It’s all too easy to dismiss vulnerability management as an exercise in automated scanning. But vulnerability scanning on its own is like your physician using a standard checklist of symptoms to examine you, then making out a prescription based purely on the ticks and crosses of the results.
You can see what a hazard that could be to health. It could lead to useless or harmful medication, or mean failure to spot deeper or more serious problems. You would probably reject such a perfunctory assessment of your health or illness. Yet in a business IT context, many enterprises consider vulnerability scanners operating on a similar ticks and crosses basis to be all the vulnerability management and response they need.
That doesn’t mean that automated scanning is bad. 95 percent of attacks are on known vulnerabilities (weak configurations) and not on zero day or APT type of attacks. Frequent scanning and prioritisation help weed out these vulnerabilities.
On the contrary, virus scanners that are run regularly and frequently can help by ploughing through and flagging the 90 percent of vulnerabilities that are caused by out of date software, factory default configurations not being changed, unsuitable user privilege levels, and other banal issues. That’s already a huge help.
In larger enterprises, there may be millions of vulnerabilities to be resolved. There are often more security holes to plug than there are resources to plug them. So, somebody or something is going to have to decide which vulnerabilities to prioritise.
Human beings typically can’t handle decision making with huge numbers of vulnerabilities. On the other hand, machine learning and AI expert systems can help pick out the key security holes to address. They can also create playbooks with step by step instructions for IT teams to follow, leveraging the power of IT and network management software to apply multiple solutions in multiple places.
When it comes to making meaningful assessments of overall risk however, humans have the most to offer. They are also aware of needs that would make no sense to vulnerability management programs predicated entirely on “find it and fix it”. For example, a software development team might need to deliberately prevent the installation of anti-virus programs on their systems. Why? Because the extra load might skew results in the testing of the applications being developed.
Ultimately therefore, the best vulnerability management and response program is a trifecta of scanning, smart systems, and human expertise, all organised into robust processes and feedback loops. This combination helps businesses achieve satisfactory cyber security consistently while keeping pace with changing cyber threats.
If enterprises do not have all these resources in-house, they can bring them in as a service from a suitable vulnerability management and response service provider. This enables faster prioritisation, as the provider constantly analyses intelligence from global threat feeds and active threats exploiting vulnerabilities in other environments. Our own service called MDR-VM helps enterprises intelligently manage vulnerabilities with a combination of AI and human experts. In fact, in terms of cost-effectiveness, up-to-date skillsets, and scalability, it often makes more sense to use such a service provider anyway.
In doing so, enterprises can then move towards “left of hack”, meaning to a situation where more incidents and breaches are prevented, instead of remaining “right of hack” and having to cope after attacker have struck. This is like having a smart physician to keep you well instead of having to cure you after you fell ill. And whether you measure the benefit in terms of peace of mind, risks averted, or hardship avoided, such cyber “well-being” is what every business should be aiming for.