Any organization’s vulnerability management program must be a cornerstone of its cybersecurity initiative. Security vulnerabilities, if left unidentified and/or unaddressed, can bring the business down like a house of cards. As your organization adopts emerging innovation and technology, it also correspondingly outgrows in the threat landscape. This makes the protection of your most critical business assets all the more difficult.
By Doug Drew, Client Solutions Advisor, Americas, Optiv
The number (and sophistication) of threat actors continue to spiral upwards. However, the larger problem has been finding, prioritizing, and fine-tuning the response to these susceptibilities. This has always been a top priority for security professionals, but the growing number of traditional and zero-day vulnerabilities makes it difficult, if not impossible, for legacy vulnerability assessment tools to be effective.
Legacy vulnerability assessment tool? What’s that?
A legacy vulnerability assessment tool is commonly used for scanning business networks and applications for “known weaknesses.” It checks for predefined exploitable characteristics which expose business networks to possible cyberattacks. Once the scanning is complete, the tool then sends a standard report notifying IT administrators of the vulnerabilities that need remediation. This, though, is a protracted process, as administrators must manually prioritize, align and remediate the vulnerabilities.
It’s time to move away from this one-dimensional approach – the future of cybersecurity is risk-based vulnerability management (RBVM). Your vulnerability management program needs to evolve, prioritize and continue to protect the most critical business assets rather than burning time on exposures that are unlikely to be exploited. An RBVM approach is a perfect fit for this. It reduces vulnerabilities across your attack surface by prioritizing remediation based on the risks they pose to your organization.
So, how is RBVM adopted and managed? It depends on these six simple principles.
1. See the forest through the trees
The threat landscape has evolved dramatically over the past 10 years in ways that have challenged our ability to understand, manage and predict threats. This trend is continuing at an unprecedented rate and with the attack surface growing around cloud-based services, IoT and OT, the security borders are becoming more transparent, raising the bar for security teams trying to protect business assets.
Managing vulnerabilities in today’s connected landscape requires us to understand both the extent of our attack surface and also the value of each target. Without marking your operational boundaries, you can’t predict threats in the darker side of the woods; without tagging the risk value we can’t ascertain what needs to be guarded.
So, make contextual and informed decisions using a risk-based approach. Sift through the clutter of the vulnerability trees and draw parallels between essential vulnerability characteristics. Combine the criticality of the assets affected, the threat identified and the exploit intelligence available along with other key contextual elements. What you have then is a formula that helps your organization understand the actual risk posed by each vulnerability.
2. You can’t boil the ocean
There is no way to fix it all. Time is a tremendous constraint in today’s business world. 24/7 operations, limited change windows, and staffing pressures force us to focus on what matters the most – addressing risk. However, when it comes to legacy vulnerability management practices, remediation timeframes are often based on outdated industry standards like the Common Vulnerability Scoring System (CVSS).
CVSS is an open framework that defines severity scores to software vulnerabilities based on a theoretical calculation. However, a vulnerability is only as dangerous as the threat exploiting it. 95% of “high severity” CVSS score vulnerabilities have never been exploited in the wild. This means the attackers don’t care about the vulnerability score as long as they can successfully leverage these attack vectors.
In contrast, RBVM helps in prioritizing efforts based on business risks. Acting on what is specific to the real-world activities of hostile actors is requisite to staying ahead of them.
3. Don’t ignore what’s beneath the tip of the iceberg
Seven-tenths of an iceberg never appears above water, but that doesn’t mean it can’t sink your ship. Today’s tip of the iceberg involves IoT, OT, and cloud technologies – with DevOps being an important addition to the list. The landscape has changed. But, organizations need to look below the surface into traditional IT environments too. Because traditional vulnerabilities often sink the security ship. So adopt a risk-based vulnerability management approach to cover the entire attack surface. Determine the vulnerabilities and prioritize remediation of critical assets that lie both above and below the water.
4. The tail can’t wag the dog
The strategy must drive tactics, not the reverse. Some security teams have a thought process that vulnerability scanning is the “endgame.” The risk goes beyond vulnerabilities. There is an entire set of data and tools, like application scanning, configuration scanning, and pen-testing data, which gives you a different POV of your business environment and can provide valuable vulnerability insights. Focus on what matters to your business and remediate those things or you can be consumed with repetition fatigue and staff burnout.
5. Don’t be the slowest gazelle
Always remember, “if everything is important, then nothing is important.” A risk-based vulnerability management approach allows the organization to effectively assess the problem and then appropriately prioritize or deprioritize it. But true risk-based vulnerability information doesn’t just provide a complete overview of the threat landscape; it also speeds decision-making.
Combined with orchestration and automation efforts, an RBVM program can reduce both the need for human intervention and the time to remediation and validation by integrating your security tools properly. This approach will help keep you ahead of the pack and minimize disruption in your environment.
6. Risk is a team sport; lean on your teammates
Football is a classic example of a team sport. Every touchdown scored is a well-orchestrated symphony. Every player has a different role, yet the play is carried out with one end goal – putting the ball in the end zone. It’s the same with risk management in the business world.
Facing adversaries on your own can be a daunting task. This can especially seem very difficult in the case of zero-day attacks. Your defense partner may be able to hold the fort against it – or maybe not. For such scenarios, there is one team member who creates and executes the strategy – the head coach.
Organizations need to ask who are their head coaches and how well-prepared are they? If you aren’t comfortable with your answer to this question, it’s time to upgrade your operations with a prudent risk-based vulnerability management program and tools like the one from Optiv.
Need more information on this? Click here to know how Optiv can take care of your organization’s RBVM needs right away!