Dark Reading | Endpoint | Commentary
8/15/2019 02:00 PM
Jim Souders
The Flaw in Vulnerability Management: It's Time to Get Real

Companies will never be 100% immune to cyberattacks. But by having a realistic view of the basics, starting with endpoint vulnerabilities, we can build for a safer future.

Today, the risk of cyberattack is simply part of the cost of doing business. Companies spend millions of dollars every year on the most advanced software in an attempt at defense. But it's not enough.

The nature of attacks is persistently and rapidly changing, so preparing an adequate defense is like chasing smoke. Meanwhile, companies struggle to take care of their most vulnerable area, the endpoint. Routine software updates and maintaining current, compliant security configurations across all systems require significant resources and diligence, and security hygiene sometimes gets sacrificed on the long list of IT priorities with teams that are already stretched thin. As a result, companies can't take full advantage of many of the features in their security software.

Though these are very different problems, both lead us to acknowledge that because of the ever-changing nature of attacks and the difficulty of maintaining all endpoints at all times, organizations remain at least somewhat exposed on any given day. Even small risks carry tremendous burdens that can prove devastating to the companies and users that are ultimately affected.

Vulnerability Management to the Rescue?
To help organizations shore up their endpoints, a number of vendors have created software to automatically detect system vulnerabilities. These offerings typically fall under the "vulnerability management" category and provide a necessary first step. Proactively scanning endpoints and pinpointing vulnerabilities for teams alleviates a lot of the resource drain associated with endpoint management. But this is only a step, not a complete solution.

According to recent research that tracked more than 316 million security incidents, it takes companies an average of 38 days to patch a vulnerability. More than a month to fix a problem after it has been identified! This is unacceptable given the potential impact and the amount of money pouring into security today. We must be able to fix vulnerabilities much, much faster if companies are going to have a shot at protecting data and intellectual property in the future.

Let's Get Real
It's time to be honest about what vulnerability management actually requires because it currently doesn't cover remediation in any meaningful sense. Opening a ticket doesn't count as resolving the vulnerability. That's passing the buck along for someone else to handle when they can get to it. Vulnerability management as it stands today should really be considered vulnerability assessment — finding but not solving problems or managing against threats.

So, why does this happen? Why is it so hard to fix an issue once it is identified? Primarily because departments within the enterprise remain relatively siloed. Security teams find issues, and then IT teams are asked to fix them. There is little collaboration between groups.

Aside from making it more difficult to fix an issue because of the lack of coordination between teams, this creates dreaded lag time in rolling out a fix. For every minute the problem is not addressed, viruses and malware can penetrate further into an organization's infrastructure as hackers actively try to weaponize vulnerabilities. Just look at all of the issues WannaCry caused simply because it was able to keep moving before organizations applied the patch that had already been released.

Addressing the Future
It's time for vulnerability management to get an upgrade if companies want to effectively defend against malicious attacks over the long term. The solution is twofold. First, companies must rethink how teams are constructed so that security and IT groups can work together more efficiently. This is why the idea of SecOps is gaining traction. When these two groups — security and operations — collaborate, they can create and agree on at least some baseline remediations for their most common issues.

There also needs to be significant innovation coming from vulnerability management vendors to incorporate true remediation, whether this comes via their own advances or by strategic integrations with partners. Companies will require solutions that remediate vulnerabilities at scale; after all, fixes must be rapidly deployed enterprise-wide or they are not true fixes. Modern remediation should take seconds to minutes, not days to weeks, and automation will be the key to making this level of efficiency possible.

Even with bold, aggressive innovation and the right organizational structure behind vulnerability management, we may never be able to patch 100% of vulnerabilities within hours. But consider how much better off organizations would be if they could fix the majority of issues automatically, right as they occur. It would make a monumental difference in terms of the costs and resources devoted to security. IT and security teams would then be much better equipped to deal with the remaining issues in a timely manner.
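To make the difference between "assessment" and "remediation" measurable, here is an added Python example (not code from the article, from Adaptiva, or from the research cited above). It tracks each finding from detection through ticketing to a verified fix, counts a finding as resolved only when a rescan confirms the fix, and reports mean time to remediate, SLA breaches and the share of fixes applied automatically, next to the misleading "a ticket exists" count. The hosts, check ids, timestamps and the 30-day SLA are constructed sample values.

```python
"""Remediation tracker (added example): a finding counts as resolved only when
a rescan has verified the fix, never when a ticket has merely been opened.
All hosts, check ids and timestamps below are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Optional


@dataclass
class Finding:
    finding_id: str
    host: str
    check_id: str                              # scanner check / health check that fired
    detected_at: datetime                      # when the scan first reported it
    ticket_opened_at: Optional[datetime] = None
    fix_applied_at: Optional[datetime] = None
    verified_at: Optional[datetime] = None     # rescan confirmed the fix
    automated: bool = False                    # fix applied by a predefined playbook


def is_resolved(f: Finding) -> bool:
    """Resolved means verified by a rescan; a ticket alone changes nothing."""
    return f.verified_at is not None


def days_to_remediate(f: Finding) -> Optional[float]:
    """Detection-to-verification time in days, or None while still open."""
    if not is_resolved(f):
        return None
    return (f.verified_at - f.detected_at) / timedelta(days=1)


def mean_time_to_remediate(findings: List[Finding]) -> Optional[float]:
    """Mean days from detection to verified fix, over resolved findings only."""
    durations = [d for d in map(days_to_remediate, findings) if d is not None]
    return mean(durations) if durations else None


def sla_breaches(findings: List[Finding], now: datetime, sla_days: int) -> List[str]:
    """Ids of findings still unresolved after sla_days, ticketed or not."""
    cutoff = now - timedelta(days=sla_days)
    return sorted(f.finding_id for f in findings
                  if not is_resolved(f) and f.detected_at <= cutoff)


def auto_remediation_rate(findings: List[Finding]) -> float:
    """Share of resolved findings fixed by a playbook rather than by a person."""
    resolved = [f for f in findings if is_resolved(f)]
    return sum(f.automated for f in resolved) / len(resolved) if resolved else 0.0


def handled_by_ticket_count(findings: List[Finding]) -> int:
    """The misleading metric the article warns about: ticket opened == 'handled'."""
    return sum(1 for f in findings if f.ticket_opened_at is not None or is_resolved(f))


def remediation_report(findings: List[Finding], now: datetime, sla_days: int) -> Dict[str, object]:
    """Side-by-side view of the ticket count and the verified-fix metrics."""
    return {
        "findings": len(findings),
        "handled_by_ticket": handled_by_ticket_count(findings),
        "verified_resolved": sum(is_resolved(f) for f in findings),
        "mean_days_to_remediate": mean_time_to_remediate(findings),
        "auto_remediation_rate": auto_remediation_rate(findings),
        "sla_breaches": sla_breaches(findings, now, sla_days),
    }


# Constructed sample data: two findings fixed by an automated playbook within
# minutes, one fixed by hand after a month, two still open (one with a ticket).
T0 = datetime(2019, 8, 1, 9, 0)
SAMPLE_FINDINGS = [
    Finding("F1", "ws-01", "missing-os-patch", T0,
            fix_applied_at=T0 + timedelta(minutes=5),
            verified_at=T0 + timedelta(minutes=10), automated=True),
    Finding("F2", "ws-02", "missing-os-patch", T0,
            fix_applied_at=T0 + timedelta(minutes=7),
            verified_at=T0 + timedelta(minutes=12), automated=True),
    Finding("F3", "srv-01", "smbv1-enabled", T0,
            ticket_opened_at=T0 + timedelta(days=1),
            fix_applied_at=T0 + timedelta(days=30),
            verified_at=T0 + timedelta(days=31)),
    Finding("F4", "srv-02", "weak-tls-config", T0,
            ticket_opened_at=T0 + timedelta(days=2)),
    Finding("F5", "ws-03", "legacy-agent", T0 + timedelta(days=20)),
]
NOW = T0 + timedelta(days=45)
SLA_DAYS = 30

if __name__ == "__main__":
    for key, value in remediation_report(SAMPLE_FINDINGS, NOW, SLA_DAYS).items():
        print(f"{key}: {value}")
```

On the sample data the ticket-based count says four of five findings are "handled", while only three are verified fixed and one ticketed finding (F4) has already breached the 30-day SLA. Feeding real scanner exports into the same functions makes that gap visible per team rather than leaving it buried in a ticket queue.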

It is unrealistic to believe that companies ever will be fully immune to a cyberattack. But by getting real about where we are with the basics, starting with vulnerabilities at the endpoint, we can build for a future that minimizes entry points for attacks and remedies issues as soon as they occur in order to mitigate damage. It's time to embrace the challenge and take the next step forward in vulnerability management.

Jim Souders is CEO of Adaptiva. A global business executive with more than 20 years' experience, Jim excels at leading teams in creating differentiated software solutions, penetrating markets, achieving revenue goals, and P/L management. Prior to Adaptiva, Jim led high-growth ...

Comments
JimS980, User Rank: Author
8/16/2019 | 1:20:40 PM
Re: The real problems facing vulnerability management are...
Automation always has its limits and challenges. Working across and breaking down the organizational silos is certainly a big part of the challenge. But failure to develop the conditional logic and overcome the language barriers between organizations is not a good enough excuse for not moving forward. Certainly the degree of auto remediation is limited to those vulnerabilities that you can ascertain with certainty and resolve effectively. We recently implemented at a large retailer and we were able to resolve almost 80% of the predefined health checks and vulnerabilities automatically. The remainder required some human intervention. This translated to a significant SLA improvement and huge savings in time and money. Whether they will ever get to 100% is unlikely, and whether they can maintain 80% is hard to say, but they have already benefited and arguably will continue to do so to varying and justifiable degrees going forward.