Security Experts:

In Security, Prioritization should be a Priority

Staying on top of your organization’s security needs is no easy task. The constant updates, patches, vulnerability assessments and maintenance activities can quickly overwhelm an IT department or security team and delay critical projects. To-do lists end up growing at an incredible pace, and even those who are able to keep up are having a hard time measuring whether their efforts truly made the organization safer.

What causes these security maintenance headaches? Let’s start by taking a look at one of Microsoft’s recent Patch Tuesdays, or Super Patch Tuesday as it was referred to in IT circles. While the number of patches issued by Microsoft each month typically averages between six and eight, November’s list contained a whopping 16, five of which were considered critical and several requiring the always-dreaded restart.

Patch managementAt least you can plan for Patch Tuesday to some extent, as it falls on the second Tuesday of every month, but these matters are generally much less predictable. You may recall that Microsoft issued an emergency patch in November to address a bug in the Windows Kerberos authentication mechanism, and you certainly remember (and are probably still dealing with) chaos around Heartbleed and Shellshock.

A person who handles these issues for a Fortune 500 company recently mentioned that patching in the wake of Shellshock would likely take them upwards of eight weeks. I asked how he would determine which systems he would patch first, and which he would save for last, but he didn’t seem to have a strategy in mind. That’s a problem. Without the ability to prioritize in these situations, you may end up waiting eight weeks to apply the most important patch. You could also say the fact we were talking specifically about Shellshock indicates another prioritization problem – he was fixated on Shellshock because that was the threat making headlines at the moment. But when it comes to vulnerability management, you should be thinking beyond the “flavor of the week.” It’s about identifying the vulnerabilities that truly put your organization’s critical assets at risk.

Think of your corporate network like your home. There are probably lots of items on your "honey do" list, but they can’t all be completed today. That’s why you assess the situation and prioritize those that are the most critical and time-sensitive. In the middle of a cold New England winter, I wouldn’t have to think twice about whether it was more important to repair the furnace or repaint the kitchen walls. Every organization should be able to apply similar common-sense prioritization tactics when it comes to security, but most do not.

This isn’t a matter of laziness – lots of security teams don’t have the tools and knowledge to distinguish the “repair-the-furnace” vulnerabilities from the “repaint-the-wall” vulnerabilities. They simply do not have the information necessary for prioritization. After all, when vulnerability scanners produce reports the size of phone books, complete with thousands of vulnerabilities labeled “critical,” it’s tough to know where to start. Wondering if this problem is plaguing your team? Next time you see a vulnerability report, ask them: Which of these vulnerabilities could lead an attacker to our critical business assets? Which of these vulnerabilities are easy for attackers to exploit?

It never ceases to amaze me how many large-scale security events take place every year because of known vulnerabilities that IT had not gotten around to patching. Across all areas of security, vendors and enterprises must work together to improve prioritization capabilities and reverse this trend. This means vendors must provide truly actionable information and avoid leaving customers with a data dump, and enterprises must put processes in place to leverage that information effectively.

view counter
Mark Hatton is president and CEO of CORE Security. Prior to joining CORE, Hatton was president of North American operations for Sophos. He has held senior roles with companies ranging from venture capital-backed, early-stage software vendors to a Fortune 500 information technology services and distribution organization. Hatton holds an MBA from Boston University, Massachusetts and a BA Communication from Westfield State College, Massachusetts.