top of page

Moving Beyond 'Scan and Patch' for Continuous Exposure Management

We sat down with Howard Goodman, Technical Director at Skybox Security, to delve into the pressing issues of cybersecurity in an era of escalating digital threats. Goodman sheds light on the implications of the increasing number of Common Vulnerabilities and Exposures (CVEs), offers insights into evolving best practices in the industry, and more.

Skybox Security

How does the increasing number of CVEs (Common Vulnerabilities and Exposures) reported each year reflect on the overall state of software development and cybersecurity?

The increasing number of Common Vulnerabilities and Exposures (CVEs) reported each year reflects several key aspects of the overall state of software development and cybersecurity. Firstly, it underscores the growing complexity of modern software systems. As software becomes more intricate and interconnected, the potential attack surface also expands, leading to the discovery of more vulnerabilities. This trend indicates that developers are continually pushing the boundaries of what software can achieve, but it also means that they must grapple with an increasingly challenging task of securing these complex systems.

Additionally, the rise in CVEs highlights the increased scrutiny and awareness of cybersecurity issues. As cybersecurity threats become more prevalent and sophisticated, organizations and security researchers are more vigilant in identifying and reporting vulnerabilities. This heightened awareness is a positive development as it encourages a proactive approach to security, emphasizing the importance of finding and addressing vulnerabilities before they can be exploited by malicious actors.

In light of the continuous rise in CVEs, what are some strategies and best practices that organizations can adopt to effectively mitigate the risks associated with software vulnerabilities, especially when immediate patching may not always be feasible?

In the face of the continuous rise in CVEs and the challenges associated with immediate patching, organizations can adopt several strategies and best practices to effectively mitigate the risks associated with software vulnerabilities. Organizations should prioritize a proactive and comprehensive vulnerability management program. This involves regularly scanning and assessing their software and systems for vulnerabilities using automated tools and manual testing. By having a clear understanding of their vulnerability landscape, organizations can prioritize their efforts and allocate resources to address the most critical issues.

Organizations should also implement robust security controls such as intrusion detection systems, firewalls, and network segmentation to limit the exposure of vulnerable systems. Network segmentation, in particular, isolates critical systems from less secure parts of the network, reducing the attack surface and the potential impact of vulnerabilities.

Another important strategy is to establish a well-defined incident response plan. This plan should outline the steps to take when a vulnerability is discovered, including how to assess the risk, implement temporary mitigations, and communicate the issue both internally and externally. Having a well-prepared response significantly reduces the time it takes to address vulnerabilities effectively.

What are the key challenges and limitations associated with the traditional approach of "scan and patch" in managing cybersecurity threats? 

The traditional "scan and patch" approach in managing cybersecurity threats presents several key challenges and limitations. Among these challenges is the issue of timing, as the process of scanning for vulnerabilities, identifying them, and subsequently applying patches can be time-consuming. In the fast-paced world of cybersecurity, the gap between vulnerability discovery and exploitation can be very short, leaving organizations vulnerable during this window of exposure.

Another challenge is patch compatibility. Applying patches sometimes leads to unforeseen compatibility issues with existing software or systems, causing disruptions in critical operations. Organizations must carefully test patches before deployment, which further extends the time to remediation. Large organizations often have diverse and interconnected systems, making it challenging to identify all vulnerable assets accurately. The sheer volume of patches that need to be managed can be overwhelming and ensuring that every system is adequately patched can be a daunting task, which is why prioritization based on the risk to the organization is so important.

Resource constraints are another limitation. Smaller organizations may lack the personnel and infrastructure needed to conduct thorough scans and apply patches promptly. They may also struggle with limited budgets for cybersecurity, which can hinder their ability to invest in advanced scanning tools and automated patch management systems.

How might AI contribute to improving the security of software development processes and the reduction of vulnerabilities in code? Are there any potential limitations or risks associated with relying on AI for this purpose?

AI holds significant promise in enhancing the security of software development processes and reducing vulnerabilities in code. AI-powered tools and techniques continuously analyze code to identify potential vulnerabilities, helping developers catch and remediate issues early in the development lifecycle. 

AI also plays a crucial role in threat detection and response by monitoring network traffic and system behavior for anomalous patterns, helping to identify potential attacks or exploitation attempts promptly. This proactive approach helps organizations detect and respond to threats before they escalate, enhancing overall security.

However, it's essential to recognize potential limitations and risks associated with relying solely on AI for cybersecurity. One limitation is the possibility of false positives and false negatives in vulnerability detection. AI systems might flag non-issues as vulnerabilities or miss genuine threats due to the complexity of code and evolving attack techniques. This necessitates human oversight and validation to avoid wasting resources on false alarms or overlooking actual vulnerabilities.

What can organizations do to move beyond scan and patch and adopt a more holistic view of their attack surface and security vulnerabilities?

Through the implementation of a continuous threat exposure management program, organizations complement their periodic scanning routines with intelligence harnessed from a comprehensive understanding of their susceptible assets within the infrastructure. This intelligence is further enriched by insights obtained from threat feeds.

By adopting this methodology, organizations proactively prioritize their response efforts by identifying and addressing the most critical vulnerabilities first. This risk-based prioritization enables more frequent assessments for emerging threats, effectively bridging the gap between scheduled scans. Moreover, it allows for timely mitigation strategies without causing undue disruptions to daily operations. 

This approach also represents a shift away from the restrictive "scan and patch" mindset, allowing organizations to proactively and continuously monitor their complete digital landscape in real-time. By perpetually evaluating their attack surface and vulnerabilities, organizations can maintain a proactive stance against emerging threats, efficiently allocate resources for remediation, and ultimately fortify their overall cybersecurity posture.


bottom of page