By Haythem Hammour, Product Marketing Manager, Brinqa
It’s maddening. Security professionals are often fully aware of the vulnerabilities that lead to breaches in their systems. The challenge is remediation. It’s hard, sometimes impossible, for security teams and their partners in IT operations to keep up. Reducing the remediation gap is critical for achieving a strong security posture. Automation offers a way forward.
Overview – How hackers target known, but un-remediated vulnerabilities
Imagine the following, unfortunately, familiar scenario. A hacker takes over one of your endpoints, a Linux-based server. The attack results in a loss of data and a long, complicated incident response process.
The post-incident investigation reveals the Linux server had not been patched for a known vulnerability. This is extremely common. Industry research estimates vary, but it’s believed that more than three in four cyberattacks target systems with known—but unpatched—vulnerabilities. This raises several questions, including “How did the attacker know to target this unremediated vulnerability?”
The basic answer is that hackers are adept at penetrating networks and scanning the infrastructure for known vulnerabilities. They often use automated tooling to accomplish this. In fact, in some cases, the hacker has no idea what his or her automated scanner is even doing until it finds something particularly vulnerable and sends an alert. (The hacker is busy doing hacker things like buying cool hoodies and practicing that aloof but menacing grin in the mirror.) Once notified of the vulnerability, the hacker can commence the attack. In reality, though, sometimes even the initial phase of the attack is also completely automated.
The Remediation Gap – Why it’s so hard to keep up with vulnerabilities
The other question to arise from the assessment of an attack that exploited a known, but unpatched vulnerability is, “Why wasn’t this patched when the vulnerability was first revealed?” The answers are logical, but satisfy no one.
There could be several reasons why a known vulnerability was not patched in time to stop an attack. We call this the “remediation gap.” One cause of the gap could be a simple delay. IT operations are usually responsible for patching vulnerabilities identified by the security team. They also have to stay on top of patch releases from vendors, a la Microsoft’s “patch Tuesday.” Doing it right means testing the patch before deploying it. It’s a big workload, and IT ops can easily fall behind. In the interim, the unpatched systems are vulnerable.
Another possibility is that the vulnerability is unknown. Or, the target itself could be unknown to the IT ops team. It is very common for a business or government organization to have devices running on its network that are not known to IT ops. This can happen in merger and acquisition situations, for example, but many other factors contribute to the existence of such phantom devices.
In addition, some systems simply cannot be patched. They’re too old, or the patch will break applications running on it and so forth.
Remediating the Remediation Gap with automation
As the remediation gap creates more serious risk exposure, solutions are emerging to address it. Given the scale and scope of the problem, automated solutions work best. And, realistically, automation is the only way to reduce the remediation gap. It’s far too complex and large-scale an issue to attack through manual efforts. An automated vulnerability management system typically offers the following functions:
- Asset inventory—Like the hacker who uses an automated tool to probe your network for vulnerabilities, an automated vulnerability management system connects asset discovery tools, vulnerability scanners, and any other source of asset information to build a comprehensive asset inventory. You’ll know what you have. And, if history is any guide, you’ll get a few “Wow, I had no idea that was even running anymore!” sort of surprises. Only from an accurate asset inventory can you create an authoritative list of the vulnerabilities in your environment.
- Threat analysis—Know what threats are more aligned with your vulnerabilities. The automated vulnerability management system constantly pulls in threat intel from multiple sources, matching them with your known and unpatched vulnerabilities, to highlight those that have the highest likelihood of being exploited.
- Risk quantification and prioritization—Which threats are the most serious? You can’t handle them all at once. You will need to establish a priority for remediation. The priority should go to vulnerabilities that represent the greatest potential negative business impact, e.g. brand or reputation damage or financial loss versus a nuisance.
- Remediation management—A primary reason for the remediation gap is that remediation processes are often inefficient. Modern vulnerability management systems improve remediation efficiencies in several ways – reducing manual decision making by creating tickets automatically based on rules, reducing the overall volume of tickets by grouping vulnerabilities based on ownership and fixes, and improving communication by informing and engaging stakeholders. These tools can give you constant, real-time control over the remediation process.
- Integration with ITSM tools—Assign remediation tasks in the IT Service Management (ITSM) tools your organization is already using. This way, stakeholders can be clear on what they need to do, when, and whom to notify when the work is finished.
- Reporting and working with non-IT stakeholders—It’s essential that you measure and track how you’re doing in closing the remediation gap. The automated vulnerability management system provides real-time visibility into the state of the remediation processes. The tool can also generate summary reports for senior managers and non-IT stakeholders. Business managers, for example, may want to know the state of systems that support their areas of business operations.
Staying on top of vulnerabilities going forward
Vulnerability management never stops. New exploits are constantly being revealed. Hackers continue to evolve and refine their techniques. Legacy systems get older and harder to patch. The only way to stay on top of vulnerabilities going forward is to make Vulnerability Management a permanent, foundational InfoSec program. It’s as much an organizational issue as a technological one. An automated vulnerability management system can serve as the core of this critical program and its workflows.
About the Author
firstname.lastname@example.org I ☎ (512) 372-1004