Too Much Technology? Simplicity is Key in Vulnerability Management
By Earl C. Duby, Jr., Chief Information Security Officer, Lear Corporation
In the sixteenth century, astronomer Johannes Kepler noted that “nature loves simplicity.” In more modern times, Information Security teams have also come to appreciate simplicity – simpler is easier to defend. As organizations have continued to expand, both organically and through mergers and acquisitions, the enterprise network has turned into a complicated mix of misaligned architectures and mismatched applications. Instead of helping to augment network defense, additional technology has only proven to make the organizational battlefield more complex.
The most successful Vulnerability Management (VM) program, therefore, will be the one that helps the organization achieve optimal simplicity in its technology stack; something easier said than done.
Often, a complex portfolio of non-standardized business services is providing value to the organization and will be staunchly protected by the people and business units that are leveraging those services. As old versions of software are retained to enable these legacy applications, new technologies are layered on top to support more contemporary services and innovative thinking. Organizational complacency with this technology “sprawl” creates technical debt, network complexity, and unnecessary points of failure that threat actors can use for adversarial activities.
Technical debt has real implications. According to a 2018 Ponemon Institute report, 60% of data breaches in the past two years were enabled by a vulnerability that was not yet patched. Staying properly patched becomes a challenge when the number of systems and architectures continues to grow, bringing with it an exponential growth in vulnerabilities. A well-supported VM program can help identify these vulnerabilities, inventory the systems that are most vulnerable, and help the organization systematically address the most critical weaknesses.
Maintaining static and aging applications simultaneously clouds the vision of enterprise defenders and increases the attack surface. Author Richard Bejtlich has been pointing out for years in his works on network security monitoring (NSM) that prevention will eventually fail. Detection capabilities are critical to minimizing the impact of an attacker that has breached the perimeter defenses. Detection capabilities are predicated on visibility into the network, and on understanding what is within the walled garden of the organization. A proper VM program is critical to successful detection and response capabilities.
If an organization’s environment is becoming more complex, how can the defender differentiate between systemic noise and adversarial activity? A primary objective of the network defender, then, should be to assist in the simplification of the network to improve the odds of detecting nefarious activities. A robust and thoughtful VM strategy will provide thorough risk profiles and prioritized inventories of devices that are contributing to unwanted risk and unnecessary complexity. The Information Security team must drive the organization toward a simple architecture, reducing complexity by highlighting antiquated platforms and the applications that are running on them.
By identifying archaic technologies for retirement, the VM program will ultimately allow an organization to focus its resources on newer technologies instead of caretaking older systems. IT can then become an instrument for strategic innovation. At the same time, the Information Security team will be in a better position to protect the people and defend the data of its organization. Many legacy systems are preventing organizations from enjoying the full capabilities of newer technologies they’re already paying for (cloud service incompatibilities and integration limitations, for example). Identifying those legacy systems, assessing their risk, and then putting plans in place to migrate those systems to more contemporary architectures should be an urgent imperative for today’s organizations.
While the operationalization of a well-aligned VM program is not an easy task, the fundamentals are easily laid out. Solid technologies already exist for the scanning, inventorying, and risk assessment components. More critical is ensuring that any determinations of risk and complexity are free of conflicts of interest. All stakeholders, from IT to the business users of the systems, must have a clear view of the risks. Cross-functional understanding of the risks and impact of continued use of outdated technology is critical to true risk mitigation. Finally, the VM process has to be both horizontal and vertical in nature; cross-functional, while being supported by leadership with authority to authorize any necessary migrations to modern architectures.
In summary, an organization’s VM program can drive simplicity, and with it stronger defenses and more efficient innovation, by identifying antiquated and end-of-life systems, prioritizing their risk, and measuring progress on migrating those systems to modern standards. Reducing complexity will have positive impacts on securing the organization and on preparing the organization to plan for and take advantage of disruptive innovations. Supporting technical simplicity and a well-aligned VM program will lead to positive business outcomes.
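The article states the three steps of the program at the level of intent: identify end-of-life systems, prioritize their risk, and measure migration progress. The following is an added example, not code from the author or from Lear Corporation, showing one way to turn those steps into a small, repeatable calculation over an asset inventory. The `Asset` record, the severity weights, the end-of-life penalty, the exposure multipliers and the sample systems are all constructed assumptions; a real program would feed this from the scanner and CMDB data the article says already exist.

```python
"""Risk-prioritized legacy-asset inventory and migration progress metric.

Added example, not from the article. Every weight, asset record and
end-of-life date below is a constructed assumption used for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Assumed weights: how much one unpatched finding of each severity adds to risk.
SEVERITY_WEIGHTS = {"critical": 10.0, "high": 5.0, "medium": 2.0, "low": 0.5}
# Assumed flat penalty for a platform past vendor end-of-life (no more patches will come).
EOL_PENALTY = 25.0
# Assumed multipliers for how reachable the asset is.
EXPOSURE_MULT = {"internet": 2.0, "internal": 1.0}

# Fixed "today" so the example is reproducible (constructed, not the real date).
TODAY = date(2024, 6, 1)


@dataclass
class Asset:
    name: str
    platform: str
    eol: Optional[date]            # vendor end-of-life date, None if still supported
    exposure: str                  # "internet" or "internal"
    business_criticality: int      # 1 (low) .. 3 (high), assigned by the business owner
    unpatched: dict = field(default_factory=dict)   # severity -> count of unpatched findings
    migration: str = "not_started"  # not_started | in_progress | migrated | decommissioned


def is_end_of_life(asset: Asset, today: date) -> bool:
    """Step 1: an asset is legacy once its platform's end-of-life date has passed."""
    return asset.eol is not None and asset.eol <= today


def risk_score(asset: Asset, today: date) -> float:
    """Step 2: severity-weighted unpatched findings, scaled by exposure and business
    criticality, plus the end-of-life penalty (also scaled by criticality)."""
    findings = sum(SEVERITY_WEIGHTS.get(sev, 0.0) * n for sev, n in asset.unpatched.items())
    score = findings * EXPOSURE_MULT[asset.exposure] * asset.business_criticality
    if is_end_of_life(asset, today):
        score += EOL_PENALTY * asset.business_criticality
    return score


def prioritize(inventory, today):
    """Assets still in service, highest risk first; migrated/decommissioned ones drop out."""
    active = [a for a in inventory if a.migration not in ("migrated", "decommissioned")]
    return sorted(active, key=lambda a: risk_score(a, today), reverse=True)


def migration_progress(inventory, today):
    """Step 3: share of end-of-life assets already migrated or decommissioned.
    Returns 1.0 when there is nothing legacy left to migrate."""
    legacy = [a for a in inventory if is_end_of_life(a, today)]
    if not legacy:
        return 1.0
    done = sum(1 for a in legacy if a.migration in ("migrated", "decommissioned"))
    return done / len(legacy)


# Constructed sample inventory (hypothetical hostnames, not real systems).
INVENTORY = [
    Asset("erp-db-01", "Windows Server 2008", date(2020, 1, 14), "internal", 3,
          {"critical": 2, "high": 4}),
    Asset("portal-web-02", "RHEL 6", date(2020, 11, 30), "internet", 2,
          {"high": 1, "medium": 6}),
    Asset("hr-app-03", "Windows Server 2012", date(2023, 10, 10), "internal", 2,
          {"medium": 3}, migration="migrated"),
    Asset("build-04", "Ubuntu 22.04", None, "internal", 1, {"high": 2}),
]

if __name__ == "__main__":
    for a in prioritize(INVENTORY, TODAY):
        flag = "EOL" if is_end_of_life(a, TODAY) else "supported"
        print(f"{a.name:14} {a.platform:20} {flag:10} risk={risk_score(a, TODAY):6.1f}")
    print(f"legacy migration progress: {migration_progress(INVENTORY, TODAY):.0%}")
```

The end-of-life penalty is what makes this differ from a plain scanner export: an unsupported platform is ranked above a supported one with a similar finding count, because its findings will never be patched and the only remediation is the migration the article calls for. The progress metric deliberately counts only end-of-life assets, so it measures the retirement of antiquated systems rather than general patch throughput, which is the outcome the program is meant to report on to leadership.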