Improving security results – where can you make the most difference?

Security has always been important for companies, but as the costs associated with data breaches continue to go up, it has become critical for management teams and boards.

According to PwC, just over a quarter (27 percent) of all companies suffered a data breach that cost them between $1million and $20million in the last three years.

So how can we improve security operations and better guard against threats? In analysing threat data for 2022, we can see three main areas: improving patching to reduce software vulnerabilities, reducing misconfigurations around cloud and web applications, and preventing the long tail of attacks by Initial Access Brokers (IABs).

Patching and automation

Software vulnerabilities are at the heart of potential security issues. Flaws in software products can be exploited to break open systems, steal data or load ransomware, so patching these issues quickly is essential. Yet many companies find it hard to manage these updates efficiently.

From a cyber hygiene perspective, implementing a timescale to deploy patches can help you track how well you are doing over time. But this can be difficult to stick to amongst all the demands on your team. According to the Department for Science, Innovation and Technology cyber breaches research, the percentage of companies that had a policy to apply software security updates within 14 days dropped from 43 percent in 2021, to 31 percent in 2023. This was mainly due to changes in small and mid-size businesses, as larger enterprises remained at the same level. However, this should be concerning.

In our Qualys Threat Research Unit (TRU) anonymised research data for 2022, we found that the average time to remediate software vulnerabilities that had been targeted and weaponised was within 30.6 days, and that those issues were only patched an average of 57.7 percent of the time. On average, attackers were able to weaponise those vulnerabilities in 19.5 days, which means that attackers have 11.1 days of exploitation opportunities before organisations get their patches in place. We can see that some organisations speed up their patching activities once a vulnerability gets weaponised, but this reactive approach puts a lot more pressure on security teams. Instead, look at how you can predict which vulnerabilities could be weaponised and that would affect you, then prioritise them for patching as early as possible to prevent any risks.

Automation can also make a huge difference. Automated patch deployment is 36 percent faster than manual patching, while those updates were deployed 45 percent more often. Automated patching has an average remediation time of 25.5 days compared to manual remediation of 39.8 days. Looking at the patching rate for issues that could be automated was 72.5 percent compared to 49.8 percent for those that could only be deployed manually.

Web applications, cloud and misconfigurations

Misconfigurations in systems can also lead to potential security gaps. These can occur in your endpoints and servers, but they can also be found in your cloud infrastructure and your web applications as well. As these issues can be widespread, it’s important to look out and track them.

In our anonymised data for 2022, we looked at 370,000 customer web applications and found that there were more than 25 million security issues in those services. The biggest category for this was what the Open Web Application Security Project defines as misconfigurations in their Top Ten list. These misconfigurations largely involve not implementing the right controls to protect web applications, such as not changing default permissions or passwords. Another type of misconfiguration can be applications that share too much information, such as detailed stack traces for errors.

Misconfigurations can also occur in cloud infrastructure, where services are not implemented to follow security best practices or use preventative measures.  For example, AWS S3 is a commonly used cloud storage service that hosts data, and it has been responsible for data breaches in the past where access control and security was not applied correctly. Today, around one percent of S3 buckets are publicly available, which is a huge improvement. Yet only 40 percent of organisations are currently using preventative controls to prevent files from being accessed publicly, which makes it easier for files held in S3 to be made available by mistake.

The lesson here is not just to look at the specific setting, but instead at the overall process that this setting is linked to. By using the available benchmarks and the processes that they cover, you can improve your overall security over time.

This same approach can be applied to on-premise IT infrastructure. There are common security issues that can crop up on internal IT assets, such as enabling installation with elevated privileges, allowing Remote Desktop Services access for local and guest accounts through to access control and password management settings.

Scanning for these kinds of issues can prevent attacks that combine multiple tactics and techniques, such as an attacker using guessed or stolen passwords to log into an exposed Remote Desktop Protocol (RDP) machine and elevate their privileges. Looking for these issues is the first step to preventing attacks, followed by enforcing best practices on access control, password length, and the number of log-in attempts before locking an account.

Guarding against IABs

These process changes can also help guard against attacks by Initial Access Brokers, or IABs. These groups look for routes into company devices and networks, and they then sell these holes on to others or look at deploying ransomware. IABs typically target less common software packages that take longer to get patched. To some extent, this shows that security teams are doing a good job of preventing attacks, as attackers have to look further afield in order to find potential targets.

Typically, IABs have three approaches. The first is to target perimeter devices at their intended target, such as firewalls and web applications, and look to find a way in or exploit vulnerabilities for unpatched systems. Alternatively, they may try to use valid credentials to get direct access to the environment based on stolen accounts or by using brute force and password dictionary attacks. Lastly, they may employ phishing attacks that direct users to a compromised site that will download malware and provide that initial access. Once the IAB has achieved a foothold in the network, they can try to move laterally in the network and find valuable data or systems to attack.

For security teams, understanding IAB attack patterns can help to prioritise issues and potential routes into the organisation for more attention. For example, IABs did not target Windows or Chrome for their attacks – instead the most common vulnerabilities used by IABs were in perimeter devices and other work applications. The remediation timelines for these applications and devices have a mean time to remediation of 45.5 days, which is nearly three times longer than for Windows and Chrome (17.4 days). The patch rates are also lower, patched at a rate of 68.3 percent compared to 82.9 percent for Windows and Chrome.

It’s impossible to prevent IAB attacks by taking out those public facing devices or web applications. They have to exist in order to support business processes and user work. Instead, you should get an attacker’s eye view of your own network and then reduce your attack surface as possible. By continuously tracking any changes in your environment, looking out for new or unknown assets, and rapidly patching any critical issues that are found, you can stay ahead of any IABs looking at your network. When you are in control of your infrastructure and able to fix problems efficiently, your attackers have to switch their tactics, techniques, and procedures to more challenging attack paths. When this happens, they tend to make more mistakes, create more noise, and generate more detection opportunities. This helps you stay one step ahead.

About the Author

Paul Baird is Chief Technical Security Officer at Qualys. Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of disruptive cloud-based security, compliance and IT solutions with more than 10,000 subscription customers worldwide, including a majority of the Forbes Global 100 and Fortune 100. Qualys helps organizations streamline and automate their security and compliance solutions onto a single platform for greater agility, better business outcomes, and substantial cost savings.

Featured image: ©Michael Traitov