Reported CVEs have increased by a whopping 30% this year. The success of threat actors’ CVE-based attacks isn’t always dependent on leveraging a zero day. Many individuals and organizations don’t respond to published CVEs in an expedited fashion. That’s why security leaders have also seen a 10% rise in the exploitation of old vulnerabilities — hackers don’t need to rush when outdated and insufficient processes give them the opportunity to take their time!

Take the example of Fortinet. 86,000 Fortinet instances remained vulnerable to a critical flaw (CVE-2024-23113), and attackers started exploiting it after it had flown under the radar for almost nine months.

There is only so much a security team can do to be proactive in these situations; they don’t operate in a bubble, and immediately patching production systems without proper testing comes with its own risks. Bandwidth can be limited, threats are constant, and it may feel like you’re always putting out fires. However, there is potential to optimize a response in the face of emerging threats and vulnerabilities. If security leaders can better maximize their time, processes and procedures then they can be more resilient.

Damage to the nth degree

Security teams understand the criticality of patching their devices and systems. What can often be inadvertently deprioritized or overlooked is the defensibility of the connected ecosystem.

Do you know how many of your partners, suppliers, and vendors connected to your business have taken the necessary steps to safeguard themselves, and have done so in a way that aligns with your risk tolerance? Most companies don’t have high confidence in their answers, which is why organizations often see a “mad dash” to collect emergency third-party assessments when new threats emerge.

It is also why security leaders see widespread chaos after an incident. Take this year’s CrowdStrike incident, which caused massive outages with Microsoft Windows; flights were canceled, medical procedures were halted, and financial transactions were delayed. The global impact was similar following Log4j where widespread exploitation and hacks impacted payroll processing and higher education systems.

These incidents can cost companies billions of dollars due to operational impacts, ransomware payments, litigation fees, recovery efforts, and more.

Cybercriminals are exploiting CVEs because the volume of reported CVEs grows year over year, the approach has proven successful, and it has significant implications across the software supply chain — creating notoriety for these groups as well as more opportunity for financial gain and opportunistic hacks. This places enormous pressure not only on security teams, but also on those within procurement and compliance.

While security teams are trying to contain any damage internally, they also must work with the rest of their third-party risk management stakeholders to identify vendors that require immediate attention in response to an emerging threat. Rapid response within the interconnected ecosystem is critical, and it’s important for teams to enact a more streamlined process.

Critical components for managing threats 

Here are the critical steps for managing threats:

  1. Increase visibility into emerging threats. Knowledge is power. You can’t “fix” what you don’t know about, so make sure to have the proper resources and technology to know when threats arise. Monitoring resources like CISA’s Known Exploited Vulnerabilities (KEV) catalog or NIST’s National Vulnerability Database (NVD) is a great place to start. Getting near-real-time alerts for vulnerabilities of interest will help reduce noise and give accurate information on the nature and severity of evolving risks.
  2. Know who is susceptible. Sending out bulk assessments to all vendors isn’t effective, or a great use of valuable resources. Security leaders want to avoid chasing down assessments and analyzing responses from vendors who have little to no access to data or systems, or may not be utilizing the software. This is where security leaders can apply proactive measures. There are a variety of different feeds and sources organizations can tap into to gain better understanding of which software a given third-party is using. Before an incident even occurs, security leaders should have their third-party ecosystem tiered out from least critical (perhaps a maintenance supplier) to most critical (like a cloud provider) inherent risk, which will allow them to know who they should be assessing when a threat is uncovered. This is where security leaders need to have a satisfactory risk management process in place.
  3. Assess. Organizations are now at a place where they can send out assessments to a targeted list of critical or impacted vendors. Cut down on the noise and make sure vendors are given an assessment that is specific to the threat and doesn’t request information you already have. Security leaders want to make it easy for the third party to complete, and also more efficient for their team to review, score and act on.
  4. Don’t forget to communicate! Communication and transparency are key, especially during high-stakes scenarios when there are many eyes on a program. Senior leaders, customers and partners will want to know that the security team is taking the necessary steps to contain the incident. Communicating the status of any efforts and disseminating reports that showcase progress will keep everyone’s mind at ease.
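The first three steps above are a pipeline: watch a feed, match it against what each third party is known to run, rank by inherent-risk tier, and assess only the exposed parties. The script below is an added example that is not from the original article or from any vendor's product. It uses the field names CISA's KEV JSON feed publishes, but every entry, the third-party inventory, the tiers and the dates are constructed sample data; CVE-2024-23113 is the Fortinet flaw mentioned earlier in the article with sample dates attached, and CVE-PLACEHOLDER-0002 stands in for any other entry.

```python
"""Added example (not from the original article): turn a KEV-style feed and a
tiered third-party inventory into a targeted assessment list.

Steps covered: 1) watch the feed, 2) match it to what each third party runs
and rank by inherent-risk tier, 3) assess only those who are actually exposed.
All data below is constructed. CVE-2024-23113 is the Fortinet flaw the article
mentions; its dates here are sample values. CVE-PLACEHOLDER-0002 is a placeholder.
"""
from dataclasses import dataclass
from datetime import date

# Constructed sample using the per-entry field names of CISA's KEV JSON feed
# (cveID, vendorProject, product, dateAdded, dueDate). Values are made up.
KEV_FEED = [
    {"cveID": "CVE-2024-23113", "vendorProject": "Fortinet", "product": "FortiOS",
     "dateAdded": "2024-10-09", "dueDate": "2024-10-30"},
    {"cveID": "CVE-PLACEHOLDER-0002", "vendorProject": "ExampleSoft", "product": "EdgeProxy",
     "dateAdded": "2024-10-12", "dueDate": "2024-10-20"},
]


def normalize(vendor_project: str, product: str) -> tuple:
    """Case- and whitespace-insensitive key so feed and inventory spellings line up."""
    return (vendor_project.strip().lower(), product.strip().lower())


@dataclass(frozen=True)
class ThirdParty:
    name: str
    tier: int             # 1 = most critical (cloud provider) ... 3 = least (maintenance supplier)
    software: frozenset   # normalize() keys for products this third party is known to run
    has_data_access: bool # does it hold our data or reach our systems?


# Constructed inventory; in practice this comes from TPRM records and software-usage feeds.
THIRD_PARTIES = [
    ThirdParty("CloudHost Inc", 1,
               frozenset({normalize("Fortinet", "FortiOS"), normalize("ExampleSoft", "EdgeProxy")}), True),
    ThirdParty("Payroll SaaS", 2, frozenset({normalize("fortinet", "fortios")}), True),
    ThirdParty("Facilities Co", 3, frozenset({normalize("Fortinet", "FortiOS")}), False),
    ThirdParty("Print Vendor", 3, frozenset({normalize("OtherSoft", "Printer")}), False),
]


def match_feed(kev_feed, third_parties, today):
    """One record per third party that runs an affected product, ranked by tier then deadline."""
    hits = []
    for tp in third_parties:
        matches = [e for e in kev_feed if normalize(e["vendorProject"], e["product"]) in tp.software]
        if not matches:
            continue  # step 2: don't chase third parties that aren't running the software
        # The earliest remediation deadline in the feed sets the urgency for this party.
        soonest = min(date.fromisoformat(e["dueDate"]) for e in matches)
        hits.append({
            "vendor": tp.name,
            "tier": tp.tier,
            "cves": sorted(e["cveID"] for e in matches),
            "days_to_due": (soonest - today).days,
            "data_access": tp.has_data_access,
        })
    hits.sort(key=lambda h: (h["tier"], h["days_to_due"]))  # most critical tier first, then soonest deadline
    return hits


def build_assessment_plan(kev_feed, third_parties, today):
    """Split exposed third parties into those needing a threat-specific assessment and
    those who only need a notification because they hold no data or system access."""
    hits = match_feed(kev_feed, third_parties, today)
    return {
        "assess": [h for h in hits if h["data_access"]],
        "notify_only": [h for h in hits if not h["data_access"]],
    }


def assessment_questions(hit):
    """A short, threat-specific question per matched CVE (step 3), rather than a bulk questionnaire."""
    return [f"{cve}: Is the affected product patched or mitigated in your environment, "
            f"and by what date? (remediation due in {hit['days_to_due']} days)"
            for cve in hit["cves"]]


if __name__ == "__main__":
    plan = build_assessment_plan(KEV_FEED, THIRD_PARTIES, date(2024, 10, 15))
    for h in plan["assess"]:
        print(f"ASSESS  tier {h['tier']} {h['vendor']}: {', '.join(h['cves'])}")
        for q in assessment_questions(h):
            print("   -", q)
    for h in plan["notify_only"]:
        print(f"NOTIFY  tier {h['tier']} {h['vendor']}: {', '.join(h['cves'])}")
```

The point of the tiering is that the cloud provider running two affected products surfaces first, the tier-3 facilities supplier with no data access is only notified, and the vendor running nothing affected never receives an assessment at all. Swap `KEV_FEED` for the real catalog download and `THIRD_PARTIES` for your own inventory and the same ranking applies.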

Rapid response isn’t as rapid as security leaders would like it to be, taking valuable days, weeks or even months to respond to critical activity. If security leaders speed up and streamline their processes, they’ll be able to increase resiliency and ultimately give a little more time back to already crowded schedules.