here is a growing realization in the industry today that it is better not to remediate all IT security vulnerabilities. Sounds contrarian but makes a lot of sense when we look at the math behind vulnerabilities. Take for instance the fact that out of 70,000 vulnerabilities reported since 2006, only around 800 CVEs were exploited last year.
As per Verizon DBIR 2016 report, only 200 out of several thousand vulnerabilities reported in 2013-2015 were exploited last year. Millions of malware released last year cumulatively exploited only around 100 vulnerabilities. This raises the question on the generic approach of fixing all vulnerabilities that are detected. The approach for fixing vulnerabilities on high value assets no longer works; attackers can start by compromising lower value assets and linger in the environment.
The effort to mitigate a vulnerability is also significant. It takes several person weeks of effort to remediate vulnerabilities; ranging from impact analysis of patch to be applied to the actual patching activity or secure configuration of systems. Not to mention the effort that comes up when patch reversals happen due to disrupted functionality. The time taken to remediate is also high. One industry estimate puts the average time to fix at 176 days. That’s an average time to fix of almost six months. This is a long window of opportunity for cyber-crime syndicates to breach any organization.
In short, the way we look at vulnerabilities and manage them needs to change. Leading edge Chief information Security Officers (CISOs) are gravitating towards more innovative ways of executing a vulnerability management program. One such example is the concept of prioritizing a vulnerability. It might be more prudent to focus on the smaller set of vulnerabilities that are being exploited and be complacent about fixing the larger set of thousands of vulnerabilities that cyber-crime syndicates are not looking at.
Paladion listened to leadings CISOs to hear about the trends they saw. We added our observations as an IT security vulnerability program service provider working with large and leading enterprises. We consolidated the best practices in to this white paper here:
Vulnerability assessment is now getting centralized and run as continual operations instead of a stop-start periodic program. De-duplication of vulnerabilities and prioritization becomes important in the context of continuous scanning operations. A good prioritization engine can pick out the 2% of vulnerabilities that truly require remediation, thus saving time and money, while beefing up protection. The prioritization process also does continuous evaluation of vulnerabilities against external and internal parameters to re-score the prioritization value. Certain vulnerabilities can become important to fix in the context of changes to some external/internal parameters. As an example, a flash plugin vulnerability might bubble up and become critical in the context of a ransom ware that is spreading based on exploiting the vulnerability.
Another trend that we noticed is that the leaders in the industry also scan for Indicators of Compromise (IOC) to identify if a breach has already happened on any of the systems. This is over and above the traditional scans for vulnerabilities and security configurations. This is the new reality in the light of continuous hits that are happening from ransomware and other malware.
Virtual patching using IPS or WAF is also being used to effectively remediate vulnerabilities without patching all machines that are affected.
An Approach that Recognizes the Need for Machine and Human Strengths
It’s also important to realize that even in this digital technology-driven era, effective vulnerability management means more than just hooking up a scanning software tool and setting it to repeat indefinitely. While automation is a critical part of VM, there will be scenarios where human skill sets and judgment will become important. Here’s one example: making the choice to apply virtual patches via an IDPS (intrusion detection and prevention system) to mitigate many vulnerabilities in one go, rather than trying to apply corrections one by one to a large population of machines and systems. This will require a level of risk thinking rather than simply automating.
The Double Whammy of Better Vulnerability Management
Complacency is a risky commodity in any area of business. The good news is that in vulnerability management complacency is a virtue. Don’t spend remediation effort on vulnerabilities that have a low prioritization score and have not bubbled up to be serious enough for fixing. Instead of boiling the ocean, it is better to focus on fixing vulnerabilities that can cause harm and let the system bubble up vulnerabilities that require attention. This can help you can save cost and at the same time improve protection.
Get more insights on vulnerability management in our white paper: