Mikail Kocak

Vulnerabilities are being exploited faster than ever: opportunity in disguise

The Zero Day Clock is now at 1.0d TTE (Time-to-Exploit), meaning vulnerabilities are getting exploited within 1 day on average. 50% of vulnerabilities are exploited within 17 hours.

Chart showing TTE (Time-to-Exploit) going from 2.3 years in 2018 to 1.0 days in 2026

Source: https://zerodayclock.com/

That's a crazy time for cybersecurity! On one hand we have TTE approaching zero, and on the other hand we are actively throttling dependency updates in our software due to the increased risk of supply-chain attacks (or, as PyPI puts it, we are no longer drinking from the firehose).

So we have three problems:

  1. We need to patch CVEs faster, but unlike for attackers, moving fast is risky for us. One wrong patch or one wrong live patch can lead to downtime or lock out legitimate users. We have something to lose, and we have processes that we need to follow.
  2. We need to slow down updates due to the increased risk of supply-chain attacks.
  3. At the same time, the volume of new CVEs is increasing alarmingly.

This is an interesting dilemma: traditional processes cannot handle it efficiently, and it requires increased automation.
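One way to automate the three-way trade-off above, as an added example that is not from the original post: routine releases wait out a cooldown, fixes for disclosed CVEs skip it, and the backlog is ordered by exposure. The 7-day cooldown, the `Update` record, the action names and the sample packages are assumptions; the 17-hour figure is the one quoted in the post.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

COOLDOWN = timedelta(days=7)      # assumed policy value, not from the post
MEDIAN_TTE = timedelta(hours=17)  # figure quoted in the post

@dataclass
class Update:
    package: str
    released: datetime                   # publication time of the new version
    advisory: Optional[datetime] = None  # disclosure time of a CVE it fixes, if any

def triage(u: Update, now: datetime) -> str:
    """Return the action for one pending update."""
    if u.advisory is not None:
        # Problem 1: a fix for a disclosed CVE skips the cooldown. It still
        # goes through staged rollout, because a bad patch causes downtime.
        exposed = now - u.advisory
        return "fast-track-overdue" if exposed > MEDIAN_TTE else "fast-track"
    # Problem 2: routine releases wait, so a hijacked version can be
    # reported and pulled before it reaches the build.
    return "hold" if now - u.released < COOLDOWN else "apply"

def work_queue(updates: List[Update], now: datetime) -> List[Tuple[str, str]]:
    """Problem 3: order the backlog so the longest-exposed CVE fix comes first."""
    rank = {"fast-track-overdue": 0, "fast-track": 1, "apply": 2, "hold": 3}
    def key(u: Update):
        # Within a rank, the oldest advisory (or oldest release) goes first.
        return (rank[triage(u, now)], u.advisory or u.released)
    return [(u.package, triage(u, now)) for u in sorted(updates, key=key)]

# Constructed sample backlog; package names are placeholders.
NOW = datetime(2026, 1, 10, 12, 0, tzinfo=timezone.utc)
BACKLOG = [
    Update("lib-routine-new", released=NOW - timedelta(days=2)),
    Update("lib-routine-old", released=NOW - timedelta(days=30)),
    Update("lib-cve-fresh", released=NOW - timedelta(hours=3),
           advisory=NOW - timedelta(hours=5)),
    Update("lib-cve-stale", released=NOW - timedelta(hours=20),
           advisory=NOW - timedelta(hours=40)),
]

if __name__ == "__main__":
    for package, action in work_queue(BACKLOG, NOW):
        print(f"{action:20} {package}")
```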

Meme showing two buttons being hit at the same time by a man looking happy, one that button that says

Rather than panic, we can treat TTE approaching zero as an opportunity. You need to build solid defenses: zero trust, defense in depth, WAF, API Gateways, and defensive programming should be a must, and not a nice-to-have. Defensive programming is especially powerful. Take Log4Shell: how could you have prevented it from being exploited in your application?

With these defenses in place, you are on the right side of the TTE curve: the next CVE won't become a disaster, and it will be an opportunity, because fast exploits are fast feedback. The speed allows you to quickly verify where your defenses are working well and where they need to be reinforced.

This is the new reality for defenders. TTE is shrinking, but with the right defenses, it becomes a tool, not just a threat.

Fast exploits = opportunity to validate defenses
