Three key challenges in vulnerability risk management

Vulnerability scanning provides visibility into potential land mines, but often just results in data tracked in spreadsheets and independent remediation teams scrambling in different directions. It is time to change from a “find” mentality to a “fix” mentality. Here’s how.

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

Vulnerability risk management has re-introduced itself as a top challenge – and priority – for even the most savvy IT organizations. Despite the best detection technologies, organizations continue to get compromised on a daily basis. Vulnerability scanning provides visibility into potential land mines across the network, but often just results in data tracked in spreadsheets and independent remediation teams scrambling in different directions.

The recent Verizon Data Breach report showed that 99.9% of the vulnerabilities exploited in attacks were compromised more than a year after being published. This clearly demonstrates the need to change from a “find” to a “fix” mentality. Here are three key challenges to getting there:

* Vulnerability prioritization. Today, many organizations prioritize based on CVSS score and perform some level of asset importance classification within the process. However, this is still generating too much data for remediation teams to take targeted and informed action. In a larger organization, this process can result in tens of thousands – or even millions – of critical vulnerabilities detected. So the bigger question is – which vulnerabilities are actually critical?

Additional context is necessary to get a true picture of actual risk across the IT environment. Organizations might consider additional factors in threat prioritization, such as the exploitability or value of an asset, the correlation between the vulnerability and the availability of public exploits, attacks and malware actively targeting the detected vulnerability, or the popularity of a vulnerability in social media conversations.

* Remediation process. The second and perhaps most profound challenge is in the remediation process itself. On average, organizations take 103 days to remediate a security vulnerability. Given zero-day exploits and the speed and agility with which malware developers operate, that leaves the window of opportunity wide open for attackers.

The remediation challenge is most often rooted in the process itself. While there is no technology that can easily and economically solve the problem, there are ways to enable better management through automation that can improve the process and influence user behavior. In some cases, there are simple adjustments that can result in a huge impact. For example, a CISO at a large enterprise company recently stated that something as easy as being able to establish deadlines and automated reminder notifications when a deadline was approaching could vastly improve the communication process between Security and DevOps/SysAdmin teams.

In other words, synchronizing communication between internal teams through workflow automation can help accelerate the remediation process. From simple ticket and task management to notifications and patch deployment, the ability to track the remediation process within a single unified view can eliminate the need to navigate and update multiple systems and potentially result in significant time savings.

* Program governance. The adage, “You can’t manage it if you can’t measure it” is true when it comes to evaluating the success of a vulnerability risk management program. In general, information security programs are hard to measure compared to other operational functions such as sales and engineering. One can create hard metrics, but it is often difficult to translate those metrics into measurable business value.

There is no definitive answer for declaring success. For most organizations, this will likely vary depending on the regulatory nature of their industry and overall risk management strategy. However, IT and security teams demonstrate greater value when they can show the level of risk removed from critical systems.

Establishing the right metrics is the key to any successful governance program, but the program must also have the flexibility to evolve with the changing threat landscape. In the case of vulnerability risk management, governance may start with establishing baseline metrics such as number of days to patch critical systems or average ticket aging. As the program evolves, new and more specific metrics can be introduced, such as number of days from discovery to resolution (i.e., the time from when a patch is available to its actual application).
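The baseline metrics named here (days to patch critical systems, average ticket aging) and the deadline reminders mentioned under the remediation challenge can be computed from ticket data in a few lines. This is an added example, not code from the article or its author; the ticket fields, dates and the 7-day warning window are assumptions.

```python
from datetime import date
from statistics import mean

# Constructed remediation tickets; the field names are assumptions for this example.
TICKETS = [
    {"id": "T-1", "critical": True, "opened": date(2015, 3, 2),
     "resolved": date(2015, 3, 12), "deadline": date(2015, 3, 16)},
    {"id": "T-2", "critical": True, "opened": date(2015, 3, 5),
     "resolved": date(2015, 4, 4), "deadline": date(2015, 3, 19)},
    {"id": "T-3", "critical": False, "opened": date(2015, 3, 26),
     "resolved": None, "deadline": date(2015, 4, 20)},
    {"id": "T-4", "critical": True, "opened": date(2015, 4, 1),
     "resolved": None, "deadline": date(2015, 4, 10)},
]

def mean_days_to_patch_critical(tickets):
    """Baseline metric: average days from open to resolution on critical systems."""
    days = [(t["resolved"] - t["opened"]).days
            for t in tickets if t["critical"] and t["resolved"] is not None]
    return mean(days) if days else None  # None means nothing closed yet, not "0 days"

def average_open_ticket_age(tickets, today):
    """Baseline metric: average age in days of tickets that are still open."""
    ages = [(today - t["opened"]).days for t in tickets if t["resolved"] is None]
    return mean(ages) if ages else None

def reminders(tickets, today, warn_days=7):
    """Open tickets that are overdue or whose deadline falls within warn_days."""
    due = []
    for t in tickets:
        if t["resolved"] is not None:
            continue  # closed tickets need no reminder
        left = (t["deadline"] - today).days
        if left < 0:
            due.append((t["id"], "overdue", -left))
        elif left <= warn_days:
            due.append((t["id"], "due_soon", left))
    return due

if __name__ == "__main__":
    today = date(2015, 4, 15)  # fixed so the sample output is reproducible
    print("mean days to patch (critical):", mean_days_to_patch_critical(TICKETS))
    print("average open ticket age:", average_open_ticket_age(TICKETS, today))
    for ticket_id, status, days in reminders(TICKETS, today):
        print(ticket_id, status, days)
```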

Practitioners can start improving the process by making some simple changes. For example, most vulnerability assessment tools offer standard prioritization of risks based on CVSS score and asset classification. However, this approach is still generating too much data for remediation teams. Some organizations have started to perform advanced correlation with threat intelligence feeds and exploit databases. Yet, this process can be a full-time job in itself, and is too taxing on resources.

Technologies exist today to help ease this process through automation by enriching the results of vulnerability scan data with rich context beyond the CVSS score. Through correlation with external threat, exploit, malware, and social media feeds and the IT environment, a list of prioritized vulnerabilities is delivered based on the systems most likely to be targeted in a data breach. Automating this part of the process with existing technologies can help cut the time spent on prioritization from days to hours.
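A minimal sketch of this kind of enrichment, combining CVSS with the factors listed under the prioritization challenge (asset value, public exploits, active malware, social media attention). This is an added example, not the vendor's product logic or code from the article; the scoring formula, weights, host names and vulnerability ids are all assumptions constructed for illustration.

```python
# Constructed scanner findings; vulnerability ids are placeholders, not real CVEs.
FINDINGS = [
    {"host": "kiosk-7", "vuln": "VULN-A", "cvss": 9.8},
    {"host": "hr-db", "vuln": "VULN-B", "cvss": 7.5},
    {"host": "web-01", "vuln": "VULN-B", "cvss": 7.5},
    {"host": "web-01", "vuln": "VULN-C", "cvss": 9.1},
    {"host": "lab-3", "vuln": "VULN-D", "cvss": 10.0},
]
# Business value of each asset on an assumed 0..1 scale.
ASSET_VALUE = {"kiosk-7": 0.2, "hr-db": 0.9, "web-01": 1.0}
DEFAULT_ASSET_VALUE = 0.5  # unclassified hosts are neither ignored nor top priority
# Constructed threat context, as it might be merged from exploit, malware and social feeds.
THREAT_CONTEXT = {
    "VULN-B": {"public_exploit": True, "active_malware": True, "social_mentions": 120},
    "VULN-C": {"public_exploit": True, "active_malware": False, "social_mentions": 10},
}
# Assumed weights; an organization would tune these to its own risk appetite.
WEIGHTS = {"public_exploit": 0.5, "active_malware": 1.0, "social": 0.25}
SOCIAL_CAP = 100  # mentions at or above this count as a full social signal

def risk_score(finding):
    """CVSS scaled by asset value, then amplified by external threat signals."""
    ctx = THREAT_CONTEXT.get(finding["vuln"], {})  # no feed data means no amplification
    multiplier = 1.0
    multiplier += WEIGHTS["public_exploit"] * bool(ctx.get("public_exploit"))
    multiplier += WEIGHTS["active_malware"] * bool(ctx.get("active_malware"))
    multiplier += WEIGHTS["social"] * min(ctx.get("social_mentions", 0) / SOCIAL_CAP, 1.0)
    asset = ASSET_VALUE.get(finding["host"], DEFAULT_ASSET_VALUE)
    return (finding["cvss"] / 10.0) * asset * multiplier

def prioritize(findings):
    """Return (host, vuln, score) tuples, highest contextual risk first."""
    scored = [(f["host"], f["vuln"], risk_score(f)) for f in findings]
    return sorted(scored, key=lambda row: row[2], reverse=True)

def cvss_only(findings):
    """The baseline ranking: CVSS score alone."""
    ranked = sorted(findings, key=lambda f: f["cvss"], reverse=True)
    return [(f["host"], f["vuln"]) for f in ranked]

if __name__ == "__main__":
    for host, vuln, score in prioritize(FINDINGS):
        print(f"{host:8} {vuln:7} {score:.3f}")
```

In the sample data, the CVSS 10.0 and 9.8 findings fall to the bottom of the list because they sit on low-value or unclassified hosts with no threat signal, while a CVSS 7.5 finding with a public exploit and active malware on a critical server rises to the top.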

Today, vulnerability management has become as much about people and process as it is about technology, and this is where many programs are failing. The problem is not detection. Prioritization, remediation, and program governance have become the new priorities. It is no longer a question of if you will be hacked, but rather when, and most importantly, how. The inevitable breach has become a commonly accepted reality. Vulnerability risk management calls for a new approach that moves beyond a simple exercise in patch management to one focused on risk reduction and tolerable incident response.

NopSec provides precision threat prediction and remediation workflow solutions to help businesses protect their IT environments from security breaches. Based on a flexible SaaS architecture, NopSec Unified VRM empowers security teams to better understand vulnerability data, assess the potential business impact, and reduce the time to remediation.

By Michelangelo Sidagni, CTO, NopSec
