
There are no fixes, only mitigations: Minimising exposure in a world of risk
Vulnerability and exposure management have never been easy. But are they about to become impossible? When Anthropic released details of its awesomely powered Mythos model back in April, CISOs recoiled in horror. Now they’ve had time to digest what comes next, are they any more hopeful?
A lively RANT roundtable hosted by Check Point proved that there will be no easy path forward. But with a relentless focus on visibility, context and remediation, there may be an opportunity to level the playing field with adversaries.
Check Point Head of Product, Ophir Bleiberg, summed up the core challenge nicely.
“How do you minimise the time from exposure to mitigation, because you can’t patch everything? We’ve come to realise it’s not a purely technical problem, it’s an organisational problem. Everyone has a different goal and visibility.”
That provoked a combination of exasperation and fatalism from the assembled crowd of cybersecurity leaders. Many agreed that siloed, incomplete data and uncoordinated SOC, vulnerability and infrastructure teams are making the problem worse than it needs to be.
“Mythos will create even more noise,” one despaired. “How do we understand the true attack paths that will hit us? How do we stop them getting to the crown jewels, because we can’t patch in time?”
The CMDB as friend and foe
Most agreed that visibility is the critical first step: understanding what assets there are in the enterprise in the first place. But none had any success stories to share.
“Vulnerability management or external attack surface management is increasingly difficult because of the way most organisations work these days,” said one CISO. “The [true attack surface] will always be unknown because everyone is concentrating just on what they know. How do you contextualise all that information to help you prioritise?”
Another agreed, adding that BYOD is making the problem worse – particularly devices owned by executives.
The CMDB should be a single source of truth for assets in the enterprise, and an ally in the fight against vulnerability exploitation. But there was heated debate over whether it’s fit for purpose in most organisations. One security leader argued that it’s impossible for the CMDB to ever truly reflect the full complement of IT assets in the enterprise. Another fired back that companies like RunZero can fingerprint every device in an organisation, so it is theoretically possible to identify “what they are, where they are and what they’re doing.”
However, the CMDB can also be a source of weakness if hackers go after it, suggested another attendee, who leads red team exercises at his organisation. “We all want a CMDB we can rely on, but we also need to look at it as an Achilles heel,” he warned.
You own it. No, you own it
Disagreements over who owns which asset and which risks to prioritise also contribute to inertia over vulnerability management, attendees argued. Many laid the blame on their peers. “I’ve never met a CISO whose idea of what’s critical is aligned to what the business thinks is critical,” said one.
“We’re just not good at translating the potential impact of small things on the business,” said another. “An exposure management tool could help us to articulate and translate that risk.”
Another blamed the business users who buy kit, often without IT’s approval, and expect the security team to take care of it. “Some people look after their systems like their own children, but some don’t. And people tend to move around, which also creates issues,” he argued.
IT is often left picking up the pieces left by careless users, another shared. Systems are put into production “riddled with vulnerabilities” which can’t be patched because taking them offline would cause “risk to life”. So the whole thing “becomes a SOC problem”, he argued.
“There is a good process which people can follow. But we have an operational tempo of ‘get it done’. So we have to react to that,” he explained. “That’s how networks become messy. They’re added to over the years. You just have to adapt. I tell people attackers will always get through.”
Mind the remediation gap
The evening eventually came full circle, with guest speaker Rob Black asking the assembled crew to share their remediation tips. Not many had practical advice – hinting at the intractability of the challenge. “There are no fixes, only mitigations,” despaired one.
“If I can’t find a device owner, I go to the CIO and tell him to either empower me to turn it off or explain that he has to accept the risk,” explained another CISO. “When you do that people get very uncomfortable very quickly. So you need the right policy and governance in place first.”
However, he was immediately shot down by another attendee. “CIOs want to move fast so they’re never going to support you,” he argued. “They don’t want to wait around for security.”
One CISO suggested that many of his peers are “going about this the wrong way” in trying to protect everything. “Get to know your core systems,” he advised. “It’s not easy, but if you focus on these, it becomes an easier problem to solve than ‘let’s protect everything.’”
Another agreed. “We’re never going to win against Mythos. Things will continue to get worse,” he argued. “We need to accept we can’t protect everything, and prioritise and segment. Put controls around it. Accept the risk will not be zero. But never go into a conversation with the board saying you’ve solved the problem, because you haven’t. Have a conversation about risk appetite.”
A third attendee pointed to resilience as the best approach. “It’s not a technology problem it’s an influence problem. We have to look at the most important business services and have a way to recover quickly if they go down,” he said.
It was down to Check Point’s Bleiberg to sum up a memorable evening.
“In the short-term, Mythos will create hell. But in the long term I’m more optimistic,” he said. “Mythos will level the playing field. The number of CVEs will do down. Technology is making it easier for the right people to collaborate in the right way.”