As I’m kicking off the next iteration of the Forrester Wave™ for vulnerability risk management in the coming weeks, I’ve been fielding a lot of questions about what I’m going to be focusing on and why. Traditional vulnerability management solutions date back 30 years and remain a critical element of any infrastructure hardening process, but digital transformation has left them insufficient on their own. Because of this, I’m focusing this upcoming Wave on vendors that are actively developing products to solve today’s problems, and I hope that, by sharing this vision, I can help drive the market a little closer to where we need to be.

Complexity Begets The Need For Vulnerability “Risk” Management

With our digital transformation has come complexity. There are simply too many devices and too many applications that we’re responsible for maintaining in our infrastructure for us to also maintain a meaningful asset inventory, much less keep everything patched and up to date. I’ve heard this problem described through reminiscences of past lives: there was one person responsible for keeping track of all the assets, who was basically the crown jewel of the IT organization, and if that person ever left, it would be impossible to replace that knowledge. At a certain point, the “genius” of our IT organization was no longer able to keep track of everything, and we’ve been treading water ever since. This clearly isn’t the entire story, but to quote Tyrion Lannister, “people need a good story,” and this one is effective at helping people understand that complexity has outpaced our ability to manage our environments the way we used to.

Complexity demanded better asset management and prioritization of remediation workloads, because many organizations became so overwhelmed that they had to decide what actually has to get done first; this is the foundation of the vulnerability risk management space.
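To make the prioritization point concrete, here is an added example (not code from the original post, and not any vendor’s product) of how a risk score goes beyond raw severity. The multipliers, the asset metadata and the findings are constructed for illustration, and the vulnerability identifiers are placeholders rather than real CVEs; a real program would pull findings from a scanner, exposure and criticality from a CMDB, and the exploited-in-the-wild flag from an exploit-intelligence feed.

```python
"""Risk-based prioritization of vulnerability findings.

Added example, not from the original post or any vendor's product. The
weights, asset metadata and findings below are constructed for
illustration; a real program would pull findings from a scanner, asset
criticality and exposure from a CMDB, and the exploited-in-the-wild flag
from an exploit-intelligence feed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str           # placeholder identifiers below, not real CVEs
    cvss: float            # base score, 0.0 to 10.0
    exploited: bool        # known exploited in the wild (assumed feed flag)
    internet_facing: bool  # asset reachable from the internet
    criticality: int       # business criticality: 1 low, 2 medium, 3 high


# Assumed multipliers. The shape of the formula is the point, not these values.
EXPLOITED_WEIGHT = 1.5
EXPOSED_WEIGHT = 1.3
CRITICALITY_WEIGHT = {1: 0.8, 2: 1.0, 3: 1.2}


def risk_score(f: Finding) -> float:
    """Combine severity with exploitability and exposure.

    Ranking by CVSS alone puts a 9.8 on an isolated lab box above a 7.5 on
    an internet-facing, actively exploited payment system; the multipliers
    invert that so the remediation queue starts with what attackers can
    actually reach and are actually using.
    """
    score = f.cvss
    if f.exploited:
        score *= EXPLOITED_WEIGHT
    if f.internet_facing:
        score *= EXPOSED_WEIGHT
    score *= CRITICALITY_WEIGHT[f.criticality]
    return round(score, 2)


def prioritize(findings):
    """Highest risk first; ties broken by asset and id so output is stable."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.asset, f.vuln_id))


def remediation_plan(findings, capacity):
    """The 'what actually has to get done' list: the top `capacity` items."""
    ranked = prioritize(findings)[:capacity]
    return [(f.asset, f.vuln_id, risk_score(f)) for f in ranked]


# Constructed sample findings (placeholder asset names and ids).
SAMPLE_FINDINGS = [
    Finding("lab-box-07", "VULN-0001", 9.8, False, False, 1),
    Finding("payments-web-01", "VULN-0002", 7.5, True, True, 3),
    Finding("marketing-cms", "VULN-0003", 5.3, True, True, 2),
    Finding("partner-api-gw", "VULN-0004", 8.8, False, True, 2),
]

if __name__ == "__main__":
    for asset, vuln_id, score in remediation_plan(SAMPLE_FINDINGS, capacity=3):
        print(f"{score:6.2f}  {asset:16} {vuln_id}")
```

With a capacity of three, the 9.8 on the isolated lab box drops off the list entirely, while the 7.5 on the exploited, internet-facing payment system goes to the top; that reordering is what “risk” adds to vulnerability management.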

We’re Distributed Beyond Control And Need Attack Surface Monitoring For Visibility

The next stage of our digital transformation is a product of cloud and SaaS vendors that have made it so easy for someone to stand up their own rogue instance of something and start sending company road maps and other intellectual property up to someone else’s rented server. Your environment is so distributed now that your attack surface isn’t even limited to your own controllable infrastructure. This is a different problem from shadow IT alone; it’s about people doing things with data that are not discoverable by scanning our own subnets and will never show up in an asset inventory list.[i]

Our data is distributed beyond the reach of our GRC processes, so we have to turn to offensive-style reconnaissance of the entire internet to understand where our assets reside and what an attacker is going to see. Attack surface monitoring is also becoming critical for identifying evasive campaigns such as Magecart’s JavaScript payment-card skimmers, which I personally find to be one of the more interesting things going on right now based on who is getting hit and how long the dwell time is.
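One cheap form of the outside-in reconnaissance described above is reading Certificate Transparency logs, since every publicly trusted certificate issued for one of your domains, including the ones nobody told you about, lands there. The following is an added example, not code from the original post or from any vendor’s product: it takes CT entries in the shape crt.sh returns them (one newline-separated `name_value` field per certificate), keeps the names under domains the organization owns, and reports the hostnames missing from the internal inventory. The domains, inventory and CT entries are all constructed; a real run would fetch the entries from a CT log or a service in front of one and the inventory from a CMDB.

```python
"""External attack surface discovery: hostnames seen in Certificate
Transparency logs that are missing from the internal asset inventory.

Added example, not from the original post. The CT entries below are
constructed in the shape crt.sh returns (one 'name_value' field per
certificate, newline-separated SANs); a real run would fetch them from a
CT log or a service in front of one, and the inventory from a CMDB.
"""
import json

# Assumed: the registrable domains the organization owns.
OWNED_DOMAINS = {"example.com"}

# Constructed sample: what the internal inventory knows about.
ASSET_INVENTORY = {
    "www.example.com",
    "example.com",
    "mail.example.com",
    "vpn.example.com",
}

# Constructed sample in crt.sh JSON shape (fields trimmed to what is used).
CT_LOG_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.dev.example.com\nstaging-api.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "Mail.Example.COM."},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "roadmap-preview.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.community"},  # lookalike domain, not ours
])


def normalize(name: str) -> str:
    """Lowercase, drop a trailing dot, and strip a wildcard label.

    A wildcard certificate still reveals the parent zone it was issued for,
    which is what we want to compare against the inventory.
    """
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name


def in_scope(name: str) -> bool:
    """True only for the owned domain itself or a subdomain of it.

    A plain substring match would accept 'example.community' as ours;
    lookalike domains are a separate (brand-monitoring) problem.
    """
    return any(name == d or name.endswith("." + d) for d in OWNED_DOMAINS)


def ct_hostnames(ct_json: str) -> set:
    """Every in-scope hostname named by any certificate in the CT results."""
    found = set()
    for entry in json.loads(ct_json):
        for raw in entry["name_value"].split("\n"):
            name = normalize(raw)
            if name and in_scope(name):
                found.add(name)
    return found


def unknown_assets(ct_json: str, inventory: set) -> list:
    """Hostnames the internet can see that the inventory has never heard of."""
    known = {normalize(h) for h in inventory}
    return sorted(ct_hostnames(ct_json) - known)


if __name__ == "__main__":
    for host in unknown_assets(CT_LOG_JSON, ASSET_INVENTORY):
        print("not in inventory:", host)
```

The staging and “preview” hosts are exactly the rogue instances the text describes: they were never added to the inventory, a scan of the corporate subnets would not find them, and an attacker querying the same public logs sees them immediately.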

[i] You haven’t lived until you’ve found company data indexed by Google and sitting on a third-party web developer’s public MongoDB instance.