Hadi Jaafarawi, Managing Director for the Middle East at Qualys explains how organizations can improve their security posture by focusing on five key areas
Trust. Every brand needs it, but not all have it. Any number of things can tarnish the market’s view of a business, but most boil down to broken promises — late deliveries, poorly described products, and mismanaged upgrades. And data breaches. Regulatory compliance aside, it is implicitly understood that any company holding customer data takes responsibility for its safety.
Now if only threat actors would play along and leave enterprises and their customers to conduct commerce in peace, the UAE, its Gulf neighbours, and everybody else across the region would be able to innovate without investing in more and more advanced cybersecurity. Regrettably, cybergangs are not on board. And so, every CXO must find ways of managing risk that can be effectively communicated down the corporate chain of command and turned into a playbook that everyone can understand.
Fortunately, I have data to share that will help. Qualys’ Threat Research Unit (TRU) examined trillions of anonymized data points across our customers’ technology environments and found the biggest risk areas for businesses. If your Security Operation Center (SOC) focuses on these areas, you will see an improvement in your security posture — less risk, smaller attack surface, and, most importantly, greater trust from your customers.
In 2022, 25,228 new vulnerabilities were added to the CVE (Common Vulnerabilities and Exposures) list, but only 93 were exploited by malware — about 0.37% or one in every 271 vulnerabilities. What matters here is not the raw numbers, but their context. If any of the vast majority of unexploited vulnerabilities would cause great harm to your individual business, then you should address it. Why wait for threat actors to make a move when you can get ahead of them? But in the main, it makes more sense to prioritize exploited vulnerabilities that (a) are present in your technology stack and (b) have a fix available.
In 2022, we saw the gap between attacker and defender agility. Cyber-cabals took an average of 19.5 days to leverage vulnerabilities, but the SOC took 30.6 days to patch them. That 11.1-day dwell time is more than enough for nefarious individuals to use technologies like AI to do, or at least lay the groundwork for, lasting damage. So, it is critical that security teams prioritize the issues that pose unique risk to the organization.
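The prioritization rule from the two paragraphs above, turned into a small triage routine as an added example (not code from Qualys or the article): exploited, present and fixable first, then unexploited findings that would cause great harm, and a flag for anything older than the 19.5-day attacker window the article cites. The finding fields, the impact scale and the placeholder CVE ids are assumptions.

```python
from dataclasses import dataclass
from datetime import date

ATTACKER_AVG_DAYS = 19.5  # average time-to-exploit cited in the article


@dataclass
class Finding:
    cve: str                # placeholder ids below are constructed, not real CVEs
    exploited_in_wild: bool  # e.g. from a known-exploited / malware feed
    present_in_stack: bool   # confirmed against the asset inventory
    fix_available: bool      # vendor patch or upgrade exists
    business_impact: str     # assumed scale: "high", "medium", "low"
    published: date


def priority(f: Finding) -> int:
    """Lower value = act sooner. 4 means 'not in our stack, track only'."""
    if not f.present_in_stack:
        return 4
    if f.exploited_in_wild and f.fix_available:
        return 0  # exploited, present, fix available: patch now
    if f.exploited_in_wild:
        return 1  # exploited but no fix yet: compensating controls
    if f.business_impact == "high":
        return 2  # unexploited, but would cause great harm if it were
    return 3


def past_attacker_window(f: Finding, today: date) -> bool:
    """True when the finding has been public longer than attackers typically need."""
    return (today - f.published).days > ATTACKER_AVG_DAYS


def triage(findings, today):
    """Return (cve, priority, overdue) tuples, most urgent first; excludes items not in the stack."""
    queue = sorted((f for f in findings if priority(f) < 4),
                   key=lambda f: (priority(f), f.published))
    return [(f.cve, priority(f), past_attacker_window(f, today)) for f in queue]


# Constructed sample inventory; ids and dates are made up for illustration.
SAMPLE = [
    Finding("CVE-0000-0001", True, True, True, "medium", date(2022, 3, 1)),
    Finding("CVE-0000-0002", False, True, False, "high", date(2022, 3, 20)),
    Finding("CVE-0000-0003", True, False, True, "high", date(2022, 3, 5)),
    Finding("CVE-0000-0004", True, True, False, "low", date(2022, 3, 25)),
    Finding("CVE-0000-0005", False, True, True, "low", date(2022, 3, 28)),
]
TODAY = date(2022, 4, 1)

if __name__ == "__main__":
    for cve, prio, overdue in triage(SAMPLE, TODAY):
        print(cve, "priority", prio, "past attacker window" if overdue else "")
```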
The Arab Gulf region still faces a skills gap in the SOC. Smaller teams are well served by automation of humdrum tasks. Machine intelligence works around the clock, more quickly and more accurately. It never forgets to check for a patch and will not skip an important step for convenience or because it is overworked. Automated patching, therefore, leads to decreased dwell time. Qualys data showed patches that were viable for automatic deployment were implemented 45% more often and 36% faster than those that had to be done manually. The MTTR (mean time to remediation) for automated patches was 25.5 days compared with 39.8 days for manual patches.
Do not forget external risks
Many threat actors look for an entry point in devices or platforms accessible via the Internet. Of these routes, attackers consistently focus on three. The first is unpatched Internet-facing services. The second is poorly managed credential policies, such as default passwords that have yet to be updated, or stolen or leaked credentials that have not been identified as such. The third is the now-classic spear-phishing campaign that targets employees with privileged access.
If you regularly read about cybersecurity, by now the experts’ advice on “visibility” must be ringing in your ears. The attack surface is reduced through visibility, as is IT complexity. Mitigation times are slashed by being able to see what the attacker sees. The external attack surface is a busy sphere in today’s threat climate. You neglect it at your own risk.
Monitor Web apps
Web apps are honeypots to attackers because they often contain sensitive information that can be used for infiltration. Many of these apps contain such information even when they are not critical systems. As such, they can be overlooked by security teams. In our anonymized data, we scanned more than 200,000 publicly accessible Web applications. We found almost 65,000 occurrences of malware injection in client browsers, with goals ranging from the stealing of payment-card information and credentials to the mining of cryptocurrency and the redirecting of users to unsafe websites.
Web applications are a classic source of vulnerabilities and configuration errors. They must be adequately monitored, and their leaks plugged. The best way to ensure this is to require greater collaboration between DevOps teams and the SOC so that security is planned rather than patched.
Configure with care
An incorrectly configured system is as risk-riddled as one filled with software vulnerabilities. And unfortunately for the newly migrated region, cloud environments suffer the most from misconfiguration. Cloud services are subject to the shared-responsibility model, in which providers and customers each take care of security aspects.
Some good news here is that reinventing the wheel is unnecessary. Best practices for security already exist and are applicable throughout the IT lifecycle. The Center for Internet Security Benchmarks provides a strong way forward when addressing misconfigurations and offers advice spanning many different technology setups. Working through these points, security teams will soon find their environment is up to code.
Given the pressures from consumers, employees, and regulators, it is imperative that every regional enterprise moves towards a greater formalization of its security function. Trust is hard won but easily lost. But ultimately, it is better to struggle now to keep that which is precious than to drift along in the hope that threat actors overlook the holes in your battlements.