We've seen COVID-19 infection curves flatten when people are conscientious about recommended pandemic hygiene, such as social distancing and wearing a mask. As we start to re-emerge from quarantine, it serves as a powerful example of what can be accomplished if security and IT teams approach cyber hygiene with the same rigor and sense of urgency. Effective cyber hygiene requires a level of cross-team collaboration, which is rarely the norm. Here are three ways security teams can make effective improvements while creating the common ground needed to sustain them.
Seek to Understand and Empathize
Corporate IT teams remain surprisingly siloed, which makes basic but essential cyber hygiene functions such as vulnerability and patch management difficult to do well. Reducing vulnerability-related IT risk isn't possible without contributions from both security and IT operations teams. Teamwork is hard, and even simple cyber hygiene workflows are easily complicated, often by the division of labor across different teams.
Security teams are usually the ones that find vulnerabilities, while other IT teams (mainly IT operations and DevOps teams) are the ones that fix the issues. When those fixes don't work as planned, it can impede their ability to preserve the availability and reliability of infrastructure. The bottom line is that full-stack security isn't trivial and requires compromise and collaboration across all stakeholders.
As the pandemic has reminded us, the simple act of connecting with another human being can have a profound impact on the personal and professional resilience of all parties. Take the initiative to reach out to colleagues on other teams. Ask what a successful day looks like for them, about the tools they use and love, the processes that work well and don't work at all. With normal processes and interpersonal communications upended, now's the time for security teams to connect with their counterparts on other teams and (re)forge the connections that lead to productive partnerships.
Intelligent Vulnerability Remediation Goes Beyond Patch Management
According to Imperva, there were more than 20,000 new vulnerabilities reported in 2019. Unfortunately, handling the influx of all these new security threats remains a largely manual and error-prone process. And we all know patches can easily break more things than they fix. But patching is not the only remedy for security vulnerabilities. Configuration-based remediation options such as closing down firewall ports can be used to close security gaps quickly, even if only used as a temporary stopgap until a more robust solution can be implemented.
It's difficult for IT operations teams to source and compile the patches, workarounds, configuration changes, and compensating controls needed to remediate an avalanche of vulnerabilities every week. Using remediation repositories that store what can also be called remediation intelligence, the vulnerability management equivalent of threat intel, security teams can help to lighten their load. Instead of tossing a list of unprioritized vulnerabilities over the cubicle wall for the IT team to deal with, remediation intelligence enables security teams to take a more active and collaborative role in closing tickets.
From using Ansible playbooks or Chef recipes to patch a Linux server to preventing exploits by updating a firewall configuration, remediation intelligence enables security teams to help IT operations teams determine the best fix for their environment. Take this time to figure out how your security and IT teams can use remediation intelligence to streamline infrastructure security.
Re-Evaluate Remediation KPIs to Ensure Relevancy
Security operations teams often rely on industry-standard benchmarks to prioritize the execution of cyber hygiene workflows, but many of those metrics are outdated or have become dangerously misleading. For example, prioritizing remediation based solely on a vulnerability's Common Vulnerability Scoring System (CVSS) score is still a common but highly flawed practice. CVSS scores are essential for benchmarking the criticality of a vulnerability, but they do not measure how critical the threat is to the assets in a particular environment.
So, what metrics should be used to guide and prioritize the efficient work of vulnerability remediation? Here are a few of my favorites. While these are metrics used by security teams, strong cross-team support leads to greater control over these benchmarks.
- Coverage: Does the security team have sufficient vulnerability scanning in place for all business-critical systems and applications? Are there any blind spots? Coverage clarity across the full scope of risks, known and unknown, is necessary for comprehensive security.
- Vulnerability dwell time: The time between vulnerability disclosure and published exploit of the vulnerability in the wild has contracted substantially over the last couple of years, from weeks to days. The longer the vulnerability dwell time, or the time the vulnerability is persistent in the environment, the greater chance it will be exploited.
- SLA goals versus actual remediation results: By evaluating remediation results against goals outlined in service-level agreements with the business, you can gauge how well your team has met its stated operational and risk management goals, why or why not, and how to improve.
- A commonsense risk model: Just because an Oracle vulnerability has a CVSS score of 10 doesn't mean it matters to your organization if you don't run any Oracle. But if significant components of your infrastructure run on Oracle, you'd want these vulnerabilities to be flashing red on the remediation list.
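As an added example that is not part of the article, the following Python script computes the four KPIs above (coverage, dwell time, SLA compliance, and a footprint-aware risk model) over a constructed set of findings and a hypothetical asset inventory. The product names, SLA windows and the footprint-weighting formula are my assumptions, not anything the article prescribes.

```python
from collections import namedtuple
from datetime import date

# Constructed sample data, not from the article; product names are hypothetical.
ASSET_INVENTORY = {"oracle-db": 0, "apache-httpd": 120, "openssh": 300}  # product -> host count
SCANNED_PRODUCTS = {"apache-httpd"}  # what the vulnerability scanner actually covers
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}  # assumed remediation SLAs (days)

# disclosed = public disclosure date; remediated = fix date, or None while the finding is open
Finding = namedtuple("Finding", "vuln_id product cvss disclosed remediated")

def severity(cvss: float) -> str:  # CVSS base score -> qualitative band
    return "critical" if cvss >= 9 else "high" if cvss >= 7 else "medium" if cvss >= 4 else "low"

def coverage() -> float:
    # Coverage KPI: share of products we actually run that the scanner sees
    deployed = [p for p, hosts in ASSET_INVENTORY.items() if hosts > 0]
    return sum(p in SCANNED_PRODUCTS for p in deployed) / len(deployed)

def dwell_days(f: Finding, today: date) -> int:
    # Dwell-time KPI: days from disclosure until the fix, or until today if still open
    return ((f.remediated or today) - f.disclosed).days

def sla_met(f: Finding, today: date) -> bool:
    # SLA KPI: closed within (or still inside) the SLA window for its severity band
    return dwell_days(f, today) <= SLA_DAYS[severity(f.cvss)]

def contextual_priority(f: Finding) -> float:
    # Commonsense risk model: CVSS weighted by footprint; zero if we do not run the product
    hosts = ASSET_INVENTORY.get(f.product, 0)
    return 0.0 if hosts == 0 else round(f.cvss * (1 + hosts / sum(ASSET_INVENTORY.values())), 2)

def remediation_report(findings, today: date) -> dict:
    # Roll the KPIs up over the findings that actually apply to this environment
    applicable = sorted((f for f in findings if contextual_priority(f) > 0),
                        key=contextual_priority, reverse=True)
    return {"coverage": round(coverage(), 2),
            "sla_compliance": round(sum(sla_met(f, today) for f in applicable) / max(len(applicable), 1), 2),
            "ranked": [(f.vuln_id, contextual_priority(f), dwell_days(f, today), sla_met(f, today))
                       for f in applicable]}

FINDINGS = [  # constructed: a CVSS 10 on a product we do not run, plus two that do apply
    Finding("VULN-0001", "oracle-db", 10.0, date(2020, 4, 1), None),
    Finding("VULN-0002", "apache-httpd", 7.5, date(2020, 4, 1), date(2020, 4, 20)),
    Finding("VULN-0003", "openssh", 5.3, date(2020, 1, 15), None),
]
TODAY = date(2020, 5, 1)
if __name__ == "__main__":
    print(remediation_report(FINDINGS, TODAY))
```

Note that the CVSS 10 finding drops off the ranked list entirely because the inventory shows zero hosts for that product, while the open medium-severity finding surfaces as the SLA miss.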
As Rahm Emanuel (via Winston Churchill) famously said, "Never let a good crisis go to waste." Change at scale is never easy, but the pandemic has created a once-in-a-career opportunity to make material improvements to cyber hygiene practices.