Case Study: Using Continuous Threat Exposure Management to Address Zero-Day Vulnerabilities

Case Overview

• Despite efforts to improve, preventative security mechanisms, such as patching, remain challenging. The ever-increasing volumes of threat exposure faced by organizations and the complexity, ownership and availability of remedies limit an organization’s ability to apply basic principles universally. There are too many issues to resolve and a variety of contributing operational factors that influence decision making when deploying patches.
• The breadth of coverage of the Log4J and Spring4Shell zero-day vulnerabilities in the media heightened awareness of its existence and made it a topic of interest among senior leaders in the business. However, this interest was not related to any risk-based context specific to the company. Actions were taken to resolve issues, but with no analysis of the genuine risk to the business or the likelihood of an impact.

• The organization scoped the extent of the issue and limited potential impacts by carrying out actions such as routinely restricting user access to resources as part of a standard security hygiene regime. This ensured that only a limited number of user accounts could exploit specific vulnerabilities, such as Log4J.
• NYSIF maintained a steady state of awareness of existing security weaknesses and ensured timely updates, proper configuration and patches. This provided a solid baseline from which to understand the priority of risks associated with Log4J, thus enabling the organization to effectively schedule work to remediate exposure.
• By validating the effectiveness of controls and monitoring through continuous intrusion and behavioral monitoring, NYSIF ensured that any illegitimate activity would be logged and alerted upon. This provided clarity on the extent to which a vulnerability exploit had been attempted, which of those attempts had been successful and which had justified the investment in security tooling.
• NYSIF requested that internal teams, vendors and partners mobilize to validate actions taken in regards to high-impact vulnerabilities. The organization gathered attestations to establish an compliance evidence base for systems over which the security teams have no direct control.

• A continuous threat exposure management (CTEM) approach enabled NYSIF to identify, address and resolve identified threats, without being compromised. The organization should be able to repeat the same processes to address any potential threats that may arise in the future.
• Structure and repeatability ensure that future results will be measurable and comparable, and that the security teams will be able to improve the speed of response to significant issues and report successes to the management chain effectively.

Problem