This vendor-written tech primer has been edited by Network World to eliminate
product promotion, but readers should note it will likely favor the submitter’s
approach.
Vulnerability risk management has re-introduced itself as a top challenge – and priority – for even the most savvy IT organizations. Despite the best detection technologies, organizations continue to get compromised on a daily basis. Vulnerability scanning provides visibility into potential land mines across the network, but often just results in data tracked in spreadsheets and independent remediation teams scrambling in different directions.
The recent Verizon Data Breach report showed that 99.9% of vulnerabilities exploited in attacks were compromised more than a year after being published. This clearly demonstrates the need to change from a “find” to “fix” mentality. Here are three key challenges to getting there:
* Vulnerability prioritization. Today, many organizations prioritize based on CVSS score and perform some level of asset importance classification within the process. However, this is still generating too much data for remediation teams to take targeted and informed action. In a larger organization, this process can result in tens of thousands – or even millions – of critical vulnerabilities detected. So the bigger question is – which vulnerabilities are actually critical?
Additional context is necessary get a true picture of actual risk across the IT environment. Organizations might consider additional factors in threat prioritization, such as the exploitability or value of an asset, the correlation between the vulnerability and the availability of public exploits, attacks and malware actively targeting the detected vulnerability, or the popularity of a vulnerability in social media conversations.
* Remediation process. The second and perhaps most profound challenge is in the remediation process itself. On average, organizations take 103 days to remediate a security vulnerability. In a landscape of zero-day exploits and the speed and agility at which malware developers operate, the window of opportunity is wide open for attackers.
The remediation challenge is most often rooted in the process itself. While there is no technology that can easily and economically solve the problem, there are ways to enable better management through automation that can improve the process and influence user behavior. In some cases, there are simple adjustments that can result in a huge impact. For example, a CISO at a large enterprise company recently stated that something as easy as being able to establish deadlines and automated reminder notifications when a deadline was approaching could vastly improve the communication process between Security and DevOps/SysAdmin teams.
In other words, synchronizing communication between internal teams through workflow automation can help accelerate the remediation process. From simple ticket and task management to notifications and patch deployment, the ability to track the remediation process within a single unified view can eliminate the need to navigate and update multiple systems and potentially result in significant time savings.
* Program governance. The adage, “You can’t manage it if you can’t measure it” is true when it comes to evaluating the success of a vulnerability risk management program. In general, information security programs are hard to measure compared to other operational functions such as sales and engineering. One can create hard metrics, but it is often difficult to translate those metrics into measurable business value.
There is no definitive answer for declaring success. For most organizations, this will likely vary depending on the regulatory nature of their industry and overall risk management strategy. However, IT and security teams demonstrate greater value when they can show the level of risk removed from critical systems.
Establishing the right metrics is the key to any successful governance program, but it also must have the flexibility to evolve with the changing threat landscape. In the case of vulnerability risk management, governance may start with establishing baseline metrics such as number of days to patch critical systems or average ticket aging. As the program evolves, new, and more specific, metrics can be introduced such as number of days from discovery to resolution (i.e., time when a patch is available to actual application).
Practitioners can start improving the process by making some simple changes. For example, most vulnerability assessment tools offer standard prioritization of risks based on CVSS score and asset classification. However, this approach is still generating too much data for remediation teams. Some organizations have started to perform advanced correlation with threat intelligence feeds and exploit databases. Yet, this process can be a full-time job in itself, and is too taxing on resources.
Technologies exist today to help ease this process through automation by enriching the results of vulnerability scan data with rich context beyond the CVSS score. Through correlation with external threat, exploit, malware, and social media feeds and the IT environment, a list of prioritized vulnerabilities is delivered based on the systems most likely to be targeted in a data breach. Automating this part of the process with existing technologies can help cut the time spent on prioritization from days to hours.
Today, vulnerability management has become as much about people and process as it is about technology, and this is where many programs are failing. The problem is not detection. Prioritization, remediation, and program governance have become the new precedence. It is no longer a question of if you will be hacked, but rather when, and most importantly, how. The inevitable breach has become a commonly accepted reality. Vulnerability risk management calls for a new approach that moves beyond a simple exercise in patch management to one focused on risk reduction and tolerable incident response.
Vulnerability risk management has re-introduced itself as a top challenge – and priority – for even the most savvy IT organizations. Despite the best detection technologies, organizations continue to get compromised on a daily basis. Vulnerability scanning provides visibility into potential land mines across the network, but often just results in data tracked in spreadsheets and independent remediation teams scrambling in different directions.
The recent Verizon Data Breach report showed that 99.9% of vulnerabilities exploited in attacks were compromised more than a year after being published. This clearly demonstrates the need to change from a “find” to “fix” mentality. Here are three key challenges to getting there:
* Vulnerability prioritization. Today, many organizations prioritize based on CVSS score and perform some level of asset importance classification within the process. However, this is still generating too much data for remediation teams to take targeted and informed action. In a larger organization, this process can result in tens of thousands – or even millions – of critical vulnerabilities detected. So the bigger question is – which vulnerabilities are actually critical?
Additional context is necessary get a true picture of actual risk across the IT environment. Organizations might consider additional factors in threat prioritization, such as the exploitability or value of an asset, the correlation between the vulnerability and the availability of public exploits, attacks and malware actively targeting the detected vulnerability, or the popularity of a vulnerability in social media conversations.
* Remediation process. The second and perhaps most profound challenge is in the remediation process itself. On average, organizations take 103 days to remediate a security vulnerability. In a landscape of zero-day exploits and the speed and agility at which malware developers operate, the window of opportunity is wide open for attackers.
The remediation challenge is most often rooted in the process itself. While there is no technology that can easily and economically solve the problem, there are ways to enable better management through automation that can improve the process and influence user behavior. In some cases, there are simple adjustments that can result in a huge impact. For example, a CISO at a large enterprise company recently stated that something as easy as being able to establish deadlines and automated reminder notifications when a deadline was approaching could vastly improve the communication process between Security and DevOps/SysAdmin teams.
In other words, synchronizing communication between internal teams through workflow automation can help accelerate the remediation process. From simple ticket and task management to notifications and patch deployment, the ability to track the remediation process within a single unified view can eliminate the need to navigate and update multiple systems and potentially result in significant time savings.
* Program governance. The adage, “You can’t manage it if you can’t measure it” is true when it comes to evaluating the success of a vulnerability risk management program. In general, information security programs are hard to measure compared to other operational functions such as sales and engineering. One can create hard metrics, but it is often difficult to translate those metrics into measurable business value.
There is no definitive answer for declaring success. For most organizations, this will likely vary depending on the regulatory nature of their industry and overall risk management strategy. However, IT and security teams demonstrate greater value when they can show the level of risk removed from critical systems.
Establishing the right metrics is the key to any successful governance program, but it also must have the flexibility to evolve with the changing threat landscape. In the case of vulnerability risk management, governance may start with establishing baseline metrics such as number of days to patch critical systems or average ticket aging. As the program evolves, new, and more specific, metrics can be introduced such as number of days from discovery to resolution (i.e., time when a patch is available to actual application).
Practitioners can start improving the process by making some simple changes. For example, most vulnerability assessment tools offer standard prioritization of risks based on CVSS score and asset classification. However, this approach is still generating too much data for remediation teams. Some organizations have started to perform advanced correlation with threat intelligence feeds and exploit databases. Yet, this process can be a full-time job in itself, and is too taxing on resources.
Technologies exist today to help ease this process through automation by enriching the results of vulnerability scan data with rich context beyond the CVSS score. Through correlation with external threat, exploit, malware, and social media feeds and the IT environment, a list of prioritized vulnerabilities is delivered based on the systems most likely to be targeted in a data breach. Automating this part of the process with existing technologies can help cut the time spent on prioritization from days to hours.
Today, vulnerability management has become as much about people and process as it is about technology, and this is where many programs are failing. The problem is not detection. Prioritization, remediation, and program governance have become the new precedence. It is no longer a question of if you will be hacked, but rather when, and most importantly, how. The inevitable breach has become a commonly accepted reality. Vulnerability risk management calls for a new approach that moves beyond a simple exercise in patch management to one focused on risk reduction and tolerable incident response.
