Real-time vulnerability alerts are an essential tool in any organisation's cybersecurity programme. They provide timely information about potential threats and vulnerabilities and enable organisations to respond swiftly and effectively as those threats emerge. This lets organisations maintain a strong cybersecurity posture, reducing risk and minimising the potential damage from attacks.
When vulnerabilities are detected in real-time, action can be taken immediately to patch or mitigate them, reducing the window of opportunity for attackers. This proactive approach helps reduce the attack surface and the risk of successful attacks.
Organisations need to continuously monitor these alerts, as they contribute to an organisation's overall security posture. By staying informed about vulnerabilities, organisations can make informed decisions about risk management and prioritise security efforts effectively.
However, this is easier said than done. Monitoring vulnerabilities, especially in real time, comes with a number of challenges that many organisations find too difficult to overcome.
1. The signal in the noise
The sheer number of vulnerabilities is more than most organisations can handle. In larger organisations, entire teams are dedicated to working through the chatter with the aim of finding the signal and actioning a remediation. Most organisations run thousands of different software packages, from desktop applications to the firmware on their routers, so automation is essential to filter out what is relevant.
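As an added illustration of that filtering step (not code from the original article or from any product it mentions), the following Python matches a vulnerability feed against an organisation's software inventory using NVD-style CPE match criteria, so that only entries affecting installed software survive. The feed records, vendor names and CVE ids are constructed placeholders, and the inventory is assumed to be a list of (vendor, product, version) tuples.

```python
def parse_version(v):
    """Turn '2.4.10' into (2, 4, 10) so that 2.4.10 sorts after 2.4.9 (a string compare would not)."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def version_in_range(version, crit):
    """Apply NVD-style bounds from a CPE match criterion; a missing bound is open on that side."""
    v = parse_version(version)
    checks = (("versionStartIncluding", lambda b: v < b), ("versionStartExcluding", lambda b: v <= b),
              ("versionEndIncluding", lambda b: v > b), ("versionEndExcluding", lambda b: v >= b))
    return not any(k in crit and fails(parse_version(crit[k])) for k, fails in checks)

def matches(crit, installed):
    """True if a CPE match criterion covers one (vendor, product, version) inventory entry."""
    vendor, product, version = crit["cpe"].split(":")[3:6]   # cpe:2.3:part:vendor:product:version:...
    if (vendor, product) != installed[:2]:
        return False
    if version != "*":                                        # criterion names one exact version
        return parse_version(version) == parse_version(installed[2])
    return version_in_range(installed[2], crit)               # wildcard version: use the range fields

def relevant_alerts(feed, inventory):
    """Return {cve_id: [affected inventory entries]}; feed entries hitting nothing are dropped as noise."""
    hits = {}
    for entry in feed:
        affected = [i for i in inventory if any(matches(c, i) for c in entry["criteria"])]
        if affected:
            hits[entry["id"]] = affected
    return hits

# Constructed sample data: placeholder CVE ids and fictional vendors, not real NVD records.
INVENTORY = [("examplecorp", "webgate", "2.4.9"), ("examplecorp", "webgate", "2.4.10"),
             ("netbox_ltd", "edge_router_fw", "1.3.2"), ("officeapps", "editor", "5.0")]
FEED = [
    {"id": "CVE-EXAMPLE-0001", "criteria": [{"cpe": "cpe:2.3:a:examplecorp:webgate:*:*:*:*:*:*:*:*",
                                             "versionStartIncluding": "2.0", "versionEndExcluding": "2.4.10"}]},
    {"id": "CVE-EXAMPLE-0002", "criteria": [{"cpe": "cpe:2.3:o:netbox_ltd:edge_router_fw:1.3.2:*:*:*:*:*:*:*"}]},
    {"id": "CVE-EXAMPLE-0003", "criteria": [{"cpe": "cpe:2.3:a:othervendor:database:*:*:*:*:*:*:*:*"}]},
]

if __name__ == "__main__":
    for cve, items in relevant_alerts(FEED, INVENTORY).items():
        print(cve, "->", ", ".join(f"{v}/{p} {ver}" for v, p, ver in items))
```

Of the three constructed feed entries, only the first two reach an analyst: the patched 2.4.10 install falls outside the vulnerable range, and the database entry names software the organisation does not run.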
2. Delays and timeliness
Many cybersecurity and vulnerability alert services and organisations rely on NVD for their alerts. While NVD is the gold standard when it comes to vulnerabilities, there is a delay between the time a vendor publicly discloses a vulnerability and the time NVD has analysed it so that it can be matched and alerted on.
Delayed fixes increase the chance for attackers to exploit the vulnerability. Once compromised, a computer system or network can be used as a launchpad for further attacks. Stopping the initial attack quickly can prevent it from becoming a gateway for more extensive breaches.
3. Abundance of sources
While NVD is a great source of vulnerability information, it is not enough on its own to give a complete view of the threat landscape. Organisations must be vigilant and monitor information from a variety of sources, such as cybersecurity news outlets, vendor bulletins and even social media.
4. Skill gap
The expertise needed to effectively interpret vulnerability information and separate false positives from legitimate threats can be scarce, requiring a well-trained cybersecurity team that many organisations lack.
The cost of a team of cybersecurity analysts monitoring vulnerabilities can be prohibitive and, even for organisations with the budget, having that team's time eroded by sifting through noise is a huge waste of resources.
The cost of leaving software unpatched from known vulnerabilities, however, is even more prohibitive.
In March 2021, the Chinese state-sponsored hacking group Hafnium exploited four zero-day vulnerabilities in Microsoft Exchange Server. It's estimated that 250,000 servers worldwide fell victim to the attacks.
It was also a zero-day that led to the sale of 5.4 million Twitter user account profiles. In January 2022, Twitter unearthed and patched a zero-day. However, it was too late: a threat actor had used the same zero-day the previous December to compile the profiles and sell them to interested parties for $30,000.
This year, yet another zero-day, this time in MOVEit Transfer software, brought about the largest hack of 2023 so far, with more than 1,000 organisations and 60 million individuals affected. Cl0p, the Russia-linked ransomware group behind the attack, is estimated to have made (so far) as much as $100 million.
The question becomes not whether organisations should monitor real-time cybersecurity alerts, but how. There are three key areas to consider:
Speed: are the threats delivered as soon as humanly possible?
Comprehensiveness: does the information carry enough detail to make the necessary decisions, such as the remedy and the risk?
Accuracy: are the alerts mostly relevant, and were there any threats that should have matched but didn't?
Any solution will make trade-offs in one or more of those key areas, and it's important for the organisation to decide which trade-off is an acceptable risk and why. Perhaps speed is less critical if most systems aren't accessible online, or accuracy matters less if the organisation can handle sifting through more noise so as not to miss something vital. Ultimately, maximising all three areas will come at a cost.
The simplest and cheapest way to get started is to sign up for free cybersecurity alerts from a national vulnerability advisory. For example, the Australian Government offers an alert service. However, these won't be comprehensive, fast or accurate for an organisation's specific software, as such alerts follow a one-size-fits-all model.
More advanced products, like SecAlerts, are available on the market; these give organisations real-time vulnerability alerts for only the software they use and provide timely, detailed information to action remediation.
Real-time vulnerability alerts are table stakes for any organisation's security posture. They enable swift remediation, narrow the window of opportunity for attacks and, under many regulatory standards, are a hard requirement (for example, PCI DSS Requirement 6.1).
The key is finding the right solution that gives the best balance of speed, comprehensiveness and accuracy, noting that compromising on any one of them means taking on added risk. While this means an added cost to an organisation, it pales in comparison to the cost of a breach.