CIO

Think like a hacker by mapping all your application vulnerabilities – not just the critical ones

Prioritising high-risk vulnerabilities just tells intruders to focus their efforts elsewhere

With nearly 20,000 new application vulnerabilities discovered in 2017 alone, triage has become a necessary part of CISOs’ remediation strategies. But with many attackers now aiming for the less-patrolled middle ground, one security expert warns, a more visual approach to mapping exposure can help head them off before they reach their target inside the network.

“Everyone running a vulnerability management program knows they have to take care of the critical and high” priority vulnerabilities as they are discovered and evaluated within the widely-used CVE Details database, Illumio founder and CTO PJ Kirner recently told CSO Australia.

“But because mediums are hard to prioritise, and because they are building up a backlog, attackers are targeting the mediums because they exist longer in the environment. Some of those might be a lot riskier than you think – regardless of standard classification methods.”

Sheer volume means the backlog of medium-priority vulnerabilities is growing at a record pace. According to the , 19,954 new vulnerabilities – equivalent to roughly 54 per day – were discovered in 2017. The CVE Details database lists 5,647 additional vulnerabilities detected so far this year.

Given that volumes like these force businesses to pick and choose which vulnerabilities they remediate, Kirner believes the company’s recently-announced partnership with Qualys will prove invaluable by helping companies map exactly how attackers might get into, and move through, their network.

The maps are generated by combining Illumio’s Adaptive Security Platform application dependency tool with Qualys’ Cloud Platform, which amasses a large quantity of vulnerability and threat data. The combined data is used not only to map the vulnerabilities in a company’s installed applications, but also to map the linkages between those applications, producing graphical maps that show which vulnerabilities might be used to leapfrog between systems inside the company network – or, in many cases, out to public clouds.

“A lot of people don’t have visibility into what’s communicating with what inside a public cloud,” Kirner said. “A lot of times, the public cloud workloads are communicating back into the data centre – which could be an issue.”

An ‘East-West exposure score’ quantifies the aggregate exposure of each vulnerability to the workloads that can reach it, helping companies prioritise the vulnerabilities with the highest actual risk of being exploited – and not just the most severe ones. Illumio’s microsegmentation technology can then isolate the exposed elements of the application environment until the security holes are patched.

Limiting attackers’ ability to move within a network and between systems – known as East-West, or lateral, movement – is critical to containing or preventing massive data breaches. Verizon’s recent Data Breach Investigations Report (DBIR) 2018, for one, found that 73 percent of analysed incidents were perpetrated by outsiders – including 50 percent carried out by organised groups.

Some 40 percent of hackers said they can typically breach a company perimeter within 5 hours, according to the recent Nuix Black Report 2018. In 68 percent of cases, Verizon found, intruders spent months lingering out of view on penetrated networks before being discovered.

Proactively mapping this kind of “vulnerability hopping” can help head off such activity, according to Kirner. “We literally map the path an attacker might take to get to a valuable asset,” he explained.

“For unpatched vulnerabilities, we allow you to change your policies to restrict access into those vulnerabilities. And because we can measure the benefit of your segmentation policies, your reduction in risk is literally quantifiable.”
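To make the idea concrete, here is an added illustration of attack-path mapping and exposure scoring over an application dependency map, covering the path mapping described above and the policy-driven risk reduction Kirner refers to. This is example code written for this page, not Illumio or Qualys code: the workload inventory, the ports, the severities and the flows are constructed, the "exposure" metric is a simplified analogue (how many workloads may connect to a vulnerable service) rather than the vendor's actual scoring formula, and the segmentation policy is hypothetical.

```python
"""Attack-path and exposure analysis over an application dependency map.

Added illustration, not Illumio or Qualys code: a toy model of the idea the
article describes. The inventory is constructed, and the exposure metric is a
simplified analogue of an east-west exposure score, not the vendor's formula.
"""
from collections import defaultdict

# Constructed sample data: workload -> {listening port: severity of the
# unpatched vulnerability on that service}. Severities are illustrative.
VULNS = {
    "web":   {"443/tcp": "medium"},
    "app":   {"8080/tcp": "medium"},
    "batch": {"22/tcp": "medium"},
    "db":    {"5432/tcp": "high"},
    "cloud-analytics": {"8443/tcp": "medium"},
}

# Constructed allowed flows from the dependency map: (source, destination,
# destination port). "internet" is the untrusted entry point.
FLOWS = [
    ("internet", "web", "443/tcp"),
    ("internet", "cloud-analytics", "8443/tcp"),
    ("web", "app", "8080/tcp"),
    ("web", "batch", "22/tcp"),
    ("app", "db", "5432/tcp"),
    ("app", "cloud-analytics", "8443/tcp"),
    ("batch", "db", "5432/tcp"),
    ("cloud-analytics", "db", "5432/tcp"),  # public-cloud workload reaching back into the DC
]

# Hypothetical segmentation policy: flows the new ruleset no longer permits.
POLICY = [
    ("cloud-analytics", "db", "5432/tcp"),
    ("batch", "db", "5432/tcp"),
]


def attack_graph(flows, vulns):
    """Edges an attacker can traverse: a flow is a hop only if the service it
    reaches on the destination carries an unpatched vulnerability."""
    graph = defaultdict(set)
    for src, dst, port in flows:
        if port in vulns.get(dst, {}):
            graph[src].add((dst, port))
    return graph


def exposure(flows, vulns):
    """Simplified exposure count: for each vulnerable service, the number of
    distinct workloads allowed to connect to it (an analogue of an east-west
    exposure score, not the vendor's own metric)."""
    sources = defaultdict(set)
    for src, dst, port in flows:
        if port in vulns.get(dst, {}):
            sources[(dst, port)].add(src)
    return {svc: len(srcs) for svc, srcs in sources.items()}


def attack_paths(flows, vulns, start, target):
    """All simple paths from `start` to `target` made only of vulnerable hops."""
    graph = attack_graph(flows, vulns)
    paths = []

    def walk(node, path, seen):
        if node == target:
            paths.append(list(path))
            return
        for nxt in sorted({dst for dst, _port in graph.get(node, ())}):
            if nxt not in seen:
                walk(nxt, path + [nxt], seen | {nxt})

    walk(start, [start], {start})
    return paths


def apply_policy(flows, blocked):
    """Segmentation: drop the flows the policy no longer permits."""
    blocked = set(blocked)
    return [f for f in flows if f not in blocked]


def risk_reduction(flows, vulns, policy, start, target):
    """Quantify what a policy buys: attack paths to `target` and exposure of
    every vulnerable service, before and after the policy is applied."""
    after = apply_policy(flows, policy)
    return {
        "paths_before": len(attack_paths(flows, vulns, start, target)),
        "paths_after": len(attack_paths(after, vulns, start, target)),
        "exposure_before": exposure(flows, vulns),
        "exposure_after": exposure(after, vulns),
    }


if __name__ == "__main__":
    for p in attack_paths(FLOWS, VULNS, "internet", "db"):
        print(" -> ".join(p))
    print(risk_reduction(FLOWS, VULNS, POLICY, "internet", "db"))
```

Note what the sample shows: the database's single high-severity hole is only reachable through a chain of medium-severity ones, and the cloud workload that "talks back into the data centre" adds two of the four attack paths. Blocking just two flows cuts the paths from four to one and the database's exposure count from three workloads to one, without patching anything; the reduction is a number a practitioner can report.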

The ability to evaluate risk and apply highly-granular data controls is proving particularly popular amongst companies rushing to meet their obligations under the looming European Union General Data Protection Regulation (GDPR), which comes into effect on 25 May and will require, among other things, that businesses be able to identify, track, and protect EU citizens’ personal data.

Illumio – which opened an APAC regional office in Sydney in March, under the stewardship of Asia Pacific vice president Rob van Es – is riding an upswell of interest thanks to GDPR and other recent compliance obligations.

“It’s a lot of fun to show customers the product and to get their reactions,” Kirner said, “because it’s able to reduce risk and solve problems for them. They can see how they inherit risk from other workloads and applications inside their data centre, as well as from the public cloud. It has been an eye-opener for customers and a fun product to work on.”