Ever since computer software established itself as the backbone of modern commerce, communications and entertainment, it has been a target for “hacktivists,” organized cyber criminals, rogue nation states and terrorist organizations. Their primary attack vector is exploiting design flaws and weaknesses in applications in order to steal data, commit fraud and disclose sensitive information.
With each major public data breach, our attention focuses on how to prevent these incidents. Often, the debate involves vulnerability management and how both software suppliers and end user organizations can make software code more secure. This raises the question, "Is vulnerability management the Achilles heel of cyber security?"
Vulnerability Management from Vendor Perspective
From a software vendor perspective, vulnerability management has become an essential part of the software development cycle, while increasing the complexity of quality assurance processes and snowballing development costs. Taking shortcuts is no longer an option. Design flaws and weaknesses not only impact a vendor’s brand reputation, but directly impact a supplier’s bottom line as frequent patches represent a major financial burden.
As part of the ongoing vulnerability discussion, some industry groups (e.g., the Payment Card Industry Security Standards Council) are calling for software suppliers to establish a vulnerability sharing environment. This approach is designed to counter similar vulnerability information sharing among cyber criminals.
Yet mandating the disclosure of vulnerabilities before fixes and patches are available is a flawed approach. It sets up a situation where if leaked, this information would provide the blueprints attackers need to exploit these flaws. Thus, the current approach of vulnerability sharing after a fix is available seems to be the best way to provide end user organizations the necessary means to address risks to their business.
Vulnerability Management from User Perspective
Increasingly though, software suppliers struggle to predict and test all possible environmental factors when assessing potential vulnerabilities in their code. In turn, a lot of the responsibility for analyzing the potential business impact of specific vulnerabilities is offloaded to end user organizations.
From an end user organization’s perspective, vulnerability assessments have become a required preventive measure. However, trends such as the consumerization of technology and “bring your own device” (BYOD) are pushing vulnerability assessment processes to their breaking point.
The Big Data Challenge
The biggest inhibitor of effective vulnerability assessments lies in the fact that the number of vulnerabilities in organizations has grown exponentially over the past few years. This is largely due to the increasing number of IT assets under management, which are creating a Big Data challenge.
To ensure proper coverage, end user organizations in many cases are relying on multiple tools to produce the necessary vulnerability assessment data. This only adds to the volume, velocity and complexity of data feeds that must be analyzed, normalized and prioritized. Relying on human labor to comb through mountains of data logs is one of the main reasons that critical vulnerabilities are not being addressed in a timely fashion.
According to the Verizon 2012 Data Breach Investigations Report, 92 percent of breaches were discovered by a third party and not through internal resources. Given this, how can organizations bring vulnerability management under control?
Streamlining Vulnerability Management
The first step is to transition from a vulnerability assessment approach to a vulnerability management approach. Vulnerability management goes beyond scanning for vulnerabilities and encompasses Big Data analysis and remediation workflows.
Relying solely on the knowledge of existing vulnerabilities, provided by vulnerability scanners, is only the first part of a streamlined vulnerability management process. Without putting vulnerabilities into the context of the risk associated with them, organizations often misalign their remediation resources.
This is not only a waste of money, but more importantly creates a longer window of opportunity for hackers to exploit critical vulnerabilities. At the end of the day, the ultimate goal is to shorten the window attackers have to exploit a software flaw.
Therefore, vulnerability management needs to be supplemented by a holistic, risk-based approach to security, which considers factors such as threats, reachability, your organization’s compliance posture and business impact:
- Without a threat, the vulnerability cannot be exploited.
- Another limitation is reachability. If the threat cannot reach the vulnerability, the associated risk is either reduced or eliminated.
- In this context, an organization’s compliance posture plays an essential role, as compensating controls can be leveraged to impede the reachability of a threat. According to the Verizon 2012 Data Breach Investigations Report, 97 percent of the 855 incidents reported in 2011 were avoidable through simple or intermediate controls. This illustrates the importance of compensating controls in the context of cyber security.
- Business impact is another factor in determining the actual risk posed by a vulnerability. Vulnerabilities that threaten critical business assets represent a far higher risk than those that are associated with less critical assets.
Using an Integrated Approach
On paper, a risk-based approach to security sounds straightforward. Unfortunately, the data required for each of the decision factors that make up a risk-based approach to security is scattered and disconnected. That’s because it is being produced by a variety of silo-based tools such as vulnerability scanners, penetration testing tools, IT-GRC systems and configuration management databases.
Many organizations have the data required to implement a more streamlined vulnerability management process. However, sifting through all the data sets, normalizing and de-duplicating the information, filtering out false positives, aggregating it, and finally deriving business impact-driven remediation actions is a slow and labor-intensive process.
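The pipeline described in this paragraph, combined with the four decision factors listed earlier (threat, reachability, compensating controls, business impact), can be sketched as follows. This is an added example, not code from the article or from any vendor product; the field names, weights, scanner names and sample records are all assumptions constructed for illustration, and an unreachable vulnerability is treated as eliminated risk.

```python
# Added illustration: field names, weights and sample data are assumptions.
RAW_FINDINGS = [  # constructed output of two hypothetical scanners
    {"tool": "scanner_a", "host": "WEB01", "vuln": "VULN-001", "severity": 7.5},
    {"tool": "scanner_b", "host": "web01.", "vuln": "vuln-001", "severity": 8.0},
    {"tool": "scanner_a", "host": "hr02", "vuln": "VULN-002", "severity": 9.8},
    {"tool": "scanner_b", "host": "db03", "vuln": "VULN-001", "severity": 8.0},
    {"tool": "scanner_b", "host": "db03", "vuln": "VULN-003", "severity": 9.0, "fp": True},
    {"tool": "scanner_a", "host": "kiosk04", "vuln": "VULN-004", "severity": 10.0},
]
ASSETS = {  # constructed CMDB / IT-GRC context, keyed by normalized host
    "web01": {"criticality": 1.0, "reachable": True, "control": False},
    "hr02": {"criticality": 0.3, "reachable": True, "control": False},
    "db03": {"criticality": 1.0, "reachable": True, "control": True},
    "kiosk04": {"criticality": 0.5, "reachable": False, "control": False},
}
ACTIVE_THREATS = {"VULN-001", "VULN-002", "VULN-004"}  # constructed threat feed


def normalize(raw):
    """Drop false positives and merge duplicates reported by several tools."""
    merged = {}
    for f in raw:
        if f.get("fp"):
            continue
        key = (f["host"].strip().rstrip(".").lower(), f["vuln"].upper())
        entry = merged.setdefault(key, {"severity": 0.0, "tools": set()})
        entry["severity"] = max(entry["severity"], f["severity"])
        entry["tools"].add(f["tool"])
    return merged


def risk(host, vuln, severity):
    """Scale scanner severity by threat, reachability, controls and impact."""
    asset = ASSETS[host]
    if vuln not in ACTIVE_THREATS or not asset["reachable"]:
        return 0.0  # no threat, or the threat cannot reach the flaw
    control = 0.25 if asset["control"] else 1.0  # assumed reduction factor
    return round(severity * control * asset["criticality"], 2)


def prioritize(raw):
    """Return (risk, host, vuln) tuples, highest risk first, zero-risk dropped."""
    scored = [(risk(h, v, e["severity"]), h, v)
              for (h, v), e in normalize(raw).items()]
    return sorted((s for s in scored if s[0] > 0), reverse=True)


if __name__ == "__main__":
    print(prioritize(RAW_FINDINGS))
```

In this constructed data set the two findings with the highest raw scanner severity (kiosk04 and hr02) do not top the remediation queue, because one is unreachable and the other sits on a low-criticality asset.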
The emergence of integrated risk management systems is taking vulnerability management to the next level. They combine risk intelligence, using Big Data that is gathered and correlated from security operations tools, with automated remediation that establishes bi-directional workflows with IT operations.
These systems drive operational efficiencies by automating continuous monitoring and ticketing to remediate only business-critical risks. Using this automated approach, organizations can free up IT and security personnel to focus on critical tasks and turn their security technicians into risk strategists.
Torsten George is vice president of worldwide marketing and products for integrated risk management vendor Agiliance.