Proactive Security 101: Discover, Prioritize, Remediate 

Forrester analyst Erik Nost predicted that proactive security would steal the show at RSA this year — and the prediction was right. While proactive security isn’t new in cybersecurity, it’s gaining traction as a concrete approach to shifting the mindset of security teams from reactively patching known vulnerabilities toward seeking out the unknown, prioritizing the most important efforts, and confirming remediation on an ongoing basis. Who wants to be seen as slow and reactive when you can be proactive and ready? 

Simultaneously, more and more vendors are latching on to the term to define a broad spectrum of solutions. Before it becomes a security industry buzzword, let’s take a critical look at what proactive security is, its core pillars and use cases, and how to get started building a proactive security strategy.

What is Proactive Security? 

Let’s level set with a shared definition. Forrester defines proactive security as:  

Proactive security improves overall defense by flipping the script on legacy security strategies and equipping teams with specific measures to take at each phase. Aligning with how our customers and the analyst community is approaching this space, here’s how we define the three core pillars of proactive security at NetSPI:  

• Discover
  This entails a thorough understanding of the assets and vulnerabilities within a company’s infrastructure. The discovery phase extends visibility to shadow IT and previously unknown company and third-party assets for a comprehensive scope of owned assets. This also includes discovery of issues that aren’t necessarily defined as “vulnerabilities,” including the discovery in detection gaps and response capabilities. 
• Prioritize
  This phase involves distilling these discoveries into actionable objectives. It requires leveraging tools that facilitate the assessment and validation of threats, weaknesses, and controls to aid in decision-making for where to invest time and resources. Determining what to remediate next is an ongoing challenge, as the task is never complete. To do this, teams can consider the likelihood of threats impacting assets along potential attack paths and prioritize vulnerabilities accordingly. By assessing the broader risk landscape and understanding which risks truly impact a business, teams can effectively prioritize their effort to secure what matters most.  
• Remediate
  Prioritization is key to effective remediation because vulnerability and posture management activities are never-ending; focus is critical. Proactive security programs will put clear remediation guidance in the proper engineering hands to aid and speed them up, followed by a validation assessment process to ensure the remediation actually works. 

These three pillars are not one-size-fits-all. Rather, security teams can start by evaluating their current position against each one of the pillars, and then break down their proactive security journey into manageable milestones.

Why Now? Challenges Driving Proactive Security Forward

The focus of many security programs today is still reactive, from the latest vulnerability in the news to inbound alerts in your detection stack — something happens and then security teams react. Putting proactive security into your organization means dedicating teams to support and focus on posture management, patch and vulnerability management, detection controls assessments and tuning, and red teaming. When executed correctly, each of these helps you get ahead of the problems, rather than respond to them. 

Expanding Attack Surface 

The attack surface is expanding at a rate we’ve never seen before. The constant addition of new assets makes ongoing asset identification difficult at best. Sixty-seven percent of organizations have seen their attack surfaces expand in the last two years¹. This has resulted in more vulnerabilities created at an increasing rate. Plus 69% of organizations have had an attack that started through the exploit of an unknown, unmanaged, or poorly managed internet-facing asset, making this challenge an urgent one to address².

Identifying the Unknown 

IT and cybersecurity teams must fully understand their assets in order to protect them. After all, how can you protect the unknown? Identifying those assets, who’s using them, and who’s responsible for vulnerability remediation is a constant challenge. This is especially true because IT often doesn’t have visibility into assets created by employees, aka shadow IT. In fact, by 2027, 75% of employees will acquire, modify, or create technology outside of IT’s visibility³.

Fine Tuning Security Controls 

Security teams are buying more and more tools, yet NetSPI has found that up to 80% of common attack behaviors are missed by EDR, SIEM and MSSP out of the box solutions. This is in part because of the cybersecurity skills shortage, resulting in teams not having enough time to tune or manage their security stack to meet its full potential.

Reducing Noise and False Positives 

Even when risks are identified, there is often not enough time to investigate and there are too many false alarms. Security staff spend an average of 30 minutes for each actionable alert, and 32 minutes for each false positive⁴. This means teams are spending more time chasing false positives instead of the activities that pose a real risk. The cybersecurity industry needs a holistic way of tackling these challenges, positioning proactive security at center stage in this ongoing feat.

4 Questions to Get Started with Proactive Security 

Whether you’re starting your proactive security approach or looking to enhance current workflows, these foundational questions will uncover specific steps that can help. 

1. What assets do I have?
   Visibility is the first challenge companies are trying to solve for. This entails finding and creating an inventory for all assets — particularly externally facing ones, aka connected to the internet. However, the objective goes beyond finding all the assets, extending into understanding their context and any exposures. For example, who in the organization uses the asset? Is it something that should be decommissioned or still be active? And who is responsible for remediating the asset if it has an identified risk? 
2. How do I continuously monitor my assets and prioritize what I need to fix?
   Once security teams have identified all assets and understand the context and risk, then how do they continuously monitor these assets, as well as identify new ones that come online? This is the second challenge the industry is trying to solve for using proactive security. Then, how do they prioritize what to remediate? No list of remediations is ever completely done. So, how do teams understand where to focus?
   They need to think about which threats are likely to impact the assets within an attack path and which vulnerabilities will likely be exploited. Typically, teams do this in a reactive, instead of proactive, way. They prioritize “critical” vulnerabilities first without  understanding their environment, what risks truly impact their business, and most of the time without knowing if attackers are actually exploiting that particular type of vulnerability. They also should assess the strength of their security controls and their efficacy when making these considerations.
3. How do I validate my security controls?
   This challenge is particularly difficult because many companies do not prioritize putting the strength and efficacy of their security controls to the test, despite that being the hallmark of proactive security. Many realize this is important, yet companies spend more and more of their IT budget to acquire more security tools without maximizing what they currently have. Since these tools are shipped out of the box with a “one-size-fits-all” or a “least intrusive default” configuration despite the fact that every organization is different, this leaves the security team responsible to ensure these controls are tuned to match the risks that matter most to their company.
   Most security teams do not have enough time or resources to perform the control validation, however, let alone the work required to keep pace with the latest attack trends, understand where the greatest gaps in their security defense reside, maintain alignment with the MITRE ATT@CK framework, and enhance their controls accordingly.
4. How do I ensure my team can respond?
   The last challenge companies are trying to solve by using proactive security is to ensure their team can effectively respond to potential threats. It’s important for companies not only to put their security stack to the test, but also to ensure their team’s readiness. Prevention controls will fail. Proactive security means testing your team’s ability to respond when they do. Internal response teams are often pulled in several directions, handling the mundane background noise, and rarely responding to a major incident involving a highly skilled and motivated adversary with a foothold inside the organization. Keeping their perishable response skills sharp is paramount to staying proactive. 

Footnotes

1. https://securityintelligence.com/news/new-report-names-attack-surface-management-leaders/ ↩︎
2. ESG Research: CSO Online Article Look for Attack Surface Management to Go Mainstream in 2023 ↩︎
3.  Gartner Unveils Top Eight Cybersecurity Predictions for 2023-2024  ↩︎
4. ‘Alert Fatigue’ Can Lead To Missed Cyber Threats And Staff Retention/Recruitment Issues: Study ↩︎