Security practitioners share a sense of failure, a belief that they cannot keep up with attacks, and this has created a sense of irrational fear.
Speaking at the Tenable Edge conference in London, Tenable CEO Amit Yoran said that this “learned helplessness” has led people to reassess their perception of risk. Zero-days, he said, are often overhyped; two other things matter more and deserve the focus: system hygiene and user challenges.
Acknowledging that user problems are harder to solve, Yoran focused on security hygiene, saying that “sophisticated adversaries take advantage of known vulnerabilities as 60% of breaches are caused by known vulnerabilities to which patches are available” but often not applied.
He said that in the last two years the NSA “has not responded to a breach that involved a zero-day exploit”, yet the fixation on zero-days has fed irrational fears and the news coverage that shapes what we worry about, when breaches are often “the result of bad hygiene and stuff we know about and can fix.”
Yoran said that knowing your level of risk is imperative. Boards and CEOs do not ask about sandboxing, file exploits “and which form of AI or ML you’re using to detect logins,” but ask simple questions such as “how vulnerable are we and what is our level of risk?”
He concluded: “Those are the questions business leaders are asking, and it is imperative for the future of vulnerability management as it is a system of record for the understanding of risk.”