Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

12/27/2012
02:01 AM
50%
50%

Is Vulnerability Management Broken?

Some argue that it is time to rethink the vulnerability management hamster wheel

If the definition of insanity is doing the same thing over and over and expecting different results, then are today's IT security departments just a little nutty about vulnerability management? Some security experts think so, claiming that the vulnerability management process is flawed at most organizations today.

"It's what we call the security insanity cycle," says Anup Ghosh, founder and CEO of Invincea, "which is that cycle of scan your network, patch your vulnerabilities, detect the intrusions, and wash, rinse, and repeat. We keep doing it thinking that somehow this is going to get better, and it doesn't. Vulnerability management as a strategy isn't working -- that method is fundamentally flawed."

[How are CISOs preparing for 2013? See 7 Risk Management Priorities For 2013.]

When most organizations employ vulnerability scanners, the problem is that the scanning itself doesn't necessarily help manage the problem, says Brian Laing, director of U.S. marketing and products for AhnLab, and a long-time figure in the vulnerability management world during stints at ISS and Red Seal Networks. Today's vulnerability numbers are so huge that they make it difficult to relate the knowledge of these problems with actionable work that mitigates the risk around them, he says.

"I've been trying to get that industry to change to a patch view for years," Laing says. "Don't tell me I have 5 million vulnerabilities. Tell me I have to install 1,000 patches. That I can budget for."

But even with a perfect patching and change management routine in place, organizations with enough intellectual property or financial plumbing in place to entice motivated attackers are proving soft targets for targeted attacks.

"If they're targeting you with a piece of malware, they're going to be taking a very structured approach. They're going to come at you with a vulnerability that's not known," Laing says.

One of the application ecosystems that plays out the insanity cycle Ghosh laments is that of Java, which has suffered a seemingly constant volley of zero-day announcements that enterprises can't keep up with on the patch side or through pre-emptive uninstalls.

"You cannot uninstall Java because of the number of enterprise apps that use it," he says. "Then it's why not just patch Java? Well, that's what everyone's trying to do, but every week there's a new exploit for the latest version of Java. You can't stay on top of it."

The way things are trending should be enough to turn security philosophy on its head, he says. The problem is deciding where to turn.

"A lot of people are saying, 'Hey, stop focusing on vulnerabilities because you'll never get your arms all the way around it. Instead, focus on the threats.' Unfortunately, that's where the dialogue stops," says Ghosh, who believes that the threat-centric approach will require architectural creativity.

His firm relies on the containerized approach of application sandboxing, which relies on the same type of internal barriers and chamber doors within the client that make network segmentation such a good idea on the network side.

"So you click on a link and that link happens to infect that application; they're constrained in a container so they can't move outside of that environment to infect the rest of the host and then the network," he says. "That's a different approach to trying to patch everything -- taking an architectural approach to the problem."

Of course, some security experts warn that sandboxing shouldn't be seen as a panacea for the vulnerability management churn. That's because as hackers start tinkering and finding weaknesses in the way the user can "escape" that virtualized container, those barriers could start to vanish.

"Bottom line: The market success of any sandboxing effort will always revolve around how permissions to escape the sandbox are managed," says David Hess, founder of Data Bakery.

That is why Laing still believes a sane patch management cycle does make sense, in concert with a better examination of the threat behavior itself. Behavioral analysis is hardly a new idea, but the methods have room to further evolve. He believes that it might be helpful for security vendors to start thinking of malware a bit like illegal substances. As he explains, when the government first banned certain drugs, like marijuana, it banned a specific chemical compound. But in the case of acid, which could vary wildly in chemical makeup, the ban was on a class of substances that achieved a certain mental state.

"You don't know what it is you're going to look for, so you have to look for the state that it puts the system in rather than just whether it's a specific set of malware," he says. "Look at what it is doing overall. Did it open up the registry? Well, that by itself isn't so bad. Did it write to the registry? That by itself isn't necessarily bad either. Did it write to the run-once registry key? That's bad. String together not just the one behavior, but look at multiple behaviors together."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
SSERGIO123
50%
50%
SSERGIO123,
User Rank: Apprentice
12/27/2012 | 4:22:50 PM
re: Is Vulnerability Management Broken?
Some tricks I-ve used in the past:

1) Remove browsers from servers.
2) Check browser security constantly with browser scanning services like Browsercheck.
3) Focus on vulnerabilities that have services active in ports. If an application is vulnerable, but is not talking with the outside world, it is a little less vulnerable.
Commentary
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
Edge-DRsplash-10-edge-articles
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
News
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-32823
PUBLISHED: 2021-06-24
In the bindata RubyGem before version 2.4.10 there is a potential denial-of-service vulnerability. In affected versions it is very slow for certain classes in BinData to be created. For example BinData::Bit100000, BinData::Bit100001, BinData::Bit100002, BinData::Bit<N>. In combination with &lt...
CVE-2021-35041
PUBLISHED: 2021-06-24
The blockchain node in FISCO-BCOS V2.7.2 may have a bug when dealing with unformatted packet and lead to a crash. A malicious node can send a packet continuously. The packet is in an incorrect format and cannot be decoded by the node correctly. As a result, the node may consume the memory sustainabl...
CVE-2021-2322
PUBLISHED: 2021-06-23
Vulnerability in OpenGrok (component: Web App). Versions that are affected are 1.6.7 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise OpenGrok. Successful attacks of this vulnerability can result in takeover of OpenGrok. CVSS 3.1 ...
CVE-2021-20019
PUBLISHED: 2021-06-23
A vulnerability in SonicOS where the HTTP server response leaks partial memory by sending a crafted HTTP request, this can potentially lead to an internal sensitive data disclosure vulnerability.
CVE-2021-21809
PUBLISHED: 2021-06-23
A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10. A specially crafted series of HTTP requests can lead to command execution. An attacker must have administrator privileges to exploit this vulnerabilities.