Over $450 billion is spent annually on cybersecurity, and that figure is expected to increase to an incredible $1 trillion by 2031. How much of that is spent on prevention, and how much on cure?
When attackers look to strike, they target the things that work: vulnerabilities and misconfigurations. All the AI in the world isn’t going to change those hacker fundamentals, and so far, it hasn’t.
But with so much focus on sophisticated new techniques, we as security practitioners often overlook the fundamentals: the very measures that prevent most data breaches, namely cracking down on those vulnerabilities and misconfigurations.
Where Most Threats Come From
If there were a cyber naughty list, vulnerabilities and misconfigurations would be repeat offenders. Each one is usually simple to fix, yet together they persist as the biggest problems in cybersecurity.
It’s amazing, considering how much coverage things like advanced malware and AI-driven threats get. The thing is, even these sophisticated exploits need an entry point. And as an industry, we’re still leaving the door wide open.
Here’s some industry evidence as support:
Misconfigurations were one of the top two security risks cited by cloud security professionals in a recent industry survey.
Exploitation of vulnerabilities as the critical path for breaches rose 180% YoY.
Misconfigurations and other errors account for over one in ten breaches according to the most recent Verizon Data Breach Investigations Report.
“Attacks using zero-day vulnerabilities were the most time-consuming to contain” last year, notes IBM.
Over 21% of incidents involved exploited vulnerabilities, according to ENISA, and the window from disclosure to exploitation is often less than 24 hours.
While we look high, cybercriminals have never forgotten the value of looking low. They try the door handles before breaking and entering, and things like misconfigurations and unpatched vulnerabilities are always left “unlocked.” We need to tighten that up, and that starts with being proactive about the little things.
Cyber Hygiene: It's Just Two Parts
Fixing the problem is simple. We hear a lot of talk about shifting to a proactive security mindset (rather than a reactive one). This means getting ahead of threats by seeing them a mile off, instead of waiting for them to show up at your door.
Misconfigurations and Vulnerabilities: It’s About Prevention
Here’s a hot tip: it’s far more efficient to do things right the first time (configuration) and remove known flaws before anyone exploits them (vulnerabilities) than it is to catch even the first signs of compromise in the earliest stage of an attack. In the first scenario, the attack may never happen. In the second, it’s already underway.
This prevention-first, cyber hygiene mindset is what plugs a barrage of downstream attacks at the source. Cyber hygiene gives off a “nice but not necessary” feel, like something SOCs could get to if only they had the time, but they’re busy working on other (i.e., “important”) things like threat hunting.
The newsflash: doubling down on misconfigurations and vulnerabilities will drastically reduce the workload in threat hunting and alert chasing. Not every intrusion can be stopped, but by plugging these two gaps, you’d be surprised how many can be.
The Analogy of Mother Sauces
It’s like the concept of mother sauces in cooking: once you establish these two most basic cybersecurity fundamentals (your mother sauce), you can add in advanced technologies from there (your spices) to add to an already solid dish. Do it the other way around, and you get something that tastes good but is always trying to make up for the fact that it wasn’t done right.
Keeping It Simple
Here’s another one. These two cyber hygiene heavy hitters are like salt and pepper for your security stack: they complement each other and together form the essential cybersecurity foundation.
Vulnerability management is about making sure you don't have known flaws, known bugs, or known critical issues that could allow someone to attack your system. It’s closing those doors.
Security configuration is about making sure that your system is adequately hardened. It’s nailing your furniture to the floor and putting the money in the safe, so nothing goes anywhere. One step further, security configuration management records that hardened state as a baseline and watches for drift from it. It’s like cataloguing where all your valuables are stored, so if a door is opened in the wrong room, you’ll be notified.
The concept is simple when you take it down to the kind of protection we can envision for our homes every day. The principles are the same. You don’t want to trust a single line of defense. You don’t want just locks and no inner smoke alarms. You want multi-layer protection (dare I say, defense-in-depth?) and these two elements are the most essential place to start.
Then, you can add on whatever Home Alone-level defensive bells and whistles you choose. And with AI out there, we’re living in an era where these, too, are more necessary than nice.
Don't Overcomplicate the Process
Vulnerability management means finding flaws, prioritizing them by real-world exploitability and impact to the business, and fixing those first.
If you’re keen to know what’s really going on, double up with offensive security (penetration testing, red teaming) on the back end to validate which of those flaws an attacker can actually reach and exploit in your environment. That’s a proactive one-two punch: you find not just individual vulnerabilities but the attack paths that chain them, which really limits the routes an attacker has to making any sort of attack a reality.
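As an added example (not from the original article), here is what the “prioritize by impact to the business, and fix those first” step looks like when written down. It goes slightly beyond the text by weighing exploitation evidence (a known-exploited listing, an EPSS-style probability) and exposure alongside CVSS and asset criticality, which is how a CVSS-only queue gets turned into a risk-ordered one. The weights, tier thresholds, SLA days and every finding in the sample set are assumptions constructed for this illustration; the finding IDs are local labels, not CVE identifiers.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    finding_id: str         # local label for this example, not a real CVE id
    asset: str
    cvss: float             # CVSS base score, 0.0-10.0
    known_exploited: bool   # e.g. listed in a known-exploited-vulnerabilities catalog
    epss: float             # estimated probability of exploitation in 30 days, 0.0-1.0
    internet_exposed: bool  # reachable from the internet
    asset_criticality: int  # 1 (throwaway lab box) .. 5 (crown jewels)
    fix_available: bool     # vendor patch or fixed version exists


@dataclass(frozen=True)
class PlanItem:
    finding_id: str
    asset: str
    score: float
    tier: str
    sla_days: int
    action: str


# Assumed remediation SLAs per tier for this example; tune to your own policy.
SLA_DAYS = {"P1": 2, "P2": 14, "P3": 30, "P4": 90}


def risk_score(f: Finding) -> float:
    """CVSS scaled by exposure and asset criticality, bumped for exploitation evidence.

    The weights are assumptions chosen for this example, not an industry standard.
    """
    exposure = 1.5 if f.internet_exposed else 1.0
    criticality = 0.7 + 0.1 * f.asset_criticality      # 0.8 .. 1.2
    if f.known_exploited:
        exploit_bonus = 5.0                             # already being used by attackers
    elif f.epss >= 0.5:
        exploit_bonus = 3.0                             # exploitation judged likely soon
    else:
        exploit_bonus = 0.0
    return round(f.cvss * exposure * criticality + exploit_bonus, 2)


def tier_for(score: float) -> str:
    # Tier thresholds are assumptions for this example.
    if score >= 14.0:
        return "P1"
    if score >= 10.0:
        return "P2"
    if score >= 6.0:
        return "P3"
    return "P4"


def prioritize(findings: List[Finding]) -> List[PlanItem]:
    """Return findings ordered by descending risk, each with a tier, SLA and action."""
    plan = []
    for f in findings:
        score = risk_score(f)
        tier = tier_for(score)
        # No fix yet means the work item is a compensating control, not a patch.
        action = "patch" if f.fix_available else "mitigate (isolate, ACL/WAF, disable feature)"
        plan.append(PlanItem(f.finding_id, f.asset, score, tier, SLA_DAYS[tier], action))
    return sorted(plan, key=lambda p: p.score, reverse=True)


# Constructed sample findings; every value is made up for illustration.
SAMPLE_FINDINGS = [
    # Critical CVSS on an internal, low-value host, no sign of exploitation
    Finding("F-1", "build-agent-07", 9.8, False, 0.02, False, 2, True),
    # Lower CVSS, but already exploited in the wild on an internet-facing crown jewel
    Finding("F-2", "payments-api", 7.5, True, 0.90, True, 5, True),
    # Medium severity, exposed, exploitation judged likely
    Finding("F-3", "marketing-site", 5.3, False, 0.60, True, 3, True),
    # Low severity on a lab box
    Finding("F-4", "lab-vm-12", 4.0, False, 0.01, False, 1, True),
    # Known exploited, internal, and no patch exists yet
    Finding("F-5", "hr-fileserver", 9.1, True, 0.70, False, 3, False),
]

if __name__ == "__main__":
    for item in prioritize(SAMPLE_FINDINGS):
        print(f"{item.tier} {item.score:>5} {item.finding_id:<4} {item.asset:<16} "
              f"fix within {item.sla_days:>2}d: {item.action}")
```

Run as a script, the sample set comes out with the exploited, exposed payments flaw first and the CVSS 9.8 internal build-agent finding behind a CVSS 5.3 internet-facing one, which is exactly the reordering a business-impact view produces and a raw severity sort does not.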
When it comes to configuration management, it’s: how are your devices configured? How are they set up compared with core standards like the CIS Critical Security Controls and PCI DSS?
Do my hosts meet the applicable CIS Benchmarks, and have I applied all necessary configuration settings? Do I meet everything PCI DSS compliance requires? Are those configurations enforced automatically and continuously, so that drift is detected and corrected for ongoing protection?
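The “do my hosts meet the benchmark, and is that enforced automatically” question is a baseline-and-drift check, and as an added example (not from the article, and not CIS tooling) here it is for a single OpenSSH server config. The baseline values are illustrative, in the spirit of the CIS Benchmark recommendations for OpenSSH, and the OpenSSH defaults used for absent keywords are this example’s assumptions; verify both against the benchmark version you are held to and against `sshd -T` on a real host. The sample sshd_config is constructed. In production you would drive the same check from a configuration-management tool or a CIS-CAT-style scanner rather than a hand-rolled parser, but the logic, including treating an absent keyword as a finding and re-checking after remediation, is the same.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Illustrative hardening baseline for sshd_config (assumed values for this example,
# in the spirit of CIS Benchmark recommendations for OpenSSH).
BASELINE: Dict[str, str] = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
    "LogLevel": "VERBOSE",
}
# What sshd assumes when a keyword is absent (OpenSSH defaults as assumed for this
# example; confirm with `sshd -T`). An absent keyword can be a finding too.
DEFAULTS: Dict[str, str] = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "6",
    "LogLevel": "INFO",
}
CANONICAL = {k.lower(): k for k in BASELINE}
# sshd_config syntax: `Keyword value` or `Keyword=value`, case-insensitive keyword,
# '#' starts a comment, and the FIRST occurrence of a keyword wins.
_DIRECTIVE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)(?:\s*=\s*|\s+)(.+?)\s*$")


@dataclass(frozen=True)
class Drift:
    keyword: str
    expected: str
    actual: str
    source: str  # "explicit" (set in the file) or "default" (keyword absent)


def parse_directive(line: str) -> Optional[Tuple[str, str]]:
    """Return (lower-cased keyword, value) for a directive line, else None."""
    if not line.strip() or line.lstrip().startswith("#"):
        return None
    m = _DIRECTIVE.match(line)
    return (m.group(1).lower(), m.group(2)) if m else None


def effective_settings(text: str) -> Dict[str, str]:
    """Global settings as sshd resolves them (first wins). Stops at the first Match
    block, whose conditional settings this example deliberately leaves out."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        parsed = parse_directive(line)
        if parsed is None:
            continue
        if parsed[0] == "match":
            break
        settings.setdefault(parsed[0], parsed[1])
    return settings


def check_config(text: str, baseline: Dict[str, str] = BASELINE) -> List[Drift]:
    """Compare a config against the baseline and report every deviation."""
    settings = effective_settings(text)
    drifts: List[Drift] = []
    for keyword, expected in baseline.items():
        actual, source = settings.get(keyword.lower()), "explicit"
        if actual is None:
            actual, source = DEFAULTS.get(keyword, "<unset>"), "default"
        if actual.lower() != expected.lower():
            drifts.append(Drift(keyword, expected, actual, source))
    return drifts


def remediate(text: str, drifts: List[Drift]) -> str:
    """Rewrite the config so check_config() reports no drift: the first explicit
    occurrence of each drifted keyword is replaced in place, and keywords that were
    only defaults are added before any Match block (sshd ignores globals after it)."""
    pending = {d.keyword.lower(): d.expected for d in drifts}
    out: List[str] = []
    for line in text.splitlines():
        parsed = parse_directive(line)
        if parsed and parsed[0] == "match" and pending:
            out.extend(f"{CANONICAL[k]} {v}" for k, v in pending.items())
            pending.clear()
        if parsed and parsed[0] in pending:
            out.append(f"{CANONICAL[parsed[0]]} {pending.pop(parsed[0])}")
            continue
        out.append(line)
    out.extend(f"{CANONICAL[k]} {v}" for k, v in pending.items())
    return "\n".join(out) + "\n"


# Constructed sample configuration; not taken from any real host.
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
MaxAuthTries 6
LogLevel INFO
Subsystem sftp /usr/lib/openssh/sftp-server
"""

if __name__ == "__main__":
    found = check_config(SAMPLE_SSHD_CONFIG)
    for d in found:
        print(f"DRIFT {d.keyword}: expected {d.expected!r}, got {d.actual!r} ({d.source})")
    print(f"after remediation: {len(check_config(remediate(SAMPLE_SSHD_CONFIG, found)))} drift(s)")
```

The re-check after remediation is the “perpetuated in an automated way” part: running check_config on a schedule and treating any non-empty result as an alert is what turns a one-off hardening pass into configuration management.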
The Old-School Way to Optimize Security Investments: It Still Works
You’d be surprised how far these simple checklists go in terms of security. Applying them spares you a world of hurt later, because attackers start by probing exactly these low-level oversights.
The proof is in the pudding: multiple studies have found that aligning with the CIS Controls mitigates roughly 85% of common attacks. You want to talk SOC efficiency? Let’s talk about that.
As teams face SOC overwhelm, doing these two things will give them the most bang for their security buck.
Outrunning the Cat vs. Locking the Doors
I’m a fan of analogies, so let the analogies continue. Cybersecurity is, at its roots, about winning the game of cat and mouse. We can train the proverbial mouse to run faster and faster, which means investing in better and more sophisticated tools, and this is important.
But without doing the simple things like always patching vulnerabilities and always ensuring doors are locked on configurations, those advanced tool stacks are going to be far less efficient. It’s like letting a cat into your house and hoping you can outrun it because you didn’t have time to check the doors and windows before it came.
Reduce the work of alert triage, attack path analysis, and chasing data through the cloud and beyond by doing more to keep attackers out in the first place. The answer? Observing the basics of cybersecurity hygiene: vulnerability management and eliminating misconfigurations.