According to Claroty, traditional approaches to vulnerability management take a narrow view of an enterprise's attack surface and overlook significant risks.
Organizations need to take a holistic approach to exposure management
To understand the scope of exposure and the associated risks faced by cyber-physical systems (CPS) environments, Claroty's research group Team82 analyzed data from more than 20 million operational technology (OT), connected medical device (IoMT), IoT, and IT assets.
The study focused on assets defined as "high risk": those with an insecure internet connection and at least one Known Exploited Vulnerability (KEV). Researchers defined "high risk" as having both a high likelihood of being exploited and a high impact if it is, based on a combination of risk factors including end-of-life status, communication over insecure protocols, known vulnerabilities, weak or default passwords, the presence of PII or PHI data, the consequences of failure, and a few others.
"When measuring the risk associated with overly exposed assets used to control systems such as power grids or provide life-saving patient care, it is important to understand the impact of any number greater than zero. Organizations need to take a holistic approach to exposure management that focuses on the ticking time bombs in their environment. Even if they manage to do the impossible, they would still miss nearly 40% of the most dangerous threats to their organizations."
CPS assets pose high-impact risks
23% of industrial OT and 22% of medical devices have vulnerabilities with a CVSS v3.1 score of 9.0 or higher, a volume that makes patching all of them practically impossible. Re-ranking those devices by other factors, such as whether they are connected to the internet insecurely or contain vulnerabilities that have already been exploited, identifies which are at the highest risk of exploitation and significantly reduces the number and percentage of devices that must be prioritized and mitigated.
1.6% of OT and IoMT assets are defined as "high risk", meaning they have an insecure internet connection and contain at least one KEV. This combination of exposure factors poses a real and immediate danger to the organization: it represents tens of thousands of CPS assets containing vulnerabilities that can be reached remotely and are being exploited in the wild by threat actors.
Operating under traditional vulnerability management approaches creates significant blind spots regarding an organization's true risk posture. The analysis shows that 38% of the highest-risk OT and IoMT assets would be missed if CVSS v3.1 scores were the only risk metric. Traditional approaches also leave asset owners and operators facing an unmanageable proportion of devices requiring remediation per organization. By focusing on the highest-risk assets, organizations can reduce immediate risk and cut the time and resources needed for remediation.
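The prioritization logic described above, as an added example that is not Claroty's or Team82's code: an asset is "high risk" when it is exposed to the internet insecurely and carries at least one KEV, and the script compares that view with a CVSS-only cut at 9.0 to show which high-risk assets the traditional approach never surfaces. The inventory, the scores, the KEV flags, the placeholder vulnerability labels and the weights in exposure_score() are all constructed assumptions for illustration.

```python
"""Exposure-based prioritization of CPS assets versus CVSS-only ranking.

Added example, not code from Claroty or Team82. It models the report's
"high risk" definition (insecure internet connection AND at least one
vulnerability in CISA's Known Exploited Vulnerabilities catalog) and
shows what a CVSS-only program misses. The inventory, scores, KEV flags
and the weights in exposure_score() are constructed assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Vuln:
    vid: str            # placeholder label, not a real CVE identifier
    cvss: float         # CVSS v3.1 base score
    in_kev: bool = False


@dataclass
class Asset:
    name: str
    kind: str                   # "OT", "IoMT", "IoT" or "IT"
    insecure_internet: bool     # reachable from the internet over an insecure path
    end_of_life: bool = False
    default_creds: bool = False
    holds_phi_or_pii: bool = False
    vulns: list = field(default_factory=list)

    def max_cvss(self) -> float:
        return max((v.cvss for v in self.vulns), default=0.0)

    def has_kev(self) -> bool:
        return any(v.in_kev for v in self.vulns)


def is_high_risk(asset: Asset) -> bool:
    """The report's definition: insecure internet exposure AND at least one KEV."""
    return asset.insecure_internet and asset.has_kev()


def cvss_only_critical(asset: Asset, threshold: float = 9.0) -> bool:
    """Traditional approach: anything with a CVSS v3.1 score >= threshold."""
    return asset.max_cvss() >= threshold


def exposure_score(asset: Asset) -> int:
    """Ordinal score over the report's exposure factors (weights are assumed)."""
    score = 0
    if asset.has_kev():
        score += 4
    if asset.insecure_internet:
        score += 3
    if asset.default_creds:
        score += 2
    if asset.max_cvss() >= 9.0:
        score += 2
    elif asset.max_cvss() >= 7.0:
        score += 1
    if asset.end_of_life:
        score += 1
    if asset.holds_phi_or_pii:
        score += 1
    return score


def prioritize(assets):
    """Remediation order: high-risk assets first, then by exposure score, then CVSS."""
    return sorted(assets, key=lambda a: (is_high_risk(a), exposure_score(a), a.max_cvss()), reverse=True)


def missed_by_cvss_only(assets):
    """High-risk assets that a CVSS>=9.0-only program would never put at the top."""
    return [a for a in assets if is_high_risk(a) and not cvss_only_critical(a)]


def summarize(assets):
    """Counts the two views and the share of high-risk assets the CVSS-only view misses."""
    high = [a for a in assets if is_high_risk(a)]
    missed = missed_by_cvss_only(assets)
    return {
        "total": len(assets),
        "cvss_critical": sum(cvss_only_critical(a) for a in assets),
        "high_risk": len(high),
        "missed_by_cvss_only": len(missed),
        "missed_pct": round(100.0 * len(missed) / len(high), 1) if high else 0.0,
    }


# Constructed inventory for illustration; not from any real environment.
INVENTORY = [
    Asset("plc_line3", "OT", insecure_internet=True, end_of_life=True,
          vulns=[Vuln("V1", 7.5, in_kev=True)]),
    Asset("hmi_packaging", "OT", insecure_internet=False,
          vulns=[Vuln("V2", 9.8)]),
    Asset("infusion_pump_a", "IoMT", insecure_internet=True, default_creds=True,
          holds_phi_or_pii=True, vulns=[Vuln("V3", 9.8, in_kev=True)]),
    Asset("imaging_ws", "IoMT", insecure_internet=True,
          vulns=[Vuln("V4", 8.1, in_kev=True), Vuln("V5", 5.3)]),
    Asset("file_server", "IT", insecure_internet=False,
          vulns=[Vuln("V6", 9.1)]),
    Asset("sensor_gw", "IoT", insecure_internet=False, end_of_life=True,
          vulns=[Vuln("V7", 5.3)]),
]

if __name__ == "__main__":
    for a in prioritize(INVENTORY):
        print(f"{a.name:16} high_risk={is_high_risk(a)!s:5} score={exposure_score(a):2} max_cvss={a.max_cvss()}")
    print(summarize(INVENTORY))
```

On this constructed inventory the CVSS-only cut flags three assets, two of which are not internet-exposed at all, while two of the three genuinely high-risk assets (a KEV on an exposed PLC scored 7.5, a KEV on an exposed imaging workstation scored 8.1) fall below the 9.0 line and would never be prioritized. Real deployments would populate the KEV flag from CISA's catalog and the exposure flag from network reachability data rather than hand-set booleans.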
The KEV database shows that attackers are much more likely to target older, known vulnerabilities than to write zero-day exploits (although Google has reported 265 zero-day exploits since 2021).
According to Gartner, "Security leaders are constantly seeking to improve frameworks and tools for mitigating cybersecurity risks. Traditional approaches to managing the attack surface can no longer keep up with the speed of digital: organizations can't fix everything, nor can they be completely sure which vulnerability fixes can be safely postponed. Continuous Threat Exposure Management (CTEM) is a practical and effective systematic approach to continually adjusting priorities and walking the tightrope between these two impossible extremes."
Grant Geyer, CPO at Claroty, said: "A solely vulnerability-focused view distracts organizations from focusing on what matters most and leaves them with real exposure that potentially puts safety and availability at risk. To mitigate that risk, organizations need to evolve beyond traditional vulnerability management programs to a more focused and dynamic exposure management program, one that considers the characteristics and complexity of their unique CPS assets, their unique operational and environmental constraints, their risk tolerance, and the desired outcomes of their CPS cyber risk program."