For enterprise IT Teams, software vulnerabilities are an unavoidable fact of life. New ones are found all the time and older ones are still being exploited. It’s a “drinking-from-the-firehose” situation that can no longer be ignored. As we work with companies to refresh their vulnerability management programs, here are five common mistakes we see security teams make, along with some tips on how to avoid them.
Focusing only on the latest headlines
All too often, a spectacular breach or a particular type of threat dominates the day’s news. Naturally, executives will want to know if the company is prepared for whatever exploit is in the news and security leaders should be able to answer them. However, companies should focus their remediation efforts on vulnerabilities that pose a clear and immediate threat to their network, no matter how much attention high profile exploits receive.
Of course, security teams need to be aware of the threats that are in the headlines. However, their ability to distinguish and explain the differences between relevant and irrelevant threats to other stakeholders -- in layman's terms -- will help create the buy-in needed to set the right priorities and implement an effective vulnerability management strategy.
Not Automating Remediation Enough
Another way companies shoot themselves in the foot is by not automating vulnerability remediation enough. In the past, even large companies were able to manage their own remediation efforts manually. But trends such as the rise of SaaS and digital transformation efforts have led companies to the use of a host of third-party tools and software, introducing new vulnerabilities into their IT environments. Accelerated, DevOps-driven software development cycles have also contributed to the skyrocketing number of vulnerabilities. Over 30,000 new vulnerabilities have been discovered in the past two years alone -- way too many for any team, of any size to handle manually.
Nowadays, automating has become key to overcoming these challenges. It allows businesses to work as quickly, consistently, and accurately as possible, and scale their processes. For companies running complex and interrelated applications on the network, the well-designed automation can effectively put an end to mundane, inefficient, manual vulnerability response processes, while preventing downtime and inevitable human errors. It’s absolutely essential for remediating to scale. The technology and expertise are out there - companies just need to pull the trigger.
Friction Between DevOps and Security Teams Causes Remediation Gaps
There seems to be an inherent tension between Ops/DevOps (a.k.a. those who “move fast and break things”) and Security (those who say “safety first!”) teams, but effective communication coupled with sound management skills can overcome this gap.
For that to happen, vulnerability management needs to be approached as a business issue with shared goals and accountability between DevOps, IT and Security teams, turning security into a company-wide goal. Also, companies must find a way to bridge the natural communication gap between all teams involved. Security teams must phrase their requirements in terms that make sense for everyone involved with implementing solutions - it’s not enough to simply give a list of CVEs to IT personnel and ask them to remediate. Companies also need to understand and create quantitative benchmarks that align with the company’s needs and processes. For example, rather than tracking the total number of vulnerabilities remediated in a month, measure the risk posture of the most critical business-groups in the environment.
Too Many Network Blind Spots
Having a complete list of your network’s assets and understanding how they interact with other entities in the environment is an essential part of any vulnerability remediation program. Unfortunately, today’s networks have distributed and varied architectures, so compiling a complete inventory can become extremely complicated.
Good asset management goes a long way in helping overcome common vulnerability remediation challenges. For example, a security team finds a vulnerability and decides to patch through Chef. With mismanaged assets, it may seem like “everything” was patched, when in fact, an unknown number of assets weren’t.
Given the sheer amount of vulnerabilities, security teams need to implement a prioritization methodology that keeps them targeting the most critical items. Many companies use CVSS scores to prioritize remediation decisions with the general rule that all vulnerabilities marked “critical” are to be remediated first. In theory, that makes perfect sense, but CVSS scores (and similar indicators of technical risk) on their own lack of context. Risk-based vulnerability management takes multiple factors into account. In addition to the technical severity of the vulnerability, this approach takes into account the different business functions that a vulnerable asset serves, and thus the impact its exploit would have on the company; its configurations and security posture, as well as external threats that may have an effect on the risk that a given vulnerability poses.
At the end of the day, the best approach to vulnerability remediation is as simple as it is radical: prioritize vulnerabilities based on the threat that they pose to your company’s systems. In other words, a “medium” scored threat that’s being exploited in the wild may be more important to patch than a “critical” threat with no known exploits. In fact, cybercriminals may be more likely to choose a lower-ranked vulnerability with a known exploit, precisely because they know that critical vulnerabilities are usually the ones fixed first.
Keeping your company safe is a full-time job. Focusing on the right threats, increasing your network’s visibility, and automating wherever possible are important first steps in improving your company’s vulnerability management process.
So...what are you waiting for?
Tal Morgenstern, Chief Product Officer, Vulcan Cyber