Security expert calls for a shift in vulnerability management
Vulnerabilities in network systems are not only increasing in volume, but also wreaking havoc across networks and resulting in substantial loss. Moreover, these vulnerabilities are being exploited in efforts to expose credentials, placing even more pressure on information security professionals.
Speaking at the 18th annual ITWeb Security Summit last week in Johannesburg, Oren Kaplan, senior director, MEA at Pentera, said that while information security professionals can never prevent the presence or growth of vulnerabilities, they can change the way they view their cyber security environment and security validation.
Pentera specialises in automated security validation and its mission is to put an end to ‘the perpetual lag in cyberthreat detection, remediation, and mitigation’. The company, which was founded in 2015 in Israel, believes that security testing should be as real-world as the threat of attack, and that sporadic simulations leave companies at risk even as they increase their cyber security spend. Its Automated Security Validation platform is intended to let businesses ascertain their actual security posture rather than infer it from the controls they have deployed.
Kaplan said validation lies at the core of exposure management in cyber security, especially in the ability to curb credential exposure, including compromised passwords, usernames and other authentication secrets. “Credential exposure is on the rise … In 2021 there were 24 billion leaked credentials in circulation.”
No such thing as patch perfection
Kaplan said patch management is important and must be done, but does not represent a total solution. He added that there are cyber security vendors who promise patch perfection, the ability to patch any and all vulnerabilities. This, he said, is impossible.
“In 2022 there were 26 000 vulnerabilities… There is no way to be patch perfect and be able to patch every vulnerability.”
Kaplan stressed that throwing money at the problem does not work.
“A Pentera study of three hundred CISOs found that 85% confirmed that budgets are growing… but cyber security spend compared to the cost of loss incurred through data breaches shows that no matter how much is spent, the loss is exponential… There has to be a change from this vulnerability-centric approach and the way we deal with vulnerabilities.”
Pentera’s advice to the market is to automate validation tests in order to defend against automated attacks, to validate everything, and to test the layers of security continuously: not in a siloed, ad-hoc fashion, but all layers together on a regular basis.