SecurityWeek

Vulnerabilities

Three Mistakes Companies Make When it Comes to ‘Vulnerability Management’

Vulnerability management has become a term that continues to be thrown around in security circles as a quick and easy path to threat remediation. However, the reality is that most companies are not actually managing vulnerabilities, but rather conducting scans that produce thousands of potential threats. Identifying possible security risks and actually managing them through to remediation are completely different things.

In its common definition, vulnerability management sounds like security utopia: if you purchase the right software, implement the proper solution, adopt tougher policies and procedures, etc., you will be safeguarded from the threats of the outside world. Sounds perfect, right? There’s one problem: it doesn’t work this way. The term leads companies down a path towards a false sense of security. This has led many companies to fall victim to the illusion that they are secure, which can have dire consequences down the road. It’s simply a matter of time before the gap between identification and remediation is exposed.

But perception has a way of becoming reality. If you mention vulnerability management to prospects, they will almost certainly tell you, predictably and definitively, that they are already “doing it.” Well, to that I can only parrot Sacha Baron Cohen’s alter ego, the Kazakh ultra-nationalist Borat Sagdiev, in his retort to an American humorist instructing him on the art of comic timing to effectively deliver the punch line to a joke: “NOT!”

Because distinguishing the hype from the reality, and the facts from the fiction, of vulnerability management can be confusing and difficult, I’ve come up with a quick and simple self-assessment. I would recommend that every person charged with IT security in an organization ask themselves these questions on a regular basis. For executives responsible for signing off on company security, I would also recommend that you ask these questions of your chief security officer and demand definitive answers.

Can we provide a definitive yes to the following three questions:

1. Do we understand the actual risk?

2. Has it been properly fixed?

3. Can we validate that the fix has worked?

If the reply to any of these questions was a no, or if you were unsure of the correct answer, then you are doing something other than vulnerability management. Don’t feel too bad, however: the reality is that very few organizations are currently employing true ‘management’ of threats and vulnerabilities, but rather a form of vulnerability identification. That’s a step in the right direction, but only the first step on the path to management.

It really boils down to three common, but dangerous, mistakes businesses make when it comes to management.

1. Most people believe that if the software solution is capturing the vulnerability, collecting it the way kids may collect baseball cards, that they are safe from the threat. They are not. A mid-sized company may run a monthly scan that includes 10,000 potential threats, but there is little to no visibility into how these issues affect the company. They have no insight into how these risks work together or if any of them really matter.

2. Just as frightening, threats are typically not being managed – they are simply being identified. It becomes an exercise in moving all of the potential risks around, but nothing is actually being resolved. Potential risks are identified and passed along to different groups, without anyone actually seeing the threat through to remediation. It essentially becomes a game of vulnerability pass-the-buck.

3. All this information ends up going nowhere. CISOs don’t fix the perceived threats, don’t believe them, and basically end up just shifting information around. There is simply too much data to process or act upon. It’s like that classic trope recalled in the face of inevitable disaster: you can rearrange the deck chairs on the Titanic, but regardless of how you move them, the ship is still going to sink and nothing you do will change that outcome. The same is true in the security space. No matter how much input you receive or the level of analysis you apply to that input, your network, once under attack, remains at risk.

In a recent issue of Business Computing World, author Gidi Cohen says that all the vulnerability scanning you can perform is pointless without the context needed to focus mitigation activities on real priority risks, or the ability to correlate that contextual information into the actionable remediation options needed to prevent data breaches and cyber-attacks. I agree. When it comes to security, you can scan for vulnerabilities all day long and even convince yourself that you know where that threat is hiding, but until you’re able to capture, correlate and contextualize it, it means nothing.
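As an added illustration (not code from the column or from any product it mentions), here is what “capture, correlate and contextualize” looks like in practice: raw scanner output is deduplicated, weighted by asset context the scanner does not have, and each finding is then tracked through owner, fix and rescan so that the three questions above can be answered with data rather than assumption. The hosts, asset names, plugin ids, scores and the risk formula are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample data: raw scanner findings (note the duplicate from a rescan)
# and the asset context the scanner itself does not know about.
RAW_FINDINGS = [
    {"host": "10.0.0.5", "plugin": "openssl-outdated", "cvss": 7.5},
    {"host": "10.0.0.5", "plugin": "openssl-outdated", "cvss": 7.5},   # duplicate
    {"host": "10.0.0.9", "plugin": "smb-signing-disabled", "cvss": 5.3},
    {"host": "10.0.1.20", "plugin": "openssl-outdated", "cvss": 7.5},
]
ASSET_CONTEXT = {  # criticality: 1 = low, 3 = crown jewel (made-up values)
    "10.0.0.5": {"name": "payments-db", "criticality": 3, "internet_exposed": False},
    "10.0.0.9": {"name": "hr-fileshare", "criticality": 2, "internet_exposed": False},
    "10.0.1.20": {"name": "marketing-www", "criticality": 1, "internet_exposed": True},
}

@dataclass
class Finding:
    host: str
    plugin: str
    cvss: float
    risk: float            # question 1: contextualized risk, not the raw CVSS
    owner: str = ""        # question 2: someone accountable for the fix
    status: str = "open"   # open -> assigned -> fixed -> validated

def correlate(raw, context):
    """Deduplicate by (host, plugin) and weight each finding by the asset it sits on."""
    seen = {}
    for f in raw:
        key = (f["host"], f["plugin"])
        if key in seen:
            continue
        asset = context.get(f["host"], {"criticality": 1, "internet_exposed": False})
        exposure = 2.0 if asset["internet_exposed"] else 1.0   # illustrative weighting
        seen[key] = Finding(f["host"], f["plugin"], f["cvss"],
                            risk=round(f["cvss"] * asset["criticality"] * exposure, 1))
    return sorted(seen.values(), key=lambda x: x.risk, reverse=True)

def assign(finding, owner):
    finding.owner, finding.status = owner, "assigned"

def mark_fixed(finding):
    if finding.status != "assigned":
        raise ValueError("nobody owns this fix yet")   # pass-the-buck guard
    finding.status = "fixed"

def validate(finding, rescan):
    """Question 3: a fix only counts once the rescan no longer reports the issue."""
    still_present = any(r["host"] == finding.host and r["plugin"] == finding.plugin for r in rescan)
    finding.status = "open" if still_present else "validated"
    return not still_present

def scorecard(findings):
    """How many findings sit at each stage; 'validated' is the only number that means managed."""
    return {s: sum(1 for f in findings if f.status == s) for s in ("open", "assigned", "fixed", "validated")}
```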

Until context can be put around potential threats and vulnerabilities, the term “vulnerability management” will remain something of a myth.