Taking a Threat Adapted Approach to Vulnerability Management

By Chris Jacob, VP Threat Intelligence Engineering, ThreatQuotient, and Will Baxter, Security Engineer, Team Cymru

As cyber threats grow in complexity and frequency, vulnerability management requires more than patching systems; it demands a dynamic, threat-adapted approach. As part of Cyber Rhino Threat Week (December 9-13, 2024), which aimed to share threat intelligence insights and best practices with our customers, partners and industry ecosystem, we held a session exploring how integrating threat intelligence into vulnerability management can transform the way organizations prioritize and respond to risk.

Vulnerability management is a continuous, proactive process that keeps systems, networks and enterprise applications safe from cyberattacks and data breaches, and it is an important part of an overall security program. The panel discussed how vulnerability management has changed over the years. In the past it was largely a matter of patching servers and endpoints, with the patching cadence set in collaboration with the IT team. Today it is more complex: Internet of Things (IoT) devices, kiosks, mobile devices, display screens and more are all assets in the vulnerability management cycle, and each one widens the attack surface an adversary can use to gain access to the infrastructure. Teams now need to know every asset connected to the network, keep firmware up to date, and understand when to patch, how to patch and whether a patch will disrupt the business.

The vulnerability management team's role is to disseminate this information to system owners so they understand why they need to patch and what to prioritize. That is easier said than done in an enterprise with hundreds of thousands of employees across multiple geographic locations.

Breaking down silos 

The discussion delved into the importance of breaking down silos between teams, such as system information management teams, incident response teams and cyber threat intelligence teams, and the lack of data sharing across those silos. That is often because there is no automated, bidirectional flow of information between them, which is one area a threat intelligence platform can help address.

This is one reason a threat-adapted approach matters. Such an approach analyzes behaviors and events so the organization is ready to adapt to threats before they materialize, continuously assessing risk and applying appropriate enforcement. However, if the team has not operationalized its threat intelligence and has no processes to bring everything together and overlay it on the organization's vulnerability posture, then all the intelligence collected is wasted. One panelist likened this to holding an external library card, or an Encyclopaedia Britannica of all your threat actors: it provides information but does not activate a robust response. Teams need a way to contextualize and prioritize based on what threat actors are actually targeting, and that process needs to be automated.

The key question is how to take that expensive library card and plug it into the vulnerability management program so the team can prioritize quickly and easily. That requires context about what an asset does, what business value it delivers and how it functions; without it, risk cannot be prioritized and the CTI program is not relevant to the business. All panelists agreed that if all you are doing is building a giant library, without the context and integration needed to drill down into what matters to the organization, the CTI program simply becomes a cost center.

The importance of compensating controls 

This is where it is important to work with teams, business and system owners and other stakeholders to understand their requirements, what matters to them and what they need to act on, so they can proactively push and escalate. To achieve this, organizations must break down silos and work with every team involved in security, such as the governance, risk and control teams, to understand where their concerns lie and which technologies they are tracking. This is not just about understanding the organization's cyber hygiene; it is also about understanding the layers an attacker would have to get through to exploit a weakness. With that insight, teams can work through requirements and align the CTI program to specific stakeholders.

Ultimately the desire is always to patch, but that is not always possible. This is where compensating controls matter: finding another way to protect the organization while preparing to deploy a patch. One panelist asked how this is achieved, and whether it should be left to the vulnerability management team alone or whether the CTI team can help make those all-important decisions.

All agreed that offensive and defensive teams must work together. That means mapping out the attack path: a better understanding of defense gives a better understanding of offense, as teams scout what would be effective, move to the next layer to consider what might be vulnerable, and check whether mitigating controls are in place to provide additional prevention.

Teams need to move at the speed of the business and act fast while doing so safely. Achieving that comes down to a holistic program grounded in a good knowledge of both offensive and defensive strategies.

A fusion of threat intelligence, risk and vulnerability management

The tools required for a threat-adapted approach include an inventory of all assets and a known vulnerability scanning frequency, so the team knows how often to expect new information. Internal data and external threat intelligence both need to be operationalized within the threat intelligence program.
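The prioritization the panel describes (asset context plus threat intelligence, discounted where a compensating control already covers the attack vector, with scan cadence used to spot stale data) can be made concrete. The following is an added example written for this article, not code from the panelists or from either company's products. Asset, finding and intelligence records, the vulnerability identifiers (EX-0001 and so on), the control-to-vector mapping and all weights are constructed for illustration and stand in for whatever a real inventory, scanner and intelligence feed would supply.

```python
"""Threat-adapted vulnerability prioritization (added example, constructed data).

Joins scanner findings with asset context from the inventory and with threat
intelligence, discounts findings that a compensating control already covers,
and flags assets whose scan data is older than the expected cadence."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Asset:
    asset_id: str
    internet_facing: bool
    business_criticality: int      # 1 (low) .. 5 (critical), set by the system owner
    controls: frozenset            # compensating controls in place on this asset
    last_scan: datetime


@dataclass(frozen=True)
class Finding:
    asset_id: str
    vuln_id: str
    cvss: float                    # scanner base score
    vector: str                    # how the flaw is reached: "web", "network" or "local"


@dataclass(frozen=True)
class ThreatIntel:
    exploited_in_wild: bool = False
    targets_our_sector: bool = False   # actors using it are known to target our industry


# Hypothetical mapping of compensating control -> attack vectors it blocks.
# A real program would derive this from the attack-path mapping the panel describes.
CONTROL_MITIGATES = {
    "waf": {"web"},
    "network_isolated": {"web", "network"},
    "edr": {"local"},
}
SCAN_CADENCE = timedelta(days=14)   # how often new scanner data is expected


def priority_score(finding, asset, intel):
    """Return (score, mitigated). Weights are illustrative, not a standard."""
    score = finding.cvss
    if intel.exploited_in_wild:
        score *= 1.5
    if intel.targets_our_sector:
        score *= 1.3
    if asset.internet_facing and finding.vector in ("web", "network"):
        score *= 1.4
    score *= 0.6 + 0.2 * asset.business_criticality      # 0.8 .. 1.6
    mitigated = any(finding.vector in CONTROL_MITIGATES.get(c, ()) for c in asset.controls)
    if mitigated:
        score *= 0.5                                     # control buys time, not immunity
    return round(score, 2), mitigated


def prioritize(findings, assets, intel, now):
    """Rank findings: unmitigated first, then by score. Each row carries a
    recommended action and whether the scan data behind it is stale."""
    rows = []
    for f in findings:
        asset = assets[f.asset_id]
        ti = intel.get(f.vuln_id, ThreatIntel())   # no intel -> treat as not exploited
        score, mitigated = priority_score(f, asset, ti)
        if mitigated:
            action = "control covers vector; schedule patch"
        elif ti.exploited_in_wild or score >= 15:
            action = "patch now"
        else:
            action = "routine patch cycle"
        rows.append({
            "asset": f.asset_id, "vuln": f.vuln_id, "score": score,
            "mitigated": mitigated, "action": action,
            "stale_scan": now - asset.last_scan > SCAN_CADENCE,
        })
    rows.sort(key=lambda r: (r["mitigated"], -r["score"]))
    return rows


# Constructed sample data; identifiers are placeholders, not real CVEs or hosts.
ASSETS = {a.asset_id: a for a in [
    Asset("web-01", True, 5, frozenset({"waf"}), datetime(2024, 12, 10)),
    Asset("db-01", False, 5, frozenset({"network_isolated"}), datetime(2024, 11, 1)),
    Asset("kiosk-07", False, 2, frozenset(), datetime(2024, 12, 9)),
]}
FINDINGS = [
    Finding("web-01", "EX-0001", 9.8, "web"),
    Finding("kiosk-07", "EX-0001", 9.8, "web"),     # same flaw, no WAF in front of it
    Finding("db-01", "EX-0002", 8.1, "network"),
    Finding("kiosk-07", "EX-0003", 7.5, "local"),
]
INTEL = {
    "EX-0001": ThreatIntel(exploited_in_wild=True, targets_our_sector=True),
    "EX-0003": ThreatIntel(exploited_in_wild=True),
}


def run_example(now=datetime(2024, 12, 13)):
    return prioritize(FINDINGS, ASSETS, INTEL, now)


if __name__ == "__main__":
    for r in run_example():
        print(f"{r['score']:6.2f}  {r['asset']:9} {r['vuln']}  {r['action']}"
              + ("  [scan data stale]" if r["stale_scan"] else ""))
```

Two design choices carry the panel's argument. First, the same flaw (EX-0001) ranks differently on the two assets it affects: the internet-facing server behind a WAF is parked as "control covers vector; schedule patch", while the unprotected kiosk goes to the top as "patch now" because the intelligence says the flaw is exploited in the wild by actors targeting this sector. Second, the database's finding is reported with a stale-scan flag because its last scan is older than the cadence the team expects, which is the kind of gap that should be escalated to the scanning team rather than silently trusted.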

Looking at the future of vulnerability management, the group discussed how CTI teams need to champion vulnerability teams: working together with bidirectional communication and presenting to stakeholders jointly. Vulnerability management also needs to expand to the external attack surface, understanding cloud environments and analyzing configurations, misconfigurations and default credentials.

Ultimately, all agreed that threat intelligence, vulnerability management and risk will fuse, and that coordinating all three will be critical for cyber hygiene and for planning, prioritizing and mitigating threats.
