Much like a democratic election, vulnerability remediation often finds its two main factions at odds. In politics there are two opposing parties. In the vulnerability management world, it’s two opposing teams – security and IT operations. Over time their relationship has grown adversarial as their respective domains – to secure the business and maintain technical availability and reliability – become increasingly intertwined.
While security teams are accountable for the overall cybersecurity posture of the organization, they can’t do vulnerability remediation without buy-in and help from the IT teams responsible for patch deployment and server configuration management. So, inevitably, the actual work of remediating vulnerabilities – often considered a dirty job – falls on IT operations teams. But for the good of the enterprise, it needs to get done.
For that to occur, security and IT teams must reach across cubicle walls and collaborate in a way that draws on the expertise of both groups. Much like a divided Congress, if either side chooses to solely champion its own interests, vulnerability remediation won’t get done, and the entire organization suffers.
Combined strength in checks and balances
For infrastructure vulnerabilities, the typical vulnerability remediation workflow entrusts the security team with detecting and prioritizing vulnerabilities for remediation; security then hands the list to the IT team to patch or otherwise mitigate. However, because the two teams are rarely aligned, the remediation process becomes cumbersome and inefficient, prone to process gaps or blind spots, loose ends and communication breakdowns. This impedes their ability to address threats in a way that actually reduces risk to the business.
Security teams can overcome these obstacles by intentionally working to make the jobs of IT operators, DevOps and network engineers easier. For example, the security team shouldn’t stop after prioritizing vulnerabilities. They can easily “reach across the aisle” and offer context and guidance that could help the IT team save time and approach the fix strategically.
By integrating their areas of expertise—security’s knowledge of threat actors, vulnerabilities, and remedies with IT’s experience in managing the enterprise infrastructure—they can efficiently and effectively remediate vulnerabilities, with less risk of degraded performance or availability. While security can focus on recommended remedies and solutions for a given vulnerability, IT can gauge how it will impact infrastructure and users across the enterprise.
Strategic alignment leads to faster resolution
Crafting and implementing the best remediation strategy takes some hard work. Depending on the vulnerability, the remediation workflow can require multiple handoffs between security and various IT teams.
BootHole serves as a prime example of a complex vulnerability requiring cooperative efforts between IT and security. It affects both Windows and Linux devices and allows attackers to bypass security controls. The fix requires firmware and OS updates executed in a specific order and has proven challenging for IT teams to patch in enterprise settings. Because of its operational complexity, remediating BootHole requires true bipartisan support. To mitigate the attack and eliminate the risk it poses, security, DevOps, and IT teams must coordinate their actions to avoid compromising assets and disrupting the business.
In these situations, cross-team collaboration becomes very important. All the vulnerability scanning tools in the world are of little use if their data can’t be used in a meaningful way with the teams who need to take action. Remediation teams that work together to remedy the at-risk infrastructure with a patch, configuration change, compensating control, or workaround will achieve more successful remediation outcomes. By breaking down data and organizational silos, vulnerability management transforms into meaningful vulnerability remediation.
Crossing the aisle for the long-term greater good
The long-term health of the business depends on the remediation team’s ability to work together to mitigate threats quickly and proactively before an attack impacts business operations. By collaborating with IT ops, security can organize and direct a cross-functional remediation strike team and develop processes that streamline remediation and mitigate vulnerabilities, at scale, before they’re found and exploited by an attacker.
But to do that, security teams must track the status of remediation campaigns across departments, learn from past mistakes, and share those lessons with remediation stakeholders on other teams. That way, security, DevOps, and IT operations teams can get to a place where they mitigate risk by preventing attacks, instead of chasing them.
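To make the hand-off, the ordered multi-step fix, and the cross-department status tracking described above concrete, here is an added example in Python. It is not Vulcan Cyber's code and not a description of any product; the ticket fields, team names, step names and the order of the BootHole-style steps are constructed for illustration (the page says only that the firmware and OS updates must run in a specific order, so the order shown is a placeholder, not vendor guidance). The security team fills in severity and the recommended remedy, IT adds an impact note and executes the steps, and the tracker refuses to mark a step done while a prerequisite step is still open.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Step:
    """One unit of remediation work, owned by a single team."""
    name: str
    owner: str                                          # e.g. "it-ops", "devops"
    requires: List[str] = field(default_factory=list)   # steps that must finish first
    done: bool = False


@dataclass
class RemediationTicket:
    """The hand-off object between security and IT (constructed schema)."""
    vuln_id: str
    assets: List[str]
    severity: str                       # security team: prioritisation
    remedy: str                         # security team: recommended fix and context
    impact_note: Optional[str] = None   # IT team: effect on infrastructure and users
    steps: List[Step] = field(default_factory=list)

    def _find(self, name: str) -> Step:
        for s in self.steps:
            if s.name == name:
                return s
        raise KeyError(f"unknown step {name!r} on {self.vuln_id}")

    def complete(self, name: str) -> None:
        """Mark a step done, refusing if any prerequisite step is still open."""
        step = self._find(name)
        open_prereqs = [r for r in step.requires if not self._find(r).done]
        if open_prereqs:
            raise ValueError(f"{self.vuln_id}: cannot complete {name!r}; "
                             f"prerequisite(s) still open: {open_prereqs}")
        step.done = True

    def ready_steps(self) -> List[str]:
        """Steps IT can act on right now (all prerequisites already done)."""
        return [s.name for s in self.steps
                if not s.done and all(self._find(r).done for r in s.requires)]

    def status(self) -> str:
        if self.steps and all(s.done for s in self.steps):
            return "remediated"
        if self.impact_note is None:
            return "awaiting IT impact review"
        if any(s.done for s in self.steps):
            return "in progress"
        return "ready for IT"


def campaign_summary(tickets: List[RemediationTicket]) -> Dict[str, Dict[str, int]]:
    """Cross-team view: ticket count per status and open steps per owning team."""
    by_status: Dict[str, int] = {}
    open_by_owner: Dict[str, int] = {}
    for t in tickets:
        by_status[t.status()] = by_status.get(t.status(), 0) + 1
        for s in t.steps:
            if not s.done:
                open_by_owner[s.owner] = open_by_owner.get(s.owner, 0) + 1
    return {"by_status": by_status, "open_steps_by_owner": open_by_owner}


def build_campaign() -> List[RemediationTicket]:
    """Constructed sample tickets; asset names, step names and step order are illustrative."""
    boothole = RemediationTicket(
        vuln_id="BootHole",
        assets=["srv-01", "srv-02", "lap-17"],
        severity="high",
        remedy="OS boot-loader update plus firmware update, applied in the vendor-required order",
    )
    boothole.impact_note = "reboot required; stage on canary hosts first"   # IT's review
    boothole.steps = [
        Step("stage-os-bootloader-update", owner="it-ops"),
        Step("apply-firmware-update", owner="it-ops", requires=["stage-os-bootloader-update"]),
        Step("verify-boot-on-canaries", owner="devops",
             requires=["stage-os-bootloader-update", "apply-firmware-update"]),
    ]
    webpatch = RemediationTicket(
        vuln_id="VULN-PLACEHOLDER-1",          # placeholder id, not a real advisory
        assets=["web-03"],
        severity="medium",
        remedy="apply the vendor patch for the web server package",
        steps=[Step("apply-package-update", owner="it-ops")],
    )                                          # no impact_note yet: IT review still pending
    return [boothole, webpatch]


if __name__ == "__main__":
    tickets = build_campaign()
    boothole = tickets[0]
    print(boothole.ready_steps())                     # only the first step is actionable
    try:
        boothole.complete("apply-firmware-update")    # out of order: refused
    except ValueError as e:
        print("blocked:", e)
    boothole.complete("stage-os-bootloader-update")
    print(campaign_summary(tickets))
```

The `status()` method encodes where the gridlock usually appears: a ticket with no IT impact note is still waiting on the other side of the aisle, and `campaign_summary()` shows which team currently holds the open work, which is the cross-department view security needs in order to track a campaign rather than a single ticket.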
When COVID-19 first hit the United States, Congress put together a bipartisan relief package that helped stabilize the economy and minimize impact on the population. Since then, the need for a second round of aid has stalled, as posturing and standoffs between the two political parties resulted in no action and no relief at a time when the country needed Congress to step up. In the last several days, there have been signs of progress, but we're not quite there yet.
Whether in the Capitol building or the server room, when competing factions lose sight of joint objectives, gridlock sets in, putting the greater good at risk. But if security teams are willing to reach across the aisle, and stay there until someone in IT grabs a hand, they can avoid the problems stemming from remediation-related gridlock.
And that’s a win for both sides.
Yaniv Bar-Dayan, co-founder and CEO, Vulcan Cyber