Dec 08, 2020
The way we identify, prioritize, and mitigate software vulnerabilities was built in reverse order. Why did it happen? How can we make things different?
Well, when it comes to software vulnerabilities, the problem is simple: there’s a vulnerable piece of code running somewhere in your organization. We need to find it and mitigate it.
There are 3 types of security vulnerabilities that build the organizational threat landscape:
The main purpose of vulnerability detection is to keep the cybersecurity and IT teams informed about their security posture and to fix problems as fast as possible.
Nowadays, the process of tracking and remediating vulnerabilities is divided between 3-4 different security measures and between the security and IT teams.
the industry standard is to have a network security tool that scans a given subnet for security issues. Those scans are performed in an on-demand manner and require the scanned assets to be online when it happens.
Network security tools are much easier to integrate than agents, for example, the more bold reason is that from the vendor side it's easier to sell and maintain something which doesn't sit on the end-user device or server. In times where the infrastructure is very simple - no WFH, only local networks, no cloud providers - a vulnerability scanner is a solid choice.
The team in charge - Security!
So we just fetched a huge list of vulnerabilities from our scanner. Now our CISO is completely depressed. Well done scanner! Prioritization tools, aka RBVM (Risk-Based Vulnerability Management), narrow down the number of handled vulnerabilities and removes stress from the never-ending battle between IT, who wants things to be quiet, and security, who wants things to be patched (and as an unwanted outcome, shakier). RBVM tools usually aggregate data from the scanner and some other sources to try and make sense of the vulnerability chaos.
In a perfect world, we probably wouldn't prioritize vulnerabilities. The holistic solution would be to patch and fix everything. Sadly, the current management tools and security controls are far from being effective, so the main reason to prioritize threats is to reduce (reduce, not eliminate) the tension between the security team and the IT team.
The team in charge - Security!
So, we scanned for vulnerabilities and prioritized them. Remediation time is here! Depending on the nature of the threat, the remediation paths can be either sending it back to the R&D team for review, changing firewall configuration, or upgrading software versions.
The team in charge - the team in charge of the last (traditional) part of the vulnerabilities lifecycle is surprisingly not the information security team but the IT!
As if the process is not messy enough, there's another management component to make it even messier! The last, and somehow most advanced, part of the vulnerability remediation hassle are the platforms that connect all of the products we previously discussed with connector APIs and "push the buttons" for you rather than managing three different dashboards.
The team in charge - Security & IT!
60% of the attacks involved unpatched vulnerabilities. Despite all of the spending, products, labor, and sweat, the vulnerability management processes still don't work. Malware, data breach, brand damage, and much more - they all start with the vulnerability that was pushed to line 11 when we decided to mitigate only the top 10. It's that user who forgets his VPN is open while he runs a vulnerable SMB with the wrong port open. It leads to many angry stakeholders, and the CEO to lose his job. As far as vulnerability tracking, the devil is in the detail.
The way we're discovering and mitigating software vulnerabilities was not built with the basic notion of, "I have a piece of vulnerable code running somewhere, and I'm going to mitigate it". It was built around two things:
1. Simple network architecture that was commonly used 10-15 years ago. With it, all the devices connect to an internal network; no cloud services, no remote devices, no COVID.
2. No innovation introduced as companies in this field became too profitable. Network vulnerability scanning companies generate $6.1B a year! Why move to a more robust, agent-based architecture when you have this magnificent money machine?
Like most of the fields in IT and security, the massive growth in SaaS services and the increased attack surface made it mandatory to add automation and AI to almost any business process. With 300 newly discovered vulnerabilities every week, startups that are looking to disrupt the vulnerability management process are on the rise. The change is imminent!
To conclude, the solutions to the challenges of automated vulnerability remediation are the following:
When you have 3-4 products that don't speak the same language, it's hard to understand the threat landscape and the mitigation paths. When it comes to vulnerability remediation, we need to remove management overhead as much as we can. And in that case, we need to have consolidation over orchestration.
In a fast-paced world where threats and the digital landscape are changing almost every second, on-demand scanning is no longer effective. We need a real-time, risk-based, and metric-based tool that will inform us about threats, tell us when and how they are mitigated, and help us understand the impact of different mitigation paths we should or shouldn't take.
The vulnerability discovery process in the public domain is completely reactive. One needs to discover a weakness, validate it with NVD, and only after a few months of grace for the vendor to release a fix does the customer become aware of it (aware doesn't mean he detected it on his assets). It's not enough to sharpen and automate the traditional vulnerability tracking process. We also need to explore ways to proactively look for vulnerabilities even before they become known to the world (we had a good webinar about it) and mitigate them on the spot, without waiting for the vendor's next version release (another interesting webinar). It's time for our security services and toolkits to get an update—not just the vulnerable software.
The boys join Paul for a rootin' tootin' good time!
A Step in the Right Direction – Binding Operation Directive 22-01Kent Weigle December 31, 2021
What is Configuration Management?Kent Weigle December 09, 2021
What is Automated Patching?Kent Weigle December 09, 2021
What is Risk-Based Vulnerability Management?Kent Weigle December 09, 2021
Vicarius Offers New Technology To Fix Log4j With No Vendor InvolvementEvan Kling December 20, 2021