Like the speeds of sound and light, everything has its limits. Have enterprise vulnerability management efforts hit their limit of effectiveness? Perhaps.
When it comes to mitigating software vulnerability risks, enterprises face steep challenges. Most notable is the dramatic increase in the addressable attack surface security teams must manage. That expansion initially kicked in with the accelerated adoption of cloud computing and continues to accelerate with today's digital transformation efforts.
MarketsandMarkets research pegged the global digital transformation market at $696 billion in 2023 and expects it to reach $3 billion by 2030, an annual growth rate of 24%. With each new digital asset, the addressable attack surface grows. So does the need for the scalable and efficient vulnerability management of that attack surface.
Thanks to cloud adoption and digital transformation, the typical enterprise has seen the number of applications its internal teams use grow from a few dozen only a handful of years ago to hundreds today. Consider a report from SaaS management firm Zylo that found businesses with fewer than 500 employees have an average of 172 apps. In comparison, organizations with 501-2,500 employees rely on an average of 255 apps. Large enterprises average 664 apps.
Such research highlights how the expanding attack surface is challenging for large and small organizations. Endpoints, including phones, tablets, laptops, and IoT devices, have seen an even greater proliferation.
The number of vulnerabilities grows with expanding attack surface
These trends make for a larger and more complex attack surface to monitor, manage, and secure. In 2023, the National Vulnerability Database recorded nearly 29,000 vulnerabilities, roughly 79 a day. The speed and scope of vulnerability disclosures make it highly challenging for security teams to identify the vulnerabilities that matter to their organization and keep up with remediation efforts.
"At the very macro level, the number of new vulnerabilities that are exposed and reported annually is just increasing," says Paul Murray, a senior director at Sophos. "This is an increasing problem."
The result is that more attacks are occurring through vulnerabilities, and organizations are finding it ever more challenging to identify and mitigate the most critical vulnerabilities in their systems.
In its recent report, the State of Ransomware 2024, Sophos found that exploited vulnerabilities were the most commonly identified root cause of ransomware attacks for the second year. As vulnerabilities were identified as the initial vector of ransomware attacks in 32% of the organizations surveyed, it is clear organizations are having difficulty finding and patching vulnerabilities within their environments.
These vulnerabilities and the resulting breaches are wreaking havoc within organizations. In recent years, attackers have successfully targeted vulnerabilities within cloud systems, web applications, and endpoint devices.
How threat actors use vulnerabilities in their attacks
Threat actors will scan and assess an organization's external systems, such as web applications, so that they can conduct SQL injection attacks, cross-site scripting attacks, server-side request forgery attacks, and attacks on common applications and other externally facing systems such as servers, VPN appliances, content management systems and more. Once a vulnerability is identified, exploiting it is often trivial with automated attack tools.
Attackers will also rely on zero-day vulnerabilities to initially breach systems. In 2023, security vendors estimate that just under 100 zero-day vulnerabilities were identified and publicly announced.
As cloud adoption has increased, attackers also seek vulnerabilities and misconfigurations that expose cloud storage buckets, databases, and workers to exploitation. Attackers scan for these misconfigurations and gain access to the exposed data. Once attackers do manage to exploit a vulnerability, they will often attempt to move deeper and laterally within the organization. They'll seek additional vulnerabilities to exploit, escalate access privileges, and look for ways to maintain persistence, such as dropping trojans and remote access tools. It's wise to seal externally facing vulnerabilities and make it more difficult for attackers to get inside in the first place.
"The overarching problem is that organizations just don't know where to start," explains Sophos's Murray.
Gaining visibility into assets and vulnerabilities remains elusive
Effectively managing vulnerabilities requires an up-to-date, comprehensive, and accurate inventory of assets, together with an inventory of all the vulnerabilities affecting those devices, applications, and infrastructure.
To do this, enterprise vulnerability management traditionally follows a cycle: find assets, assess them for vulnerabilities, have teams deploy patches or take other remediation steps, and then re-assess systems to ensure fixes and patches have been applied correctly. As Murray explains, many organizations rely on the Common Vulnerability Scoring System (CVSS) to rank which vulnerabilities should be addressed first. The problem is that the CVSS score does not necessarily match the real-world risk a vulnerability poses to an organization within its specific environment. "Nowadays, you can't just look at generic vulnerability scores anymore. It doesn't tell you much about the risk within an organization," says Wim Remes, operations manager at cybersecurity and networking services provider Spotit.
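The point Murray and Remes make above, that a generic CVSS base score says little about risk inside a particular environment, is easiest to see with a small worked example. The following Python script is an added illustration, not code from the article or from Sophos or Spotit. It combines a constructed asset inventory (exposure and business criticality) with constructed vulnerability findings (placeholder identifiers, not real CVEs) and a flag for whether exploitation has been observed in the wild, then compares a CVSS-only ranking with a context-adjusted one. The weighting factors are assumptions chosen for the example; a real programme would calibrate them against its own asset classification and threat intelligence.

```python
"""Context-adjusted vulnerability prioritization (added example, not from the article).

Every asset, finding, identifier and weight below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    internet_exposed: bool  # reachable from outside the perimeter
    criticality: int        # 1 = lab/test, 2 = internal business, 3 = critical / sensitive data


@dataclass(frozen=True)
class Finding:
    vuln_id: str            # placeholder identifier, deliberately not a real CVE number
    asset: str              # name of the affected asset in the inventory
    cvss_base: float        # generic CVSS base score as published in an advisory
    known_exploited: bool   # exploitation observed in the wild (e.g. from a KEV-style feed)


# Assumed multipliers: criticality -> weight (dict avoids floating-point drift from arithmetic)
CRITICALITY_WEIGHT = {1: 0.6, 2: 0.8, 3: 1.0}
EXPOSED_WEIGHT, INTERNAL_WEIGHT = 1.0, 0.5
EXPLOITED_MULTIPLIER = 1.5

# Constructed inventory and findings
ASSETS = [
    Asset("vpn-edge-01", internet_exposed=True, criticality=3),
    Asset("web-portal", internet_exposed=True, criticality=2),
    Asset("erp-db-02", internet_exposed=False, criticality=3),
    Asset("lab-build-07", internet_exposed=False, criticality=1),
]
FINDINGS = [
    Finding("VULN-0001", "lab-build-07", cvss_base=9.8, known_exploited=False),
    Finding("VULN-0002", "vpn-edge-01", cvss_base=7.5, known_exploited=True),
    Finding("VULN-0003", "erp-db-02", cvss_base=8.1, known_exploited=False),
    Finding("VULN-0004", "web-portal", cvss_base=6.5, known_exploited=False),
]


def contextual_risk(finding: Finding, asset: Asset) -> float:
    """Scale the generic base score by where the vulnerable asset sits and how it is used."""
    score = finding.cvss_base
    score *= EXPOSED_WEIGHT if asset.internet_exposed else INTERNAL_WEIGHT
    score *= CRITICALITY_WEIGHT[asset.criticality]
    if finding.known_exploited:
        # Active exploitation in the wild outweighs the other adjustments.
        score *= EXPLOITED_MULTIPLIER
    return round(min(score, 10.0), 2)


def cvss_only_order(findings):
    """The naive ranking: highest published base score first."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: (-f.cvss_base, f.vuln_id))]


def prioritize(findings, assets):
    """Rank findings by contextual risk; returns (vuln_id, asset, cvss_base, risk) tuples."""
    by_name = {a.name: a for a in assets}
    ranked = []
    for f in findings:
        a = by_name.get(f.asset)
        if a is None:
            # An unknown asset means the inventory is incomplete: fail loudly rather than
            # silently dropping the finding, since inventory gaps are the root problem.
            raise KeyError(f"finding {f.vuln_id} references asset {f.asset!r} missing from inventory")
        ranked.append((contextual_risk(f, a), f))
    ranked.sort(key=lambda t: (-t[0], t[1].vuln_id))
    return [(f.vuln_id, f.asset, f.cvss_base, risk) for risk, f in ranked]


if __name__ == "__main__":
    print("CVSS-only order:     ", cvss_only_order(FINDINGS))
    print("Context-adjusted order:")
    for vuln_id, asset, base, risk in prioritize(FINDINGS, ASSETS):
        print(f"  {vuln_id}  {asset:<14} base={base:<4} contextual={risk}")
```

With the constructed data, the CVSS-only view puts the 9.8 on an isolated lab build server at the top, while the context-adjusted view puts the actively exploited 7.5 on the internet-facing VPN appliance first and the lab server last. The `KeyError` on an unknown asset is deliberate: a finding that cannot be tied to an inventoried asset is a signal that the asset inventory, the first step of the cycle described above, is incomplete.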
Fortunately, more effective ways exist to manage vulnerabilities and the larger attack surface.
In our next post, we will examine how increased industry collaboration and partnerships are forming to get the risk created by vulnerabilities under control.