Every busy person who prioritizes tasks recognizes that the lowest priority items are often put off indefinitely. This may be an effective life strategy, but it is a dangerous way to manage network vulnerabilities.
Verizon’s 2016 Data Breach Investigations Report found that the top 10 vulnerabilities accounted for 85 percent of successful exploit traffic. The remaining 15 percent was attributed to more than 900 common vulnerabilities and exposures (CVEs).
If you merely follow a prioritization strategy, focusing only on the top 10 vulnerabilities without effectively detecting and managing the CVE risks to your network, you may leave your network critically exposed. The irony is that the vast majority of these CVEs can be easily resolved either by a simple patch or through basic coding best practices — assuming you identified the risk, of course.
The IT industry at large is beginning to recognize the threats at hand and take steps to protect themselves, although not as quickly as they should. In a recent Forbes Insights and BMC security survey, 60 percent of the 300 C-level respondents said that expanded vulnerability discovery and remediation was a primary initiative in 2016, while only 30 percent placed putting more resources into defending against zero-day exploits as a primary initiative.
To break the high-priority habit, here are the top four best practices you should adopt to ensure you have a comprehensive vulnerability management program in place that will help you successfully navigate the increasingly dense, diverse and dangerous world of cybersecurity threats.
1. Scan for Threats Early and Often
If your vulnerability scan data, whether from an authenticated or unauthenticated scan, is not comprehensive and up to date, any attempts to protect the network are likely doomed.
You won’t be able to accurately identify the real threats to your network or prioritize their remediation.
For applications that your organization is developing, be sure to scan as early as possible in the software development lifecycle in order to increase overall security while also reducing remediation costs.
2. Make Sure Your Data Is Consumable and Actionable
Simply having a laundry list of vulnerabilities in a spreadsheet and sending it to various stakeholders almost guarantees vulnerability management failure.
Even assuming each new scan report is opened by the right person, it is nearly impossible to use such a document to accurately assess the risks and coordinate with the operations team to remediate the high-risk vulnerabilities.
Essentially, this is like having hundreds of “urgent” emails to address by end of day — you are left with the issue of how to figure out what is actually crucial versus what can wait. How can businesses decide which vulnerabilities to prioritize when they all pose a risk to the organization?
To mitigate this, vulnerability scan outputs need to be in a form that is easily consumed by both the security and operations teams. It must include details such as the severity level and age of the vulnerability, and the information also needs to be actionable. This requires creating a fast, automated (and thereby repeatable) process connecting a high-risk vulnerability to its remediation.
3. Develop Context for Responding to Vulnerabilities
Context is key when it comes to understanding the nature of a problem and making the most effective response decision. If someone shouts “fire” you need more information before you can know whether you should run toward the fire to help or run away from the fire to protect yourself, or whether you should call the fire department or grab an extinguisher.
Where’s the fire? How big is it? How quickly is it spreading? Is anyone in danger or hurt?
The same is true of vulnerabilities. Once you know the number of vulnerabilities, and the severity level and age of a vulnerability, responding effectively still requires answers to additional questions.
Which assets might be affected? Where are they on the network? Is a patch available? If so, when can it be deployed? If not, can the risk be mitigated through the real-time protection offered by a firewall or intrusion prevention system?
Only by knowing the context can you ensure you will make the right response decision.
4. Increase Your ‘Vulnerability Intelligence’
As you improve your ability to develop context and respond to vulnerabilities based on actionable data, your overall level of “vulnerability intelligence” goes up, enabling you to make even better security decisions.
It also allows you to continuously adapt your vulnerability management approach as threats evolve in order to accelerate the discovery-to-remediation timeline and reduce overall risk.
As vulnerabilities continue to increase, and as attackers continue their two-pronged approach of looking for low-hanging fruit through CVEs even as they evolve their strategies, it is critical to have a sound vulnerability management strategy based on comprehensive, up-to-date scan data and the ability to quickly and easily see the threat context.
This is the only way you can avoid the “priority trap” and be sure you are making the right decisions in mitigating both the most common current threats and the CVEs that can lead to a significant security incident.