Get a demo
White paper

The difference between legacy and modern vulnerability management

In terms of the endgame, security teams all share the same goal: drive down risk and keep organizations secure from data breaches. But it’s in the approaches they take to getting there that we see different attitudes. This stems from fundamental distinctions between legacy and modern vulnerability management.
This white paper lays out the main differences between the two, and how teams can optimize their cyber risk mitigation efforts and help their organizations get fix done.

Introduction

Vulnerability remediation is the process of finding the security weak spots in your digital infrastructure, and then finding and applying remedies to these potential threats. Although it sounds straightforward, in practice, vulnerability remediation is perhaps best described by Yaron Levi, CISO, Blue Cross and Blue Shield of Kansas City as “[security] trying to manage a mountain of work they usually have little to no control over by pushing other overtaxed teams, such as IT and engineering, to remediate during non-ideal times.”

This white paper explores the ever-growing challenges to effective vulnerability remediation. It then pinpoints the true vulnerability management end-game of detecting the vulnerability and applying the right fix as quickly as possible, plus easily verifying that you’re done with that vulnerability. In short, it is time to “get fix done.” This paper also provides some vulnerability remediation best practices and traps to avoid, with a special emphasis on the importance of automation. In the end, it describes how the Vulcan Cyber platform goes beyond traditional vulnerability remediation to deliver vulnerability remediation orchestration by helping security and IT operations teams prioritize, remedy, automate, and analyze.

 

Modern vulnerability management:
More challenging than ever

Threats to network security have been exacerbated by the technological changes and advances we’ve seen over the past few years. In the 1990s and early 2000s, there were relatively few vulnerabilities and each company team took care of its own. But with the birth of the cloud and changes in enterprise infrastructure, networks have become more exposed to external threats.

With companies having embraced public cloud infrastructures, open-source software, and third-party SaaS solutions, their exposure has grown while real-time visibility into potential vulnerabilities has shrunk. Complex multi-cloud, hybrid architectures, as well as highly diverse stacks comprising multiple vendors and solutions, make it especially challenging to keep networks secure.

The switch to agile development and rapid code releases has further increased this risk with more and more public-facing software being deployed without being adequately tested. In addition, the substantial adoption of 24/7 SaaS products makes it harder for sites to shut down to perform maintenance or remediate vulnerabilities. This combination of agile development and the demand for continuous availability has resulted in companies’ core, mission-critical software being continuously vulnerable.

In turn, these factors have caused a veritable flood of vulnerabilities, with companies having too little time and resources to solve them all. The result: Flexible, intelligent, powerful, and cost-effective vulnerability remediation is more important than ever.

 

 

Vulnerability management vs. vulnerability remediation

Vulnerability remediation, also known as the modern VM, is the part of vulnerability management where the rubber meets the road and threats are mitigated.

Vulnerability management focuses on:

  • Knowledge: Staying knowledgeable about and up-to-date on new security threats through information automatically collected from security product vendors, system updates, and threat intelligence reports.
  • Discovery / Visibility: Having visibility into how your systems’ components interact, how many instances you have of key software, where the access points to your network are, who “owns” what, etc.
  • Configuration: Setting clear rules and practices for configuring software across multiple instances in different physical installations.
  • Assessment: Scheduling frequent periodic and surprise-assessment scanning sessions to identify new vulnerabilities.
  • Prioritization: Prioritizing vulnerabilities based on your specific network to determine which vulnerabilities actually pose the greatest risk to your network.

Effective vulnerability remediation focuses on “get fix done” in order to preempt threats before they can cause harm. Good vulnerability remediation involves multiple teams—including management, developers, IT, and security management—working across departments to both harden security and find the most efficient way to fix the vulnerabilities in the system. Whenever possible, automation is used, not only to save time and money by working at scale but also to ensure consistency.

 

Getting started with vulnerability remediation

While every company is unique, we recommend your vulnerability remediation plan contain the following elements:

  • Increase company awareness of vulnerabilities: Communicate with your partners in the C-suite, as well as IT, security, and DevOps managers, about the importance of vulnerability remediation and the ways they can participate and make the most of the shared effort.
  • Guard your CI/CD pipeline: New technologies necessitate new remediation strategies. Today, more vulnerabilities are being pushed to production and measures need to be taken to protect the CI/CD pipeline. There are a number of excellent free scanning programs and other open-source tools that can help you reduce or remediate vulnerabilities to safeguard your pipeline.
  • Have a complete inventory of your network’s assets: You cannot accurately assess the threat posed by vulnerabilities in your network without complete visibility of your network, i.e., what assets are connected to it and how they interact.
  • Know which vulnerabilities are out there and prioritize according to risk: It’s easy enough to find a list of vulnerabilities with “objective” ratings of their severity, such as the CVSS, but your security team needs to prioritize vulnerabilities by their potential impact on your specific environment. Vulnerability ratings are inherently subjective since exploiting the same vulnerability impacts each environment differently. Therefore, the same vulnerability should be treated differently in each network.
  • Think twice before you patch: There’s no doubt that applying a patch is often the best way to remediate a vulnerability. But patches can be risky and often break production, especially if the software involved interacts with other software. Sometimes, a mere change in configuration could be enough to safeguard your network. That’s why Vulcan Cyber developed its proprietary remediation intelligence database—and VulnRX as the free, community version of the database—to inform security teams of the most efficient solution to any security threat. This solution, which could be a patch, configuration change, or workaround, would be the least disruptive to production. The solution can be deployed automatically using your preferred deployment or security tool.
  • Re-scan: Finally, make sure the problem is truly gone, by scanning and validating that the threat has been removed from the system.

Many of these steps can be completed more efficiently if your company’s vulnerability remediation solution includes a vulnerability remediation intelligence database and vulnerability threat intelligence. These tools ensure you have the latest information from vendors, forums, and other sources on vulnerability remediation alternatives, including the advantages and disadvantages of each.

 

The benefits of automation

As you implement your vulnerability remediation program, you should aim to automate the work as much as possible. In general, automation saves time and improves the consistency and quality of remediation. For many companies, automation is the only practical way to implement remediation due to the size and complexity of the networks and components involved.

Here are some examples of how automation improves your vulnerability remediation efforts:

  • Reduces manual errors: This lets your team avoid errors associated with manually performing repetitive, mundane tasks and instead focus their energy on areas where they can add more value.
  • Reduces vulnerabilities in your CI/CD pipeline: Automatic scanning keeps an ever-vigilant eye on your pipeline, reducing the risk of you deploying compromised code.
  • Curated remediation intelligence as a service that saves time and effort: Instead of having your team search for different solutions themselves, have the information retrieved automatically from vendors, forums, and other sources of information. Better still, incorporate a vulnerability remediation database that retains and analyzes this information, for a smart remediation process.
  • Vulnerability prioritization focused on the right threats: Automating your evaluation of the threats to your network, or selecting a solution that does this for you, will keep your team focused on the most important vulnerabilities, thus remediating threats in the optimal order.
  • Solutions are applied consistently: In networks that have multiple instances of the same component, automation guarantees that the same remediation method is applied to each one.
  • Solutions are applied continuously: Some solutions may need to be applied continuously, not just once. Automation makes it possible to remediate using automated scripts and playbooks.
  • Solutions are applied in the correct order: There are cases where multiple solutions need to be applied to one component or a group of components. An automated script performs the steps in the correct order, which is particularly important if there are multiple instances of components.
  • Enterprise-grade scalability: Automation makes remediation at scale extremely efficient, cutting costs and resource demands.

 

Forrester quote

 

Vulnerability remediation traps and how to avoid them

With many different vulnerability remediation approaches out there, it’s important to avoid wasting time and money on the common traps described below.

Trying to patch everything

It’s understandable that you want to remediate every vulnerability. But with tens of thousands of vulnerabilities being discovered each year, that’s simply impossible. Moreover, patching has its own risks, so it is important to reserve patching for cases where it is truly the most efficient course of action. Sometimes, a change in configuration settings is sufficient. Other so-called “threats” may actually pose no risk to your environment. In such cases, you may be better off not taking any action for the time being and focusing on more critical problems.

Focusing on the wrong threats

But how do you identify the most important threats? True, there’s the Common Vulnerability Scoring System (CVSS), which ranks vulnerabilities’ severity. But before focusing only on threats scored as “critical,” be aware that many vulnerabilities with a lower rating have active exploits, while some “critical” ones are too difficult or simply not accessible for threat-actors to use effectively. In other words, if you focus only on critical problems as ranked by objective metrics like CVSS, you may end up ignoring threats that pose the greatest risk to your company while wasting your efforts on ones that don’t.

Believing the hype

With security such a popular topic, the media is also looking out for critical problems that could turn into disasters. Unfortunately, the press can exaggerate the importance of vulnerabilities, just like the experts may. Consider the Spectre and Meltdown threats. Both were much promoted at the time yet ended up being much ado about nothing. Anyone swept along with the hype ended up wasting time and money without making their systems any more secure. A mature vulnerability remediation program is essential to maintain focus on the vulnerabilities that matter to your business.

 

The Vulcan Cyber approach

The Vulcan Cyber risk management platform provides vulnerability remediation that allows security teams to safeguard digital environments against threats and misconfigurations. This effectively achieves the vulnerability management end-game of get fix done.

The Vulcan Cyber platform:

  • Prioritizes, pinpointing business-critical threats according to the unique risk they pose to the environment.
  • Remedies, offering a range of options, from configuration changes to patches based on your network’s specific characteristics.
  • Automates, scaling up the remediation process through workflow automation and orchestration across multiple teams.
  • Analyzes, providing a clear view into end to-end remediation campaigns to ensure work is optimized, service level agreements are met, risk is actually reduced, and compliance is achieved.

The platform prioritizes security threats based on the subjective risk they pose to the environment, enabling security teams to focus on the most critical vulnerabilities to their organization. This is done by incorporating security data extracted from threat intelligence gathered from dozens of feeds:

  • Security tools
  • Business data derived from CMDBs
  • Network architecture and asset configuration data obtained from infrastructure integrations (vSphere, AWS, GCP, etc.)
  • Patch, configuration and deployment tools (Chef, Puppet, MS Intune, etc.)
  • Service management tools (ServiceNow, Jira, Azure Boards)

This way, security teams can rest assured that they’re dealing with the right threat at the right time.

The Vulcan Cyber proprietary remediation intelligence database, also now available as a community resource known as VulnRX, provides curated solutions and fixes from vendors, forums, and other sources on remediation alternatives. This way, security teams can assess the most efficient solution to any security threat, one that is the least disruptive to production.

The platform is designed to orchestrate vulnerability remediation, promoting both off-the-shelf and customizable playbooks to ensure threats are removed in the most consistent, safe, and efficient way possible. Vulcan Cyber helps the vulnerability management discipline fulfill its promise with an orchestration framework that allows security and IT teams to remediate at scale.

To see the Vulcan Cyber Remediation Orchestration Platform in action, schedule a demo with a member of the Vulcan Cyber team today.

Nisl aliquam lectus placerat augue adipiscing congue

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Praesent neque ut malesuada elementum scelerisque eget. Risus sapien mauris velit morbi quam ultrices. Amet adipiscing libero fusce elementum rhoncus vitae cras. Quis at sit ipsum, eros, eu, tellus nunc. Leo, risus amet, sed feugiat blandit feugiat urna. Et consectetur turpis habitant senectus eget. Viverra magna ac nunc augue posuere id suscipit et.

Mauris id nulla amet ut lectus. Sociis est sit habitant aliquam rutrum in ultrices. Est egestas bibendum pellentesque adipiscing. Iaculis mauris justo blandit viverra mauris, nunc. Faucibus ac lorem nibh eget dolor, rutrum ipsum. Nulla in neque porttitor viverra dolor amet at. Enim, elementum, ultrices netus non egestas pretium condimentum. Malesuada maecenas vulputate interdum suspendisse vestibulum purus sed in facilisis. Dignissim tellus dictum dictumst aliquam elit amet orci.

Nisl aliquam lectus placerat augue adipiscing congue

Id cursus ipsum nibh vitae. Ut fringilla amet, amet, et non congue aliquam et tempor. Risus id feugiat pretium porttitor augue eget auctor fusce. Auctor tortor massa orci vel nam id in sagittis, in. Porta sit in elementum dictum fermentum, id. Bibendum molestie bibendum tincidunt nullam blandit suscipit nisl, magna. Tortor vel elit ultrices pretium a sit rutrum.

Consequat tellus donec tortor et nibh at elementum adipiscing nisl

Et faucibus justo, quis mauris amet, in placerat.

Euismod auctor blandit ullamcorper ante sagittis, sodales risus bibendum. Turpis sed nunc nibh adipiscing dis in sed. Amet non eros sed mi risus. Diam consequat vel, vitae, justo, ultrices. Viverra nisl urna sed quam venenatis mauris rhoncus. Rhoncus libero sapien, at vitae sed viverra lacus aenean. Et arcu vivamus eu imperdiet morbi turpis senectus. Orci, morbi sodales aliquam at orci vestibulum phasellus. risus amet metus ultrices turpis ante. Sodales mollis donec lectus eleifend etiam faucibus justo, aliquet. Elit, elementum diam aenean hac purus vitae sodales in. At ut faucibus habitant posuere. Facilisi nibh posuere elit gravida molestie nulla.

Malesuada in sed ac quis egestas venenatis

1. Vitae, est, egestas ipsum

consectetur sodales ut ullamcorper. In amet mauris commodo aliquam ut. Orci varius rutrum fringilla elementum lorem turpis pellentesque posuere tellus. Ipsum, viverra molestie lobortis nec cras vestibulum vivamus nunc. Amet sollicitudin pharetra, ac, diam, donec ridiculus iaculis interdum. Amet tincidunt fusce metus at. Risus viverra lobortis eu nunc in. Sed lorem non sit mauris elit.

Description for image

Et faucibus justo, quis mauris amet, in placerat

Euismod auctor blandit ullamcorper ante sagittis, sodales risus bibendum. Turpis sed nunc nibh adipiscing dis in sed. Amet non eros sed mi risus. Diam consequat vel, vitae, justo, ultrices. Viverra nisl urna sed quam venenatis mauris rhoncus. Rhoncus libero sapien, at vitae sed viverra lacus aenean. Et arcu vivamus eu imperdiet morbi turpis senectus. Orci, morbi sodales aliquam at orci Dui link luctus metus ultrices turpis ante. Sodales mollis donec lectus eleifend etiam faucibus justo, aliquet. Elit, elementum diam aenean hac purus vitae sodales in. At ut faucibus habitant posuere. Facilisi nibh posuere elit gravida molestie nulla.

Vulcan Cyber Benefits

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Praesent neque ut malesuada elementum scelerisque eget. Risus sapien mauris velit morbi quam ultrices. Amet adipiscing libero fusce elementum rhoncus vitae cras. Quis at sit ipsum, eros, eu, tellus nunc. Leo, risus amet, sed feugiat blandit feugiat urna. Et consectetur turpis habitant senectus eget. Viverra magna ac nunc augue posuere id suscipit et.

About Mandiant

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Praesent neque ut malesuada elementum scelerisque eget. Risus sapien mauris velit morbi quam ultrices. Amet adipiscing libero fusce elementum rhoncus vitae cras. Quis at sit ipsum, eros, eu, tellus nunc. Leo, risus amet, sed feugiat blandit feugiat urna. Et consectetur turpis habitant senectus eget. Viverra magna ac nunc augue posuere id suscipit et.

Challenge

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Praesent neque ut malesuada elementum scelerisque eget. Risus sapien mauris velit morbi quam ultrices. Amet adipiscing libero fusce elementum rhoncus vitae cras. Quis at sit ipsum, eros, eu, tellus nunc. Leo, risus amet, sed feugiat blandit feugiat urna. Et consectetur turpis habitant senectus eget. Viverra magna ac nunc augue posuere id suscipit et.

Solution

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Praesent neque ut malesuada elementum scelerisque eget. Risus sapien mauris velit morbi quam ultrices. Amet adipiscing libero fusce elementum rhoncus vitae cras. Quis at sit ipsum, eros, eu, tellus nunc. Leo, risus amet, sed feugiat blandit feugiat urna. Et consectetur turpis habitant senectus eget. Viverra magna ac nunc augue posuere id suscipit et.

Results

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Praesent neque ut malesuada elementum scelerisque eget. Risus sapien mauris velit morbi quam ultrices. Amet adipiscing libero fusce elementum rhoncus vitae cras. Quis at sit ipsum, eros, eu, tellus nunc. Leo, risus amet, sed feugiat blandit feugiat urna. Et consectetur turpis habitant senectus eget. Viverra magna ac nunc augue posuere id suscipit et.

Want to hear more?

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Praesent neque ut malesuada elementum scelerisque eget. Risus sapien mauris velit morbi quam ultrices. Amet adipiscing libero fusce elementum rhoncus vitae cras. Quis at sit ipsum, eros, eu, tellus nunc. Leo, risus amet, sed feugiat blandit feugiat urna. Et consectetur turpis habitant senectus eget. Viverra magna ac nunc augue posuere id suscipit et.