The patch-as-needed era of vulnerability management is over – remediation is king

For years now, CISOs have known that they operate in a when-not-if threat landscape. The daunting task of policing all possible inroads while retaining business agility is one that all security professionals face. What to do? Where to begin? For those of you stuck in such a loop, one of the soundest first steps you can take is to address vulnerability management.

In its 2020 Data Breach Investigations Report, Verizon tracked more than 4,200 incidents and 185 confirmed data exfiltrations across Europe, the Middle East and Africa (EMEA). Region-wide, it found that the exploitation of vulnerabilities continues to represent a trifling proportion of incidents and breaches. This is easily explained by looking at the main motives for campaigns. According to Verizon's researchers, 70 percent of attacks are financially motivated, so bad actors are more likely to target low-hanging fruit. It therefore follows that effective patching is one of the best ways to protect your digital estate.

One of the enduring roadblocks to robust vulnerability management, detection and response (VMDR) is the evolution of internal IT ecosystems, particularly as this relates to the coming and going of new devices (each with its own micro-ecosystem of apps and vulnerabilities). This architectural flux has recently been greatly exacerbated by the advent of a global public-health crisis. COVID-19 has forced governments across the region to enforce lockdowns for our protection. As early as March, the GCC-based recruitment portal Gulf Talent reported that one third of the region's private enterprises were planning remote-working practices.

Such approaches are admirable and necessary. But they do escalate complexity when it comes to vulnerability management. If only it were as simple as periodically surveying corporate servers, desktops, laptops and operating systems. But now, with employees' unvetted home devices coming into play, security teams must go much further. Cloud services must be monitored. Software containers must be monitored. IoT devices must be monitored. Staying ahead of the vulnerability curve is that much more difficult than it was pre-crisis. And, as I am sure we are all now aware, when the crisis abates, returning to the centralised-office model is not an option. The cost benefits of holding on to our new normal mean that VMDR must also evolve.

Mo’ platforms, mo’ problems

One of the biggest challenges we face in the new normal is the rise of the software container, which hosts all the components needed for an application to run. The benefit is clear: lightweight hosting eases deployment of new services, delivering greater agility to the IT function. But updating these siloed software environments carries its own issues, as the process of updating them is different to that of traditional servers or virtual machines. This places additional resourcing demands on already-beleaguered security teams. Meanwhile, cloud services evolve unpredictably. When taken together with the complexity of container updates, we find ourselves in need of a new approach.

Marco Rottigni, CTSO EMEA, Qualys

And while we are contemplating how to address the escalation of containerisation and Web-service consumption brought about by remote working, let us not forget about the home-based devices themselves, which need to be brought into the corporate fold somehow.

A way forward

Keeping a clear head and planning for all these demands is not easy. But an ideal starting point is to enhance visibility into every nook and cranny of the technology stack. Each platform and asset must be properly registered, from endpoints and servers to more ephemeral devices and container deployments. Then it will be possible to deploy monitoring methods as required: passive network scanning, device agents and container scanning, for example.

Once all your assets are being properly tracked, continuous vulnerability scanning becomes possible, and you can update as soon as a change elsewhere makes it necessary. For some assets, this will be a frequent occurrence; for others, such as operational technology or industrial control systems, it will be only occasional.

Your visibility will allow you to prioritise updates so that you do not waste time on vulnerabilities that are less attractive to a potential attacker. Now that your VMDR regimen is starting to take shape, you can use actionable data to direct information to the most appropriate individuals within your organisation, so they can act accordingly. You can even embed your vulnerability intelligence into other processes, such as software development.

As you build your new vulnerability-management paradigm, it is important to integrate it into the workflow of all relevant teams, not just security. Apart from the issue of efficacy, this will increase buy-in from everyone. This is especially true of software developers, who can become more independent, rather than having to rely on ad hoc inputs from security teams.

A future secured

As you can see, this fresh approach requires some deep change in workflows – we are replacing static, as-ordered surveys with a fluid, proactive model that calls for entirely new metrics to track success. In this regard, Time to Remediate (TTR) is extremely useful. It tracks the quality of response, whether you are applying patches or implementing more complex fixes across multiple applications. For apps that are resistant to remediation, it might be best to monitor compensating controls and how regularly they are tested and updated. As with any complex system, dashboards and other high-end visualisations can be useful when determining the effectiveness of any team action. Done properly, these views can also guide, and report on, performance improvements.
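To make the metric concrete, here is an added example (not code from the article or from Qualys) that computes Time to Remediate per asset class and flags open findings that have outrun their class's remediation window unless a compensating control has been tested recently. The findings, CVE placeholder ids, SLA windows and the 30-day control-review interval are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

# Assumed remediation windows (days) per asset class: containers churn fastest,
# operational technology is patched only occasionally, so it gets the longest window.
SLA_DAYS = {"container": 7, "server": 14, "endpoint": 30, "ot": 90}
CONTROL_REVIEW_DAYS = 30  # a compensating control must be re-tested at least this often

@dataclass
class Finding:
    asset: str
    asset_class: str
    cve: str                               # placeholder ids below, not real CVEs
    detected: date
    remediated: Optional[date] = None
    control_tested: Optional[date] = None  # last test of a compensating control, if any

def time_to_remediate(f: Finding) -> Optional[int]:
    """Days from detection to fix; None while the finding is still open."""
    return (f.remediated - f.detected).days if f.remediated else None

def ttr_by_class(findings):
    """Median TTR per asset class, computed over remediated findings only."""
    buckets = {}
    for f in findings:
        ttr = time_to_remediate(f)
        if ttr is not None:
            buckets.setdefault(f.asset_class, []).append(ttr)
    return {cls: median(v) for cls, v in buckets.items()}

def overdue(findings, today: date):
    """Open findings past their class SLA that lack a recently tested compensating control."""
    out = []
    for f in findings:
        if f.remediated:
            continue
        age = (today - f.detected).days
        covered = f.control_tested and (today - f.control_tested).days <= CONTROL_REVIEW_DAYS
        if age > SLA_DAYS.get(f.asset_class, 30) and not covered:
            out.append((f.asset, f.cve))
    return out

# Constructed sample inventory; none of these are real findings.
TODAY = date(2020, 6, 30)
FINDINGS = [
    Finding("web-01", "server", "CVE-PLACEHOLDER-1", date(2020, 6, 1), date(2020, 6, 10)),
    Finding("web-02", "server", "CVE-PLACEHOLDER-2", date(2020, 6, 5), date(2020, 6, 18)),
    Finding("api-pod", "container", "CVE-PLACEHOLDER-3", date(2020, 6, 20), date(2020, 6, 22)),
    Finding("api-pod", "container", "CVE-PLACEHOLDER-4", date(2020, 6, 15)),
    Finding("plc-07", "ot", "CVE-PLACEHOLDER-5", date(2020, 1, 15), control_tested=date(2020, 6, 20)),
    Finding("laptop-42", "endpoint", "CVE-PLACEHOLDER-6", date(2020, 6, 25)),
]
```

Running `ttr_by_class(FINDINGS)` and `overdue(FINDINGS, TODAY)` reports servers at a median of 11 days, containers at 2, and flags only the open container finding; the OT asset is past its window but its compensating control was tested within the last 30 days.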

For effective VMDR, it is vital to capitalise on performance information and keep moving forward. The job is never done. The finish line will always outpace you. According to the US National Vulnerability Database, in 2018, known software vulnerabilities stood at 18,153. In 2019 it was 18,938 and heading inexorably towards 20,000. Manual tracking of these flaws is an impossibility for any team, and yet the security of our digital estates relies upon doing just that.

To deliver on this, we must move beyond traditional vulnerability management to more advanced remediation models. Better insight breeds better response.
