Vulnerability Management: The Game-Changer Enterprises are Waiting for
By Bill Swearingen, Director, CenturyLink
As businesses work through their digital transformations, leveraging the latest software and cloud technologies to enhance customer experience and streamline operations, they do so against an unfortunate backdrop of unprecedented growth in cybercrime. It’s estimated the global economy lost as much as $600 billion in recent years to bad actors and their handiwork, fueled, in part, by what some experts are seeing as a “record-breaking year” for vulnerabilities.
With more at stake than ever before, enterprises are rethinking their approach to cybersecurity and vulnerability management–or at least, they should be. Gone are the days when businesses could bide their time implementing software patches until resources free up. The fact is we live in a world where vulnerabilities–old and new–are discovered on a near-daily basis. Although it can feel overwhelming, it is worth emphasizing that the discovery and disclosure of vulnerabilities is a good thing. Notification should be recognized as an opportunity to plan, prioritize and resolve problems before they negatively impact a business.
For example, imagine a vulnerability is discovered in a specific version of garage door openers, allowing anyone to open any garage door using the code “1234.” Would you rather know about the issue upfront, allowing you time to take action, or find out about it after your belongings are stolen?
Proper planning and performing regular maintenance of anything with a power cable and network connection will keep you a step ahead of cybercrime, which is evolving into a highly organized and lucrative shadow industry with no signs of slowing down.
There’s still Hope.
Even as bad actors lurk, intent on exploiting every opportunity to make a buck, business leaders are learning to bolster their cyber defenses by applying some age-old risk management practices, not the least of which is vulnerability management. The goal of vulnerability management is to detect and prioritize vulnerabilities in the network systems, operating systems and applications used in an organization’s network through a continual cycle of identification, remediation and mitigation.
A common starting point in all sound security frameworks is creating and maintaining a system inventory. You can’t protect what you can’t see; businesses need to have full awareness and visibility into the devices and equipment deployed in the network. Simply knowing what you have, and how important each system is to the business, will help guide the prioritization of remediation–and how much time it takes to resolve the issue.
We need an Intelligence-first Mentality.
Tools, alone, won’t do the work. To combat what continues to be a mounting number of half- and zero-day vulnerabilities, enterprises need to ensure vulnerability management tools are constantly informed by the latest intelligence. Not only do vulnerability exposures need to be discoverable by scanning tools, but the scanning tools themselves need to have up-to-date, actionable information. While false positives (which occur when tools falsely identify an issue) can be difficult to manage, false negatives (when tools don’t identify an issue) could have the greatest impact. It is critical that scanning tools are supported by the vendor and receive regular updates to properly identify most issues. Enterprise vulnerability management is not an easy task. With an accurate view of the risk, enterprises can make the appropriate assessment of when and how to implement patches or other resolution measures.
Time can be a double-edged sword.
Another vital part of vulnerability management is the prioritization of exposures in order of what needs to be addressed or patched and how quickly. Most vulnerabilities are given a Common Vulnerability Scoring System (CVSS) score, a numerical value ranging from 0.0 (no risk) to 10.0 (critical risk) that can help prioritize remediation in an enterprise’s environment. However, it is important to consider the business criticality and other mitigating factors of a system to determine the prioritization in any environment. While both need patching, an internet-facing system with a vulnerability having a CVSS score of 6.0 may require a higher prioritization than an internal system without any sensitive data with a CVSS of 8.0. The WannaCry and NotPetya malware are fitting examples of the risk businesses face in not patching seemingly benign exposures. On the other hand, some enterprises reported notable performance degradation after applying early versions of patches meant to address Meltdown and Spectre. The guesswork in identifying the right time to act can be confounding.
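The prioritization described above can be made concrete by joining scanner findings with the system inventory. The following is an added example, not part of the original article: the hostnames, findings and weighting factors are constructed assumptions, and a host missing from the inventory is deliberately scored as worst case.

```python
from dataclasses import dataclass

# Constructed inventory for illustration; hostnames and attributes are made up.
INVENTORY = {
    "web-01": {"internet_facing": True, "sensitive_data": True, "criticality": 3},
    "dev-07": {"internet_facing": False, "sensitive_data": False, "criticality": 1},
}
# Assumed multipliers (not part of CVSS); tune them to your own risk model.
EXPOSURE_WEIGHT = {True: 1.5, False: 1.0}
DATA_WEIGHT = {True: 1.2, False: 0.8}
CRITICALITY_WEIGHT = {1: 0.8, 2: 1.0, 3: 1.2}  # 1 = low, 3 = business critical
# A host missing from the inventory is scored as worst case until someone owns it.
UNKNOWN_ASSET = {"internet_facing": True, "sensitive_data": True, "criticality": 3}


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str  # constructed label, not a real identifier
    cvss: float   # CVSS base score as reported by the scanner


def priority(finding, inventory=INVENTORY):
    """Weight the CVSS base score by the asset's exposure, data and criticality."""
    if not 0.0 <= finding.cvss <= 10.0:
        raise ValueError(f"CVSS out of range for {finding.vuln_id}: {finding.cvss}")
    asset = inventory.get(finding.host, UNKNOWN_ASSET)
    score = (finding.cvss
             * EXPOSURE_WEIGHT[asset["internet_facing"]]
             * DATA_WEIGHT[asset["sensitive_data"]]
             * CRITICALITY_WEIGHT[asset["criticality"]])
    return round(score, 2)


def triage(findings, inventory=INVENTORY):
    """Return (host, vuln_id, cvss, priority, inventoried) rows, most urgent first."""
    rows = [(f.host, f.vuln_id, f.cvss, priority(f, inventory), f.host in inventory)
            for f in findings]
    return sorted(rows, key=lambda row: row[3], reverse=True)


# Constructed scanner output.
SAMPLE_FINDINGS = [
    Finding("dev-07", "VULN-A", 8.0),
    Finding("web-01", "VULN-B", 6.0),
    Finding("printer-x", "VULN-C", 5.0),  # not in the inventory
]

if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS):
        print(row)
```

With these assumed weights, the internet-facing system with the CVSS 6.0 finding ranks above the internal system with the CVSS 8.0 finding, and the uninventoried host is flagged so it can be added to the inventory.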
Security is in the Layers.
If recent headlines are any indication, the need to carefully weigh when and how to address exposures through a sound vulnerability management program has never been greater. For some, they’re also evidence that the best path to security is a multifaceted one. Vulnerability management works best when it is part of a broader governance, risk and compliance (GRC) framework, one that has been adopted and supported from the highest levels of leadership to frontline employees. This includes regular evaluations and audits of IT infrastructure and comprehensive training for employees. Having a plan is great, but it’s not enough unless it’s continually tested and refined.
What about systems that cannot be patched, either due to business issues or because they are no longer supported by the vendor? It is important to recognize these systems put the entire organization at risk. There are two actions businesses can take to limit the risk to the organization. First, businesses should leverage hosted or network-based controls to segment these systems to only allow connections that are required. Second, businesses should limit the software that is allowed to execute on these systems through application whitelisting and monitor for alerts of unauthorized software attempting to run. While segmentation and whitelisting will not prevent these systems from being attacked, these steps can slow an attacker and identify when a system or application is being targeted.
Nearly half of external breaches in 2017 were due to software vulnerabilities, according to Forrester's 2017 global security survey. We know the next global vulnerability is out there, waiting to be exploited on a massive scale. By implementing effective vulnerability management programs comprised of the right mix of tools, intelligence and leadership, enterprises can do something right now to disrupt the trends–and tip the scales back in their collective favor.