Vulnerability management has become a term that continues to be thrown around in security circles as a quick and easy path to threat remediation. However, the reality is that most companies are not actually managing vulnerabilities, but rather conducting scans that produce thousands of potential threats. Identifying possible security risks and actually managing them through to remediation are completely different things.
In its common definition, vulnerability management sounds like security utopia: if you purchase the right software, implement the proper solution or engage tougher policies and procedures, etc. you will be safeguarded from the threats of the outside world. Sounds perfect, right? There’s one problem- it doesn’t work this way. The term leads companies down a path towards a false sense of security. This has led to many companies falling victim to the illusion that they are secure, which can lead to dire consequences down the road. It’s simply a matter of time before the gap between identification and mediation is exposed.
But perception has a way of becoming reality. If you mention vulnerability management to prospects, they will almost certainly tell you, predictably and definitively, they are already “doing it.” Well, to that I can only parrot Sacha Baron Cohen’s alter ego and Kazakhstan ultra national Borat Sagdiev’s retort to an American humorist instructing him on the art of comic timing to effectively deliver the punch line to a joke: “NOT!”
Because distinguishing the hype from reality and the facts from fiction of vulnerability management can be confusing and difficult, I’ve come up with a quick and simple self-assessment. I would recommend every person charged with IT security in an organization to ask themselves these questions on a regular basis. For executives responsible for signing off on company security, I would also recommend that you ask these questions of your chief security officer and demand definitive answers.
Can we provide a definitive yes to the following three questions:
1. Do we understand the actual risk?
2. Has it been properly fixed?
3. Can we validate that the fix has worked?
If the reply to any of these questions was a no or if you were unsure as to the correct answer, than you are doing something other than vulnerability management. Don’t feel too badly however, the reality is that very few organizations are currently employing true ‘management’ of threats and vulnerabilities, but rather a form of vulnerability identification. That’s a step in the right direction, but only the first step in the path to management.
It really boils down to three common, but dangerous, mistakes businesses make when it comes to management.
1. Most people believe that if the software solution is capturing the vulnerability, collecting it the way kids may collect baseball cards, that they are safe from the threat. They are not. A mid-sized company may run a monthly scan that includes 10,000 potential threats, but there is little to no visibility into how these issues affect the company. They have no insight into how these risks work together or if any of them really matter.
2. Just as frightening, threats are typically not being managed – they are simply being identified. It becomes an exercise in moving all of the potential risks around, but nothing is actually being resolved. Potential risks are identified and passed along to different groups, without anyone actually seeing the threat through to mediation. It essentially becomes a game of vulnerability pass-the-buck.
3. All this information ends up going nowhere. CISOs don’t fix the perceived threats, don’t believe them, and basically end up just shifting information around. There is simply too much data to process or act upon. It’s like that classic trope recalled in the face of inevitable disaster: you can re-arrange the deck chairs on the Titanic but regardless of how you move them, the ship is still going to sink and there’s nothing you do that will change that outcome. The same is true in the security space. No matter how much input you receive or the level of analysis you apply to that input, your network, once under attack, remains at risk.
In a recent issue of Business Computing World, author Gidi Cohen says that all the vulnerability scanning you can perform is pointless without the context needed to focus mitigation activities on real priority risks or the ability to correlate contextual information into actionable vulnerability remediation options that are needed to prevent data breaches and cyber-attacks. I agree. When it comes to security, you can scan for vulnerabilities all day long and even convince yourself that you know where that threat is hiding, but until you’re able to capture, correlate and contextualize it, it means nothing.
Until context can be put around potential threats and vulnerabilities, the term “vulnerability management” will remain something of a myth.