So What is Vulnerability Remediation?
On paper, vulnerability remediation is very easy to explain. It’s the process of a) finding the weak spots in the software running on your network that malicious actors can exploit, and b) finding and applying remedies to them. In practice, with over 14,700 new vulnerabilities reported in both 2017 and 2018, the situation is perhaps best described as “[security] trying to manage a mountain of work they usually have little to no control over by pushing other overtaxed teams, such as IT and engineering, to remediate during non-ideal times.”
While there have always been threats to network security, the problem has gotten worse due to the technological changes and advances we’ve seen over the past few years. In the 1990s and early 2000s, there were relatively few vulnerabilities and each company’s team took care of its own. With the birth of the cloud and changes in enterprise infrastructure, company networks became more exposed to external threats. Companies started to use more third-party software, such as AWS and Azure, as well as open-source software, all of which effectively expose all networks to hackers and other malicious actors. The massive growth in the number of vendors and multi-platform solutions has also forced companies to expose their networks to more users. While authorization solutions have generally kept pace with this greater exposure, these changes have resulted in businesses, especially SaaS suppliers, to face greater risks from the additional software interacting with their networks.
Adding fuel to the fire, the switch to agile development has increased this risk because of the new approach’s preference for rapid releases, which has resulted in more and more software entering the public arena without being adequately tested.
Finally, the success of the subscription-based sales method has ensured that users are online more often, increasing the chances of an attack. As a result, “exploitable SaaS-based assets are exposed to anyone, anywhere”. SaaS demands that software be available 24×7, eliminating the ability for sites to shut down as they did 10 years ago to perform maintenance, which included patching vulnerabilities. The combination of agile development and the demand for continuous availability has resulted in companies’ core, mission-critical software constantly changing, making it continuously vulnerable.
These factors have caused a veritable flood of vulnerabilities that are simply too much for teams to handle. With too many vulnerabilities out there, too little time to solve them all, and too much at stake, it’s no wonder that vulnerability remediation is more important than ever.
Vulnerability Management vs Vulnerability Remediation
Network security is a continuously-evolving field with changing threats, methodologies, and terminology. This is especially true in the area of vulnerabilities, where you often hear about vulnerability management and vulnerability remediation. Are they the same, different, or overlapping?
Although there are varying definitions of both terms, vulnerability management is generally understood to be an organized effort to avoid vulnerabilities in the first place, as well as identifying external and internal ones, and planning responses to them. Vulnerability remediation focuses on fixing threats once they are detected, with the most effective solutions using risk-assessment to focus on the vulnerabilities that pose the greatest risk to the network, rather than relying on inappropriate metrics to prioritize the process.
Vulnerability management, therefore, has a wider scope and, as a recent article states, including:
- Knowledge: Vulnerability management begins with being continually updated about new security threats. This means staying knowledgeable and up-to-date through information automatically collected from security product vendors, system updates, and threat intelligence reports.
- Discovery/Visibility: Knowing what’s on your network. It’s essential that you know how your systems’ components interact, how many instances you have of key software, where the access points to your network are, etc. Visibility provides coverage that lets you and your team know who “owns” what and where everything is saved.
- Configuration: Setting clear rules and practices for configuring software. This is extremely important for companies that have multiple instances of the same software in different physical installations. Using standard configurations for similar technologies keeps remediation efforts “in sync” across a company.
- Assessment: Scheduling frequent periodic and surprise assessment scanning sessions to identify new vulnerabilities. There are a wide variety of free programs that can assist you in this process as well as more comprehensive solutions that incorporate free and proprietary software.
- Prioritization: Analyzing the unique effect of each vulnerability in the network on your organization and then prioritizing them accordingly. It is important that this prioritization focuses on your specific network so that you can determine which vulnerabilities actually pose the greatest risk to your network.
Effective vulnerability remediation focuses on actually resolving threats, aiming to remediate them before they cause any harm. A good vulnerability remediation strategy includes a process for prioritizing vulnerabilities and a way to consolidate knowledge about a wide variety of solutions for rapid and efficient retrieval.
Good vulnerability remediation involves multiple corporate teams, including management, developers, IT and security management working in a cross-department effort to both harden security and to find the most cost-effective way to fix the vulnerabilities in the system. Whenever possible, automation is used, not only to save time and money by working to scale, but also to ensure consistency.
Vulnerability remediation is, therefore, the part of vulnerability management where the rubber meets the road and threats are mitigated.
Getting Started with Vulnerability Remediation
While every company is unique, we recommend your vulnerability remediation plan contain the following elements:
- Increase company awareness of vulnerabilities. Communicate with your partners in the C-Suite, as well as IT, Security, and DevOps managers about the importance of vulnerability remediation and the ways they can participate and make the most of the shared effort
- Guard your CI/CD pipeline. New technologies necessitate new remediation strategies. Today, more vulnerabilities are being pushed to production and measures need to be taken to protect the CI/CD pipeline. There are a number of excellent free scanning programs as well as other open-source software that can help in reducing or remediating vulnerabilities, in order to safeguard your pipeline.
- Have a complete inventory of your network’s assets. You cannot accurately assess the threat that the vulnerabilities in your network pose without complete visibility of your network, i.e. what assets are on it and how they interact.
- Know which vulnerabilities are out there and prioritize them according to risk. It’s easy enough to find a list of vulnerabilities with “objective” ratings of their severity, such as the CVSS, but your security team needs to prioritize vulnerabilities by their potential impact on your specific environment: vulnerability ratings are inherently subjective, since exploiting the same exact vulnerability impacts each environment differently. Therefore, the same vulnerability should be treated differently in each network.
- Think twice before you patch. There’s no doubt that applying a patch is often the best way to remediate a vulnerability. But patches can be risky and cause downtime, especially if the software involved interacts with other software. Sometimes a change in configuration could be enough to safeguard your network. That’s why Vulcan Cyber developed its proprietary remediation intelligence database that informs security teams of the most efficient solution to any security threat – the solution that would be least disruptive to production — in the form of a patch, a configuration change, a compensating control or workaround; a solution that can be deployed automatically using your preferred deployment or security tool.
- Rescan. Finally, be sure the problems are truly gone, by scanning and validating that the threat has been removed from the system.
Many of these steps can be completed more efficiently if your company’s vulnerability remediation solution includes a vulnerability intelligence database and incorporates vulnerability threat intelligence. Adopting these approaches ensure you have the latest information from vendors, forums, and other sources on alternatives to remediate vulnerabilities, including the advantages and disadvantages of each.
The Benefits of Automation
As you implement your vulnerability remediation program, you should aim to automate it as much as possible. In general, automation saves time and improves the consistency and quality of remediation. Nowadays, for many suppliers and enterprises automation is the only practical way to implement remediation due to the size and complexity of the networks and components involved.
Here are some examples of how automation improves your efforts against vulnerabilities:
- Automation reduces the number of errors associated with manually performing repetitive mundane tasks. Let your teams focus their energy where it really matters.
- Automatic scanning reduces vulnerabilities in your CI/CD pipeline. Automatic scanning keeps an ever-vigilant eye on your pipeline, reducing the risk of you deploying compromised code.
- Automating your remediation intelligence gathering process saves your team time and effort. Instead of having your team search for different solutions themselves, have it retrieved automatically from vendors, forums, and other sources of information. Better still, incorporate a vulnerability remediation database as part of your solution that retains this information, for an efficient remediation process.
- Automating vulnerability prioritization ends wasting time dealing with the wrong threats. Automating your evaluation of the threats to your network, or selecting a solution that does this for you, will keep your team focused on the most important vulnerabilities, removing threats in the optimal order.
- Automation ensures that solutions that are applied are consistent. In networks that have multiple instances of the same component, automation guarantees that the same remediation method is applied to each one.
- Automation ensures that solutions are applied consistently and continuously. Some solutions may need to be applied continuously, not just once. Automation makes it possible to remediate using automated scripts and playbooks.
- Automation ensures that solutions are applied in the correct order. There are cases where multiple solutions need to be applied to one component or a group of components. An automated script performs the steps in the correct order. This is particularly important if there are multiple instances of components.
- Automation pays off at the enterprise level. Automation makes remediation at scale extremely efficient, cutting costs and manpower.
Vulnerability Remediation Traps and How to Avoid Them
With many different vulnerability remediation approaches out there, it’s important to avoid wasting time and money on common traps such as these:
1. Trying to Patch Everything
It’s understandable that you want to remediate every vulnerability. But with 14,000 or more being discovered each year, that’s simply impossible. Moreover, patching has its own risks, so it is important to reserve patching for cases when it is truly the most efficient course of action. Sometimes, a change in configuration settings is sufficient. Other so-called “threats” may actually pose no risk to your environment. In such cases, you may be better off not taking any particular action for the time being, and focusing on more critical problems.
2. Focusing on the Wrong Threats
But how do you identify “the most important threats”? True, there’s the Common Vulnerability Scoring System (CVSS), that ranks vulnerabilities’ severity. But before focusing only on threats scored as “critical”, be aware that many vulnerabilities with a lower rating have active exploits, while some “critical” ones are too difficult or just not accessible for threat actors to use effectively. If you focus only on “critical” problems as ranked by objective metrics like the CVSS, you may ignore the threats that actually pose the greatest risk, and waste your efforts on the ones that don’t.
3. Believing The Hype
With security becoming a popular topic, the media is also looking out for “critical” problems that could turn into disasters. Unfortunately, the press can exaggerate the importance of vulnerabilities, just like the “experts.” Consider the Spectre and Meltdown “threats”, much-ballyhooed at the time yet ending up being much ado about nothing. Anyone swept along with the hype ended up wasting time and money without being any more secure.
The Vulcan Cyber Approach to Vulnerability Remediation
Vulcan Cyber’s Remediation Automation platform enables security teams, for the first time, to actually remediate the vulnerabilities and misconfigurations in their digital environments. The Vulcan platform pinpoints the most business-critical threats, according to the unique risk they pose to the environment and offers a range of options to handle them — from configuration changes to patches, if needed — based on a network’s specific characteristics. Then, the platform enables you to implement these solutions, scaling up the process of remediation through automation and orchestration.
The platform is designed to drive automation, promoting both off-the-shelf and customizable playbooks to ensure that threats are removed in the most consistent, safe, and efficient way possible. Through it’s automation framework, security teams can scale their remediation efforts.
The platform prioritizes security threats based on the subjective risk they pose to the environment, enabling security teams to focus on the most critical vulnerabilities to their organization. This is done by incorporating security data extracted from security tools; business data derived from CMDBs; network architecture and asset configuration data obtained from integrations across inventories (Vsphere, AWS, GCP, etc.), deployment tools (Chef, Puppet, MS Intune, etc.), and asset management tools (ServiceNow, BMC, Freshdesk, etc.); and threat intelligence gathered from dozens of threat intelligence feeds. This way, security teams can rest assured that they’re dealing with the right threat at the right time.
With Vulcan’s proprietary Remediation Intelligence Database, containing information from vendors, forums, and other sources on alternatives to remediate, security teams can automatically deploy the most efficient solution to any static security threat; the one that would be the least disruptive to production.
To see the Vulcan Cyber Continuous Remediation platform in action, schedule a demo with a member of the Vulcan Cyber Team.