Like many of you, I’ve just gotten back from Black Hat USA 2017. Black Hat was the best conference I’ve ever attended—the energy, the level of interest was unlike anything I’ve ever experienced. I spent three solid days talking with security staff of all levels, and they are wrestling with two distinct buckets of problems:
Vulnerabilities: This includes thousands of alerts a day generated by a host of cyber defense solutions designed to tell you all the patching, plugins, and other issues in your environment. The Verizon 2017 DBIR helps us understand that a ‘normal’ organization only completes 61% of its patching processes. Misconfigurations, exposed user credentials, and other vulnerabilities all serve to expand the attack surface and make the job of defending harder.
Threats: Symantec claims that 1,000,000 new versions of malware are released every day. While many of these are slightly modified versions of what is already out there, whether it’s 1,000,000 or 100, it is too many for any security organization to reasonably understand and plan for. Beyond malware, serious threats such as social engineering and fileless malware further complicate the threat landscape by using harmless OS services and utilities to compromise a system.
In theory, security teams should have an immediate fix for every vulnerability, and they should have an antidote to every single threat. This is not possible. But here’s why it’s also not necessary: First, not every vulnerability represents a danger to your systems. You may have other controls in place that mitigate the vulnerability. Second, not every threat can do damage to your environment—if you aren’t running XP machines, WannaCry is benign. So if 100% coverage of all vulnerabilities and threats isn’t necessary, what IS necessary?
Introducing “Exploitabilities.” At Nehemiah Security, we are defining this as the intersection of a vulnerability and a threat.
In the physical world, we can equate this to an open office window. Yes, someone could come in through an open office window and steal office supplies. However, if you are on the 17th floor of the building, that changes things. To manage this vulnerability, one only needs to be concerned about a threat that can reach that high. A CISO’s ability to filter vulnerabilities and focus only on those that are exploitable by specific threats makes the to-do list more manageable and actionable. Exploitabilities cut through the noise and focus your organization on your most pressing security issues (plus the word is worth 27 points in Scrabble!).
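To make the "intersection of a vulnerability and a threat" idea concrete, here is a small triage model written for this post. It is an added illustration, not code from Nehemiah Security or from AtomicEye RQ. A vulnerability is exploitable only when a threat can reach it (the threat targets the platform the host runs and matches how the vulnerability is exposed, the "17th floor" test) and no control already in place neutralizes that threat. All vulnerability IDs, host names, platform labels, control names and threat names below are constructed sample data, not real identifiers.

```python
"""Filter a vulnerability list down to exploitabilities.

An exploitability exists only where a vulnerability and a threat intersect:
the threat can reach the vulnerable host and nothing already mitigates it.
All sample data is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str                    # constructed label, not a CVE
    host: str
    platform: str                   # OS the affected host runs
    exposure: str                   # "network" (reachable remotely) or "local"
    mitigating_controls: frozenset  # controls already deployed on this host


@dataclass(frozen=True)
class Threat:
    name: str
    affected_platforms: frozenset   # platforms this threat can actually hit
    required_exposure: str          # how far the threat can "reach"
    defeated_by: frozenset          # controls that neutralize this threat


def is_exploitable(vuln: Vulnerability, threat: Threat) -> bool:
    """True only when the threat can reach the vulnerability and no
    existing control on the host stops it."""
    if vuln.platform not in threat.affected_platforms:
        return False                # wrong platform: threat can't use it
    if vuln.exposure != threat.required_exposure:
        return False                # threat can't reach that "floor"
    if vuln.mitigating_controls & threat.defeated_by:
        return False                # an existing control already mitigates it
    return True


def exploitabilities(vulns, threats):
    """Return (vuln_id, host, threat name) for every real intersection."""
    return [(v.vuln_id, v.host, t.name)
            for v in vulns for t in threats if is_exploitable(v, t)]


def prioritized_todo(vulns, threats):
    """Map each exploitable vulnerability to the threats that reach it,
    most-threatened first. Vulnerabilities no threat reaches are dropped."""
    todo = {}
    for vuln_id, _host, threat_name in exploitabilities(vulns, threats):
        todo.setdefault(vuln_id, []).append(threat_name)
    return dict(sorted(todo.items(), key=lambda kv: -len(kv[1])))


# Constructed sample inventory (hypothetical hosts and labels).
SAMPLE_VULNS = [
    Vulnerability("VULN-1", "fileserver-01", "windows-xp", "network", frozenset()),
    Vulnerability("VULN-2", "workstation-07", "windows-10", "network", frozenset()),
    Vulnerability("VULN-3", "fileserver-02", "windows-xp", "network",
                  frozenset({"smb-blocked-at-firewall"})),
    Vulnerability("VULN-4", "laptop-12", "windows-10", "local", frozenset()),
]

# Constructed sample threat catalogue (hypothetical threat classes).
SAMPLE_THREATS = [
    Threat("smb-worm", frozenset({"windows-xp"}), "network",
           frozenset({"smb-blocked-at-firewall"})),
    Threat("macro-dropper", frozenset({"windows-10", "windows-xp"}), "local",
           frozenset({"macros-disabled"})),
]

if __name__ == "__main__":
    for vuln_id, threats in prioritized_todo(SAMPLE_VULNS, SAMPLE_THREATS).items():
        print(f"{vuln_id}: exploitable by {', '.join(threats)}")
```

Of the four sample vulnerabilities, only two survive the filter: the unpatched XP file server reachable over the network, and the workstation where a locally delivered dropper has no control standing in its way. The second XP server carries the same weakness but is dropped because the firewall rule already defeats the only threat that targets it, which is exactly the "other controls in place" case described above. In a real program the platform, exposure and control fields would come from your asset inventory and the threat fields from your intelligence feed; the model stays the same.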
The savvy security operator is now wondering, “How can I filter my vulnerabilities and threats down to exploitabilities?” This has been a focus area for Nehemiah Security. With AtomicEye RQ, we can create a virtualized emulation of your environment—one that constructs a virtualized, high-fidelity replica of how your production systems operate. RQ unleashes a comprehensive, exhaustive series of malware attacks on this core emulation using real malware allowed to run to completion. Then we analyze the resulting cyber damage. Each instance of damage represents an exploitability—a real vulnerability in your system that was really breached by a real piece of malware resulting in real damage. No hypotheticals here.
When working with our clients, we really enjoy the moment when we are able to light up their cloned environment with their exploitabilities. This generates a constantly evolving, actionable data set that CISOs can use to prioritize their investments in cybersecurity to make their company and data more secure. AtomicEye RQ enables organizations to overlay business risk models on top of the IT architecture, providing a clearer picture of the dependencies between the two.
We are introducing exploitabilities and promoting it in the industry to help security leaders simplify and focus on the things that matter to them. Right click on the word and add it to your dictionary because you will hear more about it. We are also introducing AtomicEye RQ as a way to help security organizations put this concept into action. Contact us today to learn more.