The Center for Strategic & International Studies reports data on cyberattacks on government agencies, defense and technology companies and economic crimes with losses of more than a million dollars. In 2019 alone, the list consists of dozens of attacks on government agencies and other nations, as well as hacking that occurred recently at pharmaceutical and aerospace companies and colleges and universities.
Still, new research shows that just 17% of organizations are maintaining pace with new high-risk vulnerabilities, while 50% of organizations are falling behind, remediating fewer vulnerabilities than the the volume of high-risk vulnerabilities discovered each month.
The researchers analyzed real-world vulnerability management strategies from hundreds of organizations. “We found that it is possible to get ahead of new high-risk vulnerabilities over time,” said Jay Jacobs, Data Scientist, Co-Founder and Partner, Cyentia Institute. “Of course, that outcome depends on whether organizations have the information to prioritize those vulnerabilities for remediation.”
System flaws expose vulnerability
Vulnerability is defined as the quality or state of being exposed to the possibility of being attacked or harmed due to flaws in the design, implementation, or administration of a system. A vulnerability provides a mechanism for a threat to exploit the weakness of a system or process.
The vulnerability management process is a continuous information security risk undertaking that requires management oversight to determine whether to eliminate, mitigate or tolerate vulnerabilities based upon the risk and the cost associated with fixing them.
In a recent blog, 9 Keys to Getting the Most Out of Your Vulnerability Management Solution, Ben Rothke, a Senior Security Consultant at Nettitude, identified key activities that when implemented correctly make up a strong vulnerability management framework. Each activity and its sub activities need to be part of a continuous cycle focused on improving security and reducing the risk profile of network assets.
The key activities needed to ensure your vulnerability management program is efficient, effective, and drives high-value to the organization are:
- Identify all networked assets
- Define asset criticality rankings (ACR)
- Determine exposures and vulnerabilities
- Track relevant threats
- Determine and assign risk
- Plan and take corrective actions
- Identify Key metrics
- Identify and address compliance risks and gaps
- Implement an Automated Vulnerability Management system
The first task is arguably the most important, Rothke writes.
“If you don't know what your technology assets are, where they operate, and details about them, then you are simply powerless to fully protect them.”
Network Asset inventory is a crucial step in the a strong VM program. An updated enterprise asset inventory lays the basic groundwork for a successful vulnerability management program. Organizations must spend time identifying the assets, creating a blueprint of their network. The process of Network Discovery usually provides a comprehensive inventory output that details every laptop, desktop, server, network device and everything in between on the company network.
People as important as process
Just as a vulnerability management tool is important, don't overlook the significance of making sure you have good, trained staff who know how to:
- Run the tool
- Make sense of the tool's output
- Apply that output to address the many vulnerabilities that the Vulnerability Scanner will find.
When senior management asks “What is the current security patch status within the organization?” it will not be satisfactory to respond with great, excellent, good or poor without hard data to back up your statement.
This is where reporting and metrics can help. A structured patch reporting cadence will improve the organization’s effectiveness at managing vulnerabilities and the overall security posture. Placing the right focus on reporting will enable the team to:
- Demonstrate compliance
- Provide current status and historical trend of patches application to IT assets
- Help assess patch effort efficiency
- Prioritize patching actions
- Create transparency and visibility on current vulnerabilities
Most organizations struggle with consistently accomplishing the aforementioned; therefore, implementing as part of the overall reporting cadence aids organizations in shoring up an operational gap, but, moreover, the visibility gained across IT Operations, Security and Risk will improve the overall security posture, which, after all, is the goal.
Finally, the SailPoint 2018 Identity Report points out that one of the most important innovations of cybersecurity is the rise of managed security services. Through managed services, enterprises of all sizes can mitigate the effects of the cybersecurity staffing crisis; they can enjoy the benefits of 24/7 security monitoring, delegated access and role management, and compliance reporting. Given the stress IT security teams face every day under myriad deadlines and expectations, delegating duties to other cybersecurity experts can help alleviate some of the burdens.
IT Security and Risk is everyone's job and Vulnerability Management should be a default and standard component of the regulatory and information security framework.
Learn more about Genesis10’s Vulnerability Management services.