Improving Vulnerability Management by Emphasizing your POV (Prioritization, Optimization, and Visibility)
Vulnerability management, and the security testing that is part of it, faces ever-changing demands. More aggressive attack techniques and legislative requirements alike have driven the need for:
- More stringent and frequent testing
- ‘Blue’ defensive and ‘red’ offensive testing teams to collaborate and share information in ‘purple’ teaming
- Better overall reporting and metrics
- Less painful methods of implementing remediation verification
Currently, though, both large and small organizations rely on fairly standard vulnerability management processes that have stabilized over the past two decades but don’t necessarily address today’s requirements. Before we look at the mismatch between modern vulnerability management needs and today’s de facto processes, let’s take a step back and look at the steps involved in vulnerability management.
Step-by-Step
No matter how they are labelled or divided, the process steps for vulnerability management can generally be broken down into the following actions (essentially the observe-orient-decide-act loop, with a repetition step that feeds each cycle’s results into the next):
1. Observation
Observation means identifying the assets and capabilities that compose the portion of your attack surface you are planning to test (aka mapping your testing targets) and scanning those with any number of tools and/or services to determine what vulnerabilities exist in your applications and infrastructure.
2. Orientation
Organizations discover more vulnerabilities than they can fix, hence the need for vulnerability management and not just assessment. Orientation means prioritizing which vulnerabilities are critical and need to be addressed immediately, and which can safely be deferred or accepted as residual risk. This requires gaining a clear sense of what the vulnerabilities are, their ease of exploitation (informed by threat intelligence), the potential impact of ignoring them, and the procedures to remediate the issues you decide to resolve.
3. Decision
Decision is where clear communication of both technical and non-technical details is vital and teams must be able to coordinate their planning. Speed is of the essence because the longer vulnerability management cycles take to run, the more time attackers have to exploit the weakness.
4. Action
Action means implementing the specific remediation steps and then re-testing the affected assets to confirm that those vulnerabilities are actually gone (remediation verification).
5. Repetition
Repetition means comparing current with past testing results to garner key metrics over time around inputs (discovered vulnerabilities and assets) and outputs (resolved vulnerabilities, overall vulnerabilities, severities, etc.) to show both progress and opportunities for vulnerability management improvement.
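The Action and Repetition steps above can be driven from a diff of two scan snapshots: which findings are new, which persisted, which disappeared, and whether the ones a team reported fixed are actually gone. The following is an added example, not code from the original article or from any scanner or vendor product; the finding format and the two sample snapshots are constructed for illustration.

```python
"""Diff two vulnerability scan snapshots to verify remediation (Action) and
derive trend metrics (Repetition).

Added example, not from the original article or any scanner. The finding
format and the sample snapshots are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str     # hostname or service identifier as reported by the scanner
    vuln_id: str   # scanner check ID or CVE; the sample values below are made up
    severity: str  # "critical" | "high" | "medium" | "low"


def key(f):
    # A finding's identity is (asset, check); severity may be re-rated between scans.
    return (f.asset, f.vuln_id)


def diff_scans(previous, current):
    """Split findings into new, persisting and resolved, sorted for stable output."""
    prev = {key(f): f for f in previous}
    curr = {key(f): f for f in current}
    return {
        "new": [curr[k] for k in sorted(curr.keys() - prev.keys())],
        "persisting": [curr[k] for k in sorted(curr.keys() & prev.keys())],
        "resolved": [prev[k] for k in sorted(prev.keys() - curr.keys())],
    }


def verify_remediation(claimed_fixed, current):
    """Return the (asset, vuln_id) keys a team reported fixed that the current
    scan still reports, i.e. remediation verification failures."""
    still_open = {key(f) for f in current}
    return sorted(k for k in claimed_fixed if k in still_open)


def metrics(previous, current):
    """Inputs (assets, discovered vulns) and outputs (resolved, open by severity)
    for one cycle; resolution_rate is the share of last cycle's findings closed."""
    d = diff_scans(previous, current)
    prev_assets = {f.asset for f in previous}
    curr_assets = {f.asset for f in current}
    return {
        "assets_seen": len(curr_assets),
        "new_assets": sorted(curr_assets - prev_assets),
        "open_total": len(current),
        "open_by_severity": dict(Counter(f.severity for f in current)),
        "new": len(d["new"]),
        "persisting": len(d["persisting"]),
        "resolved": len(d["resolved"]),
        "resolution_rate": round(len(d["resolved"]) / len(previous), 2) if previous else None,
    }


# Constructed sample snapshots: last quarter's scan and this week's scan.
PREVIOUS_SCAN = [
    Finding("web01", "log4j-rce", "critical"),
    Finding("web01", "tls-weak-cipher", "medium"),
    Finding("db01", "default-creds", "high"),
    Finding("vpn01", "outdated-openssh", "high"),
]
CURRENT_SCAN = [
    Finding("web01", "tls-weak-cipher", "medium"),
    Finding("db01", "default-creds", "high"),      # reported fixed, still present
    Finding("vpn01", "outdated-openssh", "high"),
    Finding("api02", "missing-auth", "critical"),  # asset nobody had inventoried
    Finding("api02", "tls-weak-cipher", "medium"),
]
CLAIMED_FIXED = [("web01", "log4j-rce"), ("db01", "default-creds")]

if __name__ == "__main__":
    for name, items in diff_scans(PREVIOUS_SCAN, CURRENT_SCAN).items():
        print(name, [key(f) for f in items])
    print("failed verification:", verify_remediation(CLAIMED_FIXED, CURRENT_SCAN))
    print(metrics(PREVIOUS_SCAN, CURRENT_SCAN))
```

Keying findings on (asset, check) rather than on the scanner’s own finding ID matters in practice: many scanners mint a fresh ID per run, which makes every finding look "new" and hides the persisting ones that are the real metric of interest. The `new_assets` output is also where a previously unknown host such as `api02` first surfaces, which is the visibility problem discussed later in this article.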
Where Vulnerability Management Can Improve
Security is not a product – it’s a process.
It’s how you implement that process and how you choose to manage it that will define your security success. Simply put, vulnerability management is due for an adjustment and an upgrade. There’s been a dramatic rise in both attack sophistication and volume, which has been matched by an exponential rise in vulnerability discovery.
Changes in modern IT infrastructure and development processes have also left gaps in coverage. It’s no longer as simple as aiming a vulnerability scanner at a list of IP addresses when those addresses sit behind dynamic load balancers and can change daily. Nor is scanning an application every six months sufficient given the continuous updates of an agile software development process. And your greatest risks aren’t the low-hanging fruit anymore; they’re in the hidden assets your IT staff might not even know they own, and in the unknown attack vectors that lurk in the shadows. To update your approach to vulnerability assessment and management to meet current challenges, you must understand your POV – Prioritization, Optimization, and Visibility – and work to improve each.
Prioritization
Making the best possible security decisions has become harder, not easier, due to the overwhelming abundance of available information. Prioritizing vulnerabilities by their importance is time consuming and hard to automate. There are too many vulnerabilities that don’t matter, and not enough time or resources to address them all. And there are more sources of disparate threat intelligence than can ever be applied to individual vulnerabilities manually. How, then, to make better and faster prioritization decisions in the face of so much information, noise and distraction, without missing potentially critical vulnerabilities? The answer is to also prioritize what information is presented to the ultimate decision maker, the human reviewer. Prioritization reduces the noise.
Business context, discoverability, ease of exploitation, and remediation complexity are all critical factors in prioritizing risk.
- Business context answers questions like: what are my most vulnerable dev components? What are the top three attack vectors at our subsidiary that can impact our business? With the proper business context, prioritization can easily elevate issues that should be high priority.
- A corollary to that is discoverability. Is the issue buried, or does it reside in a publicly facing application? Are there multiple layers of protection between the vulnerable asset and an attacker? Understanding discoverability supports informed decisions instead of hasty reactions based on standalone risk scores.
- Exploitation complexity is also a key factor, and goes hand in hand with discoverability and business context. Is it trivial, or does it require a nation state to exploit? If one of your key assets is easy to exploit, that’s critical information to have.
- Finally, ease of remediation matters. If a simple fix like changing a default password makes a huge difference, implement it even if it is not the most critical pending vulnerability; the return on investment is worth it.
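The four factors above can be turned into a ranking that differs markedly from sorting by scanner score alone. The following is an added example, not the article’s or any vendor’s method: the 0–10 scoring scale, the weights (exposure halved per protective layer, exploitability halved when no exploit is known, severity scaled by asset value), and the sample findings are all assumptions chosen for illustration. In a real program, `business_value` would come from the asset inventory, `exploit_available` from threat intelligence, and `layers_between` from a review of network and identity controls.

```python
"""Rank findings by contextual risk rather than by a standalone severity score.

Added example, not the article's or any vendor's method. The scoring scale, the
weights and the sample findings are assumptions chosen for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    issue: str
    base_score: float         # scanner-reported severity, CVSS-style 0-10
    business_value: int       # 1 (low) .. 5 (crown jewel), from the asset inventory
    internet_facing: bool     # discoverability: reachable without a prior foothold
    layers_between: int       # protective layers (VPN, WAF, auth) between attacker and asset
    exploit_available: bool   # public exploit or known-exploited, from threat intel
    remediation_hours: float  # estimated effort to fix


def exposure_factor(f):
    """Discoverability: 1.0 for directly internet-facing, 0.4 for internal reach
    only; each protective layer halves it (assumed weighting)."""
    base = 1.0 if f.internet_facing else 0.4
    return base / (2 ** f.layers_between)


def exploitability_factor(f):
    """Exploitation complexity: halve the score when no exploit is known to exist."""
    return 1.0 if f.exploit_available else 0.5


def risk(f):
    """Contextual risk: severity scaled by exposure, exploitability and asset value."""
    return f.base_score * exposure_factor(f) * exploitability_factor(f) * (f.business_value / 5)


def rank_by_severity(findings):
    """The naive ordering: standalone scanner score only."""
    return sorted(findings, key=lambda f: f.base_score, reverse=True)


def rank_by_risk(findings):
    """Ordering by contextual risk."""
    return sorted(findings, key=risk, reverse=True)


def rank_by_roi(findings):
    """Risk removed per hour of effort: surfaces cheap, high-payoff fixes such as
    changing a default password."""
    return sorted(findings, key=lambda f: risk(f) / f.remediation_hours, reverse=True)


# Constructed sample findings (asset, issue, base_score, business_value,
# internet_facing, layers_between, exploit_available, remediation_hours).
SAMPLE_FINDINGS = [
    Finding("hr-portal", "default admin password", 7.5, 4, True, 0, True, 0.5),
    Finding("core-db", "unpatched RCE in DB engine", 9.8, 5, False, 2, True, 16.0),
    Finding("public-api", "outdated TLS library", 9.1, 3, True, 0, False, 1.0),
    Finding("build-server", "CI webhook without authentication", 6.5, 5, True, 1, True, 2.0),
]

if __name__ == "__main__":
    for label, ranked in (("by severity", rank_by_severity(SAMPLE_FINDINGS)),
                          ("by contextual risk", rank_by_risk(SAMPLE_FINDINGS)),
                          ("by risk removed per hour", rank_by_roi(SAMPLE_FINDINGS))):
        print(label + ":", [(f.asset, round(risk(f), 2)) for f in ranked])
```

With these inputs the scanner score puts the internal database RCE first, while contextual risk puts the internet-facing default password first and pushes the RCE, sitting behind two layers of controls, to the bottom. Ranking by risk removed per hour then lifts the one-hour TLS library update above the two-hour CI webhook fix, which is the "cheap fix first" point made in the last bullet.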
Optimization
Security evaluations conducted to meet compliance schedules simply aren’t enough, not when the attackers have outpaced the requirements. Periodic security testing reveals a snapshot in time, but doesn’t provide insightful comparison and trending metrics. Scanning on a quarterly basis actually leaves a months-long visibility gap. And the truth is that the longer systems and software are in use, the more hygiene problems such as misconfigurations, missing patches, and other vulnerabilities accumulate.
Digital transformation, self-provisioned IT, dynamic cloud environments and continuous development necessitate continuous security.
Configuration changes in ancillary systems can introduce new conditions ripe for exploitation, attackers continue to research and find new methods of entry, and old software stops being supported and patched – not to mention being relied on far past its intended shelf life. There are a thousand things that can change your security posture in an instant. Today the best security – and really, the only security – is continuous security. And that requires continuous security testing and vulnerability assessments.
Visibility
Gaining visibility across your entire attack surface is not as easy as it used to be. Vulnerabilities hide – that’s their nature. But now, so do your assets. It’s not the cataloged assets with regular maintenance cycles that present the biggest problems now, but unknown exposures hiding in the shadows. Cloud, third party, and subsidiary environments all help form modern extended IT ecosystems and have redefined what creates your potential attack surface. Managing your vulnerabilities means doing it across your entire IT ecosystem, including the elements you don’t own or directly manage – like those of your partners and subsidiaries. Security testing now means being able to find and assess all your extended gateways and cloud environments. The explosion in assets and expansion of the attack surface has also been accompanied by attacker advancements. Attack tools, techniques, and insight are all easier to acquire and implement. If you can’t find your hidden assets, rest assured that your attackers will.
Conclusion
Vulnerability assessment products have been on the market for two decades, and organizations have spent that long developing and running security testing programs around them. Over that time span, IT infrastructure, attacker sophistication and regulations have all evolved dramatically. Vulnerability assessment tools have not done a good job staying aligned to evolving requirements, yet have become thoroughly entrenched features of security programs. While it may not be possible to simply replace these tools, it is possible to augment them and bring about a much needed evolution. The CyCognito platform does exactly that by helping to prioritize what’s critical, optimize security team resources, and vastly expand visibility.