Intelligent CISO Issue 34 | Page 69

decrypting myths

an invaluable resource for security teams and attackers alike. Attackers use it to find an exploit that will help compromise a known vulnerability within a target system.

Until a vulnerability appears in the Exploit Database, it remains less likely to emerge as a significant broad-based threat for organisations. However, as soon as a vulnerability appears there, organisations need to act fast to remediate it.

Distinguishing between hype and risk

Today's enterprise security teams have tens of thousands of vulnerabilities to remediate. The reality is that most vulnerabilities are likely to be exploited within 40–60 days, yet it can take security teams up to 120 days to put remediation in place. So the pressure is on for security teams to identify those vulnerabilities that pose the biggest risk of exploitation for their organisation and get to work on fixing these first.

As we've seen, while keeping up to date with security news is a great way of staying abreast of how the threat landscape is evolving, a vulnerability doesn't need to be new or buzzworthy to pose a serious threat to the enterprise.

All too often, headlines serve to distract security teams from quickly and efficiently remediating those risks that haven't made it into the hall of fame. What organisations need to remember is that the most important factor to consider is where a vulnerability sits within their ecosystem.

For example, a high-risk vulnerability sitting in a low-risk environment poses less of a threat than a medium-risk vulnerability in a highly accessible environment. Ultimately, visibility and context are everything. Media headlines and a vulnerability's ranking on the Common Vulnerability Scoring System (CVSS) can have little bearing. What matters is the risk that the vulnerability poses to the individual organisation.

At the end of the day, effective vulnerability management requires a risk-based approach to prioritising remediation efforts, so that the right vulnerabilities are addressed at the right time. That means streamlining and accelerating efforts by evaluating a vulnerability's most critical aspects to work out how much danger it really poses. In this way, the limited time and resources of the security team can be focused on addressing those vulnerabilities that actually pose the most risk to the organisation.

Stephen Roostan, VP EMEA at Kenna Security
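As an added illustration of the risk-based prioritisation the article argues for (example code written for this page, not Kenna Security's own scoring model), the Python below ranks a constructed backlog by combining CVSS severity with exploit availability and the environment the vulnerable asset sits in. The weights, deadline tiers and CVE-style identifiers are assumptions chosen to show the article's point: a medium-severity flaw on an exposed, critical asset outranks a headline-grabbing critical one in an isolated environment.

```python
from dataclasses import dataclass

# Constructed sample data; the CVE-style identifiers are placeholders, not real entries.
@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss: float             # CVSS base score, 0.0-10.0
    public_exploit: bool    # True if a working exploit is publicly listed (e.g. Exploit Database)
    exposure: str           # "internet", "internal" or "isolated"
    asset_criticality: int  # 1 (low) to 3 (business-critical)

# Assumed weights: reachability falls sharply for assets that are not exposed.
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.6, "isolated": 0.2}

def risk_score(v: Vuln) -> float:
    """Organisation-specific risk on a 0-100 scale: likelihood x impact."""
    # Likelihood: a public exploit is assumed to raise it to the maximum;
    # without one it is scaled down, then gated by how reachable the asset is.
    likelihood = (1.0 if v.public_exploit else 0.4) * EXPOSURE_WEIGHT[v.exposure]
    # Impact: CVSS severity tempered by how much the asset matters to the business.
    impact = (v.cvss / 10.0) * (v.asset_criticality / 3.0)
    return round(100 * likelihood * impact, 1)

def prioritise(vulns):
    """Return the backlog ordered by contextual risk, highest first."""
    return sorted(vulns, key=risk_score, reverse=True)

def remediation_deadline_days(score: float) -> int:
    # Assumed tiers: top-tier items must close well inside the 40-60 day
    # window the article cites as the typical time to exploitation.
    if score >= 50:
        return 14
    if score >= 10:
        return 30
    return 90

SAMPLE = [
    Vuln("CVE-0000-0001", 9.8, False, "isolated", 1),  # headline-grabbing, but unreachable
    Vuln("CVE-0000-0002", 6.5, True, "internet", 3),   # medium CVSS, exploit public, exposed
    Vuln("CVE-0000-0003", 8.1, False, "internal", 2),
]

if __name__ == "__main__":
    for v in prioritise(SAMPLE):
        s = risk_score(v)
        print(f"{v.cve}  CVSS {v.cvss:<4} risk {s:>5}  fix within {remediation_deadline_days(s)} days")
```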