Three stages of risk-based vulnerability management: Crawl, Walk, Run
The market is saturated with hundreds of security products, and companies spend billions of dollars each year on cybersecurity spend (expected to top $100 billion by 2020). Yet breaches and hacks are still in the news every day, because cybersecurity is such a tough problem. Organizations have a massive and exponentially growing attack surface -- there are a myriad of ways by which networks can be breached. Analyzing and transforming the enterprise cybersecurity posture is not a human-scale problem anymore. An enterprise vulnerability management program is the cornerstone for any modern cybersecurity initiative and helps security teams proactively understand and improve their security posture to avoid breaches and protect the business from brand and reputation damage, as well as loss of customer trust.
Understanding and acting on data output from your vulnerability assessment scanner is a critical component of your vulnerability management program. However, if your scanner is identifying vulnerabilities by the thousands every time a scan completes, your team will soon be left overwhelmed and struggling with how to proceed. Failure to address vulnerabilities in a timely manner due to the high volume of alerts is very problematic. And of course, most of these vulnerabilities are bogus or merely theoretical. Traditional vulnerability management programs leave you drowning in data, but starving for insights.
The large volume and poor quality of vulnerability scanner output is the reason why most organizations are unable to stay up-to-date with patching. With both the Equifax breach and WannaCry, leading indicators of the vulnerabilities later exploited by attackers were drowning in a sea of unprioritized security data, and not acted upon in a timely fashion.
Reasons Why Organizations Struggle with Patching:
- Overwhelming number of alerts with too many vulnerabilities to patch.
- Many flagged vulnerabilities are bogus -- i.e., the ask to patch IE when the users’ default browser is Chrome for a vulnerability that is very hard to exploit.
- Lack of prioritization to focus the security team’s efforts towards patching most critical issues.
- Small, resource-constrained teams.
- Lack of guidance on HOW to fix the issues identified.
Introducing Risk-based Vulnerability Management
To truly enhance security posture and improve resilience, organizations need a risk-based vulnerability management approach that identifies vulnerabilities across all assets, and also takes the next crucial step of prioritizing the action items based on business criticality and actual risk. To do this, your system must understand the context around each vulnerability and the enterprise asset that it affects, and it must be able to offer prescriptive fixes to address the issues. Armed with this information, security teams are better equipped to tackle the open vulnerabilities head-on, and make real strides to eliminate them.
So, here’s the key question -- how do you get started with risk-based vulnerability management?
Starting to Crawl
If your organization has yet to implement modern security controls and practices, and you have zero to a few security professionals on staff, you can start smart with risk-based vulnerability management. You need converged security products, lots of automation and simple prescriptions. If your organization has a traditional vulnerability management tool deployed, you are familiar with the problems listed above.
Considering that your attack surface is massive and hyper-dimensional, automation and use of AI is a necessity (as analyzing thousands of observations from monitoring your enterprise assets across potential attack vectors is simply not a task humans can take on alone). Not unlike other technology transformations, it’s best to crawl before you try to walk or run. This is really the only way to build a strong and resilient bridge to a more advanced approach. The initial phase of your journey involves understanding vulnerabilities, assessing breach risk, and prioritizing actions to move toward a predictive, proactive and effective risk-based vulnerability management program.
The Crawl Plan
- First, start with a portion of your network, and make sure that you have visibility into all of your assets (users, apps and devices) for this part of your network.
- Don’t scan for vulnerabilities. Instead, invest in a tool that gives you real-time visibility into your vulnerabilities, like you would expect from a google-search.
- Monitor more than just unpatched software systems -- your new tool must have coverage across other attack vectors, such as passwords, configuration, encryption issues, phishing, etc.
- Prioritize vulnerabilities based on business risk, taking into account the business impact and context of each asset.
- Get a patching strategy in place and patch, patch, patch.
Wanting to Walk
The next phase of your journey allows you to tighten the reins on your vulnerability management program and enhance your capabilities. You want to expand the scope of your new, prioritized vulnerability management program and make your priority formula even more aligned with business risk.
The Walk Plan
- Extend accurate visibility of your assets to your entire extended network, including cloud, mobile and unmanaged assets. Discover new inventory in real-time and keep your inventory list up-to-date. Deploy continuous, real-time visibility for vulnerabilities of each asset in your inventory.
- Monitor your extended inventory across a broad range of attack vectors, not just unpatched software.
- Assess existing mitigation controls and use this information to prioritize vulnerabilities.
- Use a layered risk model to understand the actual business risk -- this risk calculation should take into account vulnerabilities, threats, business criticality and the effect of compensating controls
- Focus on patching the most critical vulnerabilities by following patching guidance and prescriptive fixes.
Ready to Run
Now that you can tie vulnerabilities to risk, you are essentially creating a sense of order around the data and observations identified by your vulnerability management solution. In this phase, you will optimize on the patching SLAs, trading off cost/expense with the amount of acceptable risk. You will automate what can be automated, and implement strategic compensating controls to mitigate any unacceptable residual risk from your vulnerability management program.
The Run Plan
- Create your risk-based vulnerability management mandate across all stakeholders with agreement on key SLAs such as mean/max-time-to-patch for assets in each business impact class.
- Proactively integrate vulnerability management context into your SecOps, AppSec, and other security tools via API glue
- Track mean-time-to-patch diligently to quantify your enterprises’ improvement and compliance over time.
- Compare your program against peers in your industry to assess how well you are doing, and tune where you want to be in the cybersecurity posture spectrum.
- Communicate risk reduction and program success to all levels, including board of directors using metrics, charts, trending graphs and quantified business benefits.
It’s important that you champion your program’s business benefits and strategic value across the enterprise up to the highest levels. If you have diligently created an accurate risk model, you can now prioritize vulnerabilities based on business risk. Machine learning and AI help make the overall process manageable. Security teams can keep up while focusing on mitigating the most significant issues first. In short, you are now in a position to protect your organization from the most urgent threats, proactively avoid breaches and raise your organization’s cyber-resilience to a whole new level.
Get ahead of the game
It is unlikely that the rate of new vulnerabilities and the number and sophistication of attacks will abate over time. On the contrary, there is every reason to expect that these numbers will continue to grow. The only way to stop reacting to attackers and get ahead of the game is to adopt a truly risk-based vulnerability management program that improves your overall security posture. Investing in emerging technologies that use AI and deep learning algorithms to monitor your environment and predict your breach risk is an effective strategy. Armed with insights into potential breach scenarios, organizations can move towards a stronger security posture. Then, with a prioritized list of action items and prescriptive fixes for these action items, vulnerabilities can be addressed and eliminated before they can be exploited.
Gaurav Banga is the Founder and CEO of Balbix, and serves on the boards of several companies. Before Balbix, Gaurav was the Co-founder & CEO of Bromium and led the company from inception for over 5 years. Earlier in his career, he served in various executive roles at Phoenix Technologies and Intellisync Corporation, and was Co-founder and CEO of PDAapps, acquired by Intellisync in 2005. Dr. Banga started his industry career at NetApp. Gaurav has a PhD in CS from Rice University, and a B.Tech. in CS from IIT Delhi. He is a prolific inventor with over 60 patents.