The Attack Surface You Didn’t Consider: Security Tools

(June 11, 2025)

Steve Lodin, VP, Information Security of Sallie Mae and Sanaz Yashar, CEO of Zafran took the theater stage at Gartner Security & Risk Management Summit to discuss the evolution of vulnerability management and the critical role of exposure management in modern defense strategies.  

Drawing on decades of hands-on experience in both offensive and defensive security, they explain why traditional vulnerability management is no longer sufficient in today’s threat environment.

This article examines a common assumption: that each new piece of software or security tooling strengthens an organization’s overall defenses. In practice, too many tools add complexity, and the tools themselves can become new attack surfaces.


The Problem with Traditional Vulnerability Management 

Vulnerabilities remain the top attack vector in modern networks. 

“I remember when we were in offensive roles, NSA-type stuff, it could take a year to exploit a single zero-day,” recalls Sanaz. Now, attackers equipped with AI tools can uncover zero-days in hours.  

Despite this acceleration, most organizations still rely on outdated tools to manage thousands of vulnerabilities. “We’ve worked with enterprises that have 14 to 20 spreadsheets tracking vulnerabilities,” says Yashar.  

Are More Security Tools Helping or Hurting? 

With today’s enterprises using between 60 and 80 security tools, the assumption might be that more tools equal better security. But often the opposite is true.

“More tools mean more complexity, and complexity is the enemy of security,” warns Yashar. “If your tools aren’t configured correctly or don’t talk to each other, they can become new attack surfaces themselves.” 

The SolarWinds breach is a case in point. “SolarWinds was an inventory tool, a security tool. But it became a backdoor. Even if you have best-in-class products, misconfiguration or lack of integration can be catastrophic,” Steve Lodin adds. 

CVSS vs. Real Risk: The Misleading Metrics 

The industry still largely relies on the Common Vulnerability Scoring System (CVSS) to determine risk. But both Yashar and Lodin challenge its relevance. 

“Hackers don’t care about CVSS scores. They care about what works,” Yashar says. “We’ve seen countless incidents where ‘medium’ vulnerabilities were actively exploited, while ‘critical’ ones weren’t.” 

She continued, “We reviewed the last 10 years of exploited vulnerabilities in a major enterprise client. Most were rated as medium. Prioritizing based solely on CVSS misses the real threats.” This echoes a recent Gartner report, We’re Not Patching Our Way Out of Vulnerability Exposure (G00810627, Saunderson, Lawson, Schneider, 24 February 2025), from which it is evident that CVSS Medium severity vulnerabilities are exploited more frequently than High and Critical vulnerabilities combined. That underscores the importance of moving beyond severity scores alone when assessing risk and instead focusing on real-world exploitability and contextual factors within your environment.


The Future: From Reactive to Proactive 

Yashar and Lodin stressed the need to shift from reactive patching to proactive defense strategies. 

“There are two ways to reduce risk,” Yashar says. “One is bulk remediation, what’s at the top of the risk list. The other is proactive threat hunting, identifying misconfigurations, exposed load balancers, or lateral movement paths before they’re exploited.” 

“Security today isn’t just about blocking threats,” Lodin concludes. “It’s about knowing which risks matter, which don’t, and using the tools and context to make smart decisions fast.” 

Determining applicable risk requires more than identifying theoretical vulnerabilities; it demands real-time context. Runtime insight adds critical perspective to the risk calculation, especially when combined with an understanding of internet reachability, that is, whether the vulnerable component is exposed to external networks.

In addition to runtime and network context, integrating threat intelligence and understanding the efficacy of existing security defenses is critical. Threat intelligence provides visibility into which vulnerabilities are actively being exploited in the wild, which adversaries are targeting them, and how sophisticated those campaigns are.

This intelligence, coupled with an honest assessment of how well current mitigations (like endpoint protection, intrusion detection, and application controls) are performing, helps determine the actual level of exposure and urgency. A vulnerability with known exploits, active exposure, and weak defenses should be prioritized far above a theoretically severe issue that is well-contained or mitigated.

Only by combining these factors (runtime activity, reachability, threat intelligence, and mitigation status) can organizations accurately assess and respond to the real-world risk landscape.
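As an added illustration, not code from the talk or from Zafran, the toy scorer below applies the four context factors on top of a CVSS baseline. The weights and the sample findings are assumed for illustration only; the point is the ordering they produce, not a calibrated risk model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    cvss: float
    exploited_in_wild: bool      # threat intelligence: active exploitation observed
    internet_reachable: bool     # network context: exposed beyond the internal network
    loaded_at_runtime: bool      # runtime insight: the vulnerable code actually executes
    effective_mitigations: int   # compensating controls verified to cover this issue


# Illustrative weights (assumed, not from the article). They encode the
# ordering the article argues for, not a measured exploitation likelihood.
EXPLOITED_WEIGHT = 3.0
REACHABLE_WEIGHT = 2.0
RUNTIME_WEIGHT = 1.5
DORMANT_WEIGHT = 0.3      # component installed but never loaded
MITIGATION_WEIGHT = 0.5   # applied once per verified control


def exposure_score(f: Finding) -> float:
    """CVSS is only the starting point; context scales it up or down."""
    score = f.cvss / 10.0
    if f.exploited_in_wild:
        score *= EXPLOITED_WEIGHT
    if f.internet_reachable:
        score *= REACHABLE_WEIGHT
    score *= RUNTIME_WEIGHT if f.loaded_at_runtime else DORMANT_WEIGHT
    score *= MITIGATION_WEIGHT ** f.effective_mitigations
    return score


def prioritize(findings):
    """Return (id, cvss, exposure) tuples ordered by contextual exposure, highest first."""
    ranked = sorted(findings, key=exposure_score, reverse=True)
    return [(f.vuln_id, f.cvss, round(exposure_score(f), 3)) for f in ranked]


# Constructed sample findings with placeholder ids; not real CVEs or scan data.
SAMPLE = [
    Finding("SAMPLE-0001", 5.4, True, True, True, 0),    # medium, exploited, exposed, running, uncovered
    Finding("SAMPLE-0002", 9.8, False, False, True, 2),  # critical, internal-only, two verified controls
    Finding("SAMPLE-0003", 9.1, True, False, False, 0),  # critical and exploited, but never loaded
]

if __name__ == "__main__":
    for vuln_id, cvss, exposure in prioritize(SAMPLE):
        print(f"{vuln_id}: CVSS {cvss:>4} -> exposure {exposure}")
```

Run as written, the medium-severity finding ranks first and the highest-CVSS finding last, which is exactly the inversion of a CVSS-only list that the speakers describe.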

Taking Action

As attack surfaces grow and tools multiply, organizations need clarity, context, and control to stay ahead.

If your security strategy still revolves around CVSS scores and spreadsheet tracking, it’s time to evolve your approach.