A 360-degree view of cybersecurity for peace of mind
Exposure management helps businesses reckon with threats beyond simple vulnerabilities
Phishing? Ransomware? Distributed denial of service? What is the worst kind of attack a company can suffer? Brian Martin, director or product management at cyber security specialists Integrity360, said that in today’s threat landscape the real question was more how can you manage the possible threats.
“We see the most important thing people can do now as moving toward exposure management,” he said.
Company name: Integrity360
Year founded: 2005
Number of staff: 500, including over 300 cyber security professionals
“Yes, you do need to make sure all your systems are patched and up to date, and it’s true that that's a constant race. But the thing is that vulnerabilities are only one kind of exposure; there are all sorts of other kinds of exposure,” he said.
Other kinds of exposure that need to be accounted for include misconfiguration of systems, for example, or poorly thought-out access controls and permissions.
“Quite often breaches happen because someone has misconfigured a system: over 95 per cent of breaches in the cloud are due to user misconfiguration,” he said.
“Another is identities and permissions: people may have excessive permissions or simply be added to groups. Cached credentials are also a real problem,” he said.
If there is an overarching theme to exposure management, then, it is that it takes account not only of the technology, but also the human factors involved in security. After all, technology is really only half of the picture.
“The human side is another exposure, and realistically should be part of an exposition management programme as people can be fooled with phishing or social engineering,” he said.
Attacks that target humans as the weak link are something we can expect to grow, too, particularly as artificial intelligence (AI) is added to criminals’ toolboxes.
“With the advent of AI, a lot of info can be gathered about people and [more] realistic approaches made.
Ultimately, exposure management is a process that means flipping the script on cybersecurity, Martin said.
It’s increasingly becoming a conversation and a way of thinking, but that said, most organisations are doing it in a bit of a piecemeal manner
Rather than saying ‘I've got a vulnerability management programme and I'll do training and education’, it all needs to be looked at holistically,” Martin said.
The most progressive companies have already started to do so, he said: “It’s increasingly becoming a conversation and a way of thinking, but that said, most organisations are doing it in a bit of a piecemeal manner,” he said.
Of course, the context for this is a global talent shortage in cyber security, not to mention spiralling cost and complexity for those businesses that seek to manage it internally.
“Most organisations just can't cope with it, the sheer depth and breadth of knowledge that is required for security. It's not that they are trying to outsource the worry, but they are looking for help,” Martin said.
However, IT departments in businesses do need to communicate the importance of security including the idea of exposure management, even if it is handled by a service provider or partner.
“I think education and awareness matter, also. Organisations tend to have set up their structures and silos: different people and different groups have different responsibilities. It needs support from the top to get to exposure management,” said Martin.
Notably, analysts such as Gartner certainly think exposure management is the next step, he said.
“If you look at the Gartner Hype Cycle for security operations, if you look at what's coming down the track, most of it is about exposure management”.
This is an important shift, Martin said, as it recognises the real nature of the threat businesses are faced with.
“There has been a huge focus, in recent years, on detection and response. Now it seems the focus is shifting to making sure that these exposures aren’t there or at least are drastically reduced,” he said.