Vulnerability management is often compared to a game of Whack-a-Mole, with new vulnerabilities constantly popping up and no end in sight. What if there was a way to rig this Whack-a-Vulnerability game in your favor?
Whack-a-Mole: “A situation in which repeated efforts to resolve a problem are frustrated by the problem reappearing in a different form” – Macmillan Dictionary
There is something about playing the game of Whack-a-Mole that is inherently thrilling. As you test your reflexes, struggling to react at the speed of the moles as they pop up erratically through any of the five holes, the rush of adrenaline releases a surge of endorphins as you battle your mechanical foes.
Still, there is also something about this fast-paced arcade game that causes rapid fatigue. Maybe it is the requirement to stay constantly alert, maintaining your reflexive endurance as you wait for the next mole to reappear. Maybe it’s the futile nature of the task that you must repeat over and over again to no avail. Or, perhaps it’s simply physical exhaustion as your stamina is put to the test, with your muscles aching under the pressure after just a few minutes of intense play.
It is these traits of the game that make Whack-a-Mole such a great analogy for the tedious task of vulnerability management – a challenge many CISOs and security practitioners spend much time and money trying to solve.
Like the arcade game, the task of managing vulnerabilities is repetitive, frustrating, and seemingly never-ending, with new vulnerabilities popping up in new products and assets every day. Managing vulnerabilities is a mammoth challenge. To give you some context regarding the severity of this problem, more than 1,000 vulnerabilities (CVEs) are published on average every month. According to the latest statistics by Gartner, only 1 out of 16 CVEs will be exploited – a mere 6%. This means that, on average, there are only 60 CVEs that warrant our focus each month. The other 940 vulnerabilities, therefore, are just noise, distracting and hindering us from making effective and timely security decisions whilst draining much-needed time and resources despite their low priority.
As the vulnerabilities pop up in our systems, our game of Whack-a-Vulnerability begins. Just like the mole-whacking arcade game, our game is highly time-sensitive. Though no one will commend you for patching a specific vulnerability on time, failing to do so will likely carry serious consequences for your organization – after all, threat actors play a harder and more aggressive game than the mechanical arcade moles. Per Gartner’s statistics noted above, the small subset of CVEs that are actually exploited will probably be weaponized by threat actors within the first few days following their publication.
Within 24-48 hours after a vulnerability is published, the player in our Whack-a-Vulnerability game must determine if the CVE that just popped up is part of the 6% “severe” CVEs that need to be patched ASAP to prevent an imminent threat, or part of the other 94% that do not require immediate attention – at least for the time being.
This seems difficult enough, but our game isn’t over yet. In fact, it’s time to level up. Instead of defending only five holes, as in our arcade favorite, our Whack-a-Vulnerability player is faced with the challenge of protecting tens of thousands of “holes”, i.e. organizational products that may be exposed. It is easy to understand why, after just a few rounds, our player is already exhausted, their energy depleted from the incessant and repetitive task.
In actuality, however, unlike our Whack-a-Mole players who face the same expected challenge but at increasing speeds, in our game of vulnerability assessment and management the battle is constantly evolving. The vulnerability landscape is not repetitive, but highly dynamic and unrelenting. Every hour, exploit code is posted on code repositories such as GitHub or on forums on the deep and dark web, easily accessible to malicious threat actors who can quickly integrate it into their arsenals. Cybercriminals collaborate and discuss vulnerable assets and preferred targets, sharing their attack tools, frameworks and kits in the shadowy communities of the underground. Meanwhile, tech vendors attempt to fortify defenses against these incessant threats, notifying the industry of new patches and updates related to emerging vulnerabilities.
In a nutshell, every day our Whack-a-Vulnerability player must reevaluate the risk of each given vulnerability, assessing both newly disclosed CVEs and those that were already evaluated yesterday. One hell of a Whack-a-Mole game!
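The daily re-evaluation described above, as an added example (not Cybersixgill's algorithm or any product's scoring): a small Python triage routine that re-scores every tracked CVE whenever new intel arrives, letting exploit availability and underground chatter outweigh raw CVSS, and weighting the 24-48 hour window after publication. The CVE IDs, dates, signal weights and tier thresholds are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class CveRecord:
    cve_id: str                    # placeholder ID, not a real CVE
    published: date
    cvss: float
    exploit_public: bool = False   # exploit code seen on a public repository
    underground_mentions: int = 0  # posts/chats discussing the CVE
    exposed_assets: int = 0        # organizational "holes" affected
    patch_available: bool = False


def risk_score(rec: CveRecord, today: date) -> float:
    """Intent-driven score (assumed weights): exploit availability and
    chatter dominate CVSS; the 48h window after publication adds urgency."""
    if rec.exposed_assets == 0:
        return 0.0                  # nothing to defend, pure noise for us
    score = rec.cvss
    if rec.exploit_public:
        score += 4.0
    score += min(rec.underground_mentions, 10) * 0.3
    if today - rec.published <= timedelta(days=2):
        score += 1.0
    return round(score, 2)


def tier(rec: CveRecord, today: date) -> str:
    """Map a score to the 'patch now' vs 'noise' decision (assumed thresholds)."""
    s = risk_score(rec, today)
    if s == 0.0:
        return "not-applicable"
    if rec.exploit_public or s >= 9.0:
        return "patch-now"
    return "schedule" if s >= 6.0 else "monitor"


def daily_reassessment(records, intel_updates, today):
    """Apply today's intel to every record, old and new, then rank them."""
    for rec in records:
        upd = intel_updates.get(rec.cve_id, {})
        rec.exploit_public = rec.exploit_public or upd.get("exploit_public", False)
        rec.underground_mentions += upd.get("new_mentions", 0)
        rec.patch_available = rec.patch_available or upd.get("patch_available", False)
    ranked = [(r.cve_id, tier(r, today), risk_score(r, today)) for r in records]
    return sorted(ranked, key=lambda t: -t[2])


# Constructed sample: day-one view of four placeholder CVEs, then one day of intel.
TODAY = date(2024, 6, 3)
SAMPLE = [
    CveRecord("CVE-0000-0001", date(2024, 6, 2), 7.5, exposed_assets=120),
    CveRecord("CVE-0000-0002", date(2024, 5, 20), 9.8, exposed_assets=0),
    CveRecord("CVE-0000-0003", date(2024, 6, 1), 6.1, underground_mentions=2, exposed_assets=15),
    CveRecord("CVE-0000-0004", date(2024, 5, 25), 5.3, exposed_assets=40),
]
INTEL_UPDATE = {
    "CVE-0000-0001": {"exploit_public": True, "new_mentions": 12},
    "CVE-0000-0004": {"new_mentions": 3},
}
```

Run `daily_reassessment(SAMPLE, INTEL_UPDATE, TODAY)` to see the first record jump from "schedule" to "patch-now" once exploit code and chatter appear, while the high-CVSS record with no exposed assets stays at zero.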
Breaking the Rules of the Game
What if there was a way to rig the game in our favor? Imagine we had a machine, a black box, that could anticipate in advance where and when our mole would pop up. Let’s also say that this machine gave us advance warning, alerting us to prepare for the incident (or mole) before it pops up. It is safe to say that this would be a game-changer, transforming the Whack-a-Mole game beyond recognition with a single silver bullet.
Believe it or not, in the world of vulnerability assessment, this technology is already available to be integrated into vulnerability management cycles. This marks a huge leap forward in the world of AI and machine learning, empowering security vendors not only to collect data in real time from the cybercriminal underground, but to truly perceive the puzzle in its entirety, as a full and comprehensive intelligence picture.
At the helm of this leap forward is Cybersixgill. Using advanced, automated AI and ML-driven proprietary algorithms, Cybersixgill collects and analyzes underground discourse from millions of posts and chats from the deep and dark web every day, matching each intel item with known vulnerabilities and exploits to provide an accurate and real-time assessment of the immediate risk of each vulnerability based on threat actors’ intent. This allows enterprises to confidently rank their vulnerabilities and prioritize patching decisions in order of urgency and in light of real-time threat intelligence, helping them determine if a CVE is one of the 6% that demands immediate attention, or another distraction amid the noise of the 94%.
With such a solution, CISOs and security practitioners gain a clear advantage, able to easily determine the expected risk posed by every vulnerability they have – any day, any time. This is a game-changer. With stakes this high, wouldn’t you like to rig the vulnerability game in your favor?