoint the small number of vulnerabilities posing the biggest risk. This approach quickly highlights which vulnerabilities are directly or indirectly exposed to attack. Layering in threat intelligence also shows you which vulnerabilities attackers are most likely to target.

A dirty not–so–secret truth about distributed cyber crime: it uses (and re–uses) a relatively small handful of known vulnerabilities. This is the chink the armor cyber defenders need to take advantage of and use to reshape their security strategy. Consider this:

• The vast majority of vulnerabilities don’t have a known exploit

• According to the Skybox™ Research Lab, exploit kit shave historically used just 100-200 vulnerabilities, and active kits use only 20-50 vulnerabilities, with just a few kits dominating the landscape at any given time
• According to Gartner research, 99 percent of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year, and Gartner argues remediating known vulnerabilities is a better investment than trying to prepare for surprises

Focusing on the subset of known vulnerabilities posing an imminent threat — those actively exploited in the wild or exposed in your network — will greatly reduce your chances of a damaging cyber attack or data breach

Focusing on the subset of known vulnerabilities posing an imminent threat — those actively exploited in the wild or exposed in your network — will greatly reduce your chances of a damaging cyber attack or data breach. It also improves the use of existing human and tech resources. Security team action is more targeted and strategic, and ROI increases for network and security products now contributing to a bigger picture.

The New Way of Doing
Traditional approaches to vulnerability management are typically centered on a standard, worldwide system that assigns scores to reported vulnerabilities. Relying solely on these scores fails to consider the unique characteristics of your organization as well as doesn’t take into account what attackers are up to and how that could your business.

The new approach of threat–centric vulnerability management (TCVM) incorporates intelligence on vulnerabilities,the network surrounding them and the threats aiming to exploit them, giving you a superior understanding of where and how best to take action.A typical TCVM process looks like this:

• Assessment: gather data on the vulnerabilities currently within your organization’s systems and incorporate them into a model of your network and its assets

• Vulnerability and Threat Intelligence: use intelligence feeds and security analysts’ research to understand which vulnerabilities are actively being exploited; packaged in ransomware, malware or exploit kits; or have published but inactive exploits

• Prioritization: use attack vector analytics, modeling and simulation to understand how attacks could play out, assessing the true risk of each of your vulnerabilities and prioritizing what to fix first

• Remediation: apply patches or other compensating controls (access rules, segmentation changes, etc.) to prevent exploitation; the urgency of remediation is aligned with the threat a vulnerability presents

• Oversight: track remediation to ensure threats are neutralized and progress is made in reducing overall risk; monitor remaining vulnerabilities in case their threat level escalates

Preparing for the Future
The business model behind distributed cybercrime means its attacks will indiscriminately target each and every industry. It also means they’ll likely be more frequent as more attackers see the opportunity to make an easy buck.

So even if you’ve yet to have your own experience with, say, a ransomware attack and think,“My security program must be flawless,” unless you have complete visibility your attack surface, it’s more likely you’ve just been lucky.

You need to be ready for what’s next. Taking the TCVM approach means your security strategy is ready to tackle the threats of today and adapt to those yet to come.