“If it were easy, everyone would do it.”
With the never-ending headlines of major breaches caused by vulnerabilities, it’s clear that vulnerability management isn’t easy. According to the Ponemon Institute, the average total cost of a breach in 2018 ranged from between 2-7 million dollars, depending on the number of compromised records.
With those kinds of financial damages on the line, every business would quickly resolve every vulnerability – if it were easy.
When it comes to vulnerability management, there are aspects of the process that can be more challenging than others. For example, scanning for vulnerabilities on the network is a relatively straightforward task that is easy to schedule and can even be configured to be continuous. Where the process becomes more challenging is determining how to actually remediate vulnerabilities and eliminate the risk from the network.
There are three main reasons response is the most difficult part of the vulnerability management process.
#1 Knowing What to Patch
Before deciding which vulnerability to patch first, it’s important to decide which vulnerabilities are actually worth patching. Just because an asset has been scanned and reported with a vulnerability doesn’t mean it must be patched. There are many factors to consider; is the vulnerability exploitable? How difficult is it to exploit? Is the vulnerability already mitigated by something else, like a firewall? Is the severity of the vulnerability enough to risk a possible downtime by patching?
Another key factor is the vulnerable asset itself. Every network has assets of varying importance and function. Some assets support mission-critical functions, business sensitive information, or are customer-facing systems. These various roles of criticality must be considered when prioritizing what assets should be patched first, as well as any impacts if a patch causes an asset to go down or lose critical functions.
#2 Testing Takes Time
Any changes made to a production system can cause an outage. The business impact can be catastrophic if the outage occurs on a critical asset. Testing patches should be done just as you would test any other change in production. So once you’ve decided what should be patched, testing needs to be done before going to production.
However, the whole testing process can take quite a lot of time. If done correctly, testing involves a change to the control process, setting up the test environment, and developing a rollback plan. In 2018, there were a total of 16,555 CVEs released for known vulnerabilities – that’s an average of 1,380 vulnerabilities every month! When dealing with potentially hundreds of new vulnerabilities every month, testing could take up a lot of time and resources.
#3 Getting Leadership Buy-in
Vulnerability response may be seen by many in an organization as disrupting business or development goals. Therefore, in order to reduce the resistance or push-back of necessary remediation activities, getting development and leadership buy-in is essential. McAfee CISO, Grant Bourzikas, says it’s important to be “very honest about the cybersecurity posture of the organization and being very truthful. When you can articulate the risk from a business standpoint, the CEOs and the CFOs can understand the security points you’re talking about.”
Getting non security personnel involved in the workflow process of vulnerability management will help get everyone on board and aligned on the objectives for success. The effort to create this collaboration and understanding is no small task, as Bourzikas notes, “What we have to do as CISOs and leaders in cybersecurity is create that conversation and really inform our executive team about the risks we face.”
What Can Help
While not every problem can be solved with technology, automating tasks like prioritization can save valuable time. Automated vulnerability orchestration and remediation can speed up the overall process and give you the visibility you need to get leadership buy-in on the value of vulnerability management.
Vulcan is addressing these problems with our continuous remediation platform that integrates vulnerability assessment, IT and DevOps tools, automating and orchestrating existing tools and processes to eliminate the most critical risks caused by vulnerabilities.
