The challenges of vulnerability management [Q&A]
Recent vulnerabilities like Log4j have highlighted how difficult it can be to manage risks and ensure that software patches are kept up to date.
We spoke to Rob Gurzeev, CEO of attack surface management specialist CyCognito, to discuss the challenges involved and how to deal with them.
BN: Why does it take companies so long to patch something like the recent Log4j vulnerability?
RG: The biggest challenge is finding all of the vulnerable assets. You need to run a 'dedicated active' test on every server/application to know if it’s vulnerable. In a world where organizations don’t even know -- and therefore can’t effectively manage -- between 30 percent and 50 percent of their internet-exposed assets, that’s a daunting task. Some LinkedIn polls confirmed many don’t even regularly test 100 percent of the assets they do manage.
There is no 'one size fits all' solution to the Apache Log4j issues. That's what makes Log4j extra difficult to rein in. Upon discovery of the vuln in December 2021, we quickly implemented two testing modules (one passive, one active). We also performed an internal assessment on our exposure to these vulnerabilities in order to protect our customer data.
The good news is that modern technologies like machine learning have allowed us to help dozens of Fortune 500 companies (including top financial institutions) to find and validate security gaps that legacy vulnerability scanners, security ratings services, and manual efforts missed.
BN: How can companies manage the number of false positives and 'noise' so they can get to the actual problem they need to fix?
RG: That's a great question -- the problem that has plagued security teams for the last 20 years. The key is to look at the business context of each asset -- what’s its purpose, its value, and the data it holds – as well as risk intelligence on how discoverable and exploitable the asset is. For example, legacy vulnerability management tools will rate two vulnerabilities the same even if one relates to a critically important database and the other leads to a random, abandoned Apache server. Why? Because they completely ignore business and risk context.
We leverage machine learning, graph data modeling, and Natural Language Processing to determine what’s really at risk. Often, it's just 10 to 50 truly critical issues, so CyCognito lets security teams focus on those, instead of bombarding them with thousands of supposed criticals that would actually waste their time, but do little to actually lower the risk if they were mitigated.
BN: Most companies scan for known assets; why is it an advantage to scan externally as well?
RG: Some 80 percent to 90 percent of breaches are attributed to outside-in attacks. External attackers search for weak spots and their path of least resistance to get access to your data and networks. That's why you have to do the same as the attackers -- that is, if your goal is to actually prevent breaches and protect your data, not to merely achieve compliance or show management you checked off many security boxes. Mapping external attack surfaces is a complex challenge of 'unknown unknowns'. Bad actors only need to find one true critical vulnerability, but you must find them all. Achieving that coverage, with high accuracy, at scale takes years of R&D and significant capital. It also requires building the right architecture and infrastructure from day one. We knew we'd have to do that when we established CyCognito in 2017.
BN: It seems like CISOs are waiting for the next big breach just based on the rise in threats in the last few years. What should they be thinking about?
RG: One thing I learned from my years in intelligence agencies is that you have to meet risk where it is. If you want to protect a skyscraper in Manhattan from a terrorist attack or robbery, you can't ask the doorman or the company that installed the CCTV system how to prevent such attacks. It's better to ask a SWAT team how they would breach the building and how to make it difficult for attackers. Forward-thinking CISOs see it the same way: understand what exposed attack surface you have to protect, and identify the weak links in your security strategy -- at the asset and network level, from the perspective of an outside attacker.
Log4j taught us a lot, mainly that we need to be prepared and have a robust framework to better handle future vulns of this magnitude. Based on our experience responding to Log4j, advice from expert CISOs, and our community of customers, we came up with a step-by-step simplified response plan CISOs can use today and for future outbreaks.
- Self-assess: your first priority should be ensuring your customers’ data is secure. Investigate your Bill of Materials (BOM) in any software you provide. Check with third-party partners to get confirmation they are not affected and therefore cannot affect your software. Monitor all logs, services, and traces acting as if an incident did occur until you can be confident that none has.
- Trace: Investigate your external attack surface first and internal attack surface second to understand if and where you are using specifically vulnerable software.
- Prioritize and Patch: Start by addressing the assets that are vulnerable. An exploit to these vulnerable hosts can provide initial access for an attacker to a much wider breach and subsequent cleanup.
- Vaccinate: Inoculate any applications affected by the vuln; this is very Log4j-specific. It may not be necessary for all vulns.
- Test, test, test: perform ongoing and continuous testing for the vulnerability on suspected assets, including custom-built apps.
- Quarantine: if you find systems that can't be patched or vaccinated, consider taking them offline or putting them behind a firewall and continue monitoring affected assets for signs of compromise.
- Mask: Another way to protect systems that can’t be patched or vaccinated is to use compensating controls like web application firewalls (WAF) and eXtended Detection and Response (XDR) that 'virtually patch' vulnerable hosts until other mitigations can be implemented.
- Communicate: Risk teams need to be aware of current status; business and technical risk managers need up-to-date information on remediation plans and progress. Also disclose to your customers what your status is.
BN: Do you think things will continue to get worse as the cloud becomes more complex?
RG: Definitely. The number of applications, networks, and also 'connectivity' between networks and organizations ballooned over the last 10 years. Organizations also rely more and more on WFH employees and third-party companies to provide services, including in IT and software development. The cybersecurity industry has improved incrementally while the cybersecurity risk grows exponentially. We have to step into the attacker's mindset to solve these problems. That cannot be done using the traditional tools like vulnerability management, manual pentesting, and SRS (Security Ratings Services), so we have to adopt modern technologies that recognize attack surface and truly critical security gaps faster than attackers can.