Why You Shouldn’t React to the Latest Headlines
Malicious breaches are on the rise and they’re getting more expensive, according to a July 2019 IBM report. An average breach now costs $3.92 million, with larger breaches costing over $100 million before penalties. Vulnerabilities are increasing with roughly 1,000 new ones reported per month. Meanwhile, there’s a shortage of cybersecurity workers; in the US alone, it’s estimated that 3.5 million cybersecurity positions will be unfilled in 2021.
The impact of these problems is compounded by vulnerability management teams making one or more of the following errors:
- Reacting to the latest headlines
- Not automating remediation
- Working with divided teams
- Leaving too many blind spots in the network
- Misaligning priorities
1. Reacting to the Latest Headlines
Large data breaches get lots of media attention, especially when they involve millions of people’s personal information and result in huge fines. Although it’s human nature to be interested in these stories, especially when you work in cybersecurity, it’s important not to be caught up in the hype. For instance, despite all the press reports about them, “zero day threats” actually account for only about 3% of actual breaches.
Given the limited resources most enterprises face, reacting to the latest headlines means overlooking less “spectacular” vulnerabilities in your specific network that are actually more common and easier to exploit. Most hackers are looking for money, not fame, which means they focus on tried-and-true attacks, not new ones.
2. Not Automating Remediation
Automating remediation is essential these days. Given the number of vulnerabilities out there, no company can afford the time that manual scanning and remediation take even on a small network, let alone on an enterprise one, which must operate at scale.
Automation ensures that solutions are applied accurately, especially when applied via scripts. In addition, automation enables teams to be sure that remediation efforts are done consistently, an important consideration when working to scale in large networks with multiple instances of the same asset. Even the most dedicated workers slip up from time to time, so any reduction of manual operations will pay for itself in terms of reduced errors, as well as freeing up your teams for more productive missions.
3. Divided Teams Lead to Incomplete Solutions
Responsibility for vulnerability management, especially remediation, is often divided between different teams and personnel, including CISOs, security engineers, DevOps, IT teams, etc. While the CISO is busy trying to “educate” other executives about security without getting bogged down in technical details, the others are caught up in the tension between DevOps’ “move fast and break things” philosophy and Security’s “safety first” mandate.
The issue is compounded in agile environments that emphasize speed; time invested in vulnerability management cuts into development and testing time, which are already limited. The result of these tensions and conflicting responsibilities is a lack of a cohesive, company-wide approach to vulnerability management, often causing serious problems.
4. Too Many Network Blind Spots
Modern enterprise networks have a vast, varied, and distributed architecture that may include assets in different physical sites, as well as at least one cloud installation.
These components include more third-party software elements than ever before, such as applications that provide laptop access 24/7. As a result of these factors, it is extremely difficult to compile a comprehensive inventory of a network’s assets. Although there are many good scanning tools, none of them provides complete visibility. This is a serious issue because in the end, vulnerabilities affect specific assets. Therefore, protecting a network depends on knowing which assets it contains, how many instances of each are installed, and how they interconnect.
5. Misaligned Priorities
Last, but certainly not least, is the problem of setting priorities in managing vulnerabilities; there are simply too many for a team to handle all of them. Many companies use Common Vulnerability Scoring System (CVSS) scores, which range from 0.0 to 10.0, with 9.0 and above being “critical,” as the basis for setting priorities.
A common approach is “remediate all critical vulnerabilities first before considering any other vulnerability.” The problem with this approach is that CVSS scores refer to technical risk with no context. They don’t take into account the fact that every network is unique, with its own set of assets and data that need to be protected. Moreover, a “medium” threat that is being exploited in the wild may be more dangerous than a “critical” threat that doesn’t have an active campaign.
So, basing prioritization decisions on scores alone is a mistake.
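The following is an added example, not part of the original post, that makes the point above concrete: the same set of findings is ranked first by CVSS score alone and then with context (active exploitation and asset criticality). The findings, CVE-style identifiers, and the 1-to-3 asset-criticality scale are all constructed for this illustration, and the weighting order is an assumption, not a standard.

```python
"""Added example: CVSS-only ranking versus context-aware ranking of findings."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str                 # placeholder identifier, constructed for this example
    asset: str               # hostname of the affected asset (constructed)
    cvss: float              # CVSS base score, 0.0 to 10.0
    exploited_in_wild: bool  # is there an active campaign against this flaw?
    asset_criticality: int   # assumed scale: 1 (low) to 3 (business-critical)


def severity(cvss: float) -> str:
    """Map a CVSS score to the qualitative band the post refers to."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low" if cvss > 0.0 else "none"


def rank_by_cvss(findings):
    """The 'all criticals first' approach: score alone decides the order."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def contextual_priority(f: Finding):
    # Assumed weighting: active exploitation dominates, then the value of the
    # affected asset, and only then the raw CVSS score as a tie-breaker.
    return (f.exploited_in_wild, f.asset_criticality, f.cvss)


def rank_with_context(findings):
    """Rank using network-specific context rather than the score alone."""
    return sorted(findings, key=contextual_priority, reverse=True)


# Constructed sample findings; identifiers are placeholders, not real CVEs.
SAMPLE = [
    Finding("CVE-EXAMPLE-1", "hr-portal", 9.8, False, 2),
    Finding("CVE-EXAMPLE-2", "payments-db", 6.5, True, 3),
    Finding("CVE-EXAMPLE-3", "dev-laptop-17", 9.1, False, 1),
    Finding("CVE-EXAMPLE-4", "build-server", 5.3, True, 2),
]

if __name__ == "__main__":
    for label, ranked in (("CVSS only", rank_by_cvss(SAMPLE)),
                          ("with context", rank_with_context(SAMPLE))):
        print(label, [(f.cve, severity(f.cvss)) for f in ranked])
```

Run stand-alone, the CVSS-only ranking puts the two “critical” findings first, while the contextual ranking moves the actively exploited “medium” flaw on the payments database to the top.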
Overcoming the 5 Most Common Errors
Fortunately, there are vulnerability remediation platforms that overcome these errors. These solutions employ the latest thinking in vulnerability management, such as improved prioritization, as well as offering complete network visibility and supporting continuous monitoring and remediation.
To learn more about how you can effectively address the issues raised here, download our latest eBook, The Top 5 Mistakes that Everyone in Vulnerability Remediation is Making.