Dark Reading is part of the Informa Tech Division of Informa PLC

Tal Morgenstern
Quarterbacking Vulnerability Remediation

It's time that security got out of the armchair and out on the field.

Traditional vulnerability remediation occurs in silos — the security team detects vulnerabilities, prioritizes which ones need to get fixed first, and punts the list over the cubicle wall for the IT operations team to handle.

But that approach is no longer tenable. The rate and pace at which vulnerabilities occur requires the strategic alignment of IT functions across the enterprise. Since the security team "owns" vulnerability management, it should be accountable for creating and maintaining that alignment. Rather than approaching vulnerability remediation as a game of "hot potato," they must play a much longer game and drive the process. Security teams need to assume the role of a quarterback — one who's gunning for a touchdown.

Be the Quarterback
Vulnerability management is no one's favorite job, but it's essential to reaching the enterprise's long-term security goals. Infrastructure is assaulted daily both by complex vulnerabilities that take months to fix — like BootHole and Zerologon — and by thousands of seemingly mundane vulnerabilities that, given where and how they pop up in the environment, can introduce as much risk as a critical vulnerability with a CVSS score of 10. Leadership is key in motivating stakeholders to adopt a remediate-or-bust mindset.

Gartner estimates that, through the end of 2020, 99% of exploited vulnerabilities will already be known to security professionals at the time of compromise; Ponemon found unpatched systems were the root cause of 60% of data breaches in 2019. With a deluge of new vulnerabilities reported each year and dramatic shifts in enterprise IT, such as the abrupt, COVID-related move to remote work, a concerted effort to remediate vulnerabilities is one of the most effective actions a company can take to reduce the chance of a breach. But vulnerability management isn't a well-oiled machine. As the team lead or project manager, the security team must oversee the entire remediation process, even when the ball's not in its hands.

Whether a vulnerability is simple or complex, it's often complicated by the internal politics playing out across IT operations, DevOps, security, and other distinct IT functions. The only way to scale remediation processes is for security to quarterback remediation plays and see the process through. Detection and prioritization are worth very little if remediation occurs at too slow a pace to neutralize the threats posed to the enterprise by vulnerabilities. Long-standing silos won't go away overnight, and IT teams won't reorganize around vulnerability remediation. But they don't need to if security ensures the various stakeholders involved in a given remediation campaign are doing their part.

Choose the Play
As the quarterback, security teams identify the nature of the vulnerability, the business assets most at risk, the potential impact on the enterprise, and the patch, configuration change, or workaround that will resolve the vulnerability. Armed with this knowledge, they pull in the right players from other IT functions, align on the necessary fix, and coordinate the remediation campaign efficiently and effectively. When security and IT teams align on a remediation strategy, the shared context and agreement on execution provide the foundation needed to remediate vulnerabilities at scale. Even if the fix goes wrong, problems get resolved faster when the lines of communication are open.

Fixing complex vulnerabilities often requires multiple coordinated elements. The BootHole vulnerability is an excellent example of this: BootHole's sheer pervasiveness makes it incredibly difficult to patch in enterprise settings. It's a cross-platform vulnerability that requires both hardware and software fixes — including firmware and OS updates — that must be performed in a precise order. Security, DevOps, and IT teams must work together to minimize its business impact and avoid compromise. As the quarterback, the security team needs to think and act like a team captain: What's the best approach? Should you monitor network traffic? Write a PowerShell detection script? Are Linux systems also affected? Who can help, and how? Most importantly, how do we keep everyone on point?

Because every vulnerability is unique, it's critical to build a team around the infrastructure stack affected by the vulnerability — this may include third-party vendors, app developers, Web developers, network engineers, the IT operations team, and more. Rather than defending the field against emergency breaches, security practitioners can assemble cross-functional teams that drive ongoing remediation efforts toward the ultimate goalpost: reducing risk across the enterprise.

But very few quarterbacks can execute a game-winning drive without help from above; they receive assistance from an offensive coordinator who can see the entire field of play from a vantage point outside the fray. This is critical to the quarterback's success. Likewise, a vulnerability remediation coordinator, such as a CISO with visibility into the entire remediation process, can oversee the remediation campaign from scan to fix. A good coordinator will see many aspects of the campaign that are outside the quarterback's purview.
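The two ideas in this section, ranking findings by where they sit in the environment rather than by raw CVSS, and running a multi-team fix as an ordered play that a coordinator can watch from scan to close, are easy to show in code. The following is an added example written for this page; it is not code from the article, from Vulcan Cyber, or from any BootHole advisory. The exposure and criticality weights, the team names, the sample findings and the four-step firmware-then-OS play (including its ordering) are all constructed assumptions for illustration.

```python
"""Remediation-campaign model: contextual prioritization plus an ordered,
multi-team play sheet that tells the coordinator what is ready, blocked and late."""
from dataclasses import dataclass, field
from datetime import date

# Constructed weighting tables for this example; a real program would derive them
# from its own asset inventory and risk appetite.
EXPOSURE = {"internet": 1.0, "internal": 0.6, "isolated": 0.3}
CRITICALITY = {"crown-jewel": 1.0, "standard": 0.6, "lab": 0.2}
TODAY = date(2021, 3, 13)  # fixed "today" so the demo is reproducible


@dataclass
class Finding:
    vuln_id: str
    cvss: float
    asset: str
    exposure: str
    criticality: str

    def contextual_risk(self) -> float:
        """Base CVSS scaled by where the asset sits and what it is worth."""
        return round(self.cvss * EXPOSURE[self.exposure] * CRITICALITY[self.criticality], 2)


def prioritize(findings):
    """Order findings by contextual risk instead of raw CVSS."""
    return sorted(findings, key=lambda f: f.contextual_risk(), reverse=True)


@dataclass
class Step:
    name: str
    owner: str                      # team holding the ball for this step
    due: date
    depends_on: list = field(default_factory=list)
    done: bool = False


class Campaign:
    """One remediation play: ordered steps, each owned by a different IT function."""

    def __init__(self, vuln_id, steps):
        self.vuln_id = vuln_id
        self.steps = {s.name: s for s in steps}
        for s in steps:
            missing = [d for d in s.depends_on if d not in self.steps]
            if missing:
                raise ValueError(f"{s.name} depends on unknown step(s) {missing}")

    def complete(self, name):
        """Mark a step done, refusing to skip ahead of its prerequisites."""
        step = self.steps[name]
        pending = [d for d in step.depends_on if not self.steps[d].done]
        if pending:
            raise RuntimeError(f"{name} cannot run before {pending}")
        step.done = True

    def ready(self):
        return [s.name for s in self.steps.values()
                if not s.done and all(self.steps[d].done for d in s.depends_on)]

    def blocked(self):
        return [s.name for s in self.steps.values()
                if not s.done and not all(self.steps[d].done for d in s.depends_on)]

    def overdue(self, today):
        return [s.name for s in self.steps.values() if not s.done and s.due < today]

    def progress(self):
        done = sum(1 for s in self.steps.values() if s.done)
        return round(done / len(self.steps), 2)

    def status(self, today):
        """The coordinator's view: who is on the clock and what is slipping."""
        return {"vuln": self.vuln_id, "progress": self.progress(),
                "ready": self.ready(), "blocked": self.blocked(),
                "overdue": self.overdue(today),
                "owners_on_clock": sorted({self.steps[n].owner for n in self.ready()})}


def demo_findings():
    # Constructed sample findings: a CVSS 10 on an isolated lab box versus a
    # CVSS 7.5 on an internet-facing crown-jewel system.
    return [
        Finding("VULN-A", 10.0, "lab-build-box", "isolated", "lab"),
        Finding("VULN-B", 7.5, "customer-portal", "internet", "crown-jewel"),
        Finding("VULN-C", 5.3, "hr-fileserver", "internal", "standard"),
    ]


def demo_campaign():
    # Hypothetical four-step play for a firmware-plus-OS fix; the order is assumed.
    return Campaign("VULN-B", [
        Step("firmware update", "IT operations", date(2021, 3, 5)),
        Step("OS update", "IT operations", date(2021, 3, 12), depends_on=["firmware update"]),
        Step("validate on test fleet", "DevOps", date(2021, 3, 15), depends_on=["OS update"]),
        Step("rescan and close", "security", date(2021, 3, 19), depends_on=["validate on test fleet"]),
    ])


if __name__ == "__main__":
    for f in prioritize(demo_findings()):
        print(f.vuln_id, f.cvss, f.contextual_risk())
    c = demo_campaign()
    c.complete("firmware update")
    print(c.status(TODAY))
```

Run as a script, the prioritized list puts the CVSS 7.5 portal finding first and the CVSS 10 lab finding last, which is the point the section makes about context. The campaign status then shows the OS update as the only step that can proceed, the downstream DevOps and security steps as blocked behind it, and the OS update already past its due date, so the coordinator knows exactly which team is holding the ball and where the drive has stalled.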

Move the Ball Down the Field
Just as a quarterback doesn't leave the field when the ball leaves his hand, security sees the remediation play through to completion. As they become more experienced and comfortable executing remediation plays, they'll learn how to make the best use of their players to move the ball down the field faster, improving how the team executes each remediation play.

Because that's what the best quarterbacks do.

Tal Morgenstern brings almost 20 years of experience in cybersecurity products development and design to Vulcan Cyber – experience he gained in the Israeli army, building cutting-edge Elbit systems, Israel's largest defense contractor, and during his tenure in various ...
