Effective vulnerability remediation is essential to security. The trouble is, it’s tough!
Vulnerability management is often under-sourced and under-tooled and yet stands at the epicenter of protecting an organization from a breach.
Cybersecurity stakes continue to rise. The average cost of a data breach in the United States in 2020 rose to $8.64 million, up 5% over 2019. And regulators are imposing increasingly stiff fines for lapses in personal data security. The vast majority of exploits take advantage of old, known vulnerabilities.
So, it’s no wonder that security leaders are striving to make their vulnerability remediation programs more effective and dramatically improve cyber hygiene. In this blog, we identify the five most common mistakes keeping IT security teams from effective vulnerability remediation.
Avoid these mistakes, protect your company, and avoid the dreaded headlines.
Let’s get started!
Focusing only on the latest headlines
Many organizations set out with the best of intentions but get waylaid by the ‘latest and greatest’ vulnerabilities.
Heartbleed. Poodle. Shellshock.
These ‘headliners’ might seem like your biggest concern. But ultimately, you’re far more likely to be breached as a result of unpatched software or an outdated operating system.
To put this in perspective, think about human illnesses. Swine flu and Ebola might seem like a huge issue, but you’re still far more likely to come down with a common cold.
Ultimately, by over-focusing on these headline vulnerabilities and committing too many resources to resolving them, you’ll leave your organization severely exposed to the threats that are abused far more often.
Inefficient risk prioritization
The sheer number of vulnerabilities that need to be addressed in a typical enterprise can overwhelm even the most experienced IT shops.
Even if an organization is committed to proactive bug management, it can still fail to address the worst vulnerabilities before they are exploited. This can happen if you don’t properly prioritize remediation based on risk.
This means a formalized ranking system based on variables such as the following:
- Severity of vulnerability
- Software’s importance
- Sensitivity of the data it holds
- Sensitivity of systems running the software
Kenna Security’s research reveals that digital attackers tend to craft exploit code for an extremely small percentage of known security holes. It therefore doesn’t make sense for organizations to treat all vulnerabilities the same. Nor is it beneficial for organizations to drop everything they’re doing and direct all their focus to a flaw that the media has hyped up for no meaningful reason. Instead, organizations should prioritize their vulnerability management efforts.
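To make the ranking concrete, here is an added example (not code from the original post or from Kenna Security) of a small scoring function that combines the four variables listed above with a fifth signal the Kenna finding argues for: whether exploit code is known to exist. The weights, the 1-to-5 scales, the tier thresholds and the sample findings are all constructed assumptions for illustration. The sample set is built so that a headline-grade bug on an isolated lab box ranks below a medium-severity bug with a public exploit on a production database, which is exactly the point of the two sections above.

```python
from dataclasses import dataclass

# Weights for the three components of the score (assumed values, not from the
# original post; tune them to your own risk appetite). They sum to 1.0 so the
# final score stays in the range 0 to 100.
W_SEVERITY = 0.3   # how bad the bug is on its own (CVSS base score)
W_CONTEXT = 0.4    # how much the affected software, data and system matter
W_EXPLOIT = 0.3    # whether working exploit code is known to exist


@dataclass(frozen=True)
class Finding:
    vuln_id: str              # constructed label, not a real CVE number
    host: str                 # constructed host name
    cvss: float               # severity of the vulnerability, 0.0 to 10.0
    software_importance: int  # 1 (non-critical) to 5 (business critical)
    data_sensitivity: int     # 1 (public data) to 5 (regulated / personal data)
    system_sensitivity: int   # 1 (isolated lab) to 5 (production, internet-facing)
    exploit_public: bool      # True if exploit code is known to circulate


def priority_score(f: Finding) -> float:
    """Return a 0-100 priority score; higher means remediate sooner."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"CVSS out of range for {f.vuln_id}: {f.cvss}")
    for name in ("software_importance", "data_sensitivity", "system_sensitivity"):
        if not 1 <= getattr(f, name) <= 5:
            raise ValueError(f"{name} out of range for {f.vuln_id}")

    severity = f.cvss / 10.0                                   # normalise to 0..1
    context = (f.software_importance + f.data_sensitivity
               + f.system_sensitivity) / 15.0                  # normalise to 0..1
    exploit = 1.0 if f.exploit_public else 0.0
    score = 100.0 * (W_SEVERITY * severity + W_CONTEXT * context + W_EXPLOIT * exploit)
    return round(score, 1)


def remediation_tier(score: float) -> str:
    """Map a score to a work queue. Thresholds are assumed, not from the post."""
    if score >= 80.0:
        return "urgent"
    if score >= 60.0:
        return "high"
    if score >= 40.0:
        return "medium"
    return "low"


def prioritize(findings):
    """Return findings ordered from most to least urgent."""
    return sorted(findings, key=priority_score, reverse=True)


# Constructed sample findings for the example; none of these are real assets.
SAMPLE_FINDINGS = [
    # A: critical-rated "headline" bug, but on an isolated lab VM with no known exploit
    Finding("VULN-A", "lab-vm-01", cvss=9.8, software_importance=1,
            data_sensitivity=1, system_sensitivity=1, exploit_public=False),
    # B: medium-severity bug with public exploit code on the production customer DB
    Finding("VULN-B", "prod-db-01", cvss=6.5, software_importance=5,
            data_sensitivity=5, system_sensitivity=5, exploit_public=True),
    # C: old, well-known bug with public exploit on an internet-facing web server
    Finding("VULN-C", "web-edge-02", cvss=7.5, software_importance=4,
            data_sensitivity=3, system_sensitivity=5, exploit_public=True),
    # D: low-severity bug on an important production host, no known exploit
    Finding("VULN-D", "prod-app-03", cvss=4.3, software_importance=5,
            data_sensitivity=4, system_sensitivity=4, exploit_public=False),
]


if __name__ == "__main__":
    print(f"{'id':8} {'host':12} {'cvss':>5} {'score':>6}  tier")
    for f in prioritize(SAMPLE_FINDINGS):
        s = priority_score(f)
        print(f"{f.vuln_id:8} {f.host:12} {f.cvss:>5} {s:>6}  {remediation_tier(s)}")
```

Running it prints the queue with VULN-B at the top (score 89.5) and the headline-grade VULN-A at the bottom (score 37.4), despite VULN-A having the highest CVSS score. The range checks matter in practice: scanner exports routinely contain missing or out-of-scale asset tags, and a silent default of zero would quietly push real risk to the bottom of the list.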
Poorly placed scanners
Many times the people in the trenches who perform vulnerability assessments don’t have a big-picture view of the network topology. They might not be aware of where internal firewalls, IDS/IPS sensors, and WAN connections sit. This can cause big problems.
These teams try to perform scans from a central location and get erroneous results because other security tools block the assessment or network bandwidth throttles it. NAT environments and connection limits can also wreak havoc on a scan, even with whitelisting rules in place. Properly architecting scanner placement is key to producing meaningful and accurate results.
Not automating remediation
Let’s just come out and say it: Manual patching doesn’t work. Given the sheer volume of vulnerabilities, the limited resources of security and IT teams, and the often complex procedures to navigate, manual patching can only ever be a slow, infrequent, and frustrating process.
If you’re stuck manually patching your applications and systems, it is practically guaranteed that they’re not fully up to date and secure. By automating the remediation process from start to finish instead, you can ensure patching happens promptly without requiring massive resources.
Lack of collaboration
This shouldn’t come as a surprise, but no one can handle remediation all by themselves. First of all, the task is too massive. In 2019 alone, 17,000 vulnerabilities were added to the U.S. National Vulnerability Database.
Second, even if you trim that list to the highest-risk vulnerabilities, you still have to work with other members of your company to arrange the best time for the remediation to take place.
Third, security teams need IT and operations to get remediation done, but the groups are often working in silos. While security teams are raising red flags about vulnerabilities and attempting to remediate them, IT and operations teams are often more concerned with business continuity. Without a handshake between them, vulnerabilities don’t get remediated.
It’s all in the plan
Software vulnerabilities are an unavoidable fact of life for enterprise IT teams. New ones are found all the time, and older ones are still being exploited. It’s a “drinking-from-the-firehose” situation that can no longer be ignored.
In the end, avoiding these vulnerability remediation mistakes comes down to planning.
If your process is well-planned, well-resourced, and well-documented, you’ll find problems are kept to a minimum. Sure, things will go wrong now and again, but you’ll be in a very strong position to deal with them.
In the long run, it’s much easier to fix your process now than it will be to continually fight the fires caused by a lack of planning, resources, or documentation.