Exposure Management: The Key to More Effective Security?

Cybersecurity is difficult to get right even if you’re an individual with only a handful of devices to worry about. When you’re running a business of even a modest size, the number of endpoints, network connections, remote data repositories and authenticated users you need to keep on top of rises almost exponentially. And if your company is growing – either by adding staff and locations or acquiring and absorbing rivals – the complexity of the security challenge just keeps on increasing.

None of this will be news to anyone who has spent more than a few minutes thinking seriously about cybersecurity. But it is telling that these realisations remain at the core of many of the problems seasoned cybersecurity leaders wrestle with daily. During a spirited roundtable in Edinburgh, hosted by exposure-management specialists Rapid7 and involving a high-level selection of members of the RANT cybersecurity community, discussion kept cycling back to how best to map, picture and understand not just vulnerabilities, but attacks, attackers and their methods.

Beyond the basics

“We have 11,000 global customers and over three million endpoints,” Ellis Fincham, head of Rapid7’s XDR (extended detection and response) practice, explained in his opening remarks. Across that huge customer base, he reckons, some 80% of incidents arise from known vulnerabilities. The company compiles such data to help its customers learn from attacks and stop future attempts along the same vectors from succeeding. But security leaders were quick to point out that these headline statistics, while potentially encouraging, may not be as helpful as they first appear.

“That’s a bit dangerous,” one CISO said. “It’s a bit like saying 80% of all attacks can be dealt with by just doing the basics. But it isn’t easy in large, complex organisations to do those basics – to patch, to scan.”

“If you do all the hygiene, all the problems go away – but doing the hygiene’s not that easy,” another speaker agreed. “It’s that whole cycle of: What have I got? Will it break if I patch it? Will it never get patched again because we broke it?”

“Another part of the challenge is you’ve got legacy tech that people don’t want to get rid of and that can be hard to patch,” another security leader said. “And all the new stuff they’re excited about, they can’t be bothered to patch.” Patch management, they argued (appropriately enough, given the discussion’s location), is “like painting the Forth Bridge.”

Ups and downs

Talk turned to patch automation, which, attendees seemed to agree, can help – but only within limits.

“It works for certain things,” one CIO said. “You have to take a risk-based approach. There are areas where, perhaps, the tech is quite stable – we do automated patching on that stuff. But we’ve got other tools where we patch, and every time we install a patch we have an outage. Then there’s other technologies you just can’t patch.”

Organisations need to weigh these risks against each other, attendees suggested. Automated patching frees security and IT teams to spend more time on other work, but the business has to accept occasional downtime when a patch goes wrong or takes longer than planned to complete. “Manual or automated doesn’t matter if you take down the whole organisation,” one speaker pointed out.

Any downtime at all will be a tough proposition to sell in a lot of organisations.

“You try standing in front of the sales director and tell him there’s a risk he can’t sell things this Saturday,” said one speaker with experience in a large retail organisation. One business they were aware of stopped all patching between September and February, having decided that the risk of a breach was lower than the risk of losing sales over the vital Christmas period. The decision was based on quantified data and reviewed regularly, but it still caused great disquiet among the company’s security teams.

Taking responsibility

Others reported similar situations developing, and stressed the need to keep a written record of every such decision, and of who took it. Accepting a risk is one thing; accepting responsibility for that risk can be quite another.

“In my business, the impact of decisions like these is felt by me and my IT colleagues,” one senior security manager said, explaining that they will be critical of senior management when they feel it’s necessary. “If the business owner chooses to be reckless, they’ll get a hard conversation.”

“Your CEO has to be behind you,” agreed another. However, they warned, “the CEO is normally behind selling more stuff.”

“My CIO is against being hacked, because he doesn’t get paid,” another said, rather wryly. “Workstations get patched; servers do too, as frequently as they can be. It causes chaos, but the business just has to suck it up.”

“A technology manager I used to work with said it was simple,” another speaker recalled. “Either you give me downtime to patch – or you experience downtime because we don’t. The difference is all about predictability.”

Once more unto the breach

All too often, it is only after a breach or other incident that a business decides these problems need addressing. Measuring and quantifying risk and impact is difficult, and because priorities differ from one business to the next there is no broad agreement about which metrics to collect or how best to analyse them. “In financial services you’re measured in one way; in retail it’ll be completely different,” one security leader, with experience in both sectors, said.

Managing the exposure to risk is, ultimately, tied directly to obtaining and maintaining a detailed awareness of what your cyber estate looks like, what assets you have, where your crown-jewels data reside, and how these different virtual and physical locations are tied together. Doing this in the context of a growing business can seem close to impossible.

“We made 50 acquisitions in 10 years,” one attendee said, barely suppressing a sigh. “We’ve grown so big we don’t know where anything is, so we can’t take action. It’s only through incidents that we’re discovering where things are and what we have.”

“It’s an architectural question,” another speaker suggested. “You’re trying to limit your blast radius. You’re trying to restrict where an attacker can go. If you don’t capture all the assets, you’re only capturing some of the assets an attacker can affect.”

“I don’t think anyone’s ever got a proper list,” another said. “All you can do is the best you can.”

“You’ve all said that not one thing will ever give you the right answer,” Fincham said in his summing up. “We take as many sources as you’ve got, and give you an aggregate. That helps have conversations post-breach: ‘Here’s what you need to do to kick the attackers out, and here’s what you need to do to stop them getting back in.’ The people who do this well – the people who take an interest in risk – they’re the people I like to work with. You’re all up against a huge amount of problems. How you get your businesses to take it seriously is going to have a big impact. If that’s something we can help with, come and have a chat with us.”
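The “take as many sources as you’ve got, and give you an aggregate” point, and the earlier warning that an asset you never captured is still one an attacker can affect, are easier to see in working code. What follows is an added example, not Rapid7’s code or any vendor’s tooling: three constructed inventory exports (a CMDB, a vulnerability scanner and an EDR agent list, each with its own column names) are normalised on hostname and IP, merged into one asset list, and every asset is checked for the gaps the roundtable described: nobody owns it, nothing is watching it, or it carries a known-exploited vulnerability. The source formats, the records and the known-exploited set are all assumptions made for illustration.

```python
"""Aggregate several partial asset inventories into one picture and rank the gaps.

Added example, not Rapid7's or any vendor's code. The three source formats,
the records and the known-exploited list are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field

# --- Constructed sample exports from three hypothetical sources ----------------
CMDB = [  # what the business believes it owns
    {"hostname": "WEB01.corp.example.com", "ip": "10.1.1.10", "tier": "crown-jewel"},
    {"hostname": "db02.corp.example.com", "ip": "10.1.2.20", "tier": "crown-jewel"},
    {"hostname": "legacy-erp", "ip": "10.9.9.9", "tier": "important"},
]
SCANNER = [  # what a network vulnerability scan actually found
    {"host": "web01", "ip": "10.1.1.10", "cves": ["CVE-2021-44228"]},
    {"host": "db02.corp.example.com", "ip": "10.1.2.20", "cves": []},
    {"host": "", "ip": "10.1.3.77", "cves": ["CVE-2019-0708"]},  # nobody claims this box
    {"host": "acq-fileshare", "ip": "192.168.40.5", "cves": ["CVE-2017-0144"]},  # inherited
]
EDR = [  # hosts with a detection agent installed
    {"computer_name": "WEB01", "ip_addresses": ["10.1.1.10"]},
    {"computer_name": "DB02", "ip_addresses": ["10.1.2.20"]},
    {"computer_name": "LAPTOP-1234", "ip_addresses": ["10.5.5.5"]},
]
# Stand-in for a known-exploited-vulnerabilities feed (constructed, not a real feed).
KNOWN_EXPLOITED = {"CVE-2021-44228", "CVE-2019-0708", "CVE-2017-0144"}
# An asset that cannot be classified is not assumed to be harmless.
TIER_WEIGHT = {"crown-jewel": 3, "important": 2, "unknown": 2}


@dataclass
class Asset:
    names: set = field(default_factory=set)    # short, lower-cased host labels
    ips: set = field(default_factory=set)      # normalised IP addresses
    sources: set = field(default_factory=set)  # which inventories saw it
    cves: set = field(default_factory=set)
    tier: str = "unknown"


def short_name(name):
    """'WEB01.corp.example.com' and 'web01' must join: lower-case, drop the DNS suffix."""
    return name.strip().lower().split(".")[0]


def norm_ips(values):
    """Keep only syntactically valid addresses; scanner exports can contain junk."""
    out = set()
    for v in values:
        try:
            out.add(str(ipaddress.ip_address(v.strip())))
        except ValueError:
            pass
    return out


def normalise(source, rows):
    """Map each source's own column names onto one record shape."""
    for r in rows:
        if source == "cmdb":
            yield {"names": {short_name(r["hostname"])}, "ips": norm_ips([r["ip"]]),
                   "tier": r["tier"], "cves": set()}
        elif source == "scanner":
            yield {"names": {short_name(r["host"])} - {""}, "ips": norm_ips([r["ip"]]),
                   "tier": None, "cves": set(r["cves"])}
        elif source == "edr":
            yield {"names": {short_name(r["computer_name"])}, "ips": norm_ips(r["ip_addresses"]),
                   "tier": None, "cves": set()}


def merge_inventories(feeds):
    """feeds: [(source_name, rows)]. Records sharing a name or an IP are one asset."""
    assets = []
    for source, rows in feeds:
        for rec in normalise(source, rows):
            asset = next((a for a in assets if a.ips & rec["ips"] or a.names & rec["names"]), None)
            if asset is None:
                asset = Asset()
                assets.append(asset)
            asset.names |= rec["names"]
            asset.ips |= rec["ips"]
            asset.cves |= rec["cves"]
            asset.sources.add(source)
            if rec["tier"]:
                asset.tier = rec["tier"]
    return assets


def exposure_report(assets, known_exploited):
    """One finding per asset that has a gap, highest risk first."""
    findings = []
    for a in assets:
        gaps = []
        if "cmdb" not in a.sources:
            gaps.append("not in CMDB: no owner, no patch process")
        if "edr" not in a.sources:
            gaps.append("no EDR agent: no detection coverage")
        hot = sorted(a.cves & known_exploited)
        if hot:
            gaps.append("known-exploited: " + ", ".join(hot))
        if gaps:
            score = TIER_WEIGHT[a.tier] * (1 + 2 * len(hot)) + len(gaps)
            label = ", ".join(sorted(a.names)) or ", ".join(sorted(a.ips))
            findings.append({"asset": label, "ips": sorted(a.ips), "tier": a.tier,
                             "score": score, "gaps": gaps})
    return sorted(findings, key=lambda f: (-f["score"], f["asset"]))


def demo():
    assets = merge_inventories([("cmdb", CMDB), ("scanner", SCANNER), ("edr", EDR)])
    return assets, exposure_report(assets, KNOWN_EXPLOITED)


if __name__ == "__main__":
    assets, report = demo()
    print(f"{len(assets)} distinct assets from 3 feeds, {len(report)} with gaps")
    for f in report:
        print(f"[{f['score']:>2}] {f['asset']:<14} tier={f['tier']:<12} {'; '.join(f['gaps'])}")
```

Run it and the unowned host at 10.1.3.77, seen only by the scanner, sorts right behind the crown-jewel web server: nobody is responsible for patching it and no agent will notice it being used, which is exactly the asset the inventory never captured but the attacker can still reach. The join rule here (shared hostname or IP) is deliberately simple; on real feeds DHCP reuse makes IP alone an unsafe key, so per-source identifiers such as MAC addresses, agent IDs or cloud instance IDs should be added to the matching before trusting the merge.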


About Rapid7

Rapid7, Inc. (NASDAQ: RPD) is on a mission to create a safer digital world by making cybersecurity simpler and more accessible. We empower security professionals to manage a modern attack surface through our best-in-class technology, leading-edge research, and broad, strategic expertise. Rapid7’s comprehensive security solutions help more than 11,000 global customers unite cloud risk management and threat detection to reduce attack surfaces and eliminate threats with speed and precision. For more information, visit our website, check out our blog, or follow us on LinkedIn or X.