Vulnerability management has always been as much art as science. However, the rapid changes in both IT networks and the external threat landscape over the last decade have made it exponentially more difficult to identify and remediate the vulnerabilities with the greatest potential impact on the enterprise.
With a record of 18,378 vulnerabilities reported by the National Vulnerability Database in 2021 and an influx of new attack techniques targeting increasingly complex and distributed environments, how can CISOs know where to start?
Why has maintaining network visibility become such a challenge?
Heavy investments into digital transformation and cloud migration have rendered significant, foundational changes to the enterprise IT environment. Gartner predicts end-user spending on public cloud services will reach almost 600 billion in 2023, up from an estimated $494.7 billion this year and $410.9 in 2021.
Long gone are the days when security teams could concern themselves only with connections to and from the data center; now they must establish effective visibility and control of a sprawling, complex network that includes multiple public clouds, SaaS services, legacy infrastructure, the home networks of remote users, etc. Corporate assets are no longer limited to servers, workstations, and a few printers; teams must now secure virtual machines on premise and in the cloud, IoT devices, mobile devices, microservices, cloud data stores, and much more – making visibility and monitoring infinitely more complex and challenging.
In many cases, security investments have not kept up with the rapid increase in network scope and complexity. In other cases, agile processes have outpaced security controls. This results in security teams struggling to achieve effective visibility and control of their networks, resulting in misconfigurations, compliance violations, unnecessary risk, and improperly prioritized vulnerabilities that provide threat actors with easy attack paths.
Adversaries are specifically targeting these blind spots and security gaps to breach the network and evade detection.
What are the most common mistakes being made in attempting to keep up with threats?
With the average cost of a data breach climbing to $4.35 million in 2022, CISOs and their teams are under extraordinary pressure to reduce cyber risk as much as possible. But many are hindered by a lack of comprehensive visibility or pressure to deliver agility beyond what can be delivered without compromising security. One of the most common issues we encounter is an inability to accurately prioritize vulnerabilities based on the actual risk they pose to the enterprise. With thousands of vulnerabilities discovered every year, determining which vulnerabilities need to be patched and which can be accepted as incremental risk is a critical process.
The Common Vulnerability Scoring System (CVSS) has become a useful guidepost, providing security teams with generalized information for each vulnerability. Prioritizing the vulnerabilities with the highest CVSS score may seem like a logical and productive approach. However, every CISO should recognize that CVSS scores alone are not an accurate way to measure the risk a vulnerability poses to their individual enterprise.
To accurately measure risk, more contextual information is required. Security teams need to understand how a vulnerability relates to their specific environment. While high-profile threats like Heartbleed may seem like an obvious priority, a less public vulnerability with a lower CVSS score exposed to the Internet in the DMZ may expose the enterprise to greater actual risk.
These challenges are exacerbated by the fact that IT and security teams often lose track of assets and applications as ownership is pushed to new enterprise teams and the cloud makes it easier than ever for anyone in the enterprise to spin up new resources. As a result, many enterprises are riddled with assets that are unmonitored and remain dangerously behind on security updates.
Why context is critical
With resources like the National Vulnerability Database at their fingertips, no CISO lacks for data on vulnerabilities. In fact, most enterprises do not lack for contextual data either. Enterprise security, IT, and GRC stacks provide a continuous stream of data which can be leveraged in vulnerability management processes. However, these raw streams of data must be carefully curated and combined with vulnerability information to be turned into actionable context – and it is this in this process where many enterprises falter.
Unfortunately, most enterprises do not have the resources to patch every vulnerability. In some circumstances, there may be a business case for not patching a vulnerability immediately, or at all. Context from information sources across the enterprise enables standardized risk decisions to be made, allowing CISOs to allocate their limited resources where they will have the greatest impact on the security of the enterprise.
Making the most of limited resources with automation
There was a time when a seasoned security professional could instinctively assess the contextual risk of a threat based on their experience and familiarity with the organisation’s infrastructure. However, this approach cannot scale with the rapid expansion of the enterprise network and the growing number of vulnerabilities that must be managed. Even before the ongoing global security skills shortage, no organization had the resources to manually aggregate and correlate thousands of fragments of data to create actionable context.
In today’s constantly evolving threat landscape, automation offers the best chance for keeping up with vulnerabilities and threats. An automated approach can pull relevant data from the security, IT, and GRC stacks and correlate it into contextualized information which can be used as the basis for automated or manual risk decisions.
Vulnerability Management Program Guide: Managing the Threat and Vulnerability Landscape