Vulnerability scanners aren’t enough to prevent ransomware attacks

National Cyber Security Centre CEO Lindy Cameron recently warned that “ransomware is the most immediate cyber security threat to UK businesses.”

Cyber security leaders must reflect on this and ask how best to protect their organisation's resilience. To succeed, they must ask the right questions to inform a strong cyber security strategy, and “Which vulnerability scanner should I buy?” is the wrong question.

Vulnerability scanning is a fundamental component of many enterprise security strategies, but scanners are purely reactive tools: they report what is already exposed. As weekly news headlines show, traditional reactive cyber security strategies are falling short. Multi-million-dollar ransomware payments, along with successful attacks on healthcare, water and energy supplies, are proof that the outdated scan-and-patch playbook must evolve.

Digital transformation expands the attack surface

During the pandemic, many industries fast-tracked their digital initiatives. An unintended side effect of that digital transformation was the wide-scale introduction of new vulnerabilities as the attack surface expanded; security was an afterthought while companies focused on switching to remote work. Once the dust settled, a Skybox survey found that 73% of C-level executives were concerned that distributed workforces had introduced new vulnerabilities and increased exposures.

Already stretched thin by talent shortages, security teams suddenly had more to protect: more access points to configure, more cloud technologies to secure, and more changes to validate properly. Meanwhile, they are drowning in security alerts. According to Dimensional Research, 93% of IT security stakeholders cannot address all security alerts the same day. On top of that, security teams are persistently bombarded with attacks and breaches, some publicised and some not.

There are three critical reasons why modern cyber security must expand beyond scan-and-patch solutions:

1. Snow blindness

Organisations are struggling to deal with the surge of new vulnerabilities. In the first half of 2021, Skybox Research Lab recorded 9,444 new vulnerabilities, close to last year's record-setting pace. In this snowstorm of vulnerabilities, CISOs cannot keep drowning their front-line defenders in alerts that give no indication of which ones actually matter.

2. Vulnerabilities hiding in plain sight

Discovering weaknesses hidden in smaller and even unknown assets is critical. Cyber criminals know that operational technology (OT) and Internet of Things (IoT) devices are hard to secure and lack mature security controls, so they target them as “easy” wins. Skybox research noted a 46% rise in new OT device vulnerabilities in the first half of 2021 compared with the same period a year earlier, and a further Skybox survey found that 83% of respondents had experienced an OT breach over the past 36 months.

3. Remediation rarely happens as soon as a vulnerability is discovered

In an ideal world, remediation would happen as soon as any exposure is discovered. In practice it lags badly: a recent CISA advisory warned that threat actors continue to target known vulnerabilities, many of them years old and all with patches available.

Illuminate a new, proactive path forward for cyber security

Armed with these insights, CISOs can show their boards which exploitable exposures have actually been closed off, a validation that scanners alone cannot provide. Taking the following steps will help protect organisations in today's challenging cyber security climate:

  • Aggregate data beyond scanning. Incorporate data from configuration, patch and asset management systems, endpoint security tools, threat intelligence feeds, and assets such as OT, cloud and network devices.
  • Develop an interactive model of the entire IT, OT and hybrid cloud environment. Security teams need full visibility of the attack surface, or they cannot protect it. That understanding must cover whether devices are hardened correctly and whether the access permissions the team assumes are in place match what is actually enforced. A correctly configured network makes the lateral-movement stage of an attack much harder.
  • Conduct advanced exposure analysis. Use threat intelligence to identify which vulnerabilities are actually being exploited, then correlate that with the enterprise's own network configuration and security controls to determine whether the vulnerable system is reachable by an attacker. This isolates the perfect-storm cases: vulnerabilities that are exploited in the wild, exposed on the network, and not mitigated by any existing control.
  • Identify remediation options that go beyond patching. Alternative fixes include adjusting configurations, enforcing appropriate policies, applying IPS signatures, implementing network segmentation and more. This is especially vital for OT networks, which cannot be effectively protected by scanning and patching alone.

Work smarter, and make better security decisions

What causes breaches? Exposed vulnerabilities. Don't try to patch everything; you will fail. Instead, focus on the vulnerabilities that are actually exploited in the wild and reachable in your environment.

Vulnerability scanners can tell you that a vulnerability exists, but they have no insight into the cyber kill chain. Tracing the steps of a major attack, from a seemingly minor exposure, to lateral movement, to exfiltration of data and finally the encryption or shutdown of networks, is what makes it possible to identify the most dangerous threats instead of wasting resources trying to patch every vulnerability.
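The exposure analysis described in the steps above, and the exploited-in-the-wild prioritisation argued for in this section, as an added worked example. This is not Skybox code or any product's logic; it assumes a constructed zone model, inventory, scanner output, exploited-in-the-wild list and IPS coverage map, and the CVE identifiers are placeholders. It ranks each finding by whether the vulnerability is exploited in the wild, whether an attack path from the internet reaches the asset, and whether a compensating control already covers it, and picks a remediation that is not always “patch”. The highest-CVSS finding deliberately lands at the bottom of the list.

```python
"""Exposure analysis: rank scanner findings by real-world exploitability,
network reachability and compensating controls, not by CVSS alone.

Everything below is constructed example data. The CVE identifiers use the
impossible year 0000 and are placeholders, not real vulnerabilities; the
zones, hosts and IPS signature names are invented for illustration.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str                                # network zone from the model below
    patchable: bool = True                   # False for OT gear that cannot take patches
    ips_signatures: frozenset = frozenset()  # IPS rules enforced in front of the asset


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cvss: float


# Constructed network model: which zones a zone can initiate connections into.
NETWORK_MODEL = {
    "internet": {"dmz"},
    "dmz": {"corp"},
    "corp": {"ot"},
    "ot": set(),
    "isolated": set(),   # air-gapped test bench, nothing routes to it
}

TIER_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def attack_path(model, src, dst):
    """Breadth-first search over the zone model; returns the zone chain or None."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        zone = queue.popleft()
        if zone == dst:
            path = []
            while zone is not None:
                path.append(zone)
                zone = prev[zone]
            return path[::-1]
        for nxt in model.get(zone, ()):
            if nxt not in prev:
                prev[nxt] = zone
                queue.append(nxt)
    return None


def analyse(findings, assets, exploited, model, ips_coverage):
    """Classify each finding and pick a remediation that is not always 'patch'."""
    results = []
    for f in findings:
        asset = assets[f.asset]
        path = attack_path(model, "internet", asset.zone)
        in_wild = f.cve in exploited
        # Signatures that both cover this CVE and are actually enforced for this asset.
        covered = ips_coverage.get(f.cve, frozenset()) & asset.ips_signatures
        if in_wild and path and not covered:
            tier = "critical"     # exploited, reachable, nothing in the way
        elif in_wild and path:
            tier = "high"         # exploited and reachable, but an IPS rule blocks it
        elif in_wild:
            tier = "medium"       # exploited in the wild, but no path reaches the asset
        else:
            tier = "low"          # no evidence of exploitation, whatever the CVSS score
        if asset.patchable:
            fix = "patch"
        elif covered:
            fix = "maintain IPS coverage; segment when feasible"
        else:
            fix = "apply IPS signature or segment"
        results.append({"asset": f.asset, "cve": f.cve, "cvss": f.cvss,
                        "tier": tier, "path": path, "fix": fix})
    return sorted(results, key=lambda r: (TIER_ORDER[r["tier"]], -r["cvss"]))


def run_example():
    """Constructed inventory, scanner output, threat-intel feed and IPS coverage."""
    assets = {a.name: a for a in [
        Asset("web01", "dmz"),
        Asset("fs02", "corp"),
        Asset("plc07", "ot", patchable=False, ips_signatures=frozenset({"sid-1003"})),
        Asset("bench03", "isolated"),
    ]}
    findings = [
        Finding("web01", "CVE-0000-0001", 7.5),
        Finding("web01", "CVE-0000-0002", 9.8),   # highest CVSS, but not exploited
        Finding("plc07", "CVE-0000-0003", 8.1),
        Finding("bench03", "CVE-0000-0004", 9.0),
        Finding("fs02", "CVE-0000-0005", 6.5),
    ]
    exploited = {"CVE-0000-0001", "CVE-0000-0003", "CVE-0000-0004", "CVE-0000-0005"}
    ips_coverage = {"CVE-0000-0003": frozenset({"sid-1003"})}
    return analyse(findings, assets, exploited, NETWORK_MODEL, ips_coverage)


if __name__ == "__main__":
    for r in run_example():
        route = " -> ".join(r["path"]) if r["path"] else "unreachable"
        print(f'{r["tier"]:8} {r["asset"]:8} {r["cve"]} cvss={r["cvss"]} via {route}; fix: {r["fix"]}')
```

Run as a script, it lists the two critical findings first (exploited, reachable from the internet, no control in front of them), the OT controller second as high because an IPS signature already covers it, the air-gapped bench as medium, and the 9.8 CVSS finding last because nothing in the feed says it is being exploited. In a real deployment the zone model comes from firewall and routing configuration, the exploited set from a threat intelligence or known-exploited-vulnerabilities feed, and the coverage map from the IPS vendor; the ranking logic stays the same.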

Written by Justin Berman, technical director at Skybox Security
