Cyber Risk Management is not the Goal
As we discussed in a previous post, a tsunami of known vulnerabilities is flooding businesses worldwide. In fact, the number of vulnerabilities reported to date in 2018 (8138 as of this writing) far outstrips the total number of vulnerabilities reported in all of 2016 (6447). We’re only halfway through the year, so it’s fair to estimate that the total for EOY 2018 will top last year’s record of over 14,600 reported vulnerabilities.
Enterprises are understandably concerned about the management and remediation of so many vulnerabilities with such detrimental potential. Risk analysis services and technologies offered by both veteran and newer players are among the solutions CSOs and other network stakeholders are considering. In this post, we’ll take a look at these services, and examine their (few) pluses and (very prominent) minuses.
The Problem with Cyber Risk Assessment Technologies
Traditional cyber risk assessment paradigms (tools and methodologies) were – true to their name – designed to assess. The idea was to examine multiple aspects of risk for each vulnerability, prioritize, and then use this information to eventually decide what vulnerability to fix first. This was all about managing risk – not eliminating the threat. In fact, there was purposeful disconnect between threat and remediation – technologically and organizationally.
As Brian Evans of Security Intelligence magazine writes, “Vulnerability research, assessment and testing are conducted manually and with technological approaches that have not matured over the course of a decade.”
Today, the number of vulnerabilities is so high – and the pace of their discovery so rapid – that the disconnect between threat and remediation is no longer viable. Risk assessment needs to be a direct step on the path to remediation – a tool, not a goal.
By changing the perception of how risk management fits in to the bigger picture of vulnerability management, organizations can better focus their remediation efforts. Risk, as many organizations have learned the hard way, is not only comprised of the business and threat risks themselves, but also from the potential risk that the solution to a given threat may cause downtime, bad service, data integrity.
Most solutions don’t factor in the actual impact of remediating the vulnerabilities they find – threat severity, downtime required to patch and remediate, etc. Intelligent use of limited resources for effective remediation, after all, is certainly a priority for vulnerability management teams. But conducting analysis and generating a cyber risk score – which rates the potential impact of each threat but conveys little about each threat’s probability of impact on your organization – is not sufficient. As one industry source put it, “Companies rarely encounter even one or two of the 100 most severe threats that are relevant to them.”
Thus, risk management needs to be considered a minor part of overall vulnerability management strategy, and not focus on assessing risk but rather on remediating the risk out of the network. Risk management should adopt a solution perspective (which solutions there are for a given vulnerability, how impactful are they may be on infrastructure, how fast they can be deployed, what their dependencies are, etc.).
All of this will drive remediation faster and more thoroughly while reducing the risk continuously. Vulnerability management conversations have to shift from continuously calculating the risk to continuously reducing the risk.
A Better Way
Detection and prioritization of vulnerabilities based on technical severity alone is not viable. The reason is that what determines actual vulnerability severity is threat intelligence in conjunction with the greater business, ecosystem, and technical context. Without context, a severe vulnerability on a little-used, low-value system would be remediated before a medium-severity vulnerability on a mission-critical system.
Moreover since threat exposure is continuous, snapshot reports lack relevance. In the time it takes to generate them, attackers may have exploited yet-unremediated vulnerabilities, or moved on to yet-undiscovered vulnerabilities.
So how can we make this happen? Here are the three key steps that organizations can take to get vulnerability management on track:
Step 1: Improve Visibility – Vulnerability detection systems are siloed and provide insights separately based on the platforms and infrastructures they scan. This forces teams to look, act and prioritize them in a detached way. A sound vulnerability remediation process should enable teams to view all vulnerabilities under the same parameters clearly, regardless of where they reside in the infrastructure.
Step 2: Create a Trans-Organizational Culture of Vulnerability Remediation – Security teams working in vulnerability detection and remediation should prioritize helping individual units work on their own priorities (for example, IT employing patches, DevOps changing architecture and replacing packages, and R&D fixing code). They should also ensure that vulnerabilities are addressed in newly defined processes and SLAs both quickly and with minimum levels of friction.
A “fix oriented” remediation must be implemented to address:
- which one fix is most beneficial – that is, how to remediate a large number of vulnerabilities at once
- which fix reduces risk the most from a threat standpoint
Step 3: Automate Vulnerability Remediation with Existing Tools – Use existing tools and processes that other teams are using – including continuous integration and and continuous delivery, cloud infrastructures, enterprise IT orchestration – to provide a simple automation of steps. Manual reviews and existing processes which create far too more work and interdepartmental friction must be limited, with operations working to scale at all times.
Want to learn more? Download our ebook “Why Continuous Software Exposure Demands Continuous Remediation: Three Steps to Fix what’s Broken in Modern Software Vulnerability Management” now!