Security teams spend a lot of time chasing software vulnerabilities. The fact is, however, that their time would be better spent combating malware because the payoff is better: faster detection, response, and resolution of threats.
Here are six reasons why shifting focus away from vulnerability management and toward battling malware should be a top priority for application security (AppSec) teams.
[ See Webinar: Building a Better Malware Lab ]
1. Detect software threats faster
MJ Kaufmann, an author and instructor with O'Reilly Media, said malware mitigation programs are designed with quick detection and remediation in mind.
"Unlike vulnerability discovery programs that gather up data and present findings to be risk-prioritized and actioned on, malware mitigation finds the problem and resolves it in one go."
—MJ Kaufmann
Michael J. Mehlberg, CEO of Dark Sky Technology, said vulnerabilities often aren’t discovered for long periods of time after the deployment of a system or software application — if they're discovered at all. Furthermore, the reporting of a discovered vulnerability often has a lag time, meaning the reported vulnerability doesn’t show up in a public database for some period of time, he said.
"While it’s necessary to discover vulnerabilities to fortify systems and applications against future attacks, malware mitigation often leads to faster mean times to detection because it’s detecting and addressing more immediate threats."
—Michael J. Mehlberg
One way malware is detected is by identifying its command-and-control communication. That usually leads to faster detection for two reasons, said David Ratner, CEO of the Hyas Group.
"First, it isn't based on knowing what the exploits or CVEs themselves are. It is solely based on watching the telltale signs of a breach and seeing the digital exhaust, the beaconing behavior to command and control. Second, this detection is done in real time — at the time that the malware attempts to communicate."
—David Ratner
Malware mitigation can lead to faster detection of threats because it focuses on identifying active threats rather than potential vulnerabilities, said Guy Rosenthal, vice president for product at DoControl. Malware mitigation tools are designed to detect unusual behaviors and patterns that indicate a compromise, allowing security teams to respond more quickly, he said.
"Vulnerability discovery, on the other hand, involves identifying and patching potential weaknesses, which can be a more time-consuming and less immediate process."
—Guy Rosenthal
Because vulnerability discovery is much more focused on a preemptive defense that involves various assessments, and longer processes in identifying and remediating potential weaknesses, organizations aiming to quickly detect and respond to active threats should invest in malware mitigation solutions as a more effective strategy, said Andrew Obadiaru, vice president and CISO of Cobalt Labs.
However, Chris Olson, CEO of the Media Trust, said that security teams need to avoid thinking about vulnerability discovery and malware mitigation as unrelated domains. "Vulnerability discovery is one very important element of malware mitigation, but it's not the only one, and organizations should not depend on it as their sole method of threat detection," he said.
"Vulnerabilities can be hard to discover without context. There are a potentially infinite number of vulnerabilities in any given system, and we don't care about all of them. We care about the ones malicious actors are exploiting at any given time. Malware analysis is one of many tools we can use to gain that crucial context."
—Chris Olson
Malicious actors are often quicker to find vulnerabilities than defenders, and they will exploit those vulnerabilities faster than they can be fixed, Olson said. "Malware analysis provides indicators of compromise that can help defenders detect threats even if the underlying vulnerabilities have not been fully identified or patched yet."
2. Respond to software threats faster
Malware mitigation typically involves real-time monitoring and automated responses to suspicious activities, significantly speeding up the response time. When a malware attack is detected, predefined mitigation strategies, such as shutting down processes or quarantining machines, can be immediately deployed to isolate and neutralize the threat, DoControl's Rosenthal said. "In contrast, responding to vulnerabilities often requires a series of steps including patching, testing, and deployment, which can delay the overall response time."
Nick Hyatt, director of threat intelligence at Blackpoint Cyber, said malware mitigation is important and is part of a larger focus on "detection tradecraft, where security teams will often find more success than chasing vulnerabilities."
This focus on tradecraft, and specifically on post-exploitation detection, will provide more opportunities for stopping threat actors before they can do real damage, he said, noting that there were about 28,000 vulnerabilities in 2023 and that 2024 is on track to exceed that.
"Focusing exclusively on vulnerability mitigation is a fast track to burnout for many security teams. While patching is important, post-exploitation detection provides far more opportunities to catch adversaries. Malware mitigation is part of that."
—Nick Hyatt
3. Resolve software threats faster
Faster response leads to faster resolution and reduced damage from a threat, said O'Reilly's Kaufmann. "Malware mitigation is built to stop threats before they have a chance to launch their payloads, resolving them within moments after resolution," she said. "This is quite different from vulnerability detection software, which, after gathering findings, takes time for triage and remediation, leading to longer resolution times."
Rosenthal said the resolution of malware threats often involves immediate containment and eradication processes, such as quarantining affected systems, removing malicious code, and restoring data from backups. "These actions can be automated and executed swiftly," he said. "You can also use mitigating solutions such as email protection, SaaS security posture management, and cloud-native application protection platforms to prepare, detect, and protect the environment based on the malware's behaviors."
However, John Gallagher, vice president of Viakoo Labs, said quick resolution of threats may not be the best outcome in all environments. "For a laptop, malware mitigation may be very effective to halt its internet traffic and restrict its operations in order to stop a malware threat from spreading," he said.
"For an IoT or industrial control system, using those same mechanisms may stop the malware threat but also stop the operations of business-critical systems. In that case, methods other than malware mitigation would be more effective, such as vulnerability remediation."
—John Gallagher
4. Take on threats that don't traditionally target vulnerabilities
Malware can often slip through defenses and be embedded in "safe" files such as Word documents, spreadsheets, or PDF files, Kaufmann said. "When opened, the payload launches, not exploiting any known vulnerability but simply capitalizing on running with the executing user’s privileges. In the process, the malware may load rootkits, backdoors, ransomware, or keyloggers, allowing attackers to set up larger attacks without ever exploiting a vulnerability that could be detected. Malware analysis, though, can catch the malware before it ever causes damage," she said.
Dark Sky's Mehlberg said malware detection had other benefits as well.
"Malware detection might also catch an exploit to a zero-day vulnerability or identify code that employs evasion techniques, neither of which would be found in a traditional vulnerability database, but both of which could be detected using malware-mitigation techniques."
—Michael J. Mehlberg
Malware analysis can also foil one of the biggest threats to any organization's cybersecurity. The vast majority of security issues are human-based, said Blackpoint's Hyatt. Malware may be deployed in an environment without a vulnerability ever being exploited, particularly by getting employees to click on unfamiliar links. "By focusing on post-exploitation detection, including malware mitigation, security organizations will have more opportunities for identifying malicious behavior," he said.
5. Get your security team off the hamster wheel of 'find and fix'
Kaufmann noted that organizations often get lost in the big picture of their myriad vulnerabilities. "They focus on the CVSS score to drive their 'find-and-fix' mentality rather than targeting the biggest risks to their organization," she said.
"Malware can strike no matter how well patched an organization’s vulnerabilities are. It is often crafted to bypass defenses and can easily be launched by a simple user misstep. Malware mitigation is a necessity to augment any organization’s defenses."
—MJ Kaufmann
Cobalt Labs' Obadiaru said most organizations are more inclined to focus their efforts on find-and-fix because it's easier and in some cases, cheaper and much more direct compared to a malware mitigation strategy that involves the acquisition and implementation of a number of detective and preventive measures.
Hyatt said vulnerabilities make for great headlines on many news sites, which then get read by folks who aren't necessarily completely up to speed on the current security initiatives within their organizations.
"Concern for vulnerability chasing can take away cycles from security teams that have established response and patching schedules. Because of the visibility of vulnerabilities, they disproportionately are seen as a catch-all for solving security issues, rather than one piece of the puzzle."
—Nick Hyatt
Organizations have yet to solve the find-and-fix issue, said Saumitra Das, vice president of engineering at Qualys. "There are gaps in visibility, false positives, and myriad other issues," he said. "This means that there is less focus on the runtime security side because the basics are not done yet."
Mitigating malware in the supply chain, for example, need to have more focus, Das said.
"There is too much of a focus on compliance and posture and visualizing those on nice graphs. No matter how much compliance and posture is assessed, you still need to observe what's happening at runtime to look for malware and its behavioral artifacts. A car can only be assessed so much in a garage. You still need to monitor it while it’s on the road."
—Saumitra Das
At many organizations, the hamster wheel is powered more by fix than find, said the Media Trust's Olson. "We tend to see organizations adopting a reactive approach to cybersecurity more generally," he said. "They wait for attacks to happen, fix them after the fact, rinse and repeat."
"It's true they aren't engaging in malware analysis, but they aren't proactively searching for vulnerabilities either. It's certainly not an emphasis for many of the businesses I come into contact with on a daily basis. I'd like to see more organizations adopting a left-of-breach mindset for every aspect of threat detection."
—Chris Olson
Larry Maccherone, DevSecOps transformation architect at Contrast Security said the problem with find-and-fix is there isn't enough fixing being done. He cites the theory of constraints: "A big part of the intellectual foundation of DevOps, [it] tells us that improvements made anywhere besides the bottleneck in a process are waste." So you then must ask yourself, Where are the bottlenecks? "For all of cybersecurity, it’s in the application and API security domain compared to all the other cybersecurity domains, which actually get more investment."
Within the app and API security domain, the bottleneck is not in detecting vulnerabilities — it’s in resolving them, Maccherone said. "The way we do app and API security today is fundamentally broken in large part because it focuses on detection, leaving resolution to a later exercise that we don’t get to," he said.
"You are a thousand times better off if you found fewer things but you resolved everything you found within a day of detection. Take a depth-first approach, not a breadth-first approach.”
—Larry Maccherone
6. Reduce your dependency on common vulnerability lists
Security teams use common vulnerability lists to find known flaws in software and hardware. One of the most popular is the Common Vulnerabilities and Exposures (CVE) list. Another is the National Vulnerability Database (NVD), which, among other things, assigns a Common Vulnerability Scoring System (CVSS) score to each vulnerability, helping organizations prioritize and focus on the most critical vulnerabilities. The NVD, though, has fallen woefully behind in processing the vulnerabilities reported to it.
The NVD backlog has made it more challenging for tools that rely on up-to-date vulnerability data to mitigate threats effectively, O'Reilly's Kaufmann explained. Since April, the NVD has analyzed only about 6% of the threat data it has ingested. "This leaves thousands of threats in the wild but not being detected by vulnerability tools," she said.
"This gap in vulnerability optics means that organizations will often remain exposed, allowing threat actors a window to exploit known vulnerabilities. Because malware is often the payload delivered by threat actors through these vulnerabilities, malware mitigation is all the more important to shore up the defense."
—MJ Kaufmann
Obadiaru said malware mitigation becomes more important in situations where there are delays or backlogs in the NVD. "Organizations must compensate for these delays by enhancing their real-time threat detection and response capabilities," he said.
Mehlberg said waiting around for a vulnerability to be disclosed when malware can be detected and mitigated in a system makes no sense. "Organizations must detect and neutralize threats that exploit both known and unknown vulnerabilities, especially as a stop gap while waiting for new vulnerability disclosures to be reported."
However, Viakoo Labs' Gallagher maintained that much of the backlog at the NVD is for open-source vulnerabilities in IOT, OT, and ICS systems, where malware mitigation is less effective. "In that sense, there is some but marginal advantage for malware mitigation," he said.
Software threat risk management requires going beyond vulnerabilities
Effective malware mitigation enhances an organization's overall security posture by providing immediate insights into active threats and enabling rapid, automated responses, DoControl's Rosenthal said. "By incorporating machine learning and AI, these systems can continuously adapt to emerging threats, improving detection accuracy and response efficiency," he said.
"Combining malware mitigation with a thorough understanding of the threat landscape allows organizations to stay ahead of attackers and minimize the impact of potential breaches. This balanced approach is crucial for maintaining robust security in today's complex digital environment."
—Guy Rosenthal
Mehlberg said security teams can’t rely solely on vulnerability detection anymore. "We have to leverage tools to uncover malware, long before it’s integrated into systems and applications that get deployed, only to be exploited and cause legal, financial, and reputational harm."
"Vulnerability detection and mitigation is important, but there’s more to trusting a piece of software than just measuring how many vulnerabilities are in it. Looking at the overall trustworthiness of every package that makes its way into your systems is a necessity to reducing risk and meeting cybersecurity requirements."
—Michael J. Mehlberg
The biggest thing to remember is that security is not about any single solution — "but a collection of different solutions working together to build a defense," Kaufmann said.
"Malware analysis is a crucial layer of defense that augments any organization, large or small, no matter how advanced or developing their current security posture is."
—MJ Kaufmann
Keep learning
- Learn how you can go beyond the SBOM with deep visibility and new controls for the software you build or buy. Learn more in our Special Report — and take a deep dive with our white paper.
- Upgrade your software security posture with RL's new guide, Software Supply Chain Security for Dummies.
- Commercial software risk is under-addressed. Get key insights with our Special Report, download the related white paper — and see our related Webinar for more insights.
Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.