Organizations are looking for ways to get in front of the risks created by the vulnerable software within their environments. But they can't do it alone. It will take increased information sharing and industry collaboration to improve their ability to identify and mitigate at-risk systems.
Fortunately, that's exactly what's happening. There are increased collaborative efforts within the industry and increased security vendor partnerships — all designed to help organizations better manage the continuous stream of vulnerabilities they face.
Industry groups come together to unify threat intelligence and vulnerability management
Consider the Cybersecurity and Infrastructure Security Agency's (CISA's) Joint Cyber Defense Collaborative (JCDC) program. The JCDC program facilitates sharing actionable cyber threat intelligence across public and private sectors.
The JCDC's mission is to coalesce cyber defenders from organizations worldwide to proactively gather, analyze, and share actionable cyber risk information. The idea is to enable more coordinated vulnerability analysis, cybersecurity planning, defense, and response within the 16 critical industry sectors.
The JCDC is working to achieve this through collaboration and information sharing between public and private sector entities on cybersecurity threat intelligence and vulnerability data. The aim is to provide increased visibility into the broader cyber threat landscape and to identify systemic risks and vulnerabilities that could impact organizations.
By pooling resources and leveraging the diverse expertise of JCDC partners, organizations can gain a more complete picture of their attack surface and potential vulnerabilities.
While such efforts strengthen the broader society and critical infrastructure organizations, more is still needed to bring the same capabilities to individual organizations so they can more rapidly identify vulnerabilities within their organizations, prioritize the most pressing vulnerabilities, and provide for rapid mitigation.
The security industry is seeing increased cooperation in threat intelligence and vulnerability collaboration among security providers. For instance, vulnerability management service providers are partnering with managed service providers, managed security service providers, and value-added resellers to make comprehensive vulnerability management capabilities available. Meanwhile, industry consortiums like the Industry Consortium for Advancement of Security on the Internet are working to bring technology companies together to solve cross-industry vulnerability management challenges.
The need for effective attack surface management and response spurs vendor partnerships
An example of one such partnership is Sophos Managed Risk, which combines attack surface and vulnerability management technology from Tenable with threat expertise from Sophos, delivered as an attack surface management service.
Paul Murray, a senior director at Sophos, says there's no shortage of security tools, but there is a shortage of budget and skilled staff to run and manage those tools.
"Tenable's vulnerability and attack surface management is very powerful, and it requires the know-how to process this data and make decisions on what vulnerabilities to prioritize for remediation, so organizations know what to fix first," says Murray.
Sophos wanted to introduce a service that complements its managed detection and response offering with attack surface management. "We went to look for the right technologies to use to underpin that service. And we very quickly chose Tenable," Murray says. "Regarding vulnerability management, we recognized that we had a portfolio gap. But we didn't want to release another plain vulnerability management tool. There are so many like that on the market. Instead, we chose to partner with someone who provides best-of-breed vulnerability and attack surface management."
Greg Goetz, vice president of global strategic partners and MSSP at Tenable, says the ideal approach is providing organizations with risk-based vulnerability prioritization with context-driven analytics to proactively address exposures before they become a problem. Sophos Managed Risk delivers preventive risk management so organizations can anticipate attacks and reduce risk.
Available as an extended service with Sophos Managed Detection and Risk, Sophos Managed Risk is delivered by a dedicated, Tenable-certified team that shares vital information about zero-days, known vulnerabilities, and exposure risks in order to assess and proactively investigate environments that may have been exploited.
"Our customers also receive considerable value from scheduled meetings with our experts to review what's happening with threat actors and newly uncovered vulnerabilities and getting recommendations for what to prioritize," Murray says.
How does this help organizations reduce risk more effectively in practice? One example is the discovery of a new zero-day flaw. Sophos Managed Risk would scan a customer's externally facing systems for possible risk, and if anything is found, the customer would be notified. The Managed Risk team further helps customers manage the escalation of high-risk vulnerabilities in collaboration with Managed Detection and Response investigations within one console.
"It's about getting the information customers need, when they need it, to make the right decisions," Murray says.