Organizations are constantly challenged with managing vulnerabilities effectively to safeguard their critical assets and data. And often, traditional approaches, relying on periodic scans and prioritization based on individual risk attributes, fall short in providing a comprehensive view of the risks posed by vulnerabilities. This leads to a widening remediation deficit and increased exposure to cyber threats.
To address these challenges, XM Cyber has developed an innovative new threat-led approach to vulnerability management that considers multiple contextual viewpoints of risk analysis correlated against real-world threats, to help enhance cybersecurity posture.
Understanding the Need for a New Approach
Issues like the complexity of modern IT environments, diverse asset types, and the growing severity of vulnerabilities create a challenging landscape for security teams to navigate. Unclear ownership of assets, limited context for action, and ineffective prioritization logic hinder organizations from effectively addressing vulnerabilities and reducing their exposure.
At XM Cyber, we often discuss the advantages of transitioning from a legacy Vulnerability Management Approach to an Exposure Management Approach using CTEM as a methodology. However, existing Vulnerability Management programs that were established to address outdated compliance frameworks and industry standards can, on occasion, prove difficult to escape. More modern compliance frameworks such as DORA and the NIS 2 Directive continue to evolve their expectations for effective patch management of CVEs, with an aim to increase operational resilience without binding teams to unrealistic SLAs.
This is why we have now introduced our VRM Module to both ease the transition to CTEM, and accelerate your adherence to these modern compliance standards through a threat-led approach to vulnerability management.
What is a Threat-Led Approach?
For anyone working in Financial Services, you may have come across the term “Threat-Led” as part of the Testing requirements for the Digital Operational Resilience Act. But for many of you reading this blog, it may well be the first time hearing the term.
Threat-led refers to an approach that mimics the tactics, techniques, and procedures of real-life threat actors perceived as posing a genuine cyber threat to systems and resources.
The approach typically leverages Threat Intelligence, supported by research teams to simulate the behavior of real-world adversaries, with a goal of understanding which MITRE ATT&CK techniques might be leveraged to exploit the different weaknesses in your attack surface.
To provide this capability, the XM Cyber Platform utilizes XM Attack Graph Analysis™ to correlate all forms of exposures across all entity types, to validate their exploitability against proven attack techniques. This calculates all possible attack paths for real-world threat propagation towards business-critical assets.
This unique correlation of the threat context from our Attack Graph Analysis™ overlaid across the Vulnerabilities Risk attributes that are dynamically mapped against your CVEs, devices, and software products results in an innovative new threat-led approach to Vulnerability Management. This new approach emphasizes a dynamic and continuous assessment and validation of the exploitability of vulnerabilities, analyzed through the lens of real-world threats and attack techniques.
Risk-Based Versus Threat-Led
When we talk about risk-based, we are referring to the many risk attributes associated with Common Vulnerabilities and Exposures (CVEs), such as Severity level, CVSS Score, EPSS, CISA KEV, etc.
The first attributes listed focus on the severity that could result from the CVE being exploited, such as “access” or “control”, and the latter ones are aimed at predicting the exploitability of the CVE itself. The CISA KEV database is a list of the CVEs that have been proven to be exploited in the wild. The challenge however is that these attributes don’t take into consideration the specifics of your environment, security posture, and compensating controls – hence, they are a prediction or estimation of the exploitability.
A threat-led approach focuses first on the CVEs (and their associated attack techniques) that are proven to be exploitable in your environment, before analyzing how they contribute to your overall risk posture.
The 5 Steps to Success
In our upcoming webinar, How to Adopt a Threat-Led Approach to Vulnerability Management, we’ll be discussing and demonstrating the 5 steps to success using the VRM Module as an extension to our Continuous Exposure Management Platform. These 5 steps are as follows:
Step 1: Validated Exploitability Risk
The first step in adopting a threat-led approach to Vulnerability Management is to validate the exploitability risk that CVEs truly have in your specific environment.
To do this, the XM Cyber VRM module dynamically assesses each of these traditional CVE risk attributes, and adds an additional and unique attribute of an attack technique that has been verified by XM Cyber, which draws from our extensive Attack Technique Arsenal. This methodology validates the exploitability of each CVE based on the exact configuration of each asset in your specific environment, on each device the CVE is mapped to.
This helps you prioritize remediation efforts effectively and focus on addressing vulnerabilities that actually pose a real-world threat to your business.
Step 2: Understand Compromise Risk Likelihood
Once you identified devices with a validated exploitability, the next risk construct you can pivot to is to consider the likelihood of these devices becoming accessible to an attacker, and how difficult it might be for them to leverage the exploits to compromise those devices during a breach.
To do this, we further leverage the XM Attack Graph Analysis™ to identify all the potential breach points that have reachability to the exploitable device. The calculation considers the number of breach points, the total number of attack paths, the number of hops along those paths, and the adversarial complexity of the attack techniques needed to exploit each of the entities along the way.
This comprehensive analysis process results in our Compromise Risk Score, ranked on a scale of the Likelihood. We consider this the inbound risk of the device – and the higher this risk value is, the more likely it is that this device would be compromised during a breach.
Step 3: Analyze Business Impact Risk
Now you know which devices can really be exploited, and how likely they are to be compromised, and the final risk construct is the business impact risk.
The XM Cyber platform can automatically classify your critical assets, and with the guidance of our customer success team, you can further customize these to align with your business-critical processes.
Now, the XM Attack Graph Analysis™ comes into play again, but this time focuses on the outbound risk from this exploitable device onwards, along attack paths toward your critical assets. We again consider the complexity of the attack paths and the attack techniques needed to exploit each entity along those paths, in order to quantify the business impact risk shown as a percentage of the critical assets that could be exploited from this device if it was to be compromised during a breach.
Step 4: Define Risk Appetite and Prioritization Strategy
After assessing the exploitability, compromised risk, and business impact of vulnerabilities, organizations need to define their risk appetite and select the most appropriate prioritization strategy for remediation efforts. By understanding their tolerance for risk and the significance of each vulnerability in the context of their business operations, organizations can develop a prioritization logic that aligns with their security objectives and operational needs.
Step 5: Mobilize Effective Remediation Actions
The final step in adopting a threat-led approach to Vulnerability Management is to mobilize effective remediation actions based on the insights gained from the previous steps. The XM Cyber Platform provides a broad range of remediation guides and automated ticketing which ensures the right teams have the right information at hand to implement effective action.
If a vulnerability can be patched, we provide a detailed step-by-step patching guide, broken down by the software version the vulnerability has been correlated to.
When patching isn’t a viable option, or cannot be implemented within the required SLA, we provide a hardening guide with options for how to implement compensating controls, such as network segment in order to minimize the risk of compromise, as well as a vendor best practice guide.
Benefits of a Threat-Led Approach
Adopting a threat-led approach helps security professionals build confidence and trust in their Vulnerability Management program.
This approach empowers effective risk reduction by providing a holistic view of their vulnerability landscape, validating exploitability, and prioritizing remediation efforts based on impact and likelihood of compromise. By leveraging XM Cyber’s Vulnerability Risk Management module, organizations can foster a culture of collaboration, optimize remediation strategies, and accelerate closed-loop vulnerability patch management.
Conclusion: Adopting Innovation for Enhanced Cybersecurity
By following the five key steps outlined in this blog, organizations can significantly enhance their ability to detect, prioritize, and remediate vulnerabilities effectively, thereby fortifying their defense mechanisms against cyber threats.
XM Cyber’s Vulnerability Risk Management module empowers organizations to proactively identify and address vulnerabilities that pose the greatest risk to their critical assets. Taking this proactive and intelligence-driven approach is essential for maintaining a strong and resilient cybersecurity posture. By embracing the principles of threat-led vulnerability management, organizations can stay one step ahead of cyber adversaries and secure their digital assets with confidence and efficiency.
To find out more
If you’re interested in adopting a threat-led approach to vulnerability management and transforming your cybersecurity posture, register to join the XM Cyber webinar, How to Adopt a Threat-Led Approach to Vulnerability Management, or visit our Vulnerability Risk Management product page and request a demo to elevate your cybersecurity defenses and protect your critical assets from cyber threats.
The post 5 Steps to Adopting a Threat-Led Approach to Vulnerability Management appeared first on XM Cyber.