With unprocessed vulnerabilities, is there a solution in CTEM?
The processing crisis at the National Vulnerability Database (NVD) has thrown the problem of relying upon vulnerability management as a primary means of defence into stark relief.
The Common Vulnerabilities and Exposures (CVE) list is widely used for security monitoring, patching and risk management, but VulnCheck analysis reveals that 93 percent of vulnerabilities, and 82 percent of those with proof of concept exploits, were not analysed by NIST in Q1 and Q2.
The backlog has had serious implications, leaving organisations flying blind, unable to quantify risk or to meet compliance requirements. While NIST has now brought in a third party to help with processing, the backlog is not expected to be cleared until the end of September, and even that may be little more than a sticking plaster on the problem, as the number of CVEs has been rising steadily year on year.
In fact, the Cyber Threat Index 2024 predicts a 25 percent rise this year, equivalent to 34,888 CVEs, or roughly 2,900 per month.
Vulnerability vs exposure
However, the preoccupation with CVEs may be misguided. The State of Exposure Management Report 2024 found the average organisation has 15,000 exposures, of which CVEs make up just one percent, prompting the question of why the security sector is still so focused on vulnerabilities rather than exposure.
Vulnerability management is predominantly concerned with mitigating risk across endpoints, servers and network devices; it relies on point-in-time assessments and periodic scans, so it is not real-time. In contrast, exposure management is far more wide-reaching and in tune with modern infrastructure, monitoring identities, credentials and permissions, misconfigurations and security controls.
Yet it is precisely this panoramic scope that can make organisations reluctant to move from vulnerability to exposure management. The sheer number of points covered can be daunting, and then there is the issue of making it workable. Security teams flag issues to IT for remediation, but without qualifying those issues in terms of their impact both departments become frustrated, so prioritisation is key.
Which pose a threat?
Close to two thirds of exposures are dead ends, so it’s important to determine where exposures pose a threat and to identify the choke points where they can be targeted for maximum protection.
Continuous Threat Exposure Management (CTEM), a term coined by Gartner, promises to help deal with these issues via a methodical five-step programme which tailors exposure management to the business.
The first stage, scoping, establishes the attack surface and identifies the high value or critical assets that need to be protected. It is followed by discovery whereby exposures are mapped across the estate.
Prioritisation then ranks those exposures in terms of how easy it is to access and exploit them and the severity of the impact were they to be realised.
Validation then tests the attack paths and identifies the action needed to counter the threats. The final stage is mobilisation, and it is only here that the IT team is called upon to act, which significantly reduces its workload. CTEM is also a continuous, cyclical process, ensuring the organisation keeps looking for and qualifying threat exposure on an ongoing basis.
Why CTEM is more efficient
CTEM focuses not just on the threat, but also the attack path, and this can make a huge difference in quantifying threats.
The State of Exposure Management report found a direct correlation between the number of hops made by an attacker and the risk to critical assets, which rose from 62 percent with one hop to 80 percent with four. What's more, attacks that then progressed from on-premises to the cloud were able to compromise critical in-cloud assets 93 percent of the time.
The points where attack paths converge can also help focus remediation efforts, giving the maximum protection for the minimum effort. These choke points may be traversed by only a few exposures, but they are crucial because an exposure sitting on one can have a devastating impact.
The same report found that while only 1.5 percent of exposures sit at a choke point, 20 percent of those can reach ten percent or more of critical assets. Of course, it is also vital to address exposures that do not pose an immediate threat, but these can be dealt with on a routine basis, such as via scheduled upgrades.
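The prioritisation step and the choke point idea above can be made concrete on a small attack graph. The following is an added worked example, not code from the article or from Integrity360: the graph, its node names and the "critical" set are constructed for illustration, and the scoring (how many critical assets are reachable through an exposure, how many are cut off entirely if it is fixed, and how many hops it sits from the entry point) is one reasonable way to rank exposures, not the method of any particular product or report.

```python
from collections import deque

# Constructed example attack graph (hypothetical, not data from any report).
# Keys are exposures or assets; an edge A -> B means "an attacker who
# controls A can move to B".
GRAPH = {
    "internet": ["vpn_weak_creds", "web_app_cve"],
    "vpn_weak_creds": ["jump_host"],
    "web_app_cve": ["jump_host"],
    "jump_host": ["svc_account_overprivileged", "legacy_printer"],
    "svc_account_overprivileged": ["domain_controller", "cloud_role_trust"],
    "cloud_role_trust": ["prod_database"],     # on-prem to cloud hop
    "domain_controller": [],
    "prod_database": [],
    "legacy_printer": [],            # reachable, but leads nowhere critical
    "orphan_cve": ["orphan_host"],   # a CVE nobody can reach from outside
    "orphan_host": [],
}
ENTRY = "internet"
CRITICAL = {"domain_controller", "prod_database"}


def reachable(graph, start, removed=frozenset()):
    """Breadth-first search: every node reachable from `start` with its hop
    count, treating nodes in `removed` as already remediated (impassable)."""
    hops = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt in removed or nxt in hops:
                continue
            hops[nxt] = hops[node] + 1
            queue.append(nxt)
    return hops


def dead_ends(graph, entry, critical):
    """Exposures the attacker cannot reach at all, or can reach but from
    which no critical asset is reachable. These are the routine-maintenance
    backlog, not the priority list."""
    from_entry = reachable(graph, entry)
    result = set()
    for node in graph:
        if node == entry or node in critical:
            continue
        downstream = set(reachable(graph, node)) & critical
        if node not in from_entry or not downstream:
            result.add(node)
    return result


def choke_points(graph, entry, critical):
    """Score every reachable, non-critical node by:
    reach   - critical assets an attacker can get to *through* this node
    cut_off - critical assets that become unreachable if this node is fixed
              (a true choke point severs paths rather than just sitting on one)
    hops    - distance from the entry point (fewer hops = earlier in the path)."""
    from_entry = reachable(graph, entry)
    baseline = set(from_entry) & critical
    scores = {}
    for node, hops in from_entry.items():
        if node == entry or node in critical:
            continue
        via = set(reachable(graph, node)) & critical
        after_fix = set(reachable(graph, entry, removed={node})) & critical
        scores[node] = {"hops": hops, "reach": len(via),
                        "cut_off": len(baseline - after_fix)}
    return scores


def prioritise(graph, entry, critical):
    """Remediation order: exposures that sever the most critical assets first,
    then widest reach, then closest to the attacker. Reachable dead ends
    (reach 0) naturally sort last."""
    scores = choke_points(graph, entry, critical)
    return sorted(scores, key=lambda n: (-scores[n]["cut_off"],
                                         -scores[n]["reach"],
                                         scores[n]["hops"]))


if __name__ == "__main__":
    scores = choke_points(GRAPH, ENTRY, CRITICAL)
    for node in prioritise(GRAPH, ENTRY, CRITICAL):
        print(f"{node:28s} {scores[node]}")
    print("dead ends:", sorted(dead_ends(GRAPH, ENTRY, CRITICAL)))
```

In this graph the two internet-facing exposures (weak VPN credentials and the web application CVE) both lead to every critical asset, yet neither is a choke point: fixing one leaves the other path open. The jump host and the over-privileged service account are where the paths converge, so fixing either severs both critical assets at once, which is why they rank first. The orphaned CVE never appears in the ranking at all: it is a dead end, exactly the kind of finding a CVE-only view would still flag as urgent.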
CTEM therefore makes exposure management both more achievable and less laborious. It needn’t be built from scratch, but can draw upon existing investment in external attack surface management, cyber asset management, attack path management, digital risk protection, and vulnerability assessment and management. Yet ultimately it moves threat mitigation on because it provides a proactive approach.
CVEs are of course important, but chasing them one by one places the organisation in a reactive stance, increasing the likelihood of a threat being realised.
In contrast, Gartner anticipates that organisations that adopt a CTEM approach will be three times less likely to suffer a breach by 2026. So perhaps the NVD backlog will be the hiatus needed to refocus efforts on the attack surface, and in so doing could create the impetus needed to kickstart CTEM.
Written by
Brian Martin
director of product management, Integrity360