Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10:00 AM
Tal Morgenstern
Tal Morgenstern
Connect Directly
E-Mail vvv

Quarterbacking Vulnerability Remediation

It's time that security got out of the armchair and out on the field.

Traditional vulnerability remediation occurs in silos — the security team detects vulnerabilities, prioritizes which ones need to get fixed first, and punts the list over the cubicle wall for the IT operations team to handle.

But that approach is no longer tenable. The rate and pace at which vulnerabilities occur requires the strategic alignment of IT functions across the enterprise. Since the security team "owns" vulnerability management, it should be accountable for creating and maintaining that alignment. Rather than approaching vulnerability remediation as a game of "hot potato," they must play a much longer game and drive the process. Security teams need to assume the role of a quarterback — one who's gunning for a touchdown.

Related Content:

Failing Toward Zero: Why Your Security Needs to Fail to Get Better

The Changing Face of Threat Intelligence

Loyal Employee ... or Cybercriminal Accomplice?

Be the Quarterback
Vulnerability management is no one's favorite job, but it's essential in reaching long-term security goals for the enterprise. Infrastructure is assaulted daily by both complex vulnerabilities that take months to fix — like Boothole and Zerologon — as well as thousands of seemingly mundane vulnerabilities that, in the context of where and how they pop up in the environment, can introduce the same amount of risk as a critical vulnerability with a CVSS of 10. Leadership is key in motivating stakeholders to adopt a remediate-or-bust mindset.

Gartner estimates that security professionals will be aware of 99% of vulnerabilities exploited by the end of 2020 at the time of compromise; Ponemon found unpatched systems were the root cause of 60% of data breaches in 2019. With a deluge of new vulnerabilities being reported each year and dramatic shifts in enterprise IT, such as the abrupt, COVID-related shift to remote work — a concerted effort to remediate vulnerabilities is one of the most effective actions a company can take to reduce the chance of a breach. But vulnerability management isn't a well-oiled machine. As the team lead or project manager, the security team must oversee the entire remediation process, even when the ball's not in their hands.

Whether a vulnerability is simple or complex, it's often complicated by the internal politics playing out across IT operations, DevOps, security, and other distinct IT functions. The only way to scale remediation processes is for security to quarterback remediation plays and see the process through. Detection and prioritization are worth very little if remediation occurs at too slow a pace to neutralize the threats posed to the enterprise by vulnerabilities. Long-standing silos won't go away overnight, and IT teams won't reorganize around vulnerability remediation. But they don't need to if security ensures the various stakeholders involved in a given remediation campaign are doing their part.

Choose the Play
As the quarterback, security teams identify the nature of the vulnerability, the business assets most at risk, the potential impact on the enterprise, and the patch, configuration change, or workaround that will resolve the breach. Armed with this knowledge, they pull in the right players from other IT functions, align on the necessary fix, and coordinate the remediation campaign, efficiently and effectively. When security and IT teams align on a remediation strategy, the shared context and agreement on execution provides the foundation needed to remediate vulnerabilities at scale. Even if the fix goes wrong, problems get resolved faster when the lines of communication are open. 

Fixing complex vulnerabilities often requires multiple coordinated elements. The Boothole vulnerability is an excellent example of this: Boothole's sheer pervasiveness makes it incredibly difficult to patch in enterprise settings. It's a cross-platform vulnerability that requires both hardware and software fixes — including firmware and OS updates — that must be performed in precise order. Security, DevOps, and IT teams must work together to minimize its business impact and avoid compromise. As the quarterback, the security team needs to think and act like a team captain: What's the best approach? Should you monitor network traffic? Write a PowerShell detection script? Are Linux systems also affected? Who can help and how? Most importantly, how do we keep everyone on point?

Because every vulnerability is unique, it's critical to build a team around the infrastructure stack affected by the vulnerability — this may include third-party vendors, app developers, Web developers, network engineers, the IT operations team, and more. Rather than defending the field against emergency breaches, security practitioners can assemble cross-functional teams that drive ongoing remediation efforts toward the ultimate goalpost: reducing risk across the enterprise.

But there are very few quarterbacks who can execute that game-winning drive without help from above; they receive assistance from an offensive coordinator who can see the entire field of play from a vantage point outside of the fray. This is critical to the quarterback's success. Likewise, a vulnerability remediation coordinator, such as a CISO who requires visibility into the entire remediation process, can oversee the remediation campaign from scan to fix. A good coordinator will see many aspects of the campaign that are outside the quarterback's purview.

Move the Ball Down the Field
Just as a quarterback doesn't leave the field when the ball leaves his hand, security sees the remediation play through to completion. As they become more experienced and comfortable executing remediation plays, they'll learn how to make the best use of their players to move the ball down the field faster, improving how the team executes each remediation play.

Because that's what the best quarterbacks do.

Tal Morgenstern brings almost 20 years of experience in cybersecurity products development and design to Vulcan Cyber – experience he gained in the Israeli army, building cutting-edge Elbit systems, Israel's largest defense contractor, and during his tenure in various ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-22
This affects all versions of package jquery-ui; all versions of package org.fujion.webjars:jquery-ui. When the "dialog" is injected into an HTML tag more than once, the browser and the application may crash.
PUBLISHED: 2021-01-22
Hyweb HyCMS-J1's API fail to filter POST request parameters. Remote attackers can inject SQL syntax and execute commands without privilege.
PUBLISHED: 2021-01-22
Hyweb HyCMS-J1 backend editing function does not filter special characters. Users after log-in can inject JavaScript syntax to perform a stored XSS (Stored Cross-site scripting) attack.
PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods.
PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that conta...