The primary objective of vulnerability remediation is to pre-empt breaches before the vulnerabilities in data, applications, networks, or endpoints are exploited. Should a breach occur, however, the objective becomes to contain it as quickly as possible and thus minimize the damage.
As shown in the chart in Figure 1, the number of vulnerability exposures reported in 2019 continues to be significant and diverse.
Figure 1: Common Vulnerability Exposures (CVEs) Reported So Far in 2019, By Type. Source of data: CVE Details
However, none of these exposures have been actively exploited to date and, in general, only about 1% of vulnerabilities become reportable exploits. That being said, it is very important that enterprises not be lulled into complacency by that low vulnerability-to-exploit ratio.
An enterprise typically manages thousands of servers, many of which are internet-facing. When a known vulnerability on these hosts is exploited and deemed to pose a security risk to the enterprise, every single server may in fact need to be patched. Identifying, testing, and deploying a patch at such a large scale could consume significant and costly IT resources, not to mention the direct and indirect costs of unscheduled downtime.
As important as enterprise vulnerability remediation is, it is not without its challenges. This blog post first discusses those challenges and then outlines the three main stages of enterprise vulnerability remediation and what to watch out for in each of them. It also shows how next-generation vulnerability response automation platforms can provide an enterprise-grade solution throughout the vulnerability remediation lifecycle.
Why Vulnerability Remediation Is So Challenging
One of the first challenges in vulnerability remediation is the complexity of the hybrid and multi-cloud infrastructures typically deployed by enterprises. Each cloud provider offers its own set of tools, logs, and dashboards for monitoring activity across its infrastructure assets as well as its managed services or applications. In addition, the enterprise operations team has its own stack for monitoring data center assets, including different types of vulnerability scanning and assessment tools. This plethora of third-party tools makes it hard to understand which security best practices should be applied to the cloud tools provided.
In addition to the complexity of the infrastructures, the modern distributed applications favored by today’s forward-looking enterprises have many moving parts, including highly dynamic and ephemeral serverless functions, microservices, and container images that are launched at runtime. Today’s applications also often incorporate non-proprietary open-source modules that can expose applications to vulnerabilities. There has in fact been an 88% increase in open source application vulnerabilities during the past two years.
Other vulnerability remediation challenges include:
- Fragmented stacks (security, DevOps, configuration management, and so on): These diverse stacks don’t always play well together, creating blind spots and making it hard for teams to collaborate for effective vulnerability remediation. This challenge is further exacerbated in geographically distributed organizations with multiple branch offices.
- Prioritization: With so many vulnerabilities to track, remediation can only be effective if an enterprise can focus on vulnerabilities that represent a real and significant threat within the enterprise’s unique environment. Picking out the needle in the vulnerability haystack that requires high-priority remediation is a continuous challenge.
- Manually-driven remediation and reporting tasks: Many enterprises today still use manual remediation processes, which are time-consuming, labor-intensive, error-prone, and inefficient. To significantly lower vulnerability-related risks, enterprises must automate as many remediation processes as possible.
To complicate matters further, many enterprises are still using legacy tools and processes that are simply not capable of addressing these new challenges.
The Three Stages
Stage 1: Vulnerability Analytics and Assessment
The enterprise must create and then maintain a comprehensive mapping of its IT assets (virtual machines, servers, PCs, laptops, mobile devices, peripheral devices, applications, data repositories, code projects, and so on) across all infrastructures and geographies. Improperly mapped assets may elude scanning and have a considerable impact on the organization’s vulnerability posture.
With proper asset mapping in place, the enterprise’s vulnerability scanners generate large, continuous streams of notifications and alerts that have to be analyzed and assessed in order to set risk-based priorities.
To be effective, the priority criteria have to be highly contextual, taking into account both internal and external information. Internal insights will include:
- Well-documented, risk-based governance policies.
- Interdependencies among applications and infrastructure components: If it has been detected that an infrastructure component has been exposed to a vulnerability but that component has little or no interaction with the enterprise’s applications, then remediation of that vulnerability is of low priority. Using this kind of analysis, an enterprise can even assign its own diminished CVSS ranking to a vulnerability considered by third parties to be of high technical risk.
- Business criticality of affected components: A detected vulnerability that threatens business-critical applications—whether customer-facing or back-end—must be given a much higher priority than a vulnerability that affects less critical operations.
- Current configuration status: An affected component may be critical, but the detected vulnerability can be assigned a lower priority if internal information indicates that the component is protected by a security product or control that addresses the vulnerability.
Examples of external information are vendor notifications as well as databases that track known threat vectors, such as CVE or the National Vulnerability Database (NVD) maintained by the U.S. government.
A detected vulnerability that is analyzed and assessed as high priority must be sent as quickly as possible to the right teams for further action.
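The contextual prioritization described in Stage 1, sketched as an added example (not from the original post, and not Vulcan Cyber's algorithm). The weights, field names, asset names, and `VULN-` identifiers are assumptions constructed for illustration.

```python
from dataclasses import dataclass
@dataclass
class Asset:
    criticality: str                    # business criticality: high / medium / low
    dependent_apps: int                 # applications that interact with the component
    mitigated: frozenset = frozenset()  # vuln IDs covered by a compensating control
@dataclass
class Finding:
    vuln_id: str
    asset: str
    cvss_base: float       # third-party technical score
    known_exploited: bool  # from external threat intelligence
# Assumed weights; a real deployment derives them from its governance policy.
CRITICALITY = {"high": 1.0, "medium": 0.7, "low": 0.4}

def contextual_score(f: Finding, asset: Asset) -> float:
    score = f.cvss_base * CRITICALITY[asset.criticality]
    if asset.dependent_apps == 0:      # little or no interaction with applications
        score *= 0.5
    if f.vuln_id in asset.mitigated:   # existing control addresses the vulnerability
        score *= 0.5
    if f.known_exploited:              # external signal raises urgency, capped at 10
        score = min(10.0, score * 1.5)
    return round(score, 1)

def prioritize(findings, inventory):
    """Return (queue sorted highest first, findings on assets missing from the map)."""
    queue, unmapped = [], []
    for f in findings:
        asset = inventory.get(f.asset)
        if asset is None:              # unmapped asset: flag it instead of guessing
            unmapped.append(f)
            continue
        queue.append((contextual_score(f, asset), f.vuln_id, f.asset))
    return sorted(queue, reverse=True), unmapped

# Constructed sample data (placeholder IDs, not real CVEs).
INVENTORY = {
    "billing-db": Asset("high", 4),
    "build-cache": Asset("low", 0),
    "edge-proxy": Asset("high", 6, frozenset({"VULN-0003"})),
}
FINDINGS = [
    Finding("VULN-0001", "build-cache", 9.8, False),
    Finding("VULN-0002", "billing-db", 7.5, True),
    Finding("VULN-0003", "edge-proxy", 8.8, False),
    Finding("VULN-0004", "legacy-ftp", 6.5, False),
]
```

With this sample data the finding with the 9.8 base score lands last, because its host is low-criticality with no dependent applications. `VULN-0004` is returned separately because its asset is absent from the inventory, which is the mapping gap Stage 1 warns about.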
Stage 2: Remediation Processes
The three main solutions for remediating detected vulnerabilities are:
- Patching: Deploying on all instances of the affected component a vendor software update that protects the component against the detected vulnerability.
- Configuration/change management: Updating system settings and configurations across the entire organization as necessary in order to harden servers and other critical components against the detected vulnerability.
- Compensating controls: Measures such as disabling a process or removing a vulnerable component.
Clear remediation workflows, or playbooks, that define how to respond to different types and severities of detected vulnerabilities need to be in place. They must spell out which solution—or combination of solutions—should be triggered, in which sequence, and by which team(s). They must also ensure that all relevant tools are updated accordingly and that all stakeholders are aware of the changes made.
Stage 3: Remediation Automation
The sheer volume and complexity of the vulnerabilities faced by enterprises today make it virtually impossible for remediation to be effective using legacy manual methods. At the highest maturity level, an enterprise’s vulnerability remediation management must be as automated as possible, with all relevant tools closely integrated and working seamlessly together. Automation is no longer a nice-to-have. It is a must-have capability that reduces human error and ensures that responses to vulnerabilities are at the same velocity as the threats themselves.
Driving Forward Vulnerability Remediation with Vulcan
Vulcan Cyber is a cloud-based Vulnerability Response Automation Platform that has been designed from the ground up to address the enterprise vulnerability remediation challenges described above.
Vulcan Cyber integrates via APIs with existing DevOps, IT, and security stacks to provide a single vulnerability source of truth across the entire enterprise. Vulcan’s advanced prioritization mechanism then intelligently analyzes and assesses vulnerabilities at scale using an enterprise-specific multi-factor approach that combines and weighs internal insights regarding security risk, business impact, and asset posture with threat intelligence from more than 50 feeds.
Vulcan Cyber’s proprietary Remediation Intelligence Database then finds the most efficient remediation pathway—any combination of patching, configuration changes, and compensating controls. The solution can then be deployed automatically, working through the enterprise’s existing patching and configuration management tools.
Always taking a remediation-focused approach, Vulcan Cyber automates and orchestrates vulnerability management from detection to resolution across infrastructure, applications, and codebase. With Vulcan Cyber, security and operations teams come out ahead by effectively lowering the enterprise’s vulnerability risk and significantly improving its security posture.
A Final Note
Effective vulnerability remediation has become a business-critical KPI for enterprises. In order to competitively meet the expectations of their end-users and, in some verticals, the requirements of their regulators, enterprises must try to pre-empt attacks on their assets by reducing vulnerabilities to a minimum. Next-generation platforms like Vulcan Cyber are no longer a nice-to-have.