Endpoint

8/15/2019
02:00 PM
Jim Souders
Commentary

The Flaw in Vulnerability Management: It's Time to Get Real

Companies will never be 100% immune to cyberattacks. But by having a realistic view of the basics, starting with endpoint vulnerabilities, we can build for a safer future.

Today, the risk of cyberattack is simply part of the cost of doing business. Companies spend millions of dollars every year on the most advanced software in an attempt at defense. But it's not enough.

The nature of attacks is persistently and rapidly changing, so preparing an adequate defense is like chasing smoke. Meanwhile, companies struggle to take care of their most vulnerable area, the endpoint. Routine software updates and maintaining current, compliant security configurations across all systems require significant resources and diligence, and security hygiene sometimes gets sacrificed on the long list of IT priorities with teams that are already stretched thin. As a result, companies can't take full advantage of many of the features in their security software.

Though these are very different problems, both lead us to the same acknowledgment: because of the ever-changing nature of attacks and the difficulty of maintaining all endpoints at all times, organizations remain at least somewhat exposed on any given day. Even small risks carry tremendous burdens that can prove devastating to the companies and users ultimately affected.

Vulnerability Management to the Rescue?
To help organizations shore up their endpoints, a number of vendors have created software to automatically detect system vulnerabilities. These offerings typically fall under the "vulnerability management" category and provide a necessary first step. Proactively scanning endpoints and pinpointing vulnerabilities for teams alleviates a lot of the resource drain associated with endpoint management. But this is only a step, not a complete solution.

According to recent research that tracked more than 316 million security incidents, it takes companies an average of 38 days to patch a vulnerability. More than a month to fix a problem after it has been identified! This is unacceptable given the potential impact and the amount of money pouring into security today. We must be able to fix vulnerabilities much, much faster if companies are going to have a shot at protecting data and intellectual property in the future.

Let's Get Real
It's time to be honest about what vulnerability management actually requires because it currently doesn't cover remediation in any meaningful sense. Opening a ticket doesn't count as resolving the vulnerability. That's passing the buck along for someone else to handle when they can get to it. Vulnerability management as it stands today should really be considered vulnerability assessment — finding but not solving problems or managing against threats.

So, why does this happen? Why is it so hard to fix an issue once it is identified? Primarily because departments within the enterprise remain relatively siloed. Security teams find issues, and then IT teams are asked to fix them. There is little collaboration between groups.

Aside from making an issue harder to fix because of the lack of coordination between teams, this creates dreaded lag time in rolling out a fix. For every minute the problem goes unaddressed, viruses and malware can penetrate further into an organization's infrastructure as hackers actively try to weaponize vulnerabilities. Just look at all of the issues WannaCry caused simply because it was able to keep moving before organizations remediated with a fix that had already been released.

Addressing the Future
It's time for vulnerability management to get an upgrade if companies want to effectively defend against malicious attacks over the long term. The solution is twofold. First, companies must rethink how teams are constructed so that security and IT groups can work together more efficiently. This is why the idea of SecOps is gaining traction. When these two groups — security and operations — collaborate, they can create and agree on at least some baseline remediations for their most common issues.

There also needs to be significant innovation coming from vulnerability management vendors to incorporate true remediation, whether this comes via their own advances or by strategic integrations with partners. Companies will require solutions that remediate vulnerabilities at scale; after all, fixes must be rapidly deployed enterprisewide or they are not true fixes. Modern remediation should take seconds to minutes, not days to weeks, and automation will be the key to making this level of efficiency possible.

Even with bold, aggressive innovation and a better organizational structure for vulnerability management, we may never be able to patch 100% of vulnerabilities within hours. But consider how much better off organizations would be if they could fix the majority of issues automatically, right as they occur. It would make a monumental difference in the costs and resources devoted to security, and IT and security teams would then be much better equipped to deal with the remaining issues in a timely manner.

It is unrealistic to believe that companies ever will be fully immune to a cyberattack. But by getting real about where we are with the basics, starting with vulnerabilities at the endpoint, we can build for a future that minimizes entry points for attacks and remedies issues as soon as they occur in order to mitigate damage. It's time to embrace the challenge and take the next step forward in vulnerability management.

Jim Souders is CEO of Adaptiva. A global business executive with more than 20 years' experience, Jim excels at leading teams in creating differentiated software solutions, penetrating markets, achieving revenue goals, and P/L management. Prior to Adaptiva, Jim led high-growth ...
Comments
JimS980, User Rank: Author
8/16/2019 | 1:20:40 PM
Re: The real problems facing vulnerability management are...
Automation always has its limits and challenges. Working across and breaking down the organizational silos is certainly a big part of the challenge. But failure to develop the conditional logic and overcome the language barriers between organizations is not a good enough excuse for not moving forward. Certainly the degree of auto remediation is limited to those vulnerabilities that you can ascertain with certainty and resolve effectively. We recently implemented at a large retailer and we were able to resolve almost 80% of the predefined health checks and vulnerabilities automatically. The remainder required some human intervention. This translated to a significant SLA improvement and huge savings in time and money. Will they ever get to 100%? Unlikely. Whether they can maintain 80% is hard to say, but they have already benefited and arguably will continue to do so to varying and justifiable degrees going forward.
seven_stones, User Rank: Apprentice
8/16/2019 | 11:14:47 AM
The real problems facing vulnerability management are...
This article centres mostly around faster remediation and advocates automating this (patch deployment), and cites this as the main problem facing TVM capabilities. Automatic remediation is an extraordinarily bad idea, almost as bad as mayo on chips (french fries). This is basic IT operations 101. It's. A. Terrible. Idea.

No - the 2 main problems:
  • Staff in infosec are unable to speak the same language as IT teams who will address the problem and sign-off on the change request. Mostly they lack an attack mindset. They're not in a position to empathise and effectively justify the change.
  • Let's say the aforementioned problem is not a problem; even then, the tools used for automation of vulnerability assessment are BAD. I mean really bad. The market is so poorly served by vendors who managed somehow to get their name in the Gartner Magic Quadrant.