
4/17/2019
10:30 AM
Tim Erlin
Commentary

Selecting the Right Strategy to Reduce Vulnerability Risk

There's no one-size-fits-all strategy for eliminating vulnerability risk. Knowing how your organization operates is what makes the difference.

While vulnerability management has been around for years, it remains a top issue for organizations. And while new vulnerability management tools are deployed regularly, they haven't stopped attackers from exploiting vulnerabilities. The reality is that vulnerability management isn't a technology problem. It's a people and process problem.

Deploying tools is easy, but implementing the right strategy for your organization is a significant challenge. Worse, implementing a vulnerability remediation strategy that clashes with your organizational culture will fail to be effective. Consider how these strategies might fare at your organization.

1. The Fire Brigade
Strategy: Incident response. Treat vulnerabilities as incidents and respond to them individually, remediating quickly under pressure.

Organizational Profile: Do you know someone who works better with a deadline? Some organizations are the same way. If you work where people only really respond to emergencies, then tie vulnerability management to a tight deadline.

Pros: Fixing the highest-risk vulnerabilities is better than doing nothing.

Cons: Lots of residual vulnerability risk.

  • This strategy is only going to hit the high-profile vulnerabilities, leaving lots of opportunity for attackers.
  • Doesn't address root cause. An incident response strategy is unlikely to affect the underlying causes of vulnerability proliferation within an organization.
  • Potential for staff burnout. People eventually get worn out responding to emergencies.

2. Building Blocks
Strategy: Asset-focused. Identify the highest-risk assets and fix them first, regardless of specific vulnerability conditions.

Organizational Profile: Do you have system owners who largely correspond to assets? Can you identify an owner for most of the "boxes" on your network? If your organization builds processes around assets, this strategy may be effective.

Pros: Iterative improvement.

  • As you address the highest-risk assets, the average asset vulnerability risk falls, and each round's highest-risk assets carry less objective vulnerability risk than the last.
  • Positive feedback loop. System owners won't want to regularly patch vulnerabilities individually and will seek ways to reduce work by making wholesale changes, such as retiring assets more efficiently.
  • Aligned to the business. By prioritizing around assets with a business value, you are generally aligning risk reduction to the business.

Cons: Inefficient use of resources.

  • Addressing individual assets ignores opportunities for systemic improvement.

3. Vulcan Logic
Strategy: Vulnerability-focused. Prioritize the vulnerabilities, fix the highest priorities first. Rinse and repeat.

Organizational Profile: Do you have effective workflow systems in place already? Can you assign a task and follow it to completion easily? If your organization is a well-oiled machine, start feeding that machine vulnerabilities.

Pros: Seriously effective at reducing vulnerability risk.

  • If you can prioritize and fix vulnerabilities, you'll reduce risk.
  • Iterative improvement. Fixing highest-risk vulnerabilities first continuously reduces risk over time.

Cons: Only as good as the priorities.

  • You can't fix everything at once. Pick the wrong priorities, and you leave risk hanging around to be exploited.
  • Potential whack-a-mole. You can hit high-risk vulnerabilities individually but miss opportunities to make systemic changes to reduce risk.
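The asset-focused ordering of "Building Blocks" and the vulnerability-focused ordering of "Vulcan Logic" can start in different places even when they read the same scan. The Python below is an added example, not code from the article or from Tripwire; the scan findings, host names, business-value weights and the score-times-value risk formula are all constructed assumptions. It ranks the same findings both ways, applies one remediation step under each strategy, and measures both with the same average-asset-risk metric.

```python
from collections import defaultdict

# Constructed sample scan output (assumption: not real scanner data).
# Each finding is one vulnerability on one host with a CVSS-style base score (0-10).
FINDINGS = [
    {"host": "web-01",   "vuln": "VULN-A", "score": 9.8},
    {"host": "web-01",   "vuln": "VULN-B", "score": 5.3},
    {"host": "db-01",    "vuln": "VULN-C", "score": 7.5},
    {"host": "db-01",    "vuln": "VULN-D", "score": 7.2},
    {"host": "db-01",    "vuln": "VULN-E", "score": 6.1},
    {"host": "kiosk-07", "vuln": "VULN-A", "score": 9.8},
    {"host": "kiosk-07", "vuln": "VULN-F", "score": 4.0},
]

# Business value of each asset on a 1-5 scale (assumption: supplied by system owners).
BUSINESS_VALUE = {"web-01": 5, "db-01": 5, "kiosk-07": 1}


def finding_risk(finding, business_value):
    """Risk of one finding: severity weighted by the value of the asset it sits on."""
    return finding["score"] * business_value.get(finding["host"], 1)


def rank_assets(findings, business_value):
    """Strategy 2 (Building Blocks): total risk per asset, highest first.
    The owner of the top asset clears everything on that box in one pass."""
    totals = defaultdict(float)
    for f in findings:
        totals[f["host"]] += finding_risk(f, business_value)
    return sorted(((h, round(r, 1)) for h, r in totals.items()),
                  key=lambda hr: hr[1], reverse=True)


def rank_vulnerabilities(findings, business_value):
    """Strategy 3 (Vulcan Logic): every finding ranked individually, highest first."""
    ranked = sorted(findings, key=lambda f: finding_risk(f, business_value), reverse=True)
    return [(f["host"], f["vuln"], round(finding_risk(f, business_value), 1)) for f in ranked]


def average_asset_risk(findings, business_value):
    """Progress metric: mean per-asset risk across the assets still carrying findings."""
    ranked = rank_assets(findings, business_value)
    return round(sum(r for _, r in ranked) / len(ranked), 1) if ranked else 0.0


def fix_asset(findings, host):
    """Asset-focused remediation: the owner of `host` clears all of its findings."""
    return [f for f in findings if f["host"] != host]


def fix_vulnerability(findings, vuln):
    """Vulnerability-focused remediation: patch one vulnerability everywhere it occurs."""
    return [f for f in findings if f["vuln"] != vuln]


if __name__ == "__main__":
    assets = rank_assets(FINDINGS, BUSINESS_VALUE)
    vulns = rank_vulnerabilities(FINDINGS, BUSINESS_VALUE)
    print("Asset ranking:        ", assets)
    print("Vulnerability ranking:", vulns[:3])
    # One remediation step under each strategy, measured with the same metric.
    after_asset = fix_asset(FINDINGS, assets[0][0])
    after_vuln = fix_vulnerability(FINDINGS, vulns[0][1])
    print("Baseline avg asset risk:", average_asset_risk(FINDINGS, BUSINESS_VALUE))
    print("After fixing top asset: ", average_asset_risk(after_asset, BUSINESS_VALUE))
    print("After patching top vuln:", average_asset_risk(after_vuln, BUSINESS_VALUE))
```

With this data the asset ranking puts db-01 first (three medium-high findings on a high-value box), while the vulnerability ranking puts VULN-A on web-01 first; patching VULN-A also clears it on the low-value kiosk, which the asset-first pass would have left for later. Swapping the weighting formula or the business values changes the orderings, which is the "only as good as the priorities" point made above.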

4. The Hive
Strategy: Central analysis, distributed work. Information security performs analysis of the vulnerability scanning results and provides very directed remediation instructions to the larger organization.

Organizational Profile: Does your organization rely on a clear "tone from the top"? Is information security a centralized group in a distributed organization? If your organization operates with a clear chain of command, then focus on building the most effective analysis to reduce risk.

Pros: Systematic reduction of vulnerability risk.

  • A well-executed centralized strategy can follow through on multiple steps without continuously explaining the plan to everyone.
  • Consistency of risk. If the whole organization executes, then decisions can be made organization-wide. This can produce a very responsive information security practice.

Cons: Lowest common denominator execution.

  • A centralized analysis may be less tuned to individual execution. The whole organization can only move as fast as its slowest parts.
  • Poor analysis, poor results. A misstep in analysis at the top affects all areas, leaving room for systemic problems.

5. Board of Directors
Strategy: Distributed analysis and work, centralized tracking. Identify metrics for tracking progress overall, then allow each group within the organization the freedom to reduce vulnerability risk as they see fit.

Organizational Profile: Do the groups across your organization require autonomy? Is your organization metrics-driven? If your organization likes independence and a results-oriented approach, then focus on the metrics to drive outcomes.

Pros: Business-focused.

  • Choosing metrics that matter to the business can drive risk reduction that matters.
  • With different groups executing differently, they can compete based on the metrics and drive improvement.

Cons: Bad metrics, bad results.

  • If you choose metrics that don't matter, you'll end up with groups doing busy work rather than reducing risk.
  • When groups compete, someone ends up at the bottom, which can create internal conflict.

6. Process Optimizer
Strategy: Reduce attack surface. Forget about vulnerabilities and focus on reducing the overall attack surface through aggressive implementation of least privilege and elimination of unnecessary services and systems. Measure the results with vulnerability risk metrics.

Organizational Profile: Does your organization fail to decommission systems effectively? Do people install whatever they want on their systems? If your organization's digital clutter is its own biggest threat, then cleaning house can eliminate serious vulnerability risk.

Pros: Dramatic vulnerability risk reduction.

  • Since vulnerabilities live in applications, removing unneeded applications removes their vulnerabilities wholesale.
  • If you've removed an application from your environment, newly discovered vulnerabilities in that application won't affect you.
  • Focusing on configurations and reducing attack surface generally results in a better managed environment, which can drive cost-reduction, operational efficiency, and stability.

Cons: Limited duration of effectiveness and high-priority risk gap.

  • Once you've removed unnecessary applications and hardened configurations, you'll be left with the harder-to-address vulnerabilities in required systems.
  • If you're focused on eliminating attack surface, you might be ignoring serious vulnerabilities in critical systems.
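Cleaning house can be driven from the same kind of data as the other strategies. The Python below is an added example, not code from the article or from Tripwire; the host inventory, the owners' list of required applications, the findings and the scores are constructed assumptions. It ranks unneeded applications by the risk their removal eliminates, applies the removals, and re-measures, which also exposes the residual risk in required software that the cons above describe, and shows that a newly published vulnerability in a removed application no longer reaches any host.

```python
from collections import defaultdict

# Constructed inventory: which applications are installed on which hosts, and which
# of those the system owners have actually declared a need for (assumption: both made up).
INSTALLED = {
    "web-01":   {"nginx", "python3", "ftpd"},
    "db-01":    {"postgres", "python3", "telnetd"},
    "kiosk-07": {"chromium", "ftpd", "telnetd", "vnc"},
}
REQUIRED = {
    "web-01":   {"nginx", "python3"},
    "db-01":    {"postgres"},
    "kiosk-07": {"chromium"},
}

# Constructed scan findings, each attributed to the application that carries it.
FINDINGS = [
    {"host": "web-01",   "app": "nginx",    "score": 7.5},
    {"host": "web-01",   "app": "ftpd",     "score": 9.8},
    {"host": "db-01",    "app": "postgres", "score": 8.1},
    {"host": "db-01",    "app": "telnetd",  "score": 9.8},
    {"host": "db-01",    "app": "python3",  "score": 5.5},
    {"host": "kiosk-07", "app": "vnc",      "score": 9.0},
    {"host": "kiosk-07", "app": "ftpd",     "score": 9.8},
]


def unnecessary_apps(installed, required):
    """Per host, the installed applications nobody has declared a need for."""
    return {h: apps - required.get(h, set()) for h, apps in installed.items()}


def total_risk(findings):
    """Vulnerability risk metric used to measure the clean-up: sum of finding scores."""
    return round(sum(f["score"] for f in findings), 1)


def cleanup_candidates(findings, installed, required):
    """Rank (host, app) removals by the risk they eliminate, highest first.
    Unneeded apps with no current findings are still listed: they are attack surface
    waiting for the next advisory. Ties are broken by name so the order is stable."""
    extra = unnecessary_apps(installed, required)
    gain = defaultdict(float)
    for h, apps in extra.items():
        for a in apps:
            gain[(h, a)] = 0.0
    for f in findings:
        if f["app"] in extra.get(f["host"], set()):
            gain[(f["host"], f["app"])] += f["score"]
    return sorted(((k, round(v, 1)) for k, v in gain.items()),
                  key=lambda kv: (-kv[1], kv[0]))


def decommission(findings, installed, removals):
    """Apply (host, app) removals: drop the app from that host's inventory and every
    finding that lived in that app on that host. Returns the new inventory and findings."""
    new_inv = {h: set(apps) for h, apps in installed.items()}
    for h, a in removals:
        new_inv.get(h, set()).discard(a)
    remaining = [f for f in findings if f["app"] in new_inv.get(f["host"], set())]
    return new_inv, remaining


def exposed_hosts(installed, app):
    """Hosts that a newly published vulnerability in `app` would affect."""
    return sorted(h for h, apps in installed.items() if app in apps)


if __name__ == "__main__":
    print("Clean-up candidates:", cleanup_candidates(FINDINGS, INSTALLED, REQUIRED))
    print("Risk before:", total_risk(FINDINGS))
    removals = [(h, a) for h, apps in unnecessary_apps(INSTALLED, REQUIRED).items() for a in apps]
    inv, remaining = decommission(FINDINGS, INSTALLED, removals)
    print("Risk after: ", total_risk(remaining))
    # What is left is the hard part: findings in software the business needs.
    print("Residual findings in required software:", remaining)
    print("Hosts hit by a future ftpd advisory, before/after:",
          exposed_hosts(INSTALLED, "ftpd"), exposed_hosts(inv, "ftpd"))
```

Note the telnetd entry on kiosk-07 ranks last with zero current risk but still appears: the scanner has nothing to say about it today, yet it is exactly the kind of surface a future advisory would land on. The two findings that survive the clean-up sit in nginx and postgres, the required systems that the "high-priority risk gap" con refers to, and they need one of the other strategies to address them.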

There's no perfect strategy for eliminating vulnerability risk. While employing the right tools helps, knowing how your organization operates is what will make the difference between an expensive product and an effective program.


Tim Erlin is VP of Product Management & Strategy at Tripwire. He previously managed Tripwire's Vulnerability Management product line, including IP360 and PureCloud. Erlin's background as a sales engineer has provided a solid grounding in the realities of the market, allowing ...