In 2018, 16,515 new common vulnerabilities and exposures (CVEs) were published. By November of last year, more than 300 vulnerabilities per week were being reported, and we're on pace for an even bigger 2019. That means updates and patching must be seen as security imperatives.
But keeping every OS, application, and browser version across every machine and device configured exactly right all of the time is a huge, seemingly impossible job. To even get close, enterprises need strategies that make it easier to find, prioritize, fix, and report on vulnerabilities in ways that make sense for their business and existing resources.
To help, let's lay out a road map for improving the update process required to reduce the security risks posed by vulnerabilities.
Change the Culture
Instead of viewing updates and patching as something tedious that should be done but perhaps not urgently, it's important that employees understand the role vulnerabilities play in company security and how their management is part of the larger security strategy. This mindset should extend beyond just the IT department to every employee.
The Center for Internet Security (CIS) recommends gap or risk-based training, in which IT staff try to identify where the bulk of security issues are — whether it is with people sharing passwords, updating their own machines, or putting sensitive data on a USB drive that could get easily lost or mishandled — and provide training against the biggest challenges. This helps employees understand important practices, why they should be implemented, and provides them with relevant, real-world situational guidance. It should be a partnership where all employees feel supported so that cooperation happens when it is vital, even if this means rebooting an employee's machine right in the middle of a project in order to patch a critical issue.
Security awareness training also should be more than one-and-done during onboarding to be effective. Employees are so bombarded with new information related to their specific job functions that security is likely not top-of-mind. For culture to shift, training needs to be ongoing. It doesn't have to be overwhelming or threatening but rather as simple as spending a few minutes in an all-hands, a quarterly email of best practices, or a biannual seminar.
In addition to getting employees on board with basic practices, teams have to actually find existing vulnerabilities. There are a number of open standards to help identify the ever-expanding list of vulnerabilities as well as proper configurations to guard against them. Security Content Automation Protocol (SCAP) is one of the most common and provides a framework of specifications that support automated configuration, vulnerability and patch checking, compliance, and measurement. It is highly useful for definitions of common exposures and in determining what situations are applicable to your environment. There are a number of other standards that are useful in establishing a baseline for configuration as well: CIS (mentioned earlier) provides guidance, and the technical information guides released by the Defense Information Systems Agency are also quite useful.
Once you establish a baseline, the CVE database and the National Vulnerability Database, which pull from a wide range of sources, can assist in identifying vulnerabilities. Microsoft also posts its own authoritative security updates. But a quick look at these databases will spark fear in the heart of anyone charged with vulnerability management based on the complexity and sheer volume of vulnerabilities involved.
Seek Automated Solutions
Automated vulnerability management solutions have emerged to help. These solutions pull from the respective databases to identify and analyze the vulnerabilities affecting your endpoints. Automated products on the market can be slow and interfere with network performance, which has not won them a legion of fans, but with advances in technology, a new generation of vulnerability management solutions is poised to rapidly accelerate the speed of detection and increase the number of vulnerabilities they can search — and they do it without negative impacts on performance. As a result, scans don't need to wait until the end of the day or the weekend, and remediation can occur much, much faster than the industry average of 38 days.
If you have the option of adding an automated vulnerability management solution to your arsenal, be sure to do your research to find a product that fits your needs. No automated solution will get you to 100% detection, but the prospect of reaching 80% to 90% detection in a fraction of the time should have team members rejoicing.
The Process Is Just Beginning …
Now that you've found vulnerabilities, the job is just getting started. You still have to figure out how to assess and prioritize, remediate, and report on what you've found. As you can see, today's world of vulnerability management is anything but simple; however, there is an opportunity to turn the tide by paying attention and addressing the little things that become big problems. Doing so will help keep your company as secure as possible.