Your patch management solution needs help
Proper patch management is an important component of cybersecurity hygiene. If organizations don’t apply fixes to software bugs in a timely manner, they risk exposing themselves to a variety of threats. But scrambling to fix bugs identified by the Common Vulnerabilities and Exposures (CVE) program is not a complete solution. Organizations need to be doing much more.
The CVE and CVSS programs are essential components of information security management systems (ISMS) at most organizations, but they clearly have issues. The CVE program offers a reference for publicly known vulnerabilities and exposures. CVSS provides a way to capture the main characteristics of a vulnerability and produce a numerical score that reflects its severity. Among the many challenges with these programs, CVSS is not a true indication of the risk a CVE represents to an organization. That’s because it attempts to take the environment into consideration but only has limited success doing so.
The amount of risk to an organization is entirely dependent upon its business conditions, not the CVSS score. In addition, the Mathematical model that underpins CVEs is flawed, in part because low CVE scores are underrepresented in the data. A low CVE may be precisely the vulnerability that impacts your company. (More details about the trouble with the math can be found here at the Theory of Predictable Software, which does a deep analysis of the math behind CVE scores to "understand how it works, what it does well, and what it doesn't.")
In addition, there are more than 50 CVEs published every day. It is unreasonable to expect a security team to go through all of them, and even if they did, not every CVE contains all the information the team needs to effectively put patches in place. The team can prioritize the important CVEs, but it’s not always clear which ones actually present the most risk to a given environment. Consider third-party plugins, for example. If an organization is using a platform such as WordPress, effective and timely patch management should keep the core application secure. But with WordPress -- like many other platforms -- most users rely on plugins and add-ons to enhance the applications they build. In many cases, these plugins are not covered by formal reporting processes.
Executing a proactive approach to comprehensive security
Organizations need to be more proactive. Reactive patch management will always have an important place in a comprehensive security strategy. But the dwell time between when a vulnerability is identified and when bad actors can exploit the flaw has shrunk. This makes the attack surface way too difficult to manage just by trying to keep up with patches to vulnerabilities as they’re identified. In reality, most organizations cannot keep up with patch management.
A recent survey shows that 76 percent of vulnerabilities that are currently being exploited have been known since prior to 2020. Companies are clearly overwhelmed and not able to effectively patch vulnerabilities that actually do affect their business. Companies need to look at patch management in the context of holistic cybersecurity solutions.
What enterprises need in order to address today’s daunting security challenges is continuous penetration testing that provides comprehensive external attack surface management (EASM).
A strong, comprehensive EASM program answers four fundamental questions:
- What Internet-facing assets does the organization have?
- What vulnerabilities or anomalies does it have, and how do they impact the environment you’re protecting?
- Where should the security team focus its attention?
- How can the team fix any existing vulnerabilities or risks?
Over the past several years, organizations have moved rapidly to the cloud, with different business groups launching a variety of cloud services that are not always centrally managed. This has created security challenges because IT and security teams might not even be aware of the cloud assets potentially exposing data via the Internet. This is why it’s important for the EASM program to discover all assets before bad actors have a chance to run automated tools to discover and monitor the organization’s attack surface.
Asset discovery can be achieved by constantly scanning for new subdomains to uncover new services as they become available. Once digital assets have been discovered, scan them to find vulnerabilities and anomalies. The key is to use tools that perform the same reconnaissance tasks that a cybercriminal would use to attack the organization.
The next step is to prioritize vulnerabilities and anomalies from most to least critical. This way, security teams can focus their efforts immediately on what poses the biggest risk to them. As part of prioritization, teams can group assets based on a number of pre-set criteria. The final step is to remediate any vulnerabilities that need to be fixed. Because many organizations lack the resources or expertise to provide fixes, it’s important to use processes and tools that will surface actionable advice on how to resolve a vulnerability. For example, be sure to arm teams with information such as the request URL, payload used to identify the vulnerability, code snippets, and screenshots when they’re available.
The current methods of finding and remediating vulnerabilities, based on CVE and CVSS, have their merits. But ultimately, these are flawed solutions that will not provide the level of security organizations need today. They are potentially leaving companies exposed to higher levels of risk than they probably realize. Companies need to have strategies and solutions that provide the needed expertise and automation to help security teams address vulnerabilities in the most efficient way possible. By doing this, organizations can be more proactive with security.