No More Business As Usual: Vulnerability Management Focused On Managing Risk

Transforming vulnerability management with a methodical and proactive approach for seamless risk management.

February 15, 2024


Yoav Nathaniel, CEO of Silk Security, shares insights on redefining vulnerability management to focus on risk mitigation. Discover practical steps and tools for efficient and effective cybersecurity.

Detecting, assessing, prioritizing, and remediating vulnerabilities is increasingly critical in achieving security teams’ key objective of managing business risks. The problem: many companies stop after the detection stage and rarely make it to remediation.

Vulnerability assessment and prioritization of findings based on risk is even more challenging because of the changes in IT environments from digital transformation. The attack surface has expanded, and security teams are overwhelmed by the increasing volume of issues detected from a growing number of tools on an increasing number of assets.

While keeping on top of emerging and potentially severe vulnerabilities is like whack-a-mole, the reality is that the more prevalent risk is successful exploits that involve older vulnerabilities that weren’t remediated. An unintended outcome of digitalization is that the operational process of assigning the task of remediation to the right owner has also become more challenging – extending the timeframe for attackers to exploit these unpatched, older vulnerabilities on exposed systems.

While there are no quick fixes, security teams can become more efficient and take a more constructive approach to managing vulnerability based on risk by creating more interconnected processes, iterative improvements, and automating when appropriate.

Why Process Is Crucial

The term ‘vulnerability management’ can itself be misleading. Most VM (vulnerability management) tools organize, assess, and perhaps even validate vulnerabilities by scanning for CVEs (common vulnerabilities and exposures). But that’s often not equivalent to managing the lifecycle process of a vulnerability, from the point of detection to some point of resolution – patched, accepted, or mitigated by a compensating control. To better manage the vulnerability lifecycle, the handoff from identification of a vulnerability to remediation of the finding should be a bridge, not a dividing chasm.

Without efficient, scalable processes for communicating, tracking, and reporting vulnerabilities once detected, security teams are stuck in the predicament of just trying to throw more bodies at keeping track of what was seen and whether it’s been addressed. And, without incorporating a dimension of subjective risk into the assessment, security teams are not in a position to communicate remediation priorities.  

Many security teams, for example, can’t track which teams have made exception requests for communicated vulnerabilities – and how these unpatched vulnerabilities will impact their enterprise’s risk posture. 

In response to this challenge, industry analyst firm Gartner published the Continuous Threat Exposure Management (CTEM) program, which details a lifecycle to identify, prioritize, and manage exposures by combining the attacker's and the defender's view. The program acknowledges that while no organization can protect against every cybersecurity event, enterprises can and should still improve at tackling the exposures that most threaten their business, from detection through remediation.


Every Journey Starts With A Single Step

As powerful as the CTEM framework is, it will likely remain an aspirational goal for many vulnerability management teams. That shouldn't preclude them from making progress toward mobilizing remediation more consistently. Equally, maintaining a subjective assessment of exposure risk, consistently prioritizing the findings most likely to be exploited, and keeping visibility into what Gartner calls the mobilization phase of CTEM is not an overnight transition.

Automation has a place here. Assessing, compiling, and communicating findings via Excel spreadsheets is increasingly counter-productive, not least because the same finding reported by several tools shows up as several duplicate rows that nobody reconciles.

Here are some straightforward steps that security teams can take that will both improve efficiency and set the stage for more automated processes that get them closer to realizing the CTEM model:

Get Sharper On Security Risk

One of the persistent hurdles to more intelligent prioritization of vulnerability scanning output is reliance on CVSS severity alone. CVSS scoring certainly has a role as a foundational input, but security teams now have access to newer models that emerged over the last few years from the realization that technical severity by itself cannot guide prioritization.

For example, the Exploit Prediction Scoring System (EPSS) estimates, for each CVE, the probability that it will be exploited in the wild within the next 30 days. Likewise, the Known Exploited Vulnerabilities (KEV) catalog, maintained by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), lists vulnerabilities with evidence of active exploitation, which lets security teams focus on what attackers are already using rather than on what merely scores high.

Make Assessment Subjective With Asset Profiling

As the adage states, nothing is a priority if everything is a priority. Assessing the relative probability of an exploit is important. Still, it can be improved by incorporating information about the asset where the finding was detected and applying business context through asset tags and labels. With greater clarity regarding security and business risks, security teams can tie remediation urgency to business impact and determine which critical findings are less urgent because of environmental contextual input.

Most enterprises struggle to maintain an accurate and up-to-date asset inventory. Rather than waiting for the perfect asset discovery and inventory solution, there are options that help fill the gaps. Scanning tools emit asset information in their output, which can be correlated with records in a CMDB (configuration management database), ITSM (IT service management) tools, and cloud provider asset inventories. Newer cyber asset attack surface management (CAASM) tools can also help compile inventories for asset profiling.

Each incremental data source, if efficiently consumed, correlated, and ideally de-duplicated, can help clarify the relative prioritization of technical risks based on environmental information (such as between Internet-facing and non-production assets) as well as whether the asset is on a network that’s within a compliance scope, or is a component of a high-value application.
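The prioritization described in this section and the previous one, as an added Python example that is not code from the article or from any product: a CVSS base score is combined with an EPSS probability, KEV membership, and asset context from a CMDB-like inventory, after de-duplicating the same finding reported by two scanners. The findings, EPSS values, KEV entries, asset records, placeholder CVE IDs, and all weights are constructed for illustration; the weighting policy is one possible choice, not a standard.

```python
"""Risk-based prioritization of de-duplicated scanner findings.

Added example, not from the article: a CVSS base score is combined with an
EPSS probability, CISA KEV membership and asset context from a CMDB-like
inventory. Every finding, EPSS value, KEV entry, asset record and weight
below is constructed sample data; the CVE IDs are placeholders.
"""

# Constructed asset inventory, standing in for CMDB / ITSM / cloud asset data.
ASSETS = {
    "web-01": {"internet_facing": True,  "env": "prod", "pci_scope": True,  "app_tier": "high"},
    "db-01":  {"internet_facing": False, "env": "prod", "pci_scope": True,  "app_tier": "high"},
    "dev-03": {"internet_facing": False, "env": "dev",  "pci_scope": False, "app_tier": "low"},
}

# Context applied when a scanned host is missing from the inventory: assume the
# worst plausible exposure rather than silently dropping the finding.
UNKNOWN_ASSET = {"internet_facing": True, "env": "prod", "pci_scope": False, "app_tier": "medium"}

# Constructed stand-ins for the EPSS feed and the KEV catalog.
EPSS = {"CVE-0000-0001": 0.92, "CVE-0000-0002": 0.04, "CVE-0000-0003": 0.31}
KEV = {"CVE-0000-0002"}

# Constructed output of two scanners; the first two rows are the same finding.
RAW_FINDINGS = [
    {"scanner": "scanner-a", "asset": "web-01",   "cve": "CVE-0000-0001", "cvss": 9.8},
    {"scanner": "scanner-b", "asset": "web-01",   "cve": "CVE-0000-0001", "cvss": 9.8},
    {"scanner": "scanner-a", "asset": "db-01",    "cve": "CVE-0000-0002", "cvss": 7.5},
    {"scanner": "scanner-a", "asset": "dev-03",   "cve": "CVE-0000-0001", "cvss": 9.8},
    {"scanner": "scanner-b", "asset": "web-01",   "cve": "CVE-0000-0003", "cvss": 5.3},
    {"scanner": "scanner-b", "asset": "ghost-09", "cve": "CVE-0000-0003", "cvss": 7.5},
]


def dedupe(findings):
    """Merge rows that describe the same (asset, CVE) pair, keeping every
    scanner that reported it and the highest CVSS seen."""
    merged = {}
    for f in findings:
        key = (f["asset"], f["cve"])
        entry = merged.setdefault(
            key, {"asset": f["asset"], "cve": f["cve"], "cvss": 0.0, "scanners": set()})
        entry["cvss"] = max(entry["cvss"], f["cvss"])
        entry["scanners"].add(f["scanner"])
    return list(merged.values())


def priority_score(cvss, epss, in_kev, asset):
    """Severity x likelihood x exposure x business impact (illustrative weights)."""
    severity = cvss / 10.0
    # Likelihood: a KEV entry is known-exploited, so it overrides EPSS; a floor
    # keeps low-EPSS findings on critical assets from collapsing to zero.
    likelihood = 1.0 if in_kev else max(epss, 0.05)
    exposure = 1.0
    if asset["internet_facing"]:
        exposure *= 1.5
    if asset["env"] != "prod":
        exposure *= 0.5
    impact = {"high": 1.5, "medium": 1.0, "low": 0.7}[asset["app_tier"]]
    if asset["pci_scope"]:
        impact *= 1.2
    return round(severity * likelihood * exposure * impact, 3)


def prioritize(findings, assets, epss, kev):
    """Return de-duplicated findings, highest priority first."""
    ranked = []
    for f in dedupe(findings):
        asset = assets.get(f["asset"])
        f["context_known"] = asset is not None
        asset = asset or UNKNOWN_ASSET
        f["score"] = priority_score(f["cvss"], epss.get(f["cve"], 0.0), f["cve"] in kev, asset)
        ranked.append(f)
    return sorted(ranked, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in prioritize(RAW_FINDINGS, ASSETS, EPSS, KEV):
        print(f"{f['score']:6.3f}  {f['asset']:<9}{f['cve']}  cvss={f['cvss']}  "
              f"scanners={sorted(f['scanners'])}  inventory={'yes' if f['context_known'] else 'NO'}")
```

Run as-is, the same CVSS 9.8 finding ranks first on the internet-facing PCI web server and last on the dev box, and the KEV-listed CVSS 7.5 on the database outranks a CVSS 5.3 on the web server. The host missing from the inventory is kept and flagged rather than dropped, which is the gap-filling the section describes.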

Orient Toward The Fix, Not The Issue

One limitation of models like EPSS is that they produce a number that is useful to the security team doing the assessment but is not, by itself, actionable for the development, operations, and infrastructure teams that have to fix things. A newer model provides a consistent, repeatable structure for translating priorities into terms, and an order of work, that make sense to those teams.

The Stakeholder-Specific Vulnerability Categorization (SSVC) model is intended to help organizations understand how to apply vulnerability risk to their environment and what the appropriate remediation decisions are based on that contextualized subjective risk.

SSVC’s expanded scope on how an organization structures and implements its remediation strategy holds promise for a systematic, consistent, and scalable risk resolution approach –  but is not without its operationalization challenges. As the name suggests, this transition is driven by interaction, collaboration, and transparency across stakeholders in tandem with more contextual decision criteria.

Reaching a decision value by working through the SSVC decision framework makes the action specific and can also inform who should be responsible for the next step.
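The decision walk described above, as an added Python example that is not code from the article and not the decision table published by CERT/CC: the decision points (Exploitation, Exposure, Automatable, Human Impact) and the four outcomes (Track, Track*, Attend, Act) are those of SSVC's deployer tree, but the branch-to-outcome policy and the owner/deadline routing are simplified and constructed for this example, and an organization should encode the table it has agreed with its own stakeholders instead.

```python
"""SSVC-style deployer decision with routing of the resulting action.

Added example, not from the article and not the CERT/CC published decision
table: the decision points and outcomes follow SSVC's deployer tree, but the
branch-to-outcome policy and the ROUTING table are simplified, constructed
for this example, and should be replaced by an organization's agreed table.
"""

EXPLOITATION = ("none", "poc", "active")
EXPOSURE = ("small", "controlled", "open")
AUTOMATABLE = ("no", "yes")
HUMAN_IMPACT = ("low", "medium", "high", "very high")
OUTCOMES = ("Track", "Track*", "Attend", "Act")


def _check(name, value, allowed):
    if value not in allowed:
        raise ValueError(f"{name} must be one of {allowed}, got {value!r}")


def ssvc_decide(exploitation, exposure, automatable, human_impact):
    """Walk a simplified deployer tree and return one of OUTCOMES.

    Exploitation answers "is anyone exploiting this?", Exposure answers "can
    they reach the affected component?", Automatable answers "can an attacker
    script the whole attack?", and Human Impact is the asset owner's
    assessment of safety and mission impact (the subjective, contextual
    input the article argues for)."""
    _check("exploitation", exploitation, EXPLOITATION)
    _check("exposure", exposure, EXPOSURE)
    _check("automatable", automatable, AUTOMATABLE)
    _check("human_impact", human_impact, HUMAN_IMPACT)
    severe = human_impact in ("high", "very high")

    if exploitation == "active":
        # In-the-wild exploitation: only a well-contained, low-impact
        # component gets away with scheduled attention instead of action.
        return "Act" if severe or exposure == "open" else "Attend"
    if exploitation == "poc":
        if exposure == "open" and automatable == "yes":
            return "Act" if severe else "Attend"
        if human_impact == "very high":
            return "Attend"
        if exposure == "open" or automatable == "yes":
            return "Track*"
        return "Track"
    # No known exploitation: watch, and watch closely when the stakes are high.
    return "Track*" if human_impact == "very high" and exposure == "open" else "Track"


# Constructed routing policy: who picks up the next step and by when.
ROUTING = {
    "Act":    {"owner": "asset owner + on-call", "deadline_days": 1,    "escalate": True},
    "Attend": {"owner": "asset owner",           "deadline_days": 7,    "escalate": False},
    "Track*": {"owner": "vulnerability mgmt",    "deadline_days": 30,   "escalate": False},
    "Track":  {"owner": "vulnerability mgmt",    "deadline_days": None, "escalate": False},
}


def route(finding):
    """Attach an SSVC decision and a routing record to a finding dict whose
    keys include the four decision points."""
    decision = ssvc_decide(finding["exploitation"], finding["exposure"],
                           finding["automatable"], finding["human_impact"])
    return {**finding, "decision": decision, **ROUTING[decision]}


if __name__ == "__main__":
    sample = [  # constructed findings, not real advisories
        {"id": "F-1", "exploitation": "active", "exposure": "open",
         "automatable": "yes", "human_impact": "high"},
        {"id": "F-2", "exploitation": "poc", "exposure": "controlled",
         "automatable": "yes", "human_impact": "low"},
        {"id": "F-3", "exploitation": "none", "exposure": "small",
         "automatable": "no", "human_impact": "medium"},
    ]
    for f in sample:
        r = route(f)
        print(f"{r['id']}: {r['decision']:<7} -> {r['owner']} within {r['deadline_days']} days")
```

The point of the structure is that the output is a verb and an owner, not a score: a fixer gets "Act, asset owner plus on-call, one day" rather than "EPSS 0.92", and the inputs that produced it are recorded, so a disagreement is about a named decision point rather than about a number.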

Codify Tribal Knowledge

As a direct result of digital transformation, the responsibility for fix implementation is distributed across multiple teams. Whereas in the past, security teams could rely on institutional knowledge or strategically placed nudges on who to assign remediation responsibilities, the landscape has significantly shifted. Ownership assignment – as a precursor to what Gartner describes as mobilization – can be frustrating and time-consuming.

Rather than rely on periodic meetings, security teams can start to be more proactive by building maps of how applications are built and delivered. One starting point can be enterprise directories, supplemented by activities like poring through logs and leveraging clues like code commits – which can be time-consuming without an automated tool.

By compiling a more structured view of the most likely owners, security teams can at least make the assignment less of a guessing game – especially if they have a mechanism to incorporate feedback from fixers to improve assignments.
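The ownership mapping described in this section, as an added Python example that is not code from the article or from any product: recent commits that touched a file or its directory vote for the author's team, recency is discounted with a half-life, and a reassignment confirmed by a fixer overrides the inference for that path from then on. The commit records, team directory, and feedback entries are constructed; reading a real `git log` and an HR or LDAP directory is assumed rather than shown.

```python
"""Inferring a likely remediation owner from commit history.

Added example, not from the article or any product: the commit records, the
team directory and the fixer feedback below are constructed. Real use would
read `git log --format='%ae|%at' --name-only` output and an HR or LDAP
directory; those integrations are assumed rather than shown.
"""
import posixpath
from collections import defaultdict

NOW = 1_700_000_000  # fixed "current time" so the example is deterministic
DAY = 86_400

# Constructed commits: (unix_time, author_email, changed_path)
COMMITS = [
    (NOW - 10 * DAY,  "alice@example.com",   "services/payments/api/handler.py"),
    (NOW - 300 * DAY, "bob@example.com",     "services/payments/api/handler.py"),
    (NOW - 5 * DAY,   "bob@example.com",     "services/payments/api/models.py"),
    (NOW - 1 * DAY,   "carol@example.com",   "services/billing/worker.py"),
    (NOW - 2 * DAY,   "mallory@example.com", "services/payments/api/legacy/auth.py"),
]

# Constructed enterprise directory: author -> team (mallory is deliberately absent).
DIRECTORY = {
    "alice@example.com": "payments-team",
    "bob@example.com": "platform-team",
    "carol@example.com": "billing-team",
}

# Constructed feedback from fixers: path prefixes whose tickets were reassigned.
FEEDBACK = {"services/payments/api/legacy/": "platform-team"}


def record_feedback(feedback, path, team):
    """A fixer said "not us, it's <team>": remember it for the whole directory."""
    feedback[posixpath.dirname(path) + "/"] = team


def candidate_owners(path, commits, directory, feedback, now=NOW, half_life_days=90):
    """Rank (team, score, basis) for who most likely owns `path`.

    A fixer-confirmed reassignment wins outright. Otherwise each commit that
    touched the file (closeness 1.0) or a sibling file in its directory (0.5)
    votes for its author's team, discounted by age with the given half-life,
    so one commit last year counts for less than a change last week.
    Authors missing from the directory are kept visible as "unmapped:" so
    the directory gap itself becomes a tracked follow-up."""
    for prefix, team in feedback.items():
        if path.startswith(prefix):
            return [(team, 1.0, "feedback")]
    scores = defaultdict(float)
    directory_of = posixpath.dirname(path)
    for ts, author, changed in commits:
        if changed == path:
            closeness = 1.0
        elif posixpath.dirname(changed) == directory_of:
            closeness = 0.5
        else:
            continue
        age_days = max(0.0, (now - ts) / DAY)
        recency = 0.5 ** (age_days / half_life_days)
        team = directory.get(author, f"unmapped:{author}")
        scores[team] += closeness * recency
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
    return [(team, round(score, 3), "commits") for team, score in ranked]


def assign(path, commits=COMMITS, directory=DIRECTORY, feedback=FEEDBACK):
    """Top candidate team, or "unassigned" when nothing in history touches the path."""
    ranked = candidate_owners(path, commits, directory, feedback)
    return ranked[0][0] if ranked else "unassigned"


if __name__ == "__main__":
    for p in ("services/payments/api/handler.py",
              "services/payments/api/legacy/auth.py",
              "docs/README.md"):
        print(p, "->", assign(p), candidate_owners(p, COMMITS, DIRECTORY, FEEDBACK))
```

The ranking is a suggestion with its evidence attached, which is what makes the feedback loop work: when the suggested team bounces a ticket, the correction is recorded against the path and the next finding in that directory goes straight to the right place.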

Report: Don’t Play The Blame Game

Accountability relies on visibility. While many VM tools provide integrations into ticketing systems, they don’t provide any visibility into what happens once the ticket is issued. Security teams can log in to each ticketing system to track the progress (or not) of a remediation task, which can be time-consuming.

Instead, security and operations should find mechanisms for bidirectional communication. This may only be feasible with some teams, but starting with one and working out a more collaborative process can help establish a more repeatable and scalable model with the right tools.

Solidifying reporting on a successful remediation path, instead of pointing fingers at where tickets go into limbo, can help support a more constructive process. 

Finally, to ensure buy-in from the business, reports should be crafted for specific audiences and recommend owners for different risks. Such a methodical and proactive approach, paired with clear ownership across the workforce, is what turns vulnerability management into something much closer to actual risk management.




Yoav Nathaniel
Yoav Nathaniel is a seasoned security expert and serial entrepreneur. Before co-founding Silk Security, the first platform for unified risk prioritization and resolution, he held pivotal roles at Goldman Sachs and Avanan, where he spearheaded cloud security strategies and pioneered threat research and customer success. He’s also an Advisory Board Member at Ramapo College of New Jersey, where he completed his Master's program in Data, Mathematics, and Computational Science. Before his corporate roles, Yoav founded New Century Websites and gained experience in consulting and executive production. He’s known for his expertise in threat research, customer success, and innovative security solutions.