Vulnerability management has historically been treated as an engineering exercise that is disconnected from how security flaws relate to the business and the actual threat they pose.
The increasing adoption of undefended new technologies like the Internet of Things (IoT) and the escalation in cybercrime activity have given rise to more damaging breaches. The ensuing regulatory and legal scrutiny has revealed the shortcomings of this traditional approach. This raises the question of where traditional vulnerability management falls short and what steps can be taken to drive a new, risk-centric approach, one designed to expose imminent threats (for mitigation) and to reduce risk more effectively across the expanding attack surface.
According to the 2017 U.S. State of Cybercrime Survey (PDF), 39 percent of respondents reported that the frequency of cyber security events has increased over the past 12 months. This is reflected in daily news reports about data breaches and newly found vulnerabilities. In turn, organizations plan to upgrade their IT and data security to avoid cyber-attacks in the years to come. Based on the State of the CIO, 2014 – 2017 report, this has now become the second highest priority behind assisting in achieving set revenue goals.
In light of the wave of data breaches in 2017, we need to consider whether traditional approaches to vulnerability management are still viable and whether merely upgrading existing methods or tools is sufficient. Typical mid-sized organizations face an average of 200,000 vulnerabilities across their ecosystem, often leaving their security analysts with no clear starting point. Given that the enterprise attack surface continues to expand from endpoints, applications, databases and mobile devices to IoT, things will only get worse. That’s why Gartner, in its 2017 State of the Threat Landscape, observes that “your roofs are leaky, and getting leakier”.
Vulnerabilities are not a new phenomenon – they are as old as computers. And while vulnerability management tools and practices have evolved over the past few decades by adding new capabilities like authenticated or agent-based scans, at their core they still rely on the Common Vulnerability Scoring System (CVSS), which is maintained by the Forum of Incident Response and Security Teams (FIRST).
It is easy to be misled by CVSS scores and to play math games with them. However, these exercises typically only reduce risk on paper – not in reality. Traditional vulnerability management approaches practice gradual risk reduction. They focus remediation either on the most severe vulnerabilities, ranked by a high CVSS score (the so-called vulnerability-centric model), or on the value and exposure of an asset (i.e., Internet-facing, third-party access, contains sensitive data, provides business-critical functions; the so-called asset-centric model). Unfortunately, both practices are usually framed as reducing the greatest amount of risk with the fewest patches.
These traditional approaches no longer suffice. Instead, according to Gartner (see “Threat-Centric Vulnerability Remediation Prioritization”), organizations should transform their vulnerability management practices to a threat-centric model, which allows for imminent threat elimination rather than gradual risk reduction. An imminent threat can be identified by correlating vulnerabilities to their prevalence in the wild:
• Is a vulnerability being targeted by malware, ransomware, or an exploit kit?
• Is a threat actor leveraging the vulnerability and targeting organizations like ours?
Under this new model, imminent threats are prioritized and remediated first. While we can’t predict who will attack us, we can predict who or what could succeed if they did.
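To make the difference between the three prioritization models concrete, here is an added example (not code from the original article, nor Gartner's or any vendor's method) that ranks the same set of findings three ways: by CVSS alone, by asset exposure, and by the threat-centric signals listed above (exploited in the wild, targeted at organizations like ours). The findings, their IDs, the exposure flags and the weighting of the threat signals are all constructed assumptions chosen to illustrate the point; a real deployment would feed these fields from a scanner, an asset inventory and a threat-intelligence source.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    """One vulnerability instance on one asset (constructed sample record)."""
    vuln_id: str            # placeholder identifier, not a real CVE
    cvss: float             # base score as reported by the scanner
    internet_facing: bool   # asset-centric exposure attributes
    third_party_access: bool
    sensitive_data: bool
    business_critical: bool
    exploit_in_wild: bool       # targeted by malware, ransomware or an exploit kit
    actor_targets_sector: bool  # a threat actor uses it against organizations like ours


# Constructed sample inventory: note the CVSS 9.8 item sits on an isolated,
# unexposed asset with no known exploitation, while the 6.5 item is Internet-facing
# and actively exploited against our sector.
FINDINGS: List[Finding] = [
    Finding("VULN-A", 9.8, False, False, False, False, False, False),
    Finding("VULN-B", 7.5, True,  False, True,  True,  False, False),
    Finding("VULN-C", 6.5, True,  True,  False, False, True,  True),
    Finding("VULN-D", 5.3, False, True,  True,  False, True,  False),
    Finding("VULN-E", 8.1, False, False, False, True,  False, False),
]


def asset_score(f: Finding) -> int:
    """Asset-centric exposure: one point per exposure attribute (assumed weighting)."""
    return sum([f.internet_facing, f.third_party_access,
                f.sensitive_data, f.business_critical])


def threat_score(f: Finding) -> int:
    """Threat-centric signal. Assumed weighting: sector-specific targeting by a
    threat actor (2) outweighs generic in-the-wild exploitation (1)."""
    return (2 if f.actor_targets_sector else 0) + (1 if f.exploit_in_wild else 0)


def rank_vulnerability_centric(findings: List[Finding]) -> List[str]:
    """Highest CVSS first; exposure and exploitation are ignored."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: -f.cvss)]


def rank_asset_centric(findings: List[Finding]) -> List[str]:
    """Most exposed / most valuable asset first, CVSS only as a tie-breaker."""
    return [f.vuln_id for f in
            sorted(findings, key=lambda f: (-asset_score(f), -f.cvss))]


def rank_threat_centric(findings: List[Finding]) -> List[str]:
    """Imminent threats first (anything exploited in the wild or aimed at our
    sector), then fall back to asset exposure and CVSS for the remainder."""
    return [f.vuln_id for f in
            sorted(findings, key=lambda f: (-threat_score(f), -asset_score(f), -f.cvss))]


def imminent_threats(findings: List[Finding]) -> List[str]:
    """The subset the threat-centric model would remediate before anything else."""
    return [f.vuln_id for f in findings if f.exploit_in_wild or f.actor_targets_sector]


if __name__ == "__main__":
    print("vulnerability-centric:", rank_vulnerability_centric(FINDINGS))
    print("asset-centric:        ", rank_asset_centric(FINDINGS))
    print("threat-centric:       ", rank_threat_centric(FINDINGS))
    print("imminent threats:     ", imminent_threats(FINDINGS))
```

Run as a script, the three orderings show the effect described above: the CVSS-only ranking patches VULN-A (9.8, unexposed, unexploited) first, whereas the threat-centric ranking moves VULN-C (6.5, Internet-facing, actively exploited against our sector) to the top and pushes VULN-A to the bottom. The score weights are the part a team would tune against its own telemetry; the structure (threat signal, then exposure, then severity) is what makes the model threat-centric rather than vulnerability-centric.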
Ultimately, organizations that are planning to “upgrade” their existing vulnerability and patch management practices should move beyond looking at the “what is”, in terms of their current security posture. A better approach is to augment tools with emerging security analytics and cyber risk management capabilities that allow for a scenario and objective-based approach that assesses the “what could be”, and predicts the impact and outcomes of potential threats.