Security vulnerabilities exist in all systems and software and must be managed as part of any holistic approach to running a Security program. The vulnerability management process consists of identifying, evaluating, reporting and remediating vulnerabilities in the most efficient and responsible way possible. Vulnerability Management gives us an opportunity to keep attacks ‘left of boom’, preventing them from becoming a costly breach.
In the U.S., a data breach costs a company on average $8.64 million, according to the Ponemon Institute’s 2020 Cost of a Data Breach report. So, if vulnerability management is so important, why do so many companies fall victim to seemingly preventable breaches?
In my research and experience, I have witnessed the simple, and unfortunate, fact that vulnerability management is hard. There are a lot of factors that must be taken into consideration. From vulnerability chaining to uptime (e.g., revenue). Availability is often given priority over security. After all, if the business isn’t making money Security doesn’t matter all that much. However, there must be a balance and a better understanding of downstream impacts for not properly managing these vulnerabilities. The consequences can be “a death by a thousand paper cuts.” Software and system vulnerabilities continue to grow and grow over time, to the point they become nearly impossible to manage if not taken seriously early.
I have seen this problem become so out of control it was easier for a company to just rid themselves of their data center. Just throwing it all away and starting over again was easier than attempting to regain control.
As anyone can see by this example, an organization must stay ahead with a solid vulnerability management program early in the game. If you don’t, you may end up with unmanageable risks and forcing you to make even more expensive decisions down the road.
[Related Reading: Vulnerability Management in the Cloud]
Protect More Than Just Your Perimeter
I often see companies become most vulnerable when they get really good at, and feel super protected with, establishing a hard perimeter, but neglect the internal network and end up with a hard shell and a “soft and gooey center.” Once an attacker penetrates that perimeter, and they will, they’re in complete control. The industry has been saying for years “the perimeter is dead” and in today’s world it’s not just dead, it’s been fully decomposed.
I led a forensic investigation many years back in which an attacker achieved domain administrator, full control, within minutes of gaining access to their back end. The attacker began the attack with a phone call to a manager of one of the remote stores with a pretext that required manager to sign a document for insurance purposes. Immediately following that call the manager received an email with a malicious PDF attachment. Each store had a connection to the company’s corporate back end via secure VPN. Once the manager opened the PDF the malware began to propagate, leveraging known vulnerabilities taking complete advantage of their perimeter-focused strategy which left the internal network vulnerable.
Majority of malware out there today are not exploiting a vulnerability that’s never been discovered (known in the industry as a “zero-day exploit”). There are vulnerabilities still existing in sites all over the world that have had patches available for years. As an example, remedies have existed for the popular EternalBlue exploit, used in the infamous WannyCry ransomware, for two or three years now, yet we still see those vulnerabilities used in breaches today.
Prioritize Your Assets
Part of the difficulty in dealing with vulnerability management has to do with confusion over the process. We often hear, “Where do I start?” from customers, which is understandable given how complex most enterprise networks have become.
There are different schools of thought on how a company should prioritize vulnerability management, and it often depends on the business needs. Some will focus on asset criticality — they know the “Crown Jewels” are in particular assets, so they focus on those first. Others will focus on assets with high vulnerability counts. Yet others will take the risky approach of focusing heavily on external assets, as mentioned above.
The objective is to get to a point where patching prioritization is an informed process and it’s also not the only trigger your vulnerability management process has to pull. Vulnerabilities can be mitigated in all sorts of ways: via tooling, segmentation, etc.
First, it is important to understand your data. This includes knowing where your critical data resides, the paths to accessing it, and the routes it flows. Once this is better understood you’re able to begin modeling out avenues of approaches to this data, highlighting the riskiest. You can also start taking into account advanced techniques like vulnerability chaining. Vulnerability chaining is when an attacker combines multiple vulnerabilities together in a major compromise. Their individual risks may be low but increase significantly in combination with each other.
This method of looking at your environment from the attacker’s perspective and identify paths to your most critical data is known as Threat Modeling. You pose questions such as: “If I were to come under attack, what would that look like? Where would they come from? If they succeeded in the attack, what is at risk?” You can utilize these threat models to evaluate which of your assets are high-risk. You might find assets you have otherwise neglected are direct paths to critical data. This is when vulnerability management truly starts to get exciting and rewarding.
Involve Security Personnel in Your Patch Management Process
When it comes to patch management, security personnel should definitely be involved in the process. They don’t necessarily need to drive the patch management process, but they should be informing it and helping with prioritizing where to patch next using some of the techniques described above. Security teams can not only bring this unique perspective, but also a unique data set to these conversations like, what types of attacks is the organization regularly experiencing and what assets are being most targeted. When contemplating which asset might need the most attention, understanding the assets which are publicly exposed and/or are under constant scrutiny by attacker bots are a great place to start.
As I touched on earlier, vulnerability management can also include things like configuration changes to harden assets or simply adjust routes. For example, you can look for opportunities such as limiting user admin rights. I still find a lot of companies with their Windows end users having administrator privileges on their machines, but these privileges really aren’t needed. If user admin rights were taken away many critical vulnerabilities, especially in Internet Explorer, become ineffective. While this strategy borders on configuration standards and gold images, it is still a vulnerability issue, and could save considerable money for a company. Your security team can bring these standards and perspectives to the table to help reduce risk and potentially offset existing vulnerabilities allowing for better patch prioritization.
Use a Vulnerability Management Solution to Prioritize Fast and Improve Your Security Posture
Alert Logic brings a benefit that others do not, which is the ability to evaluate active threats against existing vulnerabilities. This is done using Alert Logic’s Threat Risk Index, which is a vulnerability rating system designed to help a company determine which of their systems are most exposed and susceptible to a cybersecurity attack or breach. Going back to our discussion of prioritization, this functionality is probably the most accurate method of assessing where your vulnerability management program should be focused first.
Remember:
- Do prioritize your assets based on criticality, Asset Criticality
- Do build an understanding of where your critical data resides and how it flows throughout your environment, Data Flow
- Do build out paths to your critical data from potential points of entry from an attacker’s perspective, Threat Modeling
- Do bring your security team in on your patch management, Security Data Driven Decisions
- Don’t rely solely on patching systems to mitigate vulnerabilities; there’s often configuration changes that can mitigate big current, and future, risks with minimal effort; Configuration Standards & Gold Images
- Don’t just focus only on external vulnerabilities and a hardened perimeter, “soft and gooey center”
- Don’t hand out Administrator privileges without an explicit need, Least Privileges
