Latest news with #ValiCyber
Forbes
08-08-2025
- Forbes
How Virtual Patching Helps Protect Hypervisors Against Exploits
Austin Gadient is CTO & cofounder of Vali Cyber. Vali's product ZeroLock protects hypervisors and Linux systems from cyber attacks. As cybersecurity leaders work to stay ahead of evolving threats, one challenge continues to expose a gap in enterprise risk posture: the delayed adoption of patches for known hypervisor vulnerabilities. Take VMware ESXi, for example. Despite the availability of patches for high-impact vulnerabilities (CVE-2025-22224, 22225 and 22226), a significant number of systems remain unpatched months later. These flaws allow attackers to escalate from virtual machines to the hypervisor, placing entire workloads, data sets and business services at risk. The situation is not uncommon. As organizations scale virtual environments and consolidate workloads, their ability to patch quickly and consistently has not kept pace. Patching schedules often conflict with uptime requirements. Risk acceptance around infrastructure-level threats remains high. And many endpoint security tools do not monitor hypervisors directly, leaving blind spots at one of the most critical layers in modern IT environments. In this context, virtual patching has emerged as a strategic safeguard that offers real-time protection when immediate patching isn't possible. The Hidden Cost Of Delayed Patching Patching hypervisors isn't just a technical task, but it's a business risk decision. These systems run critical workloads and taking them offline—even briefly—can impact everything from customer-facing applications to internal operations. In many environments, patching is delayed not out of negligence, but out of necessity: • Downtime Risk: Taking a hypervisor offline can disrupt dozens, or hundreds, of virtual machines. • Operational Fragility: If a patch introduces instability or fails, recovery is complex and time-consuming and introduces a window for exploitation. Attackers target unpatched virtualization layers because they offer high impact with low visibility. The result is a widening gap between known vulnerabilities and the ability to remediate them safely—one that has real implications for compliance, continuity and executive accountability. A Widening Threat Landscape In virtualized environments, the cost of delayed patching is amplified. A single vulnerability at the hypervisor level can compromise every virtual machine it supports—introducing the potential for lateral movement, data exfiltration and operational shutdown. Recent industry research underscores the scale of the challenge: • There was a 180% increase in vulnerability exploitation as an initial attack vector between 2022 and 2023. • 60% of organizations experienced a virtualization security incident last year, and 75% admit they have more VMs than they can effectively secure, opening the door for attackers to laterally move onto the hypervisor. • 85% of organizations don't follow a regular patching schedule; 47% cite downtime as the main blocker. These figures reveal a growing misalignment between threat velocity and organizational capacity to patch in time. Virtual patching helps close this gap—protecting systems during the high-risk window between disclosure and deployment. Virtual Patching: A Practical And Strategic Solution Virtual patching allows organizations to mitigate risk at runtime—without applying code-level changes or taking systems offline. Key use cases include: • Zero-Day Defense: Protecting systems before vendor patches are released. • Legacy Support: Securing environments that are no longer actively maintained. • Operational Continuity: Maintaining uptime in regulated or 24/7 environments. These capabilities are enabled through behavior-based detection and exploit prevention techniques that intercept attack behavior, even when the vulnerability itself remains. Why Virtual Patching Matters To Security And Risk Leaders For CISOs, CIOs and risk committees, virtual patching isn't just about technical coverage—it's about improving control maturity, audit readiness and business resilience. Key benefits include: • Real-time protection for known and unknown threats—even before patching. • Support for compliance mandates (HIPAA, NIST, ISO) that expect timely risk mitigation. • Evidence of due diligence, particularly when traditional patching timelines can't be met. • Minimal business disruption, with deployment that doesn't require system downtime. This strategy doesn't replace conventional patching—it complements it. For many enterprises, it offers a critical middle path between leaving systems exposed and taking workloads offline. Getting Started With Virtual Patching As organizations continue to virtualize, the hypervisor becomes a more attractive and impactful target. Protecting this layer is not just a technical necessity but also a business priority. Virtual patching provides a way to safeguard operations, maintain compliance and respond to threats with speed. It reflects a broader shift toward layered, adaptive defense—especially critical in environments where timing can be the difference between resilience and breach. Implementing virtual patching successfully starts with understanding what it takes operationally. Here are some important steps to effectively introduce virtual patching: • Baseline your environment. Organizations need to know what workloads are running, where their hypervisors are located and what's exposed. Many environments may still lack a consolidated asset inventory or live risk map of their virtual infrastructure, making it hard to prioritize protection. • Assign ownership. Virtual patching touches security, infrastructure and sometimes application teams. Without clear cross-functional accountability, policies may be inconsistently applied or ignored altogether. Even when a third-party vendor is involved, internal teams still need to define coverage, manage rule updates and ensure the solution stays aligned with changing risks. • Tune your rules. Virtual patching often works by intercepting exploit behavior at runtime, but the rules need to be tailored. That means understanding typical behaviors versus malicious ones, especially in complex or high-availability environments. A misconfigured rule can cause disruptions or false positives that erode trust in the process. • Integrate with existing workflows. Virtual patching is most effective when its alerts are fed into the existing security stack (like SIEMs, SOAR platforms and incident response workflows), so exploit attempts can be correlated with other events, prioritized correctly and acted on in real time. • Require service level agreements (SLAs) from virtual patching providers. Virtual patching is only useful if a virtual patch that addresses a specific CVE can be provided shortly after the vulnerability is disclosed. It is reasonable to demand that providers live up to a timeline that correlates with issue severity. Ultimately, virtual patching is a control that requires alignment across people, processes and technology. But for organizations with large-scale virtual infrastructure, it's also a necessary evolution that bridges the gap between ideal patching timelines and real-world constraints. Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
Forbes
02-07-2025
- Business
- Forbes
Hypervisor Ransomware: Why The C-Suite Can't Ignore MITRE ATT&CK V17
Austin Gadient is CTO & cofounder of Vali Cyber. Vali's product ZeroLock protects hypervisors and Linux systems from cyber attacks. A significant shift in cybersecurity guidance has emerged—one that leadership should have on their radar. MITRE ATT&CK v17 now formally includes VMware ESXi security, marking the first time hypervisors have been given dedicated attention in this influential framework. This update reframes hypervisor protection as not just a technical responsibility but a business-critical issue. For organizations relying on virtualized infrastructure, hypervisor ransomware protection is now directly tied to operational resilience, regulatory compliance and executive accountability. Why The Hypervisor Demands Executive Attention ESXi hypervisors form the core of many enterprise infrastructures, orchestrating virtual machines that power critical applications and house sensitive data. Yet hypervisor security has long been underprioritized—assumed to be out of reach for attackers or implicitly covered by other controls. That assumption no longer holds. MITRE ATT&CK v17 confirms what frontline security teams have seen for years: ESXi is under active attack. With the addition of a dedicated matrix for ESXi-specific tactics, the framework maps how adversaries gain access, move laterally and execute payloads directly at the hypervisor layer. For businesses, this marks a shift: hypervisor vulnerabilities now represent a tangible, auditable risk—one that demands immediate attention and clear mitigation. From Framework To Liability: What Executives Need To Know While MITRE ATT&CK isn't a regulatory framework, it has become the de facto blueprint for understanding and defending against modern threats. It guides how security teams prioritize controls, how auditors assess risk and how regulators evaluate preparedness. If your organization can't demonstrate awareness and mitigation of hypervisor security risks, it may be interpreted by auditors or regulators as a lapse in due diligence, particularly following a breach. Key business risks include: • Operational Downtime: A single compromised hypervisor can disable entire workloads. • Audit Gaps: Expect increased scrutiny around virtualization and hypervisor controls. • Response Delays: Many teams lack defined playbooks for hypervisor incident response. • Regulatory Pressure: Unaddressed ESXi vulnerabilities may be classified as preventable. Overlooking the hypervisor layer doesn't just introduce technical risk—it exposes the business to disruption, scrutiny and potential liability at the leadership level. A Strategic Approach To Hypervisor Security Addressing hypervisor ransomware prevention requires a shift in mindset. Just as endpoint and cloud security have evolved, hypervisor security best practices must now be established and operationalized. Executive leadership should work closely with security teams to ensure that the hypervisor layer is no longer treated as an architectural blind spot. Here are foundational steps organizations should take: • Implement access controls such as multi-factor authentication and role-based access to protect administrative interfaces. • Establish lockdown policies to restrict hypervisor-level command execution. • Deploy virtual patching to mitigate risk from unpatched or zero-day ESXi vulnerabilities. • Employ runtime security on the hypervisor to monitor for behavioral anomalies. • Map defenses to MITRE ATT&CK to strengthen security posture and facilitate audits. These measures not only reduce the risk of a successful attack but also demonstrate that your organization takes hypervisor threats seriously—and that leadership recognizes the shared responsibility across security, infrastructure and governance teams. Final Thoughts: What's Next The inclusion of ESXi in MITRE ATT&CK v17 has formally introduced the hypervisor into the risk conversation. For executive leadership, this is the time to challenge outdated assumptions, identify architectural blind spots and develop hypervisor security into the core of your cybersecurity strategy. Overlooking the hypervisor is no longer a technical omission but a strategic vulnerability. As ransomware tactics evolve, the associated risks are no longer theoretical. They are real, measurable and capable of inflicting significant operational and reputational damage. Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
