Everyone remembers the Equifax breach, the WannaCry attack and now even PageUp has joined the ranks. When they occurred, most security teams took a look at their own software security risks to ensure they weren’t also vulnerable. But a one-time check isn’t enough. Rather than an annual health check on the system’s security, preventing a software attack must be an always-on strategy to keep any and every risk at bay.
Monitoring the hundreds of new threats reported daily and reviewing hundreds to thousands of internal software applications is certainly no small task. Plus, not all threats are equal, so there’s the additional step of pinpointing the top priorities for your organisation.
For many, going back to basics holds the solution to managing risks. This approach includes four core components—know your software inventory, find the risks, identify priority risks and apply a “smart” methodology to patches. Taking these simple steps creates the foundation to protect against the risks we continue to see escalating in number and impact.
Vulnerability risks are rising
Vulnerabilities in 2017 increased 14 per cent to 19,954, up from 17,147 in 2016, according to the Vulnerability Review 2018 – Global Trends. That’s the highest level to date and has a huge impact – particularly financially. According to Ponemon, the average cost of a data breach in Australia was $2.51 million in 2017. Even without a successful breach, events related to exploitation of known vulnerabilities run into the millions each year.
These risks highlight the need for organisations to mitigate this impact, using processes that bring control and today’s technology to gain insight on where to take action.
Knowledge is Power
The first step is deep knowledge of what software your company has in place. Without that basic information, it’s impossible to protect your systems. However, with the scope of software used in today’s organisations, tracking down that inventory can be difficult. Most companies implement Software Asset Management (SAM) processes and technology to automate the process of discovering and creating an inventory of their software (and hardware) assets – wherever they are.
For the best results, this information should be shared across the organisation, including IT, security and risk teams. A single ‘version of the truth’ gets everyone on the same page with risks.
Once an accurate inventory is in place, a formal process to track vulnerabilities is key to controlling risks. It starts with using available information. In 2017, patches were in place for 86 per cent of the vulnerabilities on the day of disclosure. But despite this knowledge, many organisations don’t use a proactive method to track these patches for the software they own.
By applying Software Vulnerability Intelligence to the software inventory, an automated process can be created that tracks potential vulnerabilities and alerts the IT team about important patches. The important information comes to the technical team, avoiding a highly detailed, manual tracking process that can miss information or slow action. Once this information is flagged, the next step is identifying what’s a priority.
Identify Priority Risks
Hundreds of vulnerabilities are disclosed globally each week – in the first quarter of 2018 alone, Secunia Research issued over 1,500 advisories. Then there are the thousands of old vulnerabilities in thousands of applications that need to be tracked. The big question for security departments is: “What applies to us?”
It’s hard to prioritise the time to sort through what’s important with all the competition for internal resources. That’s where expert intelligence can make a real difference, using a trusted Software Vulnerability Management solution to automate finding and evaluating risks in software inventory.
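The two steps above, matching vulnerability intelligence against a software inventory and then ranking what applies to you, can be illustrated with a small script. The following is an added example, not code from the article or from any vendor's product; the inventory, the advisory feed (its field names and the placeholder `ADV-000x` identifiers) and the scoring weights are all constructed assumptions to show the mechanics, not a real data format or a recommended scoring model.

```python
from typing import Dict, List, Tuple

# Constructed sample inventory: what is installed where, and whether the
# host is exposed to the internet (hypothetical hosts and product names).
INVENTORY: List[Dict] = [
    {"host": "web-01", "product": "ExampleHTTPd", "version": "2.4.1", "internet_facing": True},
    {"host": "db-01", "product": "ExampleDB", "version": "10.2.0", "internet_facing": False},
    {"host": "ws-17", "product": "ExampleViewer", "version": "9.0.3", "internet_facing": False},
    {"host": "ws-18", "product": "ExampleViewer", "version": "9.1.0", "internet_facing": False},
]

# Constructed advisory feed. The schema is assumed for this example and the
# IDs are placeholders; a real feed would carry the vendor's own identifiers.
ADVISORIES: List[Dict] = [
    {"id": "ADV-0001", "product": "ExampleHTTPd", "fixed_in": "2.4.2",
     "cvss": 9.8, "exploited": True, "patch_available": True},
    {"id": "ADV-0002", "product": "ExampleDB", "fixed_in": "10.2.5",
     "cvss": 7.5, "exploited": False, "patch_available": True},
    {"id": "ADV-0003", "product": "ExampleViewer", "fixed_in": "9.1.0",
     "cvss": 8.1, "exploited": False, "patch_available": False},
]

# Assumed scoring weights: known exploitation and internet exposure raise
# the priority above the base CVSS score. Tune these to your own risk model.
EXPLOITED_BONUS = 5.0
EXPOSED_BONUS = 3.0


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a comparable tuple of integers."""
    return tuple(int(part) for part in version.split("."))


def is_affected(installed: str, fixed_in: str) -> bool:
    """Any version strictly below the fixed release is treated as affected."""
    return parse_version(installed) < parse_version(fixed_in)


def priority_score(advisory: Dict, asset: Dict) -> float:
    """Base CVSS plus bonuses for in-the-wild exploitation and exposure."""
    score = float(advisory["cvss"])
    if advisory["exploited"]:
        score += EXPLOITED_BONUS
    if asset["internet_facing"]:
        score += EXPOSED_BONUS
    return round(score, 1)


def prioritised_findings(inventory: List[Dict], advisories: List[Dict]) -> List[Dict]:
    """Join inventory against advisories and return findings, highest risk first."""
    findings = []
    for asset in inventory:
        for adv in advisories:
            if adv["product"] != asset["product"]:
                continue
            if not is_affected(asset["version"], adv["fixed_in"]):
                continue
            findings.append({
                "host": asset["host"],
                "product": asset["product"],
                "installed": asset["version"],
                "advisory": adv["id"],
                "score": priority_score(adv, asset),
                # If the vendor has shipped a fix, the action is to stage and
                # test the patch; otherwise the team must mitigate and monitor.
                "action": "test and deploy patch" if adv["patch_available"]
                          else "mitigate and monitor (no vendor patch yet)",
            })
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in prioritised_findings(INVENTORY, ADVISORIES):
        print(f"{f['score']:5.1f}  {f['host']:7} {f['product']} {f['installed']}"
              f"  {f['advisory']}  -> {f['action']}")
```

Run stand-alone, the script lists three findings: the internet-facing web server with an exploited flaw comes out on top, the workstation with no vendor patch yet is flagged for mitigation rather than patching, and the host already on the fixed release produces no finding at all. The point is the join plus the ranking; a real programme would replace the constructed feed with a subscribed intelligence source and the flat bonuses with the organisation's own risk model.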
Patching plays a key role in protecting the attack surface, but a careful approach is essential. Testing first in controlled environments remains highly effective, offering an advanced understanding of potential impacts on system performance and stability. Patches can cause performance hits or compatibility issues, so IT teams will benefit from a cautious methodology. Since taking these steps is about mitigating problems, it’s important that a risk-based model is extended into the patch process.
Although the threat landscape continues to change and develop, managing the basics is still essential to keeping risks at bay. While it can be easy to get overwhelmed by the endless security solutions out there, building a foundation of effective practices is key to protecting your organisation.