Vulnerabilities / Threats

12/24/2020 10:00 AM
Tal Morgenstern
Commentary
Quarterbacking Vulnerability Remediation

It's time that security got out of the armchair and out on the field.

Traditional vulnerability remediation occurs in silos — the security team detects vulnerabilities, prioritizes which ones need to get fixed first, and punts the list over the cubicle wall for the IT operations team to handle.

But that approach is no longer tenable. The rate and pace at which vulnerabilities occur requires the strategic alignment of IT functions across the enterprise. Since the security team "owns" vulnerability management, it should be accountable for creating and maintaining that alignment. Rather than approaching vulnerability remediation as a game of "hot potato," they must play a much longer game and drive the process. Security teams need to assume the role of a quarterback — one who's gunning for a touchdown.

Be the Quarterback
Vulnerability management is no one's favorite job, but it's essential to reaching the enterprise's long-term security goals. Infrastructure is assaulted daily both by complex vulnerabilities that take months to fix — like Boothole and Zerologon — and by thousands of seemingly mundane vulnerabilities that, given where and how they show up in the environment, can introduce as much risk as a critical vulnerability with a CVSS score of 10. Leadership is key to motivating stakeholders to adopt a remediate-or-bust mindset.

Gartner estimates that by the end of 2020, 99% of exploited vulnerabilities will be ones security professionals already knew about at the time of compromise; Ponemon found unpatched systems were the root cause of 60% of data breaches in 2019. With a deluge of new vulnerabilities reported each year and dramatic shifts in enterprise IT, such as the abrupt, COVID-related move to remote work, a concerted effort to remediate vulnerabilities is one of the most effective actions a company can take to reduce the chance of a breach. But vulnerability management isn't a well-oiled machine. Acting as team lead or project manager, the security team must oversee the entire remediation process, even when the ball's not in its hands.

Whether a vulnerability is simple or complex, it's often complicated by the internal politics playing out across IT operations, DevOps, security, and other distinct IT functions. The only way to scale remediation processes is for security to quarterback remediation plays and see the process through. Detection and prioritization are worth very little if remediation occurs at too slow a pace to neutralize the threats posed to the enterprise by vulnerabilities. Long-standing silos won't go away overnight, and IT teams won't reorganize around vulnerability remediation. But they don't need to if security ensures the various stakeholders involved in a given remediation campaign are doing their part.

Choose the Play
As the quarterback, security teams identify the nature of the vulnerability, the business assets most at risk, the potential impact on the enterprise, and the patch, configuration change, or workaround that will resolve it. Armed with this knowledge, they pull in the right players from other IT functions, align on the necessary fix, and coordinate the remediation campaign efficiently and effectively. When security and IT teams align on a remediation strategy, the shared context and agreement on execution provide the foundation needed to remediate vulnerabilities at scale. Even if the fix goes wrong, problems get resolved faster when the lines of communication are open.
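The two ideas above, that a "mundane" finding on an exposed, business-critical asset can carry as much risk as a CVSS 10 on an isolated box, and that the quarterback turns the ranked list into plays owned by specific teams, can be made concrete in a few dozen lines. What follows is an added example written for this page, not code from the article or from any product it mentions; the weights, the finding identifiers, the asset names and the team names are all constructed assumptions.

```python
"""Contextual vulnerability prioritization and play assignment (constructed example).

Ranks findings by CVSS adjusted for where the asset sits (exposure), how
much the business depends on it (criticality) and whether an exploit is
known to circulate, then groups the ranked list into one remediation play
per owning team. All weights are illustrative assumptions, not a standard.
"""
from dataclasses import dataclass

# Assumed multipliers: an isolated test box carries far less of its CVSS than
# an internet-facing crown-jewel system does.
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.6, "isolated": 0.3}
CRITICALITY_WEIGHT = {"crown-jewel": 1.0, "production": 0.8, "test": 0.3}
KNOWN_EXPLOIT_BUMP = 2.0  # assumed additive bump, capped at 10.0


@dataclass(frozen=True)
class Finding:
    finding_id: str      # placeholder id such as "FND-001"
    asset: str           # constructed hostname
    cvss: float          # CVSS base score, 0.0-10.0
    exposure: str        # key of EXPOSURE_WEIGHT
    criticality: str     # key of CRITICALITY_WEIGHT
    exploit_known: bool  # public exploit or active exploitation reported
    fix_owner: str       # team that has to apply the fix
    fix: str             # patch, configuration change or workaround


def contextual_risk(f: Finding) -> float:
    """Scale the CVSS score by exposure and criticality, then bump for known exploits."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"CVSS out of range: {f.cvss}")
    score = f.cvss * EXPOSURE_WEIGHT[f.exposure] * CRITICALITY_WEIGHT[f.criticality]
    if f.exploit_known:
        score = min(10.0, score + KNOWN_EXPLOIT_BUMP)
    return round(score, 2)


def prioritize(findings):
    """Highest contextual risk first; ties broken by id so the order is stable."""
    return sorted(findings, key=lambda f: (-contextual_risk(f), f.finding_id))


def remediation_plays(findings):
    """One ordered work list per fix owner, derived from the global priority order."""
    plays = {}
    for f in prioritize(findings):
        plays.setdefault(f.fix_owner, []).append(f.finding_id)
    return plays


# Constructed sample findings. FND-001 is the CVSS 10 on an isolated test box;
# FND-002 is the "mundane" medium on an internet-facing crown-jewel app.
SAMPLE_FINDINGS = [
    Finding("FND-001", "lab-test-07", 10.0, "isolated", "test", False, "devops", "OS patch"),
    Finding("FND-002", "shop-web-01", 6.5, "internet", "crown-jewel", True, "web-dev", "framework upgrade"),
    Finding("FND-003", "hr-db-02", 7.5, "internal", "production", False, "it-ops", "vendor patch"),
    Finding("FND-004", "vpn-gw-01", 9.8, "internet", "production", True, "it-ops", "firmware update"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.finding_id} {f.asset:<12} cvss={f.cvss:<4} risk={contextual_risk(f):<5} -> {f.fix_owner}: {f.fix}")
    print(remediation_plays(SAMPLE_FINDINGS))
```

Run as a script, it ranks the exposed VPN gateway and the internet-facing shop first and pushes the CVSS 10 on the isolated lab host to the bottom, then hands each team its own ordered list. The weights are the part a real program would replace with the organisation's asset inventory and exposure data; the structure (score in context, rank globally, assign per owner) is the quarterbacking described in the text.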

Fixing complex vulnerabilities often requires multiple coordinated elements. The Boothole vulnerability is an excellent example of this: Boothole's sheer pervasiveness makes it incredibly difficult to patch in enterprise settings. It's a cross-platform vulnerability that requires both hardware and software fixes — including firmware and OS updates — that must be performed in precise order. Security, DevOps, and IT teams must work together to minimize its business impact and avoid compromise. As the quarterback, the security team needs to think and act like a team captain: What's the best approach? Should you monitor network traffic? Write a PowerShell detection script? Are Linux systems also affected? Who can help and how? Most importantly, how do we keep everyone on point?

Because every vulnerability is unique, it's critical to build a team around the infrastructure stack affected by the vulnerability — this may include third-party vendors, app developers, Web developers, network engineers, the IT operations team, and more. Rather than defending the field against emergency breaches, security practitioners can assemble cross-functional teams that drive ongoing remediation efforts toward the ultimate goalpost: reducing risk across the enterprise.

But there are very few quarterbacks who can execute that game-winning drive without help from above; they receive assistance from an offensive coordinator who can see the entire field of play from a vantage point outside of the fray. This is critical to the quarterback's success. Likewise, a vulnerability remediation coordinator, such as a CISO who requires visibility into the entire remediation process, can oversee the remediation campaign from scan to fix. A good coordinator will see many aspects of the campaign that are outside the quarterback's purview.

Move the Ball Down the Field
Just as a quarterback doesn't leave the field when the ball leaves his hand, security sees the remediation play through to completion. As they become more experienced and comfortable executing remediation plays, they'll learn how to make the best use of their players to move the ball down the field faster, improving how the team executes each remediation play.

Because that's what the best quarterbacks do.

Tal Morgenstern brings almost 20 years of experience in cybersecurity products development and design to Vulcan Cyber – experience he gained in the Israeli army, building cutting-edge Elbit systems, Israel's largest defense contractor, and during his tenure in various ...