Government agencies are facing a dynamic threat landscape, while security teams find themselves bogged down with incongruous infrastructure, unwisely divided functions, and constraints on budget allocations.
Federal, state, and local agencies all generally adhere to the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CF). We’ve recently seen attacks against Guadalupe County, Texas; Fremont County, Colorado; and the Newport, Rhode Island, City Hall. These attacks indicate that an urgent need exists for government agencies to develop a more proactive and risk-based approach to cybersecurity than is provided through the CF alone.
Organizations invest significant resources in security technology based on the NIST CF, and those that have completed the checklist often assume they are safe—yet this often leads to leaders overlooking exploitable gaps.
Compliance frameworks are designed to assist organizations in better understanding and managing potential network and data risks, giving organizations a starting point. They were never meant to be the end-all, beat-all answer to security. Complying with these frameworks still potentially leaves gaps in the armor; they should only be one facet of a security strategy.
By way of example: the focus of NIST 800-41 is on security controls and firewalls at a network’s perimeter as well as zone-to-zone access, but what about the full spectrum of security measures needed for user identity or container security?
The lack of visibility into siloed, disparate environments across organizations has made applying compliance and vulnerability management increasingly difficult—and vulnerable to human error.
Thousands, to tens of thousands, of vulnerability alerts can come through to organizations each year, from internal and external sources. Reactive strategies centered on scanning and patching have become untenable. This means that traditional approaches based on solely considering compliance frameworks will often fail to catch modern threats.
The evolving threat landscape requires proactive, risk-based strategies beyond NIST Cybersecurity Framework compliance, using a comprehensive vulnerability management strategy. This will enable organizations to locate, classify, and manage every kind of risk across the organization’s attack surface.
Though proactive planning is multi-faceted, three critical components are necessary for a successful approach:
Exposure Analysis: Identifying exposed vulnerabilities and correlating data helps organizations determine if a system is vulnerable to attack. A key component is path analysis—which assesses the attack vectors that could be used to access systems. Through obtaining a firm grasp on the possible ways attackers may infiltrate an environment, security teams can more easily take steps to protect their assets.
Risk scoring: Proper vulnerability prioritization must take into account a broad range of risk factors. Organizations need to identify and prioritize vulnerabilities according to which assets hold the highest risk and vulnerabilities. Then they can prioritize remediation efforts by focusing on the vulnerabilities within their environment that could be most harmful to their operations if the threats are realized. Exploitability data regarding vulnerabilities and malware is also important for vulnerability prioritization. In addition to the exploitation information from the CVSS scores, intelligence around which vulnerabilities are being targeted—and which are resulting in the greatest exploitation and intrusion—should also feed into risk-based prioritization.
Visualization: This subcomponent of the overall approach involves creating a visual representation of the organization’s entire attack surface. This helps security teams gain complete visibility into all assets and zero in on how best to reduce exposure.
The fragmented nature of modern network environments—with the use of cloud-based solutions, hybrid solutions, locally hosted solutions, remote work solutions, and so on--creates new and various types and levels of risk. Organizations will need to adopt a proactive, risk-based approach to triage vulnerabilities. An approach that looks beyond simple NIST framework compliance is more likely to reduce the number of breaches compared with the traditional approach. Using a modern, proactive, risk-based approach, organizations will not only maintain compliance, they will also effectively defend themselves against threats.