Where Vulnerability Management Can Improve
Security is not a product – it’s a process.
It’s how you implement that process and how you choose to manage it that will define your security success. Simply put, vulnerability management is due for an adjustment and an upgrade. There’s been a dramatic rise in both attack sophistication and volume, which has been matched by an exponential rise in vulnerability discovery.
Changes in modern IT infrastructure and development processes have also left gaps in coverage. It’s no longer as simple as aiming a vulnerability scanner at IP addresses when those addresses are handed out by dynamic load balancers and can change daily. Nor is scanning an application every six months sufficient given the continuous updates of an agile software development process. And your greatest risks aren’t the low-hanging fruit anymore; they’re in the hidden assets your IT staff might not even know they own, and in the unknown attack vectors that lurk in the shadows. To update your approach to vulnerability assessment and management to meet current challenges, you must understand your POV - Prioritization, Optimization, and Visibility - and work to improve each.
Making the best possible security decisions has become harder, not easier, due to the overwhelming abundance of available information. Prioritizing vulnerabilities by their importance is time consuming and challenging to automate. There are too many vulnerabilities that don't matter, and not enough time or resources to address them all.
And there are more sources of disparate threat intelligence than can ever be applied to individual vulnerabilities manually. How, then, to make better and faster prioritization decisions in the face of so much information, noise and distraction? And how to do that while also not missing potentially critical vulnerabilities? The answer is: by also prioritizing what information to present to the ultimate decision maker, the human reviewer. Prioritization helps reduce the noise.
Business context, discoverability, ease of exploitation, and remediation complexity are all critical factors in prioritizing risk.
- Business context answers questions like: what are my most vulnerable development components? What are the top three attack vectors at our subsidiary that could impact our business? With the proper business context, prioritization can easily elevate issues that should be high priority.
- A corollary to that is the ease of vulnerability discoverability. Is the issue buried, or does it reside in a publicly facing application? Are there multiple layers of protection between the vulnerable asset and an attacker? Understanding discoverability helps in making informed decisions instead of hasty reactions based on standalone risk scores.
- Exploitation complexity is also a key factor in determining prioritization and goes hand in hand with discoverability and business context. Is it trivial, or does it require a nation state to exploit? If it's easy to exploit one of your key assets, that’s critical information to have.
- Finally, ease of remediation also matters. If a simple fix like changing a default password makes a huge difference, implement it even if it is not the most critical pending vulnerability. Ultimately, the return on investment is worth it.
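To make the four factors concrete, here is an added example (not code from the original post or from CyCognito) that ranks a constructed set of findings by business context, discoverability, exploit effort and remediation effort instead of by standalone severity alone. The weights, the 1-5 scales and the sample findings are assumptions chosen for illustration.

```python
# Added example: prioritize findings by the factors the post names, not by
# severity alone. Scales, weights and sample data are constructed assumptions.
from dataclasses import dataclass


@dataclass
class Finding:
    name: str
    severity: float         # standalone score, e.g. a CVSS base score (0-10)
    asset_criticality: int  # business context: 1 (lab box) .. 5 (revenue system)
    public_facing: bool     # discoverability: reachable from the internet?
    protection_layers: int  # WAF, VPN, segmentation... between asset and attacker
    exploit_effort: int     # 1 = trivial / public exploit .. 5 = nation-state effort
    fix_effort: int         # 1 = config change .. 5 = re-architecture


def priority(f: Finding) -> float:
    """Higher means fix sooner."""
    exposure = 1.0 if f.public_facing else 0.4
    exposure /= 1 + f.protection_layers        # each layer an attacker must cross
    ease = (6 - f.exploit_effort) / 5          # 1.0 trivial .. 0.2 very hard
    context = f.asset_criticality / 5          # 0.2 .. 1.0
    raw = f.severity * context * exposure * ease
    # cheap fixes get a boost: a default-password change is worth doing now
    return round(raw * (1 + (6 - f.fix_effort) / 10), 2)


def rank(findings):
    """Return findings ordered from most to least urgent."""
    return sorted(findings, key=priority, reverse=True)


SAMPLE = [  # constructed findings
    Finding("RCE in internal build server", 9.8, 4, False, 1, 2, 2),
    Finding("Default admin password on partner portal", 5.0, 5, True, 0, 1, 1),
    Finding("XSS on marketing microsite", 6.1, 1, True, 0, 2, 2),
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        print(f"{priority(f):5.2f}  sev={f.severity:<4}  {f.name}")
```

The medium-severity default password on a public, business-critical portal outranks the 9.8 RCE that sits behind a layer of protection, which is exactly the kind of decision a standalone score hides.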
Security evaluations conducted to meet compliance schedules simply aren’t enough, not when the attackers have outpaced the requirements. Periodic security testing reveals a snapshot in time, but doesn’t provide insightful comparison and trending metrics. Scanning on a quarterly basis actually leaves a months-long visibility gap. And the truth is that the longer systems and software are in use, the more poor hygiene like misconfigurations, missing patches, and other vulnerabilities will emerge.
Digital transformation, self-provisioned IT, dynamic cloud environments and continuous development necessitate continuous security.
Configuration changes in ancillary systems can introduce new conditions ripe for exploitation, attackers continue to research and find new methods of entry, and old software stops being supported and patched – not to mention relied on far past its intended shelf life. There are a thousand things that can change your security posture in an instant. In the rapidly emerging modern era, the best security – and really, the only security – is continuous security. And that requires continuous security testing and vulnerability assessments.
Gaining visibility across your entire attack surface is not as easy as it used to be. Vulnerabilities hide – that’s their nature. But now, so do your assets. It’s not the cataloged assets with regular maintenance cycles that present the biggest problems now, but unknown exposures hiding in the shadows. Cloud, third party, and subsidiary environments all help form modern extended IT ecosystems and have redefined what creates your potential attack surface. Managing your vulnerabilities means doing it across your entire IT ecosystem, including the elements you don’t own or directly manage – like those of your partners and subsidiaries. Security testing now means being able to find and assess all your extended gateways and cloud environments. The explosion in assets and expansion of the attack surface has also been accompanied by attacker advancements. Attack tools, techniques, and insight are all easier to acquire and implement. If you can’t find your hidden assets, rest assured that your attackers will.
Vulnerability assessment products have been on the market for two decades, and organizations have spent that long developing and running security testing programs around them. Over that time span, IT infrastructure, attacker sophistication and regulations have all evolved dramatically. Vulnerability assessment tools have not done a good job staying aligned to evolving requirements, yet have become thoroughly entrenched features of security programs. While it may not be possible to simply replace these tools, it is possible to augment them and bring about a much needed evolution. The CyCognito platform does exactly that by helping to prioritize what’s critical, optimize security team resources, and vastly expand visibility.