How radical transparency paves the way to more effective vulnerability management

Vulnerability management is one of the most painful challenges of cybersecurity. The lack of transparency in our industry isn’t helping matters. Vendors often work behind the curtain to fix the identified security flaws without effective communication or -- if they do communicate -- with significant delays in reporting.

However, there are signs of positive steps toward this much-needed transparency. In July, for example, the Microsoft Security Response Center announced that it will start issuing Common Vulnerabilities and Exposures (CVEs) for critical cloud service vulnerabilities. There have also been moves from legislators to ensure greater rigor in reporting, such as the EU's Cyber Resilience Act, which mandates that manufacturers of all connected and IoT devices report serious cyber incidents and unpatched vulnerabilities. This is essential for building trust among vendors, businesses, and stakeholders alike. Greater resilience starts with a common understanding.

And it doesn’t stop there. At a time when teams are managing insurmountable volumes of incoming data, with silos of information from disparate tools, it’s more difficult to stay on top of new vulnerabilities that cybercriminals are eager to exploit. Organizations also need to look at new internal approaches to organize and contextualize this information within, and across, their own security teams.

Why transparency matters

Cyber teams are facing a losing battle managing both new and existing threats. Alarmingly, over 76 percent of vulnerabilities exploited by ransomware gangs in 2023 were discovered more than three years ago. This indicates that many businesses were either unaware of these disclosed vulnerabilities, did not receive prompt communication to patch them, or were unable to sift through the noise of alerts to deal with the most significant threats.

Whatever the reason, greater transparency in vulnerability reporting is non-negotiable in ensuring that organizations are equipped and prepared to defend against threats. It also drives more effective collaboration among security teams by enabling them to share detailed vulnerability data and threat intelligence. After all, it’s hardly a zero-sum game. This exchange of insights allows vendors to develop more effective, timely patches and anticipate potential attack vectors for their end users, ultimately strengthening the overall security ecosystem.

That’s why it’s critical for vendors to communicate every security flaw, minor bug, and update to their end customers and channel partners. This extends even to those vulnerabilities that do not require any customer action.

When vendors are open about their vulnerabilities and the steps they are taking to address them, they demonstrate a wider commitment to security and accountability. From a business perspective, this openness builds confidence and credibility among customers and stakeholders, which are essential for long-term success.

Even with reliable vulnerability data at hand, though, staying ahead of the rapid influx of CVEs can deflate the strongest of teams. So far this year alone, more than 24,000 Common Vulnerabilities and Exposures (CVEs) have been submitted to NIST’s National Vulnerability Database. Such an overwhelming influx means that any efforts that simplify and provide context around these vulnerabilities are also invaluable. Organizations not only need timely information; they need to understand its impact on their unique infrastructure. In short, focus on what matters to you and forget the rest.

It’s no surprise, then, that a growing number of organizations are exploring new ways of managing, prioritizing, and remediating threats.

The role of a Vulnerability Operations Center (VOC)

One of the initiatives that progressive cyber teams are pioneering is the Vulnerability Operations Center (VOC). Unlike traditional Security Operations Centers (SOCs) that primarily focus on detecting and responding to incidents, a VOC is dedicated to proactive prevention, which means threats can be tackled before they are exploited by threat actors. At its heart is centralized data so that vulnerabilities are recorded and communicated from a single system across the entire organization. CVE data siloed by scanner becomes a thing of the past.

By centralizing vulnerability data and employing advanced analytics, teams can evaluate and prioritize vulnerabilities based on their potential impact on the business. This risk-based prioritization ensures that resources are focused on mitigating vulnerabilities that pose the greatest threat to their organization’s specific attack surface. If you can’t identify your top 0.1 percent of remediation actions, you’re stuck in the 99.9 percent of CVSS noise sucking up your cyber team’s bandwidth and budget.
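As an added illustration (not code from the article or from Hackuity), the script below merges two constructed scanner exports into one record per asset and CVE, then ranks them by a contextual risk score rather than raw CVSS. The asset inventory, the exploitation list, the weights and the placeholder CVE ids are all assumptions.

```python
from collections import defaultdict

# Constructed sample exports from two scanners (placeholder CVE ids, not real ones).
SCANNER_A = [
    {"asset": "web-01", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"asset": "web-01", "cve": "CVE-0000-0002", "cvss": 5.3},
    {"asset": "db-01",  "cve": "CVE-0000-0003", "cvss": 7.5},
]
SCANNER_B = [
    {"asset": "web-01", "cve": "CVE-0000-0001", "cvss": 9.1},  # same flaw, different rating
    {"asset": "lab-07", "cve": "CVE-0000-0004", "cvss": 10.0},
]
# Constructed asset inventory: business criticality 1-5 and internet exposure.
ASSETS = {
    "web-01": {"criticality": 4, "exposed": True},
    "db-01":  {"criticality": 5, "exposed": False},
    "lab-07": {"criticality": 1, "exposed": False},
}
# Constructed threat intel: CVEs with evidence of in-the-wild exploitation.
EXPLOITED = {"CVE-0000-0003"}

def merge_findings(*scans):
    """Collapse per-scanner records into one record per (asset, cve)."""
    merged = {}
    for source, scan in enumerate(scans):
        for f in scan:
            rec = merged.setdefault((f["asset"], f["cve"]),
                                    {"asset": f["asset"], "cve": f["cve"], "cvss": 0.0, "sources": set()})
            rec["cvss"] = max(rec["cvss"], f["cvss"])  # keep the most severe rating seen
            rec["sources"].add(source)                 # remember which scanners saw it
    return list(merged.values())

def risk_score(rec, assets=ASSETS, exploited=EXPLOITED):
    """CVSS is only the starting point: weight it by context the scanner lacks."""
    ctx = assets.get(rec["asset"], {"criticality": 3, "exposed": False})  # unknown asset: assume medium
    score = (rec["cvss"] / 10.0) * ctx["criticality"]
    if rec["cve"] in exploited:
        score *= 2.0   # actively exploited beats a high but theoretical CVSS (assumed weight)
    if ctx["exposed"]:
        score *= 1.5   # reachable from the internet (assumed weight)
    return round(score, 2)

def prioritize(*scans, assets=ASSETS, exploited=EXPLOITED):
    """Return merged findings ranked by contextual risk, highest first."""
    recs = merge_findings(*scans)
    for r in recs:
        r["risk"] = risk_score(r, assets, exploited)
    return sorted(recs, key=lambda r: r["risk"], reverse=True)

if __name__ == "__main__":
    for r in prioritize(SCANNER_A, SCANNER_B):
        print(f'{r["risk"]:>6}  {r["asset"]:<7} {r["cve"]}  cvss={r["cvss"]}  seen_by={sorted(r["sources"])}')
```

Note that the CVSS 10.0 finding on the lab box lands at the bottom of the list while the exploited 7.5 on the database ranks first; that inversion is the point of risk-based prioritization.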

This approach also allows security teams to communicate more effectively with stakeholders about their current security posture, the risks they face, and the steps being taken to mitigate those risks. By demonstrating proactive management and clear accountability, a VOC helps build trust and confidence in the organization’s cybersecurity efforts.

Security teams can’t and shouldn’t fix every vulnerability. But they need to start from having the most up-to-date, accurate information to inform decisions on where to allocate resources. This starts with vulnerability reporting and disclosure from vendors, but it must also extend to internal processes so that teams have the most granular information on what matters to them -- not the latest headline keeping the industry in suspense.

When vendors share precise information about vulnerabilities, they deliver immediate pain relief to cyber teams and the organizations they protect.


Pierre Samson is CRO at Hackuity.
