It's every chief information security officer's (CISO) nightmare: that midnight phone call from your security team telling you that your organization has been hit. You have a devastating realization that your company is the next big security breach headline — and you are facing a media frenzy. You've struggled to ensure that your team has rapidly identified and remediated the vulnerabilities that apply to your organization. But with the ever-shifting threat landscape, it's not an easy task. Still, sympathy will be in short supply if the cause of the breach is found to be a known vulnerability.
Cybersecurity is more than patching
Improving security is not just a game of detecting a vulnerability, slapping a patch on it and scoring points with the C-suite. A lot goes into the process of determining if a detected vulnerability needs immediate addressing, if existing configurations prevent addressing it or if current security measures are sufficient.
Pareto's "80/20" rule is a lot more like "95/5" in the IT security world. A tiny number of vulnerabilities cause almost all of the issues. In many cases, fixing 5% or less of the vulnerabilities will considerably improve your security posture. This does not mean you should ignore the others altogether.
Vulnerability remediation is a complicated job. It requires time, money and people. Unfortunately, there is not an infinite supply of any of these. It involves balancing business productivity, available resources and potential impact to determine and prioritize the most impactful remediation.
Maximize ROI by balancing your resources
Fortunately, the technology exists to aid organizations with part of the process. Scanning software can detect vulnerabilities throughout the IT ecosystem and deliver concise reports of what systems have known vulnerabilities. This expedites the process of identification.
Even with this data, it still takes time and resources to assess each finding and remediate where needed, which pulls security professionals away from other essential duties. Moreover, not every vulnerability is a matter of a quick patch, as other issues can prevent remediation. Some vulnerabilities sit in complex production-level systems that can't risk even a few minutes of interruption without significant planning for downtime. Spot fixes and other workarounds may help, but manual solutions are time- and resource-intensive. And once implemented, they must be maintained and monitored to ensure their long-term viability.
Address the cybersecurity skills gap
Implementing and maintaining a vulnerability management program requires time and people. Yet, according to the (ISC)2 2019 Cybersecurity Workforce Study, there is a deficit of 4.07M professionals. This is nearly 1.5 times the existing 2.8M security workforce. It is challenging to keep up with limited staff and still deliver on a broad set of security needs.
With limited staff, companies can't fully address every single vulnerability the moment it's discovered. Getting the most bang for their buck requires prioritization to make the most efficient use of their resources. They need to determine a course of action to ensure that the most dangerous ones are the first ones resolved.
Prioritize to minimize productivity loss
Even when a vulnerability is deemed a high priority, a simple "patch and deploy" may not be an option. It is crucial to ensure that testing, especially for critical systems, occurs before deploying the patch on a production system. Without this testing, patch conflicts with existing configurations could lead to unplanned outages. Testing takes time and resources, but you risk unintended consequences like system outages and crashes without testing.
Existing infrastructure adds additional problems into the mix. Legacy systems may not have a patch released for a discovered vulnerability due to the age of the software. This can also occur with internally developed software, depending on the libraries they use. Yet, changing the library to a safe version may require excessive development time for testing and deployment. Still, vulnerabilities that go unaddressed create a gaping wound in your security that threat actors will gladly exploit. So how can you strike a balance between security and productivity?
You need to make hard choices.
Just because a vulnerability exists and could have a high impact does not mean that it needs to be addressed first, or at all. There are many situations where an event would have a huge impact, yet its probability is so low that accepting the risk is the right call.
It is safe to say that a meteor falling from the sky into your headquarters would cause significant damage and completely shut down operations for a substantial period. Still, the odds of a meteor hitting your HQ are infinitesimally small. Based on this, buying meteor insurance would be a waste of money. The same logic holds when managing vulnerabilities. But how can you pick which vulnerabilities matter?
Know the CVSS score
CVSS (Common Vulnerability Scoring System) scores are an excellent place to start when choosing remediation priorities. Every CVE (Common Vulnerabilities and Exposures) entry carries one, and the score is an industry-standardized measure of how dangerous a vulnerability is. It grades vulnerabilities on a scale of 0 to 10, with ten reserved for flaws that do the most damage and demand the least of the attacker: reachable over the network, no privileges, no user interaction and low complexity.
A CVSS base score should not merely be taken at face value. It describes the vulnerability in isolation, and the CVSS environmental metric group exists precisely so that you can re-score it for your own deployment: the modified attack vector, the modified privileges required, and the confidentiality, integrity and availability requirements of the affected asset act as compensating controls that can pull the score below where it started. For example, a remotely exploitable vulnerability on an entirely air-gapped system (removed from the network) can be re-scored with a modified attack vector of Physical, since anything performed on the system requires a person physically at it. The flaw is still there, so record the assumption the adjustment rests on (the air gap) and revisit the score if that assumption changes. This adjustment process is quick, and it narrows the list down to the vulnerabilities that are genuinely the most imperative.
Consider the merits of virtual patching
Virtual patching helps to bridge the gap when infrastructure needs immediate protection. Scheduling a maintenance window and testing a patch takes time, sometimes more than an urgent threat allows and more than compliance standards or internal governance rules permit.
For these situations, virtual patching is a valuable alternative. The capability has been available in many WAFs, firewalls, IPS and NAC products for years, but it is seldom used. Instead of changing the vulnerable system, it blocks the exploit traffic or the exploitable interface in front of that system, so the weakness stays but can no longer be reached. This is usually a temporary stop-gap until a proper patch can be implemented, though for some legacy systems it may be the only suitable long-term solution. PCI DSS accepts documented compensating controls of this kind; GDPR sets no patching timeline of its own but expects "appropriate technical and organisational measures", so document the decision and the date by which you expect to replace the virtual patch with a real one.
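To make the idea concrete, here is an added example (not code from the original article, and not any vendor's rule syntax) of a virtual patch written as a WSGI middleware in Python. The legacy handler it protects is constructed for illustration: it builds a file path from a user-supplied parameter and, in this scenario, cannot be changed inside the maintenance window. The rule blocks ".." in that parameter on the affected route only, leaves every other request untouched, and counts and logs hits so the stop-gap can be monitored.

```python
"""Virtual patch as WSGI middleware (added example; the legacy app is a constructed stand-in)."""
import logging
import os
import re
from urllib.parse import parse_qs

log = logging.getLogger("virtual-patch")

REPORT_DIR = "/var/reports"  # assumed location for the constructed legacy handler


def legacy_report_app(environ, start_response):
    """Constructed unpatchable handler: joins a user-controlled name onto a
    directory without validation, so '../' escapes REPORT_DIR."""
    params = parse_qs(environ.get("QUERY_STRING", ""))
    name = params.get("file", [""])[0]
    target = os.path.normpath(os.path.join(REPORT_DIR, name))
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"would open {target}\n".encode()]


class VirtualPatch:
    """Wraps an unpatched WSGI app and rejects requests that match a rule.

    A rule is (path_prefix, parameter_name, compiled_regex). Requests whose path
    starts with path_prefix and whose named query parameter matches the regex are
    answered with 403 before the wrapped app ever sees them.
    """

    def __init__(self, app, rules):
        self.app = app
        self.rules = rules
        self.blocked = 0  # hit counter: a stop-gap must be monitored, not forgotten

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        params = parse_qs(environ.get("QUERY_STRING", ""))  # decodes %XX once
        for prefix, name, pattern in self.rules:
            if not path.startswith(prefix):
                continue
            for value in params.get(name, []):
                if pattern.search(value):
                    self.blocked += 1
                    log.warning("virtual patch hit: %s %s=%r", path, name, value)
                    start_response("403 Forbidden", [("Content-Type", "text/plain")])
                    return [b"blocked by virtual patch\n"]
        return self.app(environ, start_response)


# Rule for the constructed weakness: no '..' in the file parameter of /legacy/report
RULES = [("/legacy/report", "file", re.compile(r"\.\."))]


def call(app, path, query=""):
    """Drive a WSGI app offline and return (status, body) for inspection."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query}
    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode()


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    patched = VirtualPatch(legacy_report_app, RULES)
    for query in ("file=q1.pdf", "file=..%2F..%2Fetc%2Fpasswd"):
        print(query, "->", call(patched, "/legacy/report", query))
    print("blocked:", patched.blocked)
```

Two caveats a practitioner will recognise from real WAF work: parse_qs decodes one layer of percent-encoding, so "%2e%2e" is caught but a double-encoded or body-carried payload is not, which is why commercial products normalise the whole request before matching; and each rule should carry a ticket reference and an expiry so that it is removed, not just forgotten, once the real patch ships.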
Winning means maximizing your cybersecurity ROI
Vulnerability remediation can feel like an ever-escalating game of whack-a-mole. Security teams need to work smarter, not harder, to stay ahead of the onslaught of new vulnerabilities. Effective prioritization is a key step to identify the big rocks that need to be fixed first. Doing this helps to guarantee that resources are used efficiently, making the most of even understaffed teams. The game has never been about patching all of the vulnerabilities but managing the ones that matter.