Traditional vulnerability remediation occurs in silos — the security team detects vulnerabilities, prioritizes which ones need to get fixed first, and punts the list over the cubicle wall for the IT operations team to handle.
But that approach is no longer tenable. The rate at which new vulnerabilities appear requires the strategic alignment of IT functions across the enterprise. Since the security team "owns" vulnerability management, it should be accountable for creating and maintaining that alignment. Rather than approaching vulnerability remediation as a game of "hot potato," security must play a much longer game and drive the process. Security teams need to assume the role of a quarterback — one who's gunning for a touchdown.
Be the Quarterback
Vulnerability management is no one's favorite job, but it's essential in reaching long-term security goals for the enterprise. Infrastructure is assaulted daily by complex vulnerabilities that take months to fix — like BootHole and Zerologon — and by thousands of seemingly mundane vulnerabilities that, given where and how they surface in the environment (an exposed service, a domain controller, a host with no compensating controls), can introduce as much risk as a critical vulnerability with a CVSS score of 10. Leadership is key in motivating stakeholders to adopt a remediate-or-bust mindset.
Gartner estimates that through 2020, 99% of the vulnerabilities exploited will be ones security professionals already knew about at the time of compromise; Ponemon found that 60% of the breaches reported by respondents in 2019 involved an unpatched, known vulnerability. With a deluge of new vulnerabilities reported each year, and with dramatic shifts in enterprise IT such as the abrupt, COVID-related move to remote work, a concerted effort to remediate vulnerabilities is one of the most effective actions a company can take to reduce the chance of a breach. But vulnerability management isn't a well-oiled machine. As the team lead or project manager, the security team must oversee the entire remediation process, even when the ball's not in their hands.
Whether a vulnerability is simple or complex, it's often complicated by the internal politics playing out across IT operations, DevOps, security, and other distinct IT functions. The only way to scale remediation processes is for security to quarterback remediation plays and see the process through. Detection and prioritization are worth very little if remediation occurs at too slow a pace to neutralize the threats posed to the enterprise by vulnerabilities. Long-standing silos won't go away overnight, and IT teams won't reorganize around vulnerability remediation. But they don't need to if security ensures the various stakeholders involved in a given remediation campaign are doing their part.
Choose the Play
As the quarterback, security teams identify the nature of the vulnerability, the business assets most at risk, the potential impact on the enterprise, and the patch, configuration change, or workaround that will close the vulnerability. Armed with this knowledge, they pull in the right players from other IT functions, align on the necessary fix, and coordinate the remediation campaign efficiently and effectively. When security and IT teams align on a remediation strategy, the shared context and agreement on execution provide the foundation needed to remediate vulnerabilities at scale. Even when a fix goes wrong, the problem gets resolved faster when the lines of communication are already open.
Fixing complex vulnerabilities often requires multiple coordinated elements. BootHole is an excellent example: its sheer pervasiveness makes it incredibly difficult to remediate in enterprise settings. It is a cross-platform vulnerability in the GRUB2 bootloader that affects both Linux and Windows hosts running with Secure Boot, and fixing it requires coordinated firmware-level and OS-level changes: updating the signed bootloader components (shim and GRUB2) and then pushing the UEFI revocation list (dbx) that distrusts the old ones. Those steps must be performed in that order; revoking the old bootloader before the replacement is installed leaves a machine unable to boot. Security, DevOps, and IT teams must work together to minimize its business impact and avoid compromise. As the quarterback, the security team needs to think and act like a team captain: What's the best approach? Should you monitor network traffic? Write a PowerShell detection script? Which Windows and Linux systems are affected? Who can help and how? Most importantly, how do we keep everyone on point?
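The ordering constraint above is the kind of thing a remediation campaign has to enforce mechanically, not just document. The following is an added example (not from the article or any vendor's tooling) of a small POSIX shell gate that refuses to let the dbx revocation step run until the installed shim and GRUB2 packages meet the fixed versions the campaign owner supplies. The version numbers are placeholders passed in by the caller; the real minimums come from your distribution's BootHole advisory, and how you read the installed versions (rpm, dpkg, etc.) is left to the caller as well.

```shell
#!/bin/sh
# Added example, not code from the article: gate BootHole remediation steps
# so the UEFI dbx revocation is never applied before the signed bootloader
# components it revokes have been replaced. Applying dbx first leaves the
# host unable to boot its still-installed, now-revoked shim/GRUB.
#
# All version strings are caller-supplied placeholders (assumption); take
# the real fixed versions from your distribution's advisory.
# Requires GNU sort (sort -V) for dotted-version comparison.

# version_ge A B : succeed when version A >= version B.
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n 1)" = "$2" ]
}

# boothole_step_allowed STEP INSTALLED_SHIM MIN_SHIM INSTALLED_GRUB MIN_GRUB
# Prints "allow" or "block" on stdout and returns 0 (allow), 1 (block),
# or 2 (unknown step). Steps:
#   update-bootloader : always allowed, this is the first step
#   apply-dbx         : allowed only once shim AND grub are at fixed versions
boothole_step_allowed() {
    step=$1; inst_shim=$2; min_shim=$3; inst_grub=$4; min_grub=$5
    case "$step" in
        update-bootloader)
            echo allow
            return 0
            ;;
        apply-dbx)
            if version_ge "$inst_shim" "$min_shim" && version_ge "$inst_grub" "$min_grub"; then
                echo allow
                return 0
            fi
            echo "refusing dbx update: shim $inst_shim (need >= $min_shim), grub $inst_grub (need >= $min_grub)" >&2
            echo block
            return 1
            ;;
        *)
            echo "unknown step: $step" >&2
            return 2
            ;;
    esac
}

# Example run with constructed placeholder versions: a host whose GRUB2
# package is still below the fixed version must be blocked from apply-dbx.
# boothole_step_allowed apply-dbx 15.4 15.4 2.04-1 2.04-5   # prints "block"
# boothole_step_allowed apply-dbx 15.4 15.4 2.04-5 2.04-5   # prints "allow"
```

Wire the gate into whatever pushes the dbx update (a configuration-management task, a job in the patching pipeline) so that a host reports "block" back to the campaign tracker instead of silently becoming unbootable; the stderr line tells the operations owner exactly which package is still behind.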
Because every vulnerability is unique, it's critical to build a team around the infrastructure stack affected by the vulnerability — this may include third-party vendors, app developers, Web developers, network engineers, the IT operations team, and more. Rather than defending the field against emergency breaches, security practitioners can assemble cross-functional teams that drive ongoing remediation efforts toward the ultimate goalpost: reducing risk across the enterprise.
But there are very few quarterbacks who can execute a game-winning drive without help from above; they rely on an offensive coordinator who can see the entire field of play from a vantage point outside of the fray. This is critical to the quarterback's success. Likewise, a vulnerability remediation coordinator, such as a CISO with visibility into the entire remediation process, can oversee the campaign from scan to fix. A good coordinator will see many aspects of the campaign that are outside the quarterback's purview.
Move the Ball Down the Field
Just as a quarterback doesn't leave the field when the ball leaves his hand, security sees the remediation play through to completion. As they become more experienced and comfortable executing remediation plays, they'll learn how to make the best use of their players to move the ball down the field faster, improving how the team executes each remediation play.
Because that's what the best quarterbacks do.