Dark Reading, Commentary, 4/17/2019 10:30 AM
Tim Erlin
Selecting the Right Strategy to Reduce Vulnerability Risk

There's no one-size-fits-all strategy for eliminating vulnerability risk. Knowing how your organization operates is what makes the difference.

While vulnerability management has been around for years, it remains a top issue for organizations. And while new vulnerability management tools are deployed regularly, they haven't stopped attackers from exploiting vulnerabilities. The reality is that vulnerability management isn't a technology problem. It's a people and process problem.  

Deploying tools is easy, but implementing the right strategy for your organization is a significant challenge. Worse, implementing a vulnerability remediation strategy that clashes with your organizational culture will fail to be effective. Consider how these strategies might fare at your organization.

1. The Fire Brigade
Strategy: Incident response. Treat vulnerabilities as incidents and respond to them individually, remediating quickly under pressure.

Organizational Profile: Do you know someone who works better with a deadline? Some organizations are the same way. If you work where people only really respond to emergencies, then tie vulnerability management to a tight deadline.

Pros: Fixing the highest-risk vulnerabilities is better than doing nothing.

Cons: Lots of residual vulnerability risk.

  • This strategy is only going to hit the high-profile vulnerabilities, leaving lots of opportunity for attackers.
  • Doesn't address root cause. An incident response strategy is unlikely to affect the underlying causes of vulnerability proliferation within an organization.
  • Potential for staff burnout. People eventually get worn out responding to emergencies.

2. Building Blocks
Strategy: Asset-focused. Identify the highest-risk assets and fix them first, regardless of specific vulnerability conditions.

Organizational Profile: Do you have system owners who largely correspond to assets? Can you identify an owner for most of the "boxes" on your network? If your organization builds processes around assets, this strategy may be effective.

Pros: Iterative improvement. 

  • As you address the highest-risk assets, the average per-asset vulnerability risk drops, so each round's highest-risk asset carries less objective vulnerability risk than the last.
  • Positive feedback loop. System owners won't want to regularly patch vulnerabilities individually and will seek ways to reduce work by making wholesale changes, such as retiring assets more efficiently.
  • Aligned to the business. By prioritizing around assets with a business value, you are generally aligning risk reduction to the business.

Cons: Inefficient use of resources.

  • Addressing individual assets ignores opportunities for systemic improvement.

3. Vulcan Logic
Strategy: Vulnerability-focused. Prioritize the vulnerabilities, fix the highest priorities first. Rinse and repeat.

Organizational Profile: Do you have effective workflow systems in place already? Can you assign a task and follow it to completion easily? If your organization is a well-oiled machine, start feeding that machine vulnerabilities.

Pros: Seriously effective at reducing vulnerability risk.

  • If you can prioritize and fix vulnerabilities, you'll reduce risk.
  • Iterative improvement. Fixing highest-risk vulnerabilities first continuously reduces risk over time.

Cons: Only as good as the priorities. 

  • You can't fix everything at once. Pick the wrong priorities, and you leave risk hanging around to be exploited.
  • Potential whack-a-mole. You can hit high-risk vulnerabilities individually but miss opportunities to make systemic changes to reduce risk.
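To make the difference between the asset-focused and vulnerability-focused strategies concrete, here is an added example (not from the article or from Tripwire) that ranks one constructed set of scan findings both ways and computes a value-weighted residual-risk figure of the kind a tracking metric could be built on. The assets, business-value weights and CVSS scores are assumed sample values.

```python
"""Compare the asset-focused ("Building Blocks") and vulnerability-focused
("Vulcan Logic") remediation orderings on one constructed scan result set."""
from collections import defaultdict

# Constructed sample scan findings (not real data):
# (finding_id, asset, business_value 1-5, cvss_base_score)
FINDINGS = [
    ("f1", "web-01",  5, 9.8),
    ("f2", "web-01",  5, 5.3),
    ("f3", "web-01",  5, 4.0),
    ("f4", "db-01",   5, 7.5),
    ("f5", "db-01",   5, 7.2),
    ("f6", "kiosk-7", 1, 9.1),
    ("f7", "kiosk-7", 1, 8.8),
    ("f8", "kiosk-7", 1, 8.1),
]


def asset_risk(findings):
    """Aggregate risk per asset: sum of CVSS scores weighted by business value."""
    risk = defaultdict(float)
    for _fid, asset, value, cvss in findings:
        risk[asset] += value * cvss
    return dict(risk)


def building_blocks_order(findings):
    """Asset-focused: fix every finding on the riskiest asset before moving on."""
    risk = asset_risk(findings)
    by_asset = defaultdict(list)
    for f in findings:
        by_asset[f[1]].append(f)
    order = []
    for asset in sorted(risk, key=risk.get, reverse=True):
        # Within one asset, still take the worst finding first.
        worst_first = sorted(by_asset[asset], key=lambda f: f[3], reverse=True)
        order += [f[0] for f in worst_first]
    return order


def vulcan_logic_order(findings):
    """Vulnerability-focused: highest CVSS first, business value as the tie-break."""
    ranked = sorted(findings, key=lambda f: (f[3], f[2]), reverse=True)
    return [f[0] for f in ranked]


def residual_risk(findings, fixed_ids):
    """Tracking metric: value-weighted risk left after a set of findings is fixed."""
    return sum(v * c for fid, _a, v, c in findings if fid not in fixed_ids)
```

Fixing the first three findings of each ordering shows the trade-off the text describes: the asset-focused order clears the most valuable box entirely, while the CVSS-only order spends two of three fixes on a low-value kiosk.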

4. The Hive
Strategy: Central analysis, distributed work. Information security performs analysis of the vulnerability scanning results and provides very directed remediation instructions to the larger organization.

Organizational Profile: Does your organization rely on a clear "tone from the top"? Is information security a centralized group in a distributed organization? If your organization operates with a clear chain of command, then focus on building the most effective analysis to reduce risk.

Pros: Systematic reduction of vulnerability risk.

  • A well-executed centralized strategy can follow through on multiple steps without continuously explaining the plan to everyone.
  • Consistency of risk. If the whole organization executes, then decisions can be made organization-wide. This can produce a very responsive information security practice.

Cons: Lowest common denominator execution.

  • A centralized analysis may be less tuned to individual execution. The whole organization can only move as fast as its slowest parts.
  • Poor analysis, poor results. A misstep in analysis at the top affects all areas, leaving room for systemic problems.

5. Board of Directors
Strategy: Distributed analysis and work, centralized tracking. Identify metrics for tracking progress overall, then allow each group within the organization the freedom to reduce vulnerability risk as they see fit.

Organizational Profile: Do the groups across your organization require autonomy? Is your organization metrics-driven? If your organization likes independence and a results-oriented approach, then focus on the metrics to drive outcomes.

Pros: Business-focused.

  • Choosing metrics that matter to the business can drive risk reduction that matters.
  • With different groups executing differently, they can compete based on the metrics and drive improvement.

Cons: Bad metrics, bad results.

  • If you choose metrics that don't matter, you'll end up with groups doing busy work rather than reducing risk.
  • When groups compete, someone ends up at the bottom, which can create internal conflict.

6. Process Optimizer
Strategy: Reduce attack surface. Forget about vulnerabilities and focus on reducing the overall attack surface through aggressive implementation of least privilege and elimination of unnecessary services and systems. Measure the results with vulnerability risk metrics.

Organizational Profile: Does your organization fail to decommission systems effectively? Do people install whatever they want on their systems? If your organization's digital clutter is its own biggest threat, then cleaning house can eliminate serious vulnerability risk.

Pros: Dramatic vulnerability risk reduction.

  • Since vulnerabilities exist in applications, removing the applications you don't need eliminates every vulnerability they carry.
  • If you've removed an application from your environment, newly discovered vulnerabilities in that application won't affect you.
  • Focusing on configurations and reducing attack surface generally results in a better managed environment, which can drive cost-reduction, operational efficiency, and stability.

Cons: Limited duration of effectiveness and high-priority risk gap.

  • Once you've removed unnecessary applications and hardened configurations, you'll be left with the harder-to-address vulnerabilities in required systems.
  • If you're focused on eliminating attack surface, you might be ignoring serious vulnerabilities in critical systems.

There's no perfect strategy for eliminating vulnerability risk. While employing the right tools helps, knowing how your organization operates is what will make the difference between an expensive product and an effective program.


Tim Erlin is VP of Product Management & Strategy at Tripwire. He previously managed Tripwire's Vulnerability Management product line, including IP360 and PureCloud. Erlin's background as a sales engineer has provided a solid grounding in the realities of the market, allowing ...