With an ever-increasing number of vulnerabilities appearing each year (the statistics for 2023 show a 15% increase in CVEs over 2022), remediating every one becomes an impossible task. So instead of addressing thousands of vulnerabilities that may never be used in real-world attacks, the recommendation from organizations like CISA is to focus on the active threats.
“Known exploited vulnerabilities should be the top priority for remediation. Based on a study of historical vulnerability data dating back to 2019, less than 4% of all known vulnerabilities have been used by attackers in the wild.” CISA: BOD 22-01
This is backed by research from Gartner, which found that between 2012 and 2021 only 7% to 11% of all (software) vulnerabilities were exploited. [Lawson, C. How to Implement a Risk-Based Vulnerability Management Methodology, 20 April 2023, Gartner, ID G00777685]
With the majority of vulnerabilities never being exploited in the wild, prioritizing remediation efforts on known exploited vulnerabilities, the active threats that pose a real risk to your organization, allows teams to reduce the likelihood of a successful attack through strategic incident prevention. CISA suggests that “To be effective, vulnerability management programs must take active threats into consideration. CISA encourages all stakeholders to leverage the CISA catalog of known exploited vulnerabilities and to prioritize these vulnerabilities for immediate remediation.” CISA: BOD 22-01
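One way to apply this prioritization in practice, as an added example that is not code from the article or from CISA: cross-reference scanner findings against the KEV catalog so that catalog entries are worked first, by their BOD 22-01 due date, before the remainder are ordered by CVSS. The KEV field names (cveID, dueDate, knownRansomwareCampaignUse) are assumed from the public JSON feed, and both inputs are constructed samples with placeholder CVE identifiers.

```python
"""Order scan findings so CISA KEV entries are remediated first.

Assumptions (not from the article): the KEV feed is a JSON object with a
"vulnerabilities" list whose entries carry "cveID", "dueDate" and
"knownRansomwareCampaignUse". Both inputs below are constructed samples,
not real catalog data, and the CVE identifiers are placeholders.
"""
import json
from datetime import date

# Constructed stand-in for the KEV JSON feed (placeholder CVE ids).
KEV_JSON = """
{"vulnerabilities": [
  {"cveID": "CVE-0000-1001", "dueDate": "2024-03-01", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-1002", "dueDate": "2024-02-01", "knownRansomwareCampaignUse": "Unknown"}
]}
"""

# Constructed scanner output: CVE id and CVSS base score per finding.
FINDINGS = [
    {"cve": "CVE-0000-1003", "cvss": 9.8},   # critical, but not in KEV
    {"cve": "CVE-0000-1001", "cvss": 7.5},   # in KEV, ransomware-linked
    {"cve": "CVE-0000-1002", "cvss": 6.1},   # in KEV, earliest due date
    {"cve": "CVE-0000-1004", "cvss": 5.3},   # low, not in KEV
]


def load_kev(text):
    """Index KEV entries by CVE id so each lookup is a dict hit."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def prioritize(findings, kev):
    """Tier 0: KEV entries by due date (ransomware use breaks ties).
    Tier 1: everything else, highest CVSS first."""
    def key(f):
        entry = kev.get(f["cve"])
        if entry is None:
            return (1, 0, -f["cvss"])
        ransomware = 0 if entry["knownRansomwareCampaignUse"] == "Known" else 1
        return (0, date.fromisoformat(entry["dueDate"]).toordinal(), ransomware)
    return sorted(findings, key=key)


def remediation_order(findings=FINDINGS, kev_text=KEV_JSON):
    """CVE ids in the order a team should work them."""
    return [f["cve"] for f in prioritize(findings, load_kev(kev_text))]


if __name__ == "__main__":
    print("\n".join(remediation_order()))
```

Note that the highest-CVSS finding drops to third place because it is not in the catalog, which is exactly the shift in priority the BOD describes.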
This strategic shift is underway in attack surface management, with teams increasingly applying an attacker’s lens to proactively protect their attack surface.
Done right, proactive security also informs and enhances reactive incident response through historic attack surface posture forensics, as well as delivering proactive incident prevention within organizations to shut down attacks before they occur. With this shift will come increased investment in continuous risk-based vulnerability management that provides a view of the entire attack surface, and solutions that offer an attacker's lens through which to view vulnerabilities will come out on top. This is key to embedding proactive security that effectively minimizes the attack surface and improves incident prevention, forensics and response.
As the saying goes, ‘an ounce of incident prevention is worth a pound of incident response’. In 2024 we’re likely to see that, combined, they are invaluable.
Visit our solutions section for more information about Attack Surface Assurance.