A vulnerability has been exposed. Attackers will need only seven days to weaponize it. Your secret to averting cyber attacks?
Powerful, proactive endpoint hardening that remediates zero-day vulnerabilities within 24 hours and critical vulnerabilities within 72 hours.
INCREASING THE VELOCITY OF YOUR CYBER DEFENSE
Patch management, configuration drift, software deployment — these challenges bleed organizations of resources, take mind-numbing amounts of time to handle, and distract IT leaders from the strategy and innovation they should be focusing on.
These factors (particularly patch management) are among the biggest sources of risk a company faces.
When adversaries need just seven days to weaponize a vulnerability, the clock effectively starts the moment the vulnerability is disclosed.
Now more than ever, IT organizations need to consider how to increase the velocity and agility of their operations to manage these risks.
22k vulnerabilities disclosed per year
7 days on average to weaponize
102 days on average to deploy critical patches
The correct response to these challenges is cyber hygiene, with an emphasis on endpoint hardening. The Center for Internet Security (CIS) defines cyber hygiene as a set of baseline practices that preemptively protect organizations from cyber threats. Cyber hygiene has to cover every device in your ecosystem, whether it’s on-premises or remote, so the implementation can be more difficult than the theory.
To help, CIS has provided an authoritative set of controls to assist organizations with evaluating and planning their cyber hygiene. This gives us all a clear set of guidelines, though the specific tools for putting these concepts into place are up to companies to source.
IN THIS GUIDE
Automox has stepped in with a new Endpoint Hardening Maturity Matrix, which helps companies understand their path to be able to act faster than their adversaries. It is a natural complement to Automox’s endpoint hardening cyber hygiene platform, which addresses several of the most important CIS Controls® and gives organizations a complete, cloud-native solution.
We also introduce new guidance on the velocity required for organizations to proactively harden their systems — what we refer to as a 24/72 threshold to harden your corporate endpoints once a vulnerability is disclosed. This clearly defines what SecOps and IT organizations should be working toward.
Throughout, our principles integrate the best practices offered by the CIS (and others), as well as our own firsthand data and client experiences.
6 in 10 security practitioners lack context on the business impacts of a breach.
44% of cybersecurity professionals are not confident that their organization can avoid a breach.
More than 2/3 of security teams admit taking a month or more to fix known software vulnerabilities.
74% of companies feel that they can’t patch fast enough because they lack the staff resources.
By the end, you’ll see your way to impactful cyber hygiene, with the emphasis on endpoint hardening, and you’ll have the necessary tools in front of you to implement it.
RETHINKING IT VELOCITY
How fast do you really need to move? Data shows that adversaries weaponize vulnerabilities within seven days ― typically, that is roughly 15 times faster than organizations are acting.
Clearly, to achieve a sustainable cyber hygiene posture, organizations need to focus on the velocity of their endpoint hardening. Speed is essential to a proactive stance.
Bottom line: Zero-day vulnerabilities need to be patched within 24 hours and all other critical vulnerabilities within 72 hours. This is the 24/72 endpoint hardening threshold. Outside this threshold, hardening increasingly becomes a reactive exercise with little to no pre-incursion value.
THE ALL-OUT DRAG RACE OF ZERO-DAYS
Zero-day incursions are the statistical exception rather than the rule, since they account for less than one-tenth of 1% of the 20,000-plus vulnerabilities that we see accumulating year over year. But when they do occur, the response window is 24 hours from the time of disclosure.
This 24-hour threshold for zero-day vulnerabilities is the new norm for establishing a true, all-encompassing cyber hygiene practice.
WHY ARE WE TALKING ABOUT THIS NOW?
Today, the rise of patch management and related challenges coincides with many companies’ broader adoption of digital transformation plans. This is both an opportunity and a problem. On one hand, many companies are (rightly) disposed to adopting cloud-native solutions, automating legacy processes, and rethinking their IT ecosystems; on the other, they are often so strapped for resources during this time of transition that cyber hygiene gets pushed down to a secondary priority ― until it comes back to haunt them.
This is why Automox talks so much about how cyber hygiene makes you a smaller, faster target: You don’t have to invest in so much cumbersome armor, which lightens your security load. In our experience, organizations can sidestep up to 80–90% of cyber threats with good cyber hygiene ― allowing them to focus on the strategy and transformations that will help their business thrive.
BENEFITS ON TOP OF BENEFITS
Important organizational benefits ― beyond security ― come along with good cyber hygiene. First of all, it creates automation and labor savings that can drive efficiency and free up precious internal resources.
The labor needed to manage Automox’s solution, for example, is on average one-fifth the labor needed to manage existing security models.
Your organization will likely see drastic staff and operational efficiencies, depending on how you’re currently organized. Then there are the outright cost savings, which can be surprising. We don’t need to tell you what you can do with thousands of extra dollars every month.
INTRODUCING THE CENTER FOR INTERNET SECURITY CYBER HYGIENE CONTROLS
In any context of technological change, one challenge is identifying a dependable set of standards to judge your progress and tools.
1. Inventory and control of hardware assets
Our take: A company’s endpoints, servers, and other hardware assets are where attackers establish initial footholds. This makes it crucial for companies to track and update their assets and control network access as needed. Endpoints that are not permanently attached to the network (such as BYOD and remote workers) are especially vulnerable, since they’re often out of sight and typically fall behind with scheduled patching and updating tasks.
2. Inventory and control of software assets
Our take: Companies need to know that only authorized and properly installed software is running on their machines (real and virtual). This is harder than it seems, and the rapid versioning of many applications and other tools makes it difficult to stay compliant, protected, and optimized.
Unwanted or outdated third-party software is, of course, a primary point of exposure to attackers who exploit the resulting vulnerabilities. Any cyber hygiene framework must inventory desired software installations, such as productivity tools and databases, as well as infiltrations of undesired types to capture a full ecosystem view.
3. Continuous vulnerability management
Our take: It’s no longer enough to rely solely on human interventions to keep pace with the scale and velocity of remediating patches, configurations, etc., required to effectively reduce an organization’s exploitable attack surface. Adversaries are usually faster than their targets and will seize on publicized security vulnerabilities before most companies can remedy them. In fact, the average time to weaponize a newly disclosed critical vulnerability is seven days, while the average organization takes 102 days to remediate. Organizations simply can’t scale their efforts fast enough if they rely entirely on human memory and follow-through.
4. Controlled use of administrative privileges
Our take: Admin rights are the keys to the kingdom, and they are a primary method for attackers to spread laterally inside a target. The more an organization can enforce a least privilege strategy (providing only those privileges needed for users to do their jobs), the less likely they are to fall victim to malicious software or social engineering tactics. If administrative privileges and use practices are loosely controlled, a company’s most critical data, applications, and security functions are exposed because attackers have a ready-made (and often publicly identifiable) group of targets. Companies should audit their use of admin rights and reset those rights at regular intervals.
5. Secure configurations for hardware and software on mobile devices, laptops, workstations, and servers
Our take: Patches, updates, and configurations are only useful to the extent that they are evenly applied across devices, software, and the rest of a company’s infrastructure. Furthermore, the default settings for business hardware and software usually prioritize ease of use ― not security. Consequently, there is work involved on a company’s part to ensure proper settings and configuration. It usually isn’t enough to expect individual users to manage this on their own, and configuration drift remains a critical ― often unseen ― vulnerability for many teams.
6. Maintenance, monitoring, and analysis of audit logs
Our take: Logging and analysis are the means through which companies can discover threats or breaches. If you’re not seeing what’s going on, you’re certainly not fixing it. Many auditing practices exist mostly for obligatory compliance reasons and are infrequently analyzed for security insights or warnings. This is usually a human labor issue. Given the work involved and the traditional lack of automation opportunities, most companies cut these processes short.
Achieving the 24/72 Endpoint Hardening Threshold With Automox
THE AUTOMOX SOLUTION
Automox is a cloud-native cyber hygiene platform that enables organizations to reduce their exploitable attack surface, proactively eliminating the vulnerabilities that adversaries target most.
Delivered as a modern cloud service with cross-platform support, Automox provides foundational system hardening by automating the enforcement of critical patches, software updates, security configurations, and custom scripting across diverse endpoint environments. It enables both IT and SecOps teams to better anticipate and respond to threats by dramatically reducing the time and effort it takes to harden their endpoints.