Tim Callahan, Vice President
The modern security professional is being hit from all sides. When combating known vulnerabilities, traditional methods of security and vulnerability management shouldn’t be dismissed – but new areas of focus like threat intelligence and attack path analysis must be built on to them to help prioritize which vulnerabilities to remediate first. However, there are also threats that just can’t be known. The security professional is compelled to spread their attention across so many areas of growing threat that it can be overwhelming. What can be done?
"Vulnerability management tools can often be used for technical compliance management. In this concept, one can scan for both vulnerability and configuration compliance"
One suggestion is to conduct a risk assessment: Identify what is most precious to protect, plan for an incident with a sound and rehearsed response plan, and get your senior leadership’s buy-in and approval on the strategy. Concentrate on doing what you know you can do to reduce your company’s threat surface.
The 2015 Verizon Data Breach Investigation Report (DBIR) shows breaches follow similar patterns as criminals utilize tried and true methods to get to your data. One alarming statistic from the DBIR indicates that 99.9 percent of exploited vulnerabilities in 2014 had been compromised more than a year after their associated Common Vulnerabilities and Exposures (CVE), a dictionary of publicly known information security vulnerabilities and exposures, was published. The DBIR found that vulnerabilities were exploited where the CVE was published as early as 1999. Like bad news, vulnerabilities don’t get better with time.
Although much falls into the realm of the “unknown-unknown,” published vulnerabilities do not, and security professionals must pay attention to them. Even if you fixed the published exploited vulnerabilities found in the CVE, it would be imprudent to believe that compromises wouldn’t happen. The reality is that a persistent attacker will find a way, and security professionals must be even more persistent on their mission to block the bad guys from gaining a foothold into their organization’s system.
As it gains traction, the path to effective vulnerability management can prove extremely complicated and demanding of security professionals’ time. One obstacle is having ill-defined roles and responsibilities, leaving no one accountable for taking ownership of the issues that arise. It’s essential to have a clear distinction between the owner of the vulnerability management program and the owner of the remediation of vulnerabilities to ensure no stone is left unturned.
While risk-ranking requires a collaborative endeavor with all stakeholders, the ultimate decision on its design and execution must remain with the security organization. Identifying and validating vulnerabilities in the environment, as well as determining the method to risk-rank them, must be clearly mapped out. Also, an action plan must be in effect to quickly remediate vulnerabilities deemed the highest risk.
Once a weakness is ranked based on the applicability and mitigating controls of the particular organization, the fix must be implemented or, if for technical reasons it can’t be fixed in the time required by the standard, there must be a formal exception process. This should state a target time for remediation and list any mitigating factors that may lessen the risk, as well as the risk presented if the fix were to meet the required time. This process must be rigorously followed so that at any given time the security organization can report on open vulnerabilities, those responsible for the fix and the timeline for when this fix will be accomplished.
An organization that leaves this process to their technology group will likely be less successful, because their resources are often spread thin. As a result, fixes are delayed due to production outages, implementation of new technology and any other tasks the IT professional has on their plate. Having an independent team finding vulnerabilities, publishing those vulnerabilities and expressing in terms of risk is crucial to getting those fixes in.
Closely tied to the vulnerability program is technical compliance management. In other words, an organization should have security configuration standards and the means by which to monitor them. Exploits can happen due to inadequate and improper configuration, not changing default passwords and so forth. Vulnerability management tools can often be used for technical compliance management. In this concept, one can scan for both vulnerability and configuration compliance. The same process can be used to fix the non-compliant actions. This identification of issues shouldn’t be left to the IT professionals; rather, it must be part of the security team’s responsibility. The IT team must be the owner of the fix.
There is generally agreement in the industry that in any significantly sized organization, the number of vulnerabilities can often overwhelm the organization’s ability to address them. This is why risk-ranking becomes so important. But even with this process, there are still more vulnerabilities than can be fixed in the standard times. This leaves organizations in a race to fix them before the bad guys exploit them. An emerging concept is the prioritization of the fixes based on the most probable attack path using vulnerabilities. Companies such as Core Security are making progress in this area. The premise is not that those vulnerabilities can be left unchecked, but that with proper analysis of the path that attackers could and most likely would use to exploit, the organization can concentrate their remediation efforts on the most vulnerable of the vulnerabilities.
It is clear that with vulnerabilities being among the preferred targets of the criminal hacker, organizations must put a priority on their program. Organizations should examine their particular risk, risk tolerance and circumstance to develop a program and process to deny the criminals this opportunity for compromise.