In vulnerability management, CVEs have always been important, but they only get you so far. Just consider what would happen if you woke up tomorrow to multiple new critical CVEs impacting assets across your organization. How would you decide where to focus your mitigation efforts?
Most organizations currently rely on vulnerability scanners to inform their day-to-day decisions. The problem with traditional scanners, however, is that they can only tell you which assets have what vulnerabilities. They can’t sort vulnerabilities based on their risk to the business or ongoing business operations.
Knowledge of a vulnerability itself is only the beginning of remediation efforts. Analysts must then gather whatever relevant asset attributes they can track down to make informed decisions. Yet pulling data from across endpoint management, EDR, VDI, cloud, and other organizational platforms is incredibly time-consuming. Moreover, varied data structures can lead to problematic correlations of asset information.
Overall, the cumbersome process often only leads to best guesses. It’s all but impossible for security and IT operations teams to efficiently focus on the critical vulnerable assets that pose the highest risk to the business and gain control over the vulnerability management lifecycle.
“Priority is a function of context.”
– Stephen R. Covey, author of the 7 Habits of Highly Effective People
When it comes to vulnerabilities, security and IT operations teams are facing a kind of “perfect storm”. With every new asset deployed in support of growth, innovation, and efficiency efforts, the enterprise attack surface expands. The number of vulnerabilities is also rising rapidly year over year while the time it takes for attackers to exploit them is dropping. And with manual data-gathering approaches, it’s no wonder that the mean time to remediation (MTTR) has ballooned to 60 – 150 days.
Given the circumstances, the million-dollar question is – what’s the most effective way to remediate risk in the fastest time possible while containing operational overhead? It’s really a business question. And like every business question, it requires context so you can focus on the things that will get you the most impactful results the fastest. Access to a real-time list of CVEs on connected assets is a start. However, to prioritize efforts based on the organizational impact you need the ability to dig into the importance of every asset along with its relationships and dependencies within the environment. In other words, you need a clear understanding of the asset’s business context.
Did you know that most vulnerability scanners miss up to 40 percent of the assets in a typical scan of the organization? This can be due to network restrictions, ephemeral cloud assets, or missing or misconfigured vulnerability agents. Even for assets they can see, the sheer number of alerts combined with the lack of context makes it difficult to understand which of the critical vulnerabilities put critical assets at risk, and impossible to effectively prioritize them based on risk to the business.
Consider a bank with a list of thousands of CVEs, several hundred of which are deemed critical; not every critical vulnerability corresponds to a critical asset (based on function, location, and risk to the business). In fact, they are likely spread across assets with a low, medium, and critical impact on the business. But without context, all you can do is chase down every critical vulnerability as fast as possible. That may mean remediating an asset such as a developer’s laptop before a server running critical banking applications. Delays and risks are only compounded as new vulnerabilities pop up. Moreover, even when you manage to avoid incidents, it’s a never-ending, very costly, and frustrating cycle that is full of visibility gaps.
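The bank scenario above can be made concrete with a small prioritizer. This is an added example, not Armis code and not the AVM scoring model: it combines CVSS with a business-assigned asset criticality, a network exposure factor, a multiplier for known in-the-wild exploitation, and dependency propagation (an asset inherits the criticality of whatever depends on it). The weights, asset names, dependency graph and CVE identifiers are all constructed placeholders.

```python
"""Context-aware vulnerability prioritization (constructed example).

Scanner output alone ranks every CVSS 9.8 finding equally. Adding asset
context re-orders the queue so the banking server and the database it
depends on come before a developer laptop with the same CVE.
"""
from dataclasses import dataclass, field

# Weights are assumptions for this example, not a vendor's scoring model.
CRITICALITY_WEIGHT = {"low": 1.0, "medium": 2.0, "critical": 4.0}
EXPOSURE_WEIGHT = {"internal": 1.0, "dmz": 1.5, "internet": 2.0}
EXPLOITED_MULTIPLIER = 1.5  # known in-the-wild exploitation raises urgency


@dataclass
class Asset:
    name: str
    function: str
    criticality: str                      # low | medium | critical (business-assigned)
    exposure: str                         # internal | dmz | internet (assumed attribute)
    depends_on: list[str] = field(default_factory=list)


@dataclass
class Finding:
    asset: str
    cve: str                              # placeholder ids, not real CVEs
    cvss: float
    exploited_in_wild: bool = False


def effective_criticality(assets: dict[str, Asset], name: str) -> str:
    """An asset is at least as critical as anything that depends on it,
    directly or transitively (a database behind a critical app is critical)."""
    dependents = {n: [a.name for a in assets.values() if n in a.depends_on]
                  for n in assets}
    best, stack, seen = assets[name].criticality, [name], set()
    while stack:                          # walk the reverse dependency graph
        cur = stack.pop()
        if cur in seen:                   # guard against dependency cycles
            continue
        seen.add(cur)
        if CRITICALITY_WEIGHT[assets[cur].criticality] > CRITICALITY_WEIGHT[best]:
            best = assets[cur].criticality
        stack.extend(dependents[cur])
    return best


def score(asset: Asset, finding: Finding, eff_crit: str) -> float:
    """Business-risk score: CVSS scaled by criticality, exposure and exploitation."""
    s = (finding.cvss
         * CRITICALITY_WEIGHT[eff_crit]
         * EXPOSURE_WEIGHT[asset.exposure]
         * (EXPLOITED_MULTIPLIER if finding.exploited_in_wild else 1.0))
    return round(s, 2)


def prioritize(assets: list[Asset], findings: list[Finding]) -> list[tuple]:
    """Return (score, asset, cve, effective_criticality) tuples, highest risk first."""
    by_name = {a.name: a for a in assets}
    ranked = []
    for f in findings:
        crit = effective_criticality(by_name, f.asset)
        ranked.append((score(by_name[f.asset], f, crit), f.asset, f.cve, crit))
    return sorted(ranked, key=lambda r: (-r[0], r[1], r[2]))


# Constructed inventory and scanner output (no real assets or CVEs).
ASSETS = [
    Asset("core-banking-app", "online banking front end", "critical", "dmz",
          depends_on=["core-db"]),
    Asset("core-db", "account database", "medium", "internal"),   # inherits critical
    Asset("dev-laptop-42", "developer workstation", "low", "internal"),
    Asset("lobby-tablet", "visitor check-in", "low", "internal"),
]
FINDINGS = [
    Finding("dev-laptop-42", "CVE-PLACEHOLDER-A", 9.8),
    Finding("core-banking-app", "CVE-PLACEHOLDER-A", 9.8),
    Finding("core-db", "CVE-PLACEHOLDER-B", 7.5, exploited_in_wild=True),
    Finding("lobby-tablet", "CVE-PLACEHOLDER-C", 8.1),
]

if __name__ == "__main__":
    for s, asset, cve, crit in prioritize(ASSETS, FINDINGS):
        print(f"{s:6.1f}  {asset:18s} {cve:18s} effective criticality={crit}")
```

By CVSS alone, the laptop and the banking server tie at 9.8 and the database's 7.5 trails both. With context, the banking server leads, the database moves to second because the critical application depends on it and its bug is being exploited, and the laptop drops to third. The dependency walk is the part worth keeping when adapting this: criticality labels assigned asset by asset are routinely wrong for shared back-end systems.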
Armis Asset Vulnerability Management (AVM) eliminates cumbersome manual tasks, visibility gaps, and guesswork so your team can focus on what matters most to vulnerability management. Our context and risk-based approach enables your team to quickly identify and remediate the vulnerabilities that attackers are most likely to exploit in order of importance to the business.
AVM is an add-on module to the Armis Asset Intelligence Platform, an agentless asset security and management platform that provides multi-dimensional views of 100% of traditional and unmanaged connected assets. Unlike traditional scanners that simply identify assets by type and assign CVE scores, Armis goes much deeper. It distinguishes between specific uses of the same type of asset. For example, a tablet used to run a production line versus one used to check in visitors in the lobby. Armis can also tell you the OS and firmware versions, owner, physical location, and more for every asset. AVM is designed to work alongside your existing vulnerability scanners and can be deployed in minutes, requiring no changes to the way you currently scan your assets.
To help ensure that you are focusing on the remediation of the most critical risks to the business in order of priority, Armis relies on several unique capabilities. First, it continuously maps connections and communications between assets and services, learning the relationships and dependencies between, and the importance of, assets across your environment. Beyond understanding relationships between assets, Armis also evaluates asset behavior and adds that to the risk calculation. To detect behavior anomalies, Armis leverages the Collective Asset Intelligence Engine, the industry’s first collective engine that tracks and analyzes attributes of over 2 billion assets worldwide.
Most importantly, AVM performs this multidimensional analysis on all of your assets continuously, providing you with up-to-date views of your attack surface and evolving vulnerabilities. Given how fast cyber threats are moving, real-time awareness of vulnerabilities, threats, and exploit attempts is now a necessity, not a nice-to-have.
Overall, the comprehensive asset intelligence and insights provided by Armis give your team a single, authoritative source of the truth for organizational assets, risks, and vulnerabilities. That means every time a new high severity vulnerability/CVE is published, your vulnerability analysts can cut to the chase and quickly determine the total risk it poses to the business based on all the impacted assets. Then, based on risk levels to the business, you can define which assets should be remediated first (if possible), quarantined, or maybe even taken offline.
AVM also provides full end-to-end vulnerability lifecycle management to assist and track remediation efforts. Moreover, leadership can use AVM to track the organizational effectiveness of the vulnerability strategy and make data-driven decisions on the state of the attack surface, ultimately helping establish a more strategic and streamlined approach to vulnerability management.
Want to see AVM in action? Join us for a 1-hr technical deep-dive webinar on Identifying vulnerable critical assets that put you at risk.
Date: Wednesday, July 13, 2022
Time: 09:00 AM Pacific Daylight Time
Visit Armis Security Research to learn more about asset vulnerabilities.