Ivanti Blog: Posts by

Understanding Risk Appetite – a Critical Component of Exposure Management

Mon, 10 Feb 2025 14:44:03 Z

Risk is inherent in any business. It’s how an organization understands and manages it that makes all the difference.

From operational challenges to market volatility, regulatory changes and technological advancements, companies face a spectrum of uncertainties that could either generate growth or lead to losses.

To effectively manage them, a business needs to set out a framework that helps it determine just how much risk it’s willing to accept in pursuit of its objectives. This is where the concept of "risk appetite" comes into play.

But to define its risk appetite, a company has to see and understand all the risks it faces. And for security teams that are laying the groundwork for their exposure management strategy, defining their organization’s risk appetite is a critical step.

What is risk appetite?

Risk appetite is the level of risk an organization is willing to accept in pursuit of its objectives. Defining it sets boundaries for the organization regarding what risks it will take and to what degree. A high risk appetite means being open to accepting greater risks for possibly higher rewards, while a low risk appetite means the organization prefers reducing risk as much as possible.

Consider a tech startup that wants to invest in cutting-edge research and development. It may adopt a higher risk appetite to achieve disruptive, breakthrough innovations, knowing that the potential rewards are worth the uncertainty. Conversely, a large, well-established corporation might have a lower risk appetite, focusing on steady growth while avoiding projects that could significantly harm its market position or reputation.

Risk appetite is both quantitative and qualitative

Risk appetite is never static; it’s a dynamic measure that should be adjusted based on factors such as industry, company size and health, strategic objectives, regulatory requirements and the overall market environment.

Nor is it just about the numbers: risk appetite is a blend of both quantitative and qualitative factors.

On one hand, a business may have measurable elements like how much loss it’s willing to tolerate, its debt ratios and what kind of return on investment (ROI) it’s shooting for. It may also have subjective aspects to consider, such as the potential effect on company reputation, ethical considerations and how well its decisions align with its core values.

Why is it important to define risk appetite?

Nearly any organization that wants to succeed has to take calculated risks. But without a clear understanding of its risk appetite, it can wander into inconsistent, reactive or overly cautious decision-making. That can lead to missed opportunities or business losses. Here's why defining risk appetite is essential:

To align strategy and risk management

Having a clearly defined risk appetite provides a strategic framework that aligns risk management practices with overall business goals. When an enterprise knows how much risk it is willing to accept, it can pursue opportunities that match its risk appetite while avoiding others that might expose it to undue risk.

To improve decision-making

Defining risk appetite allows leaders and managers to make informed decisions by clearly understanding what constitutes an acceptable risk. It also sets expectations for both risk-taking and risk-avoidance behaviors across the organization, helping managers evaluate risk/reward trade-offs in different scenarios.

To build stakeholder confidence

A clearly defined risk appetite reassures investors, regulators, employees and other stakeholders that the organization prioritizes risk management. It also demonstrates a methodical, trustworthy approach to balancing risk against reward, further shoring up stakeholder confidence.

To promote consistency

When everyone in an organization “gets the memo” on how much risk is permissible, that helps them make consistent decisions because they all understand what's an acceptable gamble. This means there’s less chance of working at cross-purposes or even pulling in opposite directions. For instance, a legal department might put the brakes on a marketing team’s Big Idea if they don’t share the same notion of acceptable risk.

To support effective risk monitoring

When companies define their risk appetite, they can set up systems to monitor risk levels across the entire enterprise, from finance to operations. Thus, they’re able to spot potential issues early and ensure activities stay within the boundaries of what’s seen as safe — or at least acceptable. Setting and monitoring key risk indicators (KRIs) provides early warnings if somebody is coming too close to those boundaries.

How does a company define its risk appetite?

Typically, an organization does this by drafting a risk appetite statement (RAS). The first parts of an RAS lay out the company’s strategic objectives and the risks involved.

A company might want to become the leading software provider in their industry. They should list the strategic objectives that are vital to reaching that goal and also list the risks associated with them. For instance, Ivanti is in the business of delivering cloud-based IT services and security management solutions. That means it’s incumbent on us that our risk appetite statement catalogs all the risks involved in that line of business and explains how we’ll manage them.

Here’s an example of how one section of a risk appetite statement might look for a software provider:

General Risk Appetite

[Company XYZ] adopts a balanced approach to risk, recognizing that not all risks are equal and that some level of risk is necessary to achieve our strategic goals.

Innovation Risk We have a high risk appetite for investing in advanced technologies and innovative solutions that differentiate our products in the competitive landscape. We understand this requires accepting a degree of uncertainty in R&D and product development.

Operational Risk We maintain a low to moderate risk appetite. While striving for operational excellence, we prioritize initiatives that improve efficiency and service quality without compromising our delivery standards.

Security Risk We have an extremely low risk appetite for security threats and breaches. Our commitment to network security and data protection is paramount, and we invest substantially in safeguarding our systems and our clients’ data.

Compliance Risk We have a low risk appetite for non-compliance with legal and regulatory requirements. Ensuring adherence to relevant laws, standards and best practices in all operational areas is critical.

General Risk Appetite [Company XYZ] adopts a balanced approach to risk, recognizing that not all risks are equal and that some level of risk is necessary to achieve our strategic goals.
Innovation Risk	We have a high risk appetite for investing in advanced technologies and innovative solutions that differentiate our products in the competitive landscape. We understand this requires accepting a degree of uncertainty in R&D and product development.
Operational Risk	We maintain a low to moderate risk appetite. While striving for operational excellence, we prioritize initiatives that improve efficiency and service quality without compromising our delivery standards.
Security Risk	We have an extremely low risk appetite for security threats and breaches. Our commitment to network security and data protection is paramount, and we invest substantially in safeguarding our systems and our clients’ data.
Compliance Risk	We have a low risk appetite for non-compliance with legal and regulatory requirements. Ensuring adherence to relevant laws, standards and best practices in all operational areas is critical.

The RAS should define the risks that would have the greatest impact on the organization, not everyday risks that are simply part of doing business. It ought to account for multiple risk scenarios; for instance, a specific strategy may entail supply chain risk, such as the effects of being locked into a vendor or the dangers of regulatory exposure if a supplier mishandles customer data.

It should also define the amount of financial risk a company is willing to take on. If its objectives include offering a new product or service, there's always a chance of failure in the marketplace.

Components of risk appetite

These are key factors that have to be considered in defining risk appetite:

Risk capacity

This refers to the maximum amount of risk that an organization can bear. Financial resources, operational capabilities and regulatory constraints decide this. And risk capacity differs from risk appetite: an organization may have the capacity to take on a certain level of risk but might choose not to, based on its risk appetite.

Risk tolerance

Whereas risk capacity is about how much risk an organization can withstand, risk tolerance is an acceptable deviation from its target. It may even set different tolerances for different areas. For example, an organization might be good with taking a chance on a new product, but risk-avoidant about managing customer data.

Risk thresholds

We’ve mentioned risk monitoring and KRIs above, as they’re used to keep a company from crossing risk thresholds — the “red lines” that represent too much risk. Crossing a risk threshold might require a change in plans, increased safety measures or even a complete halt to what they’re doing.

Related: Ivanti Research Report: Aligning Perspectives: Cyber Risk Management in the C-Suite

Why is risk appetite important in exposure management?

Once upon a time, mitigating digital risk was much simpler than it is today. That’s because most large organizations’ attack surfaces have vastly expanded over time. The addition of more devices and applications, used by employees in more places, have transformed the workplace and expanded the digital threat landscape.

It’s one reason why Ivanti research found that more than half of IT professionals are not very confident they can prevent a damaging security incident in the next 12 months. More than one in three even say they’re less prepared to detect threats and respond to incidents than they were a year ago.

Traditional vulnerability management has long been focused on reactively remediating software and hardware vulnerabilities and other CVEs, but usually only applies intermittent scans. But today’s cyberthreat scenario demands a new approach.

Modern exposure management is focused on continually, proactively finding and remediating risks and vulnerabilities across the entire digital attack surface. That’s whether they arise from exposed IT assets, unsecured endpoints and applications, cloud-based resources or other vectors. What makes exposure management and risk appetite so intertwined?

Assessing exposure according to acceptable risk levels: Exposure management involves quantifying the risk levels associated with different exposures. By defining acceptable risk, organizations can compare the possible impact of different risks with their risk appetite.
Deploying resources based on risk: Organizations must prioritize which exposures pose the greatest threat to their strategies – an assessment they can only make with a clear understanding of their risk appetite. That prioritization lets them concentrate resources on mitigating the most critical ones, often with the help of an advanced RBVM tool.
Adjusting risk appetite: As a business environment changes or new risks emerge, risk appetite may need to be adjusted. The data and insights organizations uncover as part of their exposure management practice help them make informed decisions around such adjustments.
Ensuring compliance: Many industries have regulatory requirements related to risk management, which in turn influence an organization’s risk appetite. Exposure management involves identifying and addressing risks that could cause non-compliance.

Related: Ivanti Research Report: Attack Surface Management

Looking at security risk through the lens of exposure management

A notable difference between exposure management and other security practices is that exposure management includes not just prioritizing remediation of the risks that pose the most risk to the organization, but actively defining which risks fall within an organization’s risk tolerance. For example, an e-commerce company may be willing to accept heightened security risks in order to keep their site functional on Black Friday – the tradeoff is worth it to them.

Instead of viewing every potential risk as a crisis that needs instant remediation, organizations need to prioritize them based on business needs. In this framework, most risk isn’t bad: it’s about how you react to it, control it and mitigate it to bring it to an acceptable level.

The Five Ws (and H) of Exposure Management

Wed, 22 Jan 2025 17:10:20 Z

The Five Ws and H — who, what, when, where, why and how — have long been used as a checklist in journalism to make sure a story covers every piece of essential information. The same concept is employed here to make sure all the essential information about exposure management is covered in this post.

Read on for a better understanding of exposure management (the Five Ws) and actionable guidance for implementing it (the H).

Who

Who invented exposure management?

The term “exposure management” has been used in various contexts for decades, though it’s unknown when it was first used within the context of cybersecurity. That being said, exposure management is an evolution of vulnerability management, so it’s not an entirely new concept within the cybersecurity space but rather a reimagining of a preexisting practice.

Exposure management started gaining popularity in the cybersecurity space in 2022 as analyst firms began publishing research reports on the topic and vendors began releasing exposure management products and services.

Who benefits from exposure management?

Exposure management benefits a range of internal stakeholders — I recommend reading on if you fit any of the following profiles:

Role	Relevant Responsibility	Benefit
Security architect	Develop secure systems and networks	Improved understanding of risk posed to systems and networks
Vulnerability risk management (VRM)	Identify exposures and prioritize for remediation	Improved efficiency and accuracy of prioritization process
SOC / security analyst	Detect and respond to cyber attacks	Lower volume of incidents requiring reactive response
IT operations	Remediate exposures prioritized by VRM	Lower volume of exposures requiring remediation
Development	Make code changes to resolve exposures in software	Lower volume of exposures requiring resolution
Chief information security officer (CISO)	Oversee infosec program that protects systems and data	Stronger security posture better protects systems and data
Chief information officer (CIO)	Own management, implementation and usability of IT	Less downtime leads to improved digital employee experience
C-suite	Ensure day-to-day operations align with long-term strategies	Better equipped to make decisions regarding risk
Board of directors	Protect interests of shareholders and stakeholders	Fewer attacks means less damage to reputation and revenue
Business unit (BU) leader	Lead a specific division towards its goals	Decreased downtime of BU’s critical systems and services
Public relations (PR)	Reverse negative communication and perception around a crisis	Fewer PR crises stemming from cyber attacks
Chief financial officer (CFO) / finance organization	Maintain the fiscal health of the organization	Less unanticipated costs for cyber attack response and recovery
Compliance team	Ensure adherence to regulations and avoidance of missteps that could harm the organization	Lower odds of violating regulations or experiencing other harm thanks to fewer breaches

External stakeholders also benefit when exposure management results in improved security postures for organizations. For example, customers are at lower risk of having their personally identifiable information (PII) compromised in a data breach and shareholders are less likely to see stock prices dip due to a brand’s reputation being damaged by a cyber attack.

Who “owns” exposure management?

This may seem illogical, or even controversial, but it’s the C-suite that owns exposure management. While Security owns day-to-day exposure management operations, those operations are executed at the direction of the executive team — as noted above, they’re the ones determining the organization’s risk appetite. The numbers support this stance. 86% of security professionals we surveyed said that cybersecurity is a topic discussed at the board level.

Such a stance may have been blasphemous in the past, as most C-suite members lack the knowledge necessary to make cybersecurity decisions. But by focusing on exposure management, organizations can use quantifiable data to assess risks, reducing reliance on subjective judgment. This means that decisions regarding cybersecurity priorities and responses can be based on measurable risk factors, such as the likelihood of a threat and its potential impact.

Further, by linking cybersecurity operations directly to risk posture, exposure management offers a greater opportunity for aligning these operations with the overall business strategy. Under this approach, cybersecurity is no longer just a technical requirement but a strategic enabler that supports broader business objectives.

What

What is exposure management?

Exposure management is a proactive cybersecurity practice that enables organizations to maintain their exposures at a level that aligns with their risk appetite. It is, in essence, an evolution of vulnerability management that addresses the shortcomings of traditional vulnerability management practices.

Exposure management practices are commonly guided by continuous threat exposure management (CTEM) programs.

Refer to Ivanti’s Exposure Management glossary page for a more thorough answer to this question.

What is continuous threat exposure management (CTEM)?

Continuous threat exposure management — or CTEM — is defined in the 2023 Gartner® Implement a Continuous Threat Exposure Management (CTEM) Program report as follows:

“Continuous Threat Exposure Management (CTEM) program is a set of processes and capabilities that allow enterprises to continually and consistently evaluate the accessibility, exposure and exploitability of an enterprise’s digital and physical assets.

At any stage of maturity, a CTEM cycle must include five steps to be completed: scoping, discovery, prioritization, validation and mobilization.”¹

What are the components of exposure management?

In its current form, exposure management effectively combines capabilities from these existing categories:

Attack surface management (ASM), e.g., external attack surface management (EASM) and cyber asset attack surface management (CAASM).
Risk-based vulnerability management (RBVM).
Validation, e.g., breach and attack simulation (BAS), continuous automated red teaming (CART) and penetration testing as a service (PTaaS).

Expect to see purpose-built exposure management products and platforms as the exposure management market matures.

What is risk appetite?

Risk appetite is the level of cyber risk an organization is prepared to accept in pursuit of its business objectives, such as increased agility, innovation or performance. To determine its risk appetite, an organization must weigh the cost of maintaining a certain security posture against the benefit of doing so. Setting risk appetite is a business decision, though one that must include input from Security.

Refer to Understanding Risk Appetite – a Critical Component of Exposure Management for an in-depth description of risk appetite.

Where

Where should exposure management be implemented?

Exposure management practices should be implemented at all organizations that rely on technology that’s accessible from the internet or other external pathways.

Exposure management is especially important for organizations that are beholden to laws and/or other regulations regarding the safe handling of personal data. Examples include the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR).

Organizations likely to have lots of unknown devices connecting to the network and other unknown internet-facing assets in their environment are also optimal candidates for exposure management. Unknown assets often proliferate as a result of bring your own device (BYOD) policies and mergers and acquisitions.

When

When should I implement exposure management?

According to a Gartner press release, “By 2026, Gartner predicts that organizations prioritizing their security investments based on a CTEM program will realize a two-thirds reduction in breaches.”²We believe that’s a compelling reason to begin implementing exposure management as soon as possible. It’s also good news at a time when organizations’ attack surfaces are rapidly expanding, putting them at higher risk of attack.

More good news: any organization practicing vulnerability management has already laid the foundation upon which they can build an exposure management practice. Read on for actionable advice on how to do so.

Why

Why implement exposure management?

Many organizations have an incomplete understanding of their cyber risk due to limited views of the assets and exposures in their environments. Lots of effort is exerted in attempts to lower risk by remediating exposures, but the ROI on that effort is often low due to shortcomings associated with traditional vulnerability management methods.

Such organizations thus remain at elevated risk of experiencing cyber attacks that take advantage of un-remediated exposures and can negatively impact their operations, image and revenue. Exposure management solves this problem by empowering those organizations to maintain their exposures in alignment with their risk appetite.

The following is an overview of the shortcomings of traditional vulnerability management that exposure management addresses:

Shortcoming #1: Organizations look only at a narrow sliver of their continuously expanding attack surfaces.

Many organizations only closely monitor and manage their traditional perimeter — endpoints and servers — from a cybersecurity standpoint.

Why it’s a problem: Full attack surface visibility is needed to properly protect against all potential threats.

Modern attack surfaces have expanded beyond the traditional perimeter to include mobile devices, applications, websites, certificates/domains and more. Each of these components introduces added risk to an organization that must be accounted for.

Shortcoming #2: The number of cybersecurity exposures organizations face continues to grow at an unmanageable rate.

There are hundreds of thousands of existing Common Vulnerabilities and Exposures (CVEs) and dozens — sometimes hundreds — more are published to the National Vulnerability Database (NVD) every day. And while CVEs are often the only type of exposure organizations account for, they face many others, such as misconfiguration of assets and security controls.

Why it’s a problem: Remediating all exposures is operationally infeasible, leaving organizations stuck in reactive mode.

Organizations are overwhelmed by the constant onslaught of exposures turning up in their environments. They can’t fix every exposure as that would require critical systems to be offline far too often — not to mention many exposures don’t have known fixes.

This forces them into firefighting mode, always trying to unbury themselves from endless exposures or overcome ongoing security incidents instead of working proactively to improve their security posture.

Shortcoming #3: Remediation activities are prioritized based strictly on the severity of vulnerabilities.

The Common Vulnerability Scoring System (CVSS) v3.1 is among the most popular methods for prioritizing vulnerabilities for remediation. CVSS assigns vulnerabilities with scores from zero to 10 based on their severity — zero being the least critical and 10 being the most.

Unfortunately, those scores don't account for real-world threat context — meaning organizations employing CVSS are misguided if their intent in doing so is to reduce risk.

Why it’s a problem: Remediation decisions are based on the makeup of vulnerabilities instead of a given organization’s risk appetite and the potential impact a given vulnerability may pose to their business.

Organizations that use CVSS are basing decisions on vulnerabilities’ characteristics without accounting for their own. For starters, since CVSS scores don’t accurately reflect risk, organizations can’t use CVSS to determine if a given vulnerability exceeds their individual risk appetite.

Further, CVSS doesn’t enable organizations to determine how a vulnerability might impact their business — certainly a crucial consideration when determining whether that vulnerability needs to be remediated.

How

How do I implement exposure management?

This bears repeating one more time: exposure management is an evolution of vulnerability management. Most organizations thus already have the foundation for its exposure management practice in place.

But how do you advance from vulnerability management to exposure management? Here are six best practices to guide the process:

Best practice #1: Widen your attack surface aperture

Evolving to exposure management requires widening your attack surface aperture to include non-patchable attack surfaces. While you’ll always need to account for traditional devices and applications, nowadays, you also need to account for all systems, applications and subscriptions, including those not owned by IT or even managed by the business.

Examples include everything from third-party applications and services — such as SaaS, supply chain dependencies and online code repositories — to corporate social media accounts and leaked data. To gain this visibility, you’ll need to implement digital risk protection services (DRPS) and external attack surface management (EASM) solutions in addition to any existing cybersecurity asset management (CSAM) tools.

Best practice #2: Reframe remediation

If you expand your exposure management program to include non-patchable attack surfaces, you’ll also need to expand it to include means for managing your exposure through ways other than patching.

There are many routes to resolution for threat exposures, ranging from accepting and managing the risk by increasing monitoring, through to mitigation and resolutions that, in addition to patching, may mean implementing a policy change or redeveloping an application.

Remember, there's often more than one fix to an issue, and your team will often need to collaborate closely with other teams to implement those fixes, including infrastructure and operations teams and enterprise architecture functions. In some cases, your team may need to acquire new skills and understanding to execute fixes that fall under Security’s umbrella.

Best practice #3: Reprioritize

As mentioned under “Why implement exposure management?” above, using CVSS to prioritize exposures for remediation omits risk from the prioritization process. That can be remedied through the use of risk-based vulnerability management (RBVM) solutions.

Here’s how such solutions improve exposure management, using the graphic above as a reference:

There are 330,000+ known vulnerabilities.
Fortunately, you don’t need to remediate every vulnerability in your environment. The number that are tied to ransomware is low, and even less are trending/active exploits.
RBVM solutions provide risk-based scoring and views to help you focus remediation efforts on that small number of vulnerabilities that pose a significant risk.

Ultimately, a risk-based approach ensures you don’t waste time and effort mitigating or remediating any of the hundreds of thousands of exposures that pose no real danger to your organization, and that the effort you do expend actually goes toward improving your security posture.

Best practice #4: Build a bridge to the business side

With traditional vulnerability management, the “business side” typically only learns a patch is coming when they receive a notification telling them their PC needs to restart to finish installing updates — such is not the case with exposure management.

For starters, their input is required to determine the business impact of exposures and your organization’s risk appetite. You’ll need to continually work with the revenue-generating functions of the organization to determine what systems and solutions have a high impact on their priorities so that exposures that threaten those systems and solutions can be prioritized accordingly.

This is the type of work that earns Security a seat at the business table — work that shows Security exists to enable the business. Of course, teams on the business side may not be thrilled with the prospect of taking on extra work for something that has never been their responsibility, but there are ways to earn their buy-in:

CISOs need to lead the outreach effort — their position within the organization will make it easier for them to open the necessary doors.
Once you’re in the door, work with senior leadership to develop metrics that will enable them to make effective exposure management decisions without having to be security specialists.
Ensure you keep all the departments you interact with informed on the various options that exist for resolving issues that may impact them. You may need to put in extra time here to shed Security’s reputation for being overly restrictive.
Make it clear to them that the business will simply have to accept large amounts of unknown and unquantified risk if a poorly governed exposure management program fails to accurately scope, discover, prioritize and validate issues, thereby leading to a lack of visibility into threat exposure.

Best practice #5: Validate, validate, validate

Traditional vulnerability management is guided by prioritization, while exposure management couples prioritization with validation. Validation is necessary since prioritization alone leaves a large volume of issues to resolve.

In the context of exposure management, validation involves:

Assessing how potential attackers can exploit an identified exposure.
Estimating the highest potential impact of potential attack paths.
Identifying how monitoring and control systems might react in the event of an attack.

Validation can be conducted via a mixture of manual and technological methods, including:

Penetration testing conducted by automated tools, internal teams or contract pen testing as a service (PTaaS).
Red team exercises.
Breach and attack simulation (BAS).
Attack path analysis.

Best practice #6: Crawl, walk, run

Last but not least, the final best practice for evolving to exposure management is: don’t attempt to do it overnight. Use your vulnerability management practice as your starting point and expand from there by adopting the other best practices covered here as your bandwidth and budget allow.

Gartner. D’Hoinne, J., Schneider, M., Shoard, P. (2022, July 21). Implement a Continuous Threat Exposure Management (CTEM) Program. https://www.gartner.com/document/4016760.
Gartner Press Release. Gartner Identifies the Top Cybersecurity Trends for 2024. (2024, February 22). https://www.gartner.com/en/newsroom/press-releases/2024-02-22-gartner-identifies-top-cybersecurity-trends-for-2024.

8 Attack Surface Reduction Best Practices for Organizations

Tue, 20 Jun 2023 14:32:34 Z

Increases in attack surface size lead to increased cybersecurity risk. Thus, logically, decreases in attack surface size lead to decreased cybersecurity risk.

While some attack surface management solutions offer remediation capabilities that aid in this effort, remediation is reactive. As with all things related to security and risk management, being proactive is preferred.

The good news is that ASM solutions aren't the only weapons security teams have in the attack surface fight. There are many steps an organization can take to lessen the exposure of its IT environment and preempt cyberattacks.

How do I reduce my organization’s attack surface?

Unfortunately for everyone but malicious actors, there’s no eliminating your entire attack surface, but the following best practice security controls detailed in this post will help you significantly shrink it:

Reduce complexity
Adopt a zero trust strategy for logical and physical access control
Evolve to risk-based vulnerability management
Implement network segmentation and microsegmentation
Strengthen software and asset configurations
Enforce policy compliance
Train all employees on cybersecurity policies and best practices
Improve digital employee experience (DEX)

As noted in our attack surface glossary entry, different attack vectors can technically fall under multiple types of attack surfaces — digital, physical and/or human. Similarly, many of the best practices in this post can help you reduce multiple types of attack surfaces.

For that reason, we have included an attack surface reduction checklist along with each best practice that signifies which type(s) of attack surface a particular best practice primarily addresses.

#1: Reduce complexity

Digital attack surface	Physical attack surface	Human attack surface
X	X

Reduce your cybersecurity attack surface by reducing complexity. Seems obvious, right? And it is. However, many companies have long failed at this seemingly simple step. Not because it’s not obvious, but because it hasn’t always been easy to do.

Research from Randori and ESG reveals seven in 10 organizations were compromised by an unknown, unmanaged or poorly managed internet-facing asset over the past year. Cyber asset attack surface management (CAASM) solutions enable such organizations to identify all their assets — including those that are unauthorized and unmanaged — so they can be secured, managed or even removed from the enterprise network.

Any unused or unnecessary assets, from endpoint devices to network infrastructure, should also be removed from the network and properly discarded.

The code that makes up your software applications is another area where complexity contributes to the size of your attack surface. Work with your development team to identify where opportunities exist to minimize the amount of executed code exposed to malicious actors, which will thereby also reduce your attack surface.

#2: Adopt a zero trust strategy for logical and physical access control

Digital attack surface	Physical attack surface	Human attack surface
X	X

The National Institute of Standards and Technology (NIST) defines zero trust as follows:

“A collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.”

In other words, for every access request, “never trust, always verify.”

Learn how Ivanti can help you adopt the NIST CSF in The NIST Cybersecurity Framework (CSF): Mapping Ivanti’s Solutions to CSF Controls

Organizations taking a zero trust approach to logical access control minimizes the attack surface — and likelihood of data breaches — by continuously verifying posture and compliance and providing least-privileged access.

And while zero trust isn't a product but a strategy, there are products that can help you implement a zero trust strategy. Chief among those products are those included in the secure access service edge (SASE) framework:

Software-defined wide area network (SD-WAN)
Secure web gateway (SWG)
Cloud access security broker (CASB)
Next-generation firewall (NGFW)
Zero trust network access (ZTNA)

And though it’s not typically viewed in this manner, a zero trust strategy can extend beyond logical access control to physical access control. When it comes to allowing anyone into secure areas of your facilities, remember to never trust, always verify. Mechanisms like access cards and biometrics can be used for this purpose.

#3: Evolve to risk-based vulnerability management

Digital attack surface	Physical attack surface	Human attack surface
X

First, the bad news: the US National Vulnerability Database (US NVD) contains over 160,000 scored vulnerabilities and dozens more are added every day. Now, the good news: a vast majority of vulnerabilities have never been exploited, which means they can’t be used to perpetrate a cyberattack, which means they aren't part of your attack surface.

In fact, a ransomware research report from Securin, Cyber Security Works (CSW), Ivanti and Cyware showed only 180 of those 160,000+ vulnerabilities were trending active exploits.

Comparison of total NVD vulnerabilities vs. those that endanger an organization

Only approximately 0.1% of all vulnerabilities in the US NVD are trending active exploits that pose an immediate risk to an organization

A legacy approach to vulnerability management reliant on stale and static risk scores from the Common Vulnerability Scoring System (CVSS) won’t accurately classify exploited vulnerabilities. And while the Cybersecurity & Infrastructure Security Agency Known Exploited Vulnerabilities (CISA KEV) Catalog is a step in the right direction, it's incomplete and doesn't account for the criticality of assets in an organization’s environment.

A true risk-based approach is needed. Risk-based vulnerability management (RBVM) — as its name suggests — is a cybersecurity strategy that prioritizes vulnerabilities for remediation based on the risk they pose to the organization.

Read The Ultimate Guide to Risk-Based Patch Management and discover how to evolve your remediation strategy to a risk-based approach.

RBVM tools ingest data from vulnerability scanners, penetration tests, threat intelligence tools and other security sources and use it to measure risk and prioritize remediation activities.

With the intelligence from their RBVM tool in hand, organizations can then go about reducing their attack surface by remediating the vulnerabilities that pose them the most risk. Most commonly, that involves patching exploited vulnerabilities on the infrastructure side and fixing vulnerable code in the application stack.

#4: Implement network segmentation and microsegmentation

Digital attack surface	Physical attack surface	Human attack surface
X

Once again, borrowing from the NIST glossary, network segmentation is defined as follows:

Splitting a network into sub-networks, for example, by creating separate areas on the network which are protected by firewalls configured to reject unnecessary traffic. Network segmentation minimizes the harm of malware and other threats by isolating it to a limited part of the network.

From this definition, you can see how segmenting can reduce your attack surface by blocking attackers from certain parts of your network. While traditional network segmentation stops those attackers from moving north-south at the network level, microsegmentation stops them from moving east-west at the workload level.

More specifically, microsegmentation goes beyond network segmentation and enforces policies on a more granular basis — for example, by application or device instead of by network.

For example, it can be used to implement restrictions so an IoT device can only communicate with its application server and no other IoT devices, or to prevent someone in one department from accessing any other department’s systems.

#5: Strengthen software and asset configurations

Digital attack surface	Physical attack surface	Human attack surface
X

Operating systems, applications and enterprise assets — such as servers and end user, network and IoT devices — typically come unconfigured or with default configurations that favor ease of deployment and use over security. According to CIS Critical Security Controls (CIS Controls) v8, the following can all be exploitable if left in their default state:

Basic controls
Open services and ports
Default accounts or passwords
Pre-configured Domain Name System (DNS) settings
Older (vulnerable) protocols
Pre-installation of unnecessary software

Clearly, such configurations increase the size of an attack surface. To remedy the situation, Control 4: Secure Configuration of Enterprise Assets and Software of CIS Controls v8 recommends developing and applying strong initial configurations, then continually managing and maintaining those configurations to avoid degrading security of software and assets.

Here are some free resources and tools your team can leverage to help with this effort:

CIS Benchmarks List – Configuration recommendations for over 25 vendor product families
NIST National Checklist Program (NCP) – Collection of checklists providing guidance on setting software security configurations
CIS-CAT Lite — Assessment tool that helps users implement secure configurations for a range of technologies

#6: Enforce policy compliance

Digital attack surface	Physical attack surface	Human attack surface
X	X

It’s no secret that endpoints are a major contributor to the size of most attack surfaces — especially in the age of Everywhere Work when more employees are working in hybrid and remote roles than ever before. Seven in 10 government employees now work virtually at least part of the time.

It’s hard enough getting employees to follow IT and security policies when they’re inside the office, let alone when 70% of them are spread all over the globe.

Unified endpoint management (UEM) tools ensure universal policy compliance by automatically enforcing policies. This fact should come as no surprise to IT and security professionals, many of whom consider UEM a commodity at this point. In fact, Gartner predicts that 90% of its clients will manage most of their estate with cloud-based UEM tools by just 2025.

Nonetheless, UEM is the best option for enforcing IT and security policy compliance, so I'd be remiss to omit it from this list.

Read The Ultimate Guide to Unified Endpoint Management and learn about the key business benefits and endpoint security use cases for modern UEM solutions.

Additionally, beyond compliance, modern UEM tools offer several other capabilities that can help you identify, manage and reduce your attack surface:

Have complete visibility into IT assets by discovering all devices on your network — a key ASM capability for organizations without a CAASM solution.
Provision devices with the appropriate software and access permissions, then automatically update that software as needed — no user interactions required.
Manage all types of devices across the entire lifecycle, from onboarding to retirement, to ensure they'reproperly discarded once no longer in use.
Automatically enforce device configurations (refer to #5: Strengthen software and asset configurations to learn more about the importance of this capability).
Support zero trust access and contextual authentication, vulnerability, policy, configuration and data management by integrating with identity, security and remote-access tools. For example, UEM and mobile threat defense (MTD) tools can integrate to enable you to enact risk-based policies to protect mobile devices from compromising the corporate network and its assets.

#7: Train all employees on cybersecurity policies and attack surface reduction best practices

Digital attack surface	Physical attack surface	Human attack surface
		X

Seventy-four percent of breaches analyzed for the 2023 Verizon Data Breaches Investigation Report (DBIR) involved a human element.

Thus, it should come as no surprise when you review the data from Ivanti’s 2023 Government Cybersecurity Status Report and see the percentages of employees around the world that don’t believe their actions have any impact on their organization’s ability to avert cyberattacks:

Do employees think their own actions matter?

Many employees don't believe their actions impact their organization's ability to stay safe from cyberattacks.

In the immortal words of Alexander Pope: “To err is human…” In cybersecurity terms: until AI officially takes over, humans will remain a significant part of your attack surface. And until then, human attack surfaces must be managed and reduced wherever possible.

Thus far, the best way to do that's proven to be cybersecurity training, both on general best practices and company-specific policies — and definitely don’t forget to include a social engineering module.

Many cybersecurity practitioners agree. When the question “In your experience, what security measure has been the most successful in preventing cyberattacks and data breaches?” was posed in Reddit's r/cybersecurity subreddit, many of the top comments referenced the need for user education:

Reddit / u/Forbesington

Reddit / u/slybythenighttothecape

Reddit / u/_DudeWhat

Reddit / u/onneseen

To once again borrow from CIS Controls v8, Control 14: Security Awareness and Skills Training encourages organizations to do the following: “Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.”

CIS — the Center for Internet Security — also recommends leveraging the following resources to help build a security awareness program:

Security and IT staff — not just those in non-technical roles — should also be receiving cybersecurity training relevant to their roles. In fact, according to the IT and security decision-makers surveyed by Randori and ESG for their 2022 report on The State of Attack Surface Management, providing security and IT staff with more ASM training would be the third most-effective way to improve ASM.

Ensuring partners, vendors and other third-party contractors take security training as well can also help contain your human attack surface.

#8: Improve digital employee experience (DEX)

Digital attack surface	Physical attack surface	Human attack surface
X		X

No matter how much cybersecurity training you provide employees, the more complex and convoluted security measures become, the more likely they are to bypass them. Sixty-nine percent of end users report struggling to navigate overly convoluted and complex security measures. Such dissatisfied users are prone to distribute data over unsecured channels, prevent the installation of security updates and deploy shadow IT.

That seems to leave IT leaders with an impossible choice: improve digital employee experience (DEX) at the cost of security or prioritize security over experience? The truth is, security and DEX are equally important to an organization’s success and resilience. In fact, according to research from Enterprise Management Associates (EMA), reducing security friction leads to far fewer breach events.

So what do you do? Ivanti’s 2022 Digital Employee Experience Report indicates IT leaders — with support from the C-suite — need to put their efforts toward providing a secure-by-design digital employee experience. While that once may have seemed like an impossible task, it’s now easier than ever thanks to an emerging market for DEX tools that help you measure and continuously improve employees’ technology experience.

Read the 2022 Digital Employee Experience Report to learn more about the role DEX plays in cybersecurity.

One area in which organizations can easily improve both security and employee experience is authentication. Annoying and inefficient to remember, enter and reset, passwords have long been the bane of end users.

On top of that, they’re extremely unsecure. Roughly half of the 4,291 data breaches not involving internal malicious activity analyzed for the 2023 Verizon DBIR were enabled through credentials — about four times the amount enabled by phishing — making them by far the most popular path into an organization’s IT estate.

Passwordless authentication software solves this problem. If you’d like to improve end user experience and reduce your attack surface in one fell swoop, deploy a passwordless authentication solution that uses FIDO2 authentication protocols. Both you and your users will rejoice when you can say goodbye to passwords written on Post-it Notes forever.

For more guidance on how to balance security with DEX, refer to the following resources:

Additional guidance from free resources

Ivanti’s suggested best practices for reducing your attack surface combine learnings from our firsthand experience plus secondhand knowledge gleaned from authoritative resources.

And while these best practices will indeed greatly diminish the size of your attack surface, there’s no shortage of other steps an organization could take to combat the ever-expanding size and complexity of modern attack surfaces.

Check out the following free resources — some of which were referenced above — for additional guidance on shrinking your attack surface:

Next steps

So, you’ve implemented all the best practices above and you’re wondering what’s next. As with all things cybersecurity, there’s no time for standing still. Attack surfaces require constant monitoring.

You never know when the next unmanaged BYOD device will connect to your network, the next vulnerability in your CRM software will be exploited or the next employee will forget their iPhone at the bar after a team happy hour.

On top of tracking existing attack vectors, you also need to stay informed about emerging ones. For example, the recent explosion of AI models is driving substantial attack surface growth, and it’s safe to say more technologies that open the door to your IT environment are on the horizon. Stay vigilant.

Extend Microsoft Intune with Risk-Based Third-Party Patch Publishing

Fri, 22 Apr 2022 16:53:38 Z

Data breaches and ransomware attacks are increasing exponentially. The number of data breaches reported per year has increased nearly 70% in the past five years. Eighty-five percent of IT decision makers report having suffered at least one ransomware attack over the same period. Organizations that fall victim to these breaches and attacks experience system downtime, damaged reputations, IP loss and other ill effects that lead to lost business. On top of that, they also face costs associated with detecting and responding to the breaches and attacks, notifying data subjects, data protection regulators and other third parties, and response activities after the breaches and attacks have been carried out, such as paying out compensation for victims and regulatory fines.

Also increasing over the past five years is the number of applications organizations deploy. Reports show the average number of applications deployed at organizations has increased 24% in that span, with much of that growth being fueled by the accelerated digital transformation of the Everywhere Workplace. It should therefore come as no surprise that third-party applications have become one of the most attractive attack vectors for cyber adversaries. Unfortunately, data breaches stemming from vulnerabilities in third-party applications are also among the most expensive and elusive, costing an average of $4.33M and taking an average of 286 days to identify and contain – meaning a breach occurring on January 1 would typically not be contained until October 13.

All this means organizations need to be diligent about updating their third-party applications, which can be challenging given the ever-increasing number of applications they must account for. Further complicating matters is the growing number of vulnerabilities to account for – an average of 61 are disclosed by the National Vulnerability Database (NVD) every day. On top of that, many IT teams find themselves struggling to retain talent and burdened with inadequate tooling. It’s no wonder that 71% of IT and security professionals find patching to be overly complex and time-consuming and 53% spend most of their time organizing and prioritizing vulnerabilities.

The good news is that organizations do not need to patch every vulnerability. In fact, only 4% of all Common Vulnerabilities and Exposures (CVEs) have been publicly exploited. The bad news is that identifying that 4% from the over 130,000 total vulnerabilities in the NVD is difficult for many organizations. Much of that difficulty is driven by deficiencies with traditional approaches to vulnerability prioritization and remediation that leave organizations exposed to a huge attack window:

Patching only critical vulnerabilities based on the Common Vulnerability Scoring System (CVSS) v3 would cause an organization to miss out on patching 73.61% of ransomware vulnerabilities – a major gap for the 71% of IT and security decision makers that use the CVSS to score and prioritize vulnerabilities.
Patching only new vulnerabilities is similarly insufficient, as 91% of current ransomware vulnerabilities were identified before 2021.
Patching vulnerabilities only after they have been disclosed in the NVD is also a problem, as there is average latency of 13.7 days between the time a vendor publishes a ransomware vulnerability and the time of NVD disclosure.

This situation can be even more problematic for the many organizations that use Microsoft Intune to deliver applications and updates to their devices. While Intune offers comprehensive patch management capabilities for Microsoft applications, it provides no native functionality for updating third-party applications. Intune customers thus must rely heavily on manual processes or standalone patch management tools to keep their third-party applications updated. While these tools automate many aspects of the patch management lifecycle, most do not integrate directly with Intune or help IT teams properly prioritize vulnerabilities for remediation.

Introducing Ivanti Neurons Patch for MEM

Organizations invested in Microsoft Intune clearly need a better way to prioritize and deploy updates for their third-party applications – one that will both increase their level of protection against data breaches and ransomware attacks and decrease the strain on their IT teams. Ivanti Neurons Patch for MEM (Microsoft Endpoint Manager) is the answer.

Extend Microsoft Intune with third-party patch publishing

Organizations can maximize the return on their Intune investment while protecting against threats that stem from vulnerabilities in third-party applications with Ivanti Neurons Patch for MEM. From Ivanti’s Neurons cloud platform, Ivanti Neurons Patch for MEM publishes pre-tested third-party application updates directly to Intune. This enables IT teams to deploy third-party application updates alongside their Microsoft OS and application updates within Intune as part of their existing application lifecycle management workflows.

Proactively protect against active exploits

Ivanti Neurons Patch for MEM provides intelligence on known exploits and threat-context for vulnerabilities – including ties to ransomware – enabling organizations to prioritize remediation based on adversarial risk. Additionally, Ivanti’s Vulnerability Risk Rating (VRR) better arms IT teams to take risk-based prioritized action than basic CVSS scoring by taking in the highest fidelity vulnerability and threat data plus human validation of exploits from penetration testing teams.

Avoid failed patch deployments

Pre-tested patches and patch reliability insights in Ivanti Neurons Patch for MEM help organizations save time and avoid failed patch deployments. Ivanti thoroughly tests each patch content package we create. Testing is conducted in an extensive virtual environment to ensure the packages work across a wide array of application versions and operating systems before they are released to the product.

In addition, patch reliability insights from crowdsourced social sentiment data and anonymized patch deployment telemetry enable IT teams to evaluate patches based on their reliability in real-world environments before deploying them.

Streamline patch management processes

By providing the option to automatically publish third-party application updates into Intune for deployment as they come available, Ivanti Neurons Patch for MEM saves users time and effort and enables them to conduct most of their patch management activities directly within Intune. The pre-tested application updates in the solution’s patch catalog coupled with patch reliability insights save organizations additional time by helping them achieve more reliable patching with fewer failures.

The threat intelligence in Ivanti Neurons Patch for MEM helps further streamline patch management processes. For starters, this intelligence improves operational efficiencies by enabling IT teams to effectively prioritize patch efforts so they focus only on what matters. Additionally, available exploit and malware insight helps facilitate data and risk conversations between security and IT operations teams to improve operational collaboration.

Continue transition to modern management

Gartner has estimated over 85% of organizations will embrace a cloud-first principle by 2025 and will be unable to fully execute their digital strategies without utilizing cloud-native architectures and technologies. As a cloud-native solution, Ivanti Neurons Patch for MEM enables Intune customers to migrate their patching workloads entirely to the cloud without any additional infrastructure. Intune and Ivanti Neurons Patch for MEM combine to create a cloud-only solution that requires no on-premises infrastructure on either the Microsoft or Ivanti side.

Ivanti Neurons Patch for MEM also enables Ivanti Patch for MEM customers to progress from on-premises third-party patch management to the cloud.

Ivanti resources

Check out the Ivanti Neurons Patch for MEM product page for more information on this cloud-native third-party patch management solution.

Evolve to a Risk-Based Vulnerability Remediation Strategy with a Cloud-Native Patch Management Solution – Now Available from Ivanti

Tue, 25 Jan 2022 13:00:06 Z

Ransomware attacks are increasing in frequency and severity every year. The impact to companies is devastating. These attacks typically lead to lost business for companies as they often cause increased customer turnover, system downtime, diminished reputation and other adverse side effects. On top of that, there are also costs associated with detecting and escalating a ransomware breach, notifying data subjects, data protection regulators and other third parties, and post-breach response activities, such as paying out compensation for victims and regulatory fines. Research puts the average total cost of a ransomware breach at $4.62 million – excluding the cost of the ransom.

Unfortunately, the situation is likely to get worse before it gets better. Reports show fewer than 20 arrests were made globally in connection with ransomware attacks in 2020, despite the fact there were an estimated 25,000 attacks of impact in the same year – a ratio that is hardly a deterrent for would-be ransomware actors. In addition, the barriers to entry to becoming a ransomware actor are eroding as well. Ransomware as a service (RaaS) enables just about anyone to get in on the action – no security knowledge or coding expertise required.

Furthermore, research from Ivanti shows the number of Common Vulnerabilities and Exposures (CVEs) into networks nearly quadrupled in 2020 alone. And to top it all off, other research indicates ransomware attackers are increasingly targeting midmarket companies to avoid the media attention that comes from attacking large enterprises. It seems no one is safe, and there’s nowhere to hide.

Until ransomware attacks and other data breaches are a thing of the past – a day that may never come based on their current trajectory – organizations must take steps to protect against them. Patching to fix CVEs is one of the best things an organization can do to counter ransomware attacks. Unfortunately, research from Ivanti shows 71% of IT and security professionals find patching to be overly complex and time-consuming. That may be due to the overwhelming volume of vulnerabilities that exist.

There are well over 100,000 vulnerabilities listed in the US National Vulnerability Database (NVD). While only a small percentage of those vulnerabilities are tied to ransomware, and an even smaller percentage are trending/active exploits, identifying which ones pose the most risk to an organization can be tricky. A report from Ivanti shows that from 2018-2020, using CVSS v3 scoring, if an organization were to patch only critical vulnerabilities, its coverage against ransomware would only be about 35%.

Introducing Ivanti Neurons for Patch Management

To address the ever-increasing number of vulnerabilities and exploits with the limited resources they have, IT organizations need to evolve to a risk-based vulnerability remediation strategy. Ivanti Neurons for Patch Management enables them to do just that.

This cloud-native patch management solution provides actionable threat intelligence, patch reliability insight and device risk visibility that enables IT teams to prioritize and remediate the vulnerabilities that pose the most danger to their organization. By leveraging Ivanti Neurons for Patch Management to increase the efficiency and effectiveness of their patching efforts, organizations can better protect themselves from data breaches, ransomware and other threats that stem from software vulnerabilities.

The patch management capabilities in Ivanti Neurons for Patch Management enable this protection along with other benefits for companies seeking a cloud-native patch management solution.

Proactively patch against active exploits

Ivanti Neurons for Patch Management provides intelligence on known exploits and threat-context for vulnerabilities – including ties to ransomware – enabling organizations to prioritize remediation based on adversarial risk. Additionally, Ivanti’s Vulnerability Risk Rating (VRR) better arms IT teams to take risk-based prioritized action than CVSS scoring by taking in the highest fidelity vulnerability and threat data plus human validation of exploits from penetration testing teams.

Actionable intelligence on a CVE with ties to ransomware

Achieve faster SLAs with patch reliability and trending insight

Patch reliability insights from crowdsourced social sentiment data and anonymized patch deployment telemetry in Ivanti Neurons for Patch Management helps organizations save time and avoid failed patch deployments. This information enables IT teams to evaluate patches based on their reliability in real-world applications before deploying them. Additionally, service-level agreement (SLA) tracking, which provides visibility into devices nearing SLA, enables IT teams to take action on devices before they are out of compliance.

Actionable intelligence on a CVE with ties to ransomware

Transition from on-premises to cloud patch management

Gartner has estimated over 85% of organizations will embrace a cloud-first principle by 2025 and will be unable to fully execute their digital strategies without utilizing cloud-native architectures and technologies. While cloud migration is important, it can be complex, and most companies are not prepared to migrate critical on-premises applications overnight.

Ivanti Neurons for Patch Management is a cloud-native solution that allows organizations to transition from on-prem patch management to the cloud at their own pace instead of being forced to “rip and replace.” Such gradual transitions are enabled by the solution’s single pane of glass experience that provides visibility into the devices that it manages in the cloud alongside those managed via on-prem Ivanti patch management solutions.

A single pane of glass experience provides visibility into devices managed in the cloud and on-premises

Streamline patch management processes

By providing visibility into all the endpoints in an organization’s environment via a single pane of glass, Ivanti Neurons for Patch Management improves operational efficiencies by eliminating the need to jump between siloed patch management solutions. Advanced vulnerability insights and patch intelligence in the solution further improve operational efficiencies by enabling IT teams to effectively prioritize patch efforts so they focus only on what matters. Further, when it’s time to patch, autonomous Patch Configurations deployed to the Ivanti Neurons Agent on devices distribute thoroughly tested patches to thousands of machines in minutes.

Advanced vulnerability insights help prioritize patch efforts

Ivanti Resources

Check out the Ivanti Neurons for Patch Management product page and datasheet for more information on this cloud-native patch management solution. For a deeper dive on the solution, book a demo with one of Ivanti’s subject matter experts.