By Srinivas Mukkamala, Co-Founder and CEO, RiskSense
Vulnerability management doesn’t always get the attention it needs until it’s too late. It is siloed and slow to adapt to digital transformation and the attack surface that comes with it. Applications, software-as-a-service, cloud, containers, open source and DevOps continuous integration and delivery pipelines all need to be assessed in order to achieve cohesive visibility into risk. These gaps leave exposure points that adversaries use to get in; in the worst case, the result is a ransomware attack, and such attacks are becoming all too common. Data theft is also on the rise: double extortion is now prominent among ransomware groups, who threaten to disclose stolen data and so keep leverage over victims whether or not they pay the ransom. Vulnerability management needs to evolve to help organizations combat this growing problem.
Getting visibility into vulnerability exposure risk across infrastructure and applications, prioritizing it, and remediating what matters most is everyone’s goal. However, it is easy to stay busy without knowing whether the outcome is really making a difference. The larger the organization, the more it suffers from these problems, because it is harder to shift and evolve an established program: while large organizations do spend on vulnerability scanning tools and services, until recently they have not prioritized evaluating and changing how those programs work. Gartner’s Top 10 Security Projects for 2020-2021 lists the projects enterprises should look at to drive business value and reduce risk; after securing the remote workforce, risk-based vulnerability management was the second recommended project.
I’ve seen organizations that perform their vulnerability scanning proficiently and on a regimented schedule. However, the IT and development teams cannot keep up with the bulk assessments and the overload of data. Remediation tickets for high priority changes get backlogged and the two sides become confrontational. The vulnerability scanners provide some threat intelligence enrichment of the plugin findings, but they lack exploit context and do not scale. When one such organization was able to consolidate and ingest all of these findings, track business criticality, and filter across business groups, asset types and exploitability, the teams became more productive and collaborative. In housekeeping, having the right tool for the job is a time-saver, and the same holds here. Risk-based vulnerability management is not achieved if you lack the transparency or the means to look at vulnerabilities in the context of the business. Security analysts, IT groups, developers and even executives should be able to visualize risk data, assess vulnerability susceptibility, and create the reports and dashboards they care about. When data is actionable and accessible it brings teams together and expedites vulnerability remediation.
With housekeeping, you can easily see where the most foot traffic is and read other signals for prioritizing cleaning effort. With vulnerability management, it is not so easy. This is why organizations need to consider the threat context of each vulnerability: not just whether it is exploitable, but how adversaries are actually using it in the wild. There is no national database where you can simply look up a CVE by its exploitability. It is even harder to read the signals from threat intelligence and maintain an active knowledge base. There are not enough security professionals to source this talent in-house, and detailed threat intelligence feeds are out of budget for all but top tier enterprises. This leaves a knowledge gap that gives ransomware operators and other malicious actors plenty of opportunities, a deep weakness that comes to light with each new insight from a ransomware attack or breach.
Now consider application vulnerabilities, where CWEs express the class of weakness in the code and there may be no corresponding CVE at all. Understanding application scan findings takes another skill set, mostly possessed by the development team: knowing where the weakness sits in the code, how it is reached in the running application, and how often that path is exercised by the business. Traditional vulnerability management must catch up to the realities of digital transformation and deliver full-stack vulnerability management that provides prioritization and adversarial risk in one cohesive view across infrastructure and applications. What good is risk housekeeping if you cannot cover the entire organization by normalizing data from both CVEs and CWEs?
Another pitfall of vulnerability management is how risk acceptance is handled. Without a validated way of managing requests to delay patching or defer a vulnerability finding, organizations see only a partial risk picture. It is like someone tidying up before the cleaning service arrives: the place looks clean, but the dirt has only been moved out of sight. This loss of visibility happens when acceptance practices inadvertently hide the true scope of exposure because tools implement risk acceptance as a mere check-box. Missing are the details of who initiated the request, whether an authoritative role approved it, when the exception expires, and the plan for addressing the vulnerability in the future. Risk-based vulnerability management is not only about delivering better prioritization; it must also let organizations view their in-scope risk and, alternatively, all risk including the conditional exceptions. Immediate remediation priorities matter, but bad decisions about accepting vulnerability risk are just as critical.
Too many organizations rely on CVSS scores alone. A CVSS base score captures a vulnerability’s potential impact and how easy it is to exploit in the abstract; until now, patching the highest scores first was considered prudent. But adversaries do not limit themselves to high or critical vulnerabilities: they use all kinds, across an expanding range of products and vendors. The focus must shift to measuring the adversarial risk a vulnerability brings to the organization. The difficult part is that this requires continually evaluating the trends, activity and vulnerabilities in use across the growing set of ransomware families, malware variants and APT groups. The vulnerabilities that fly under the radar are often old, low scoring and easy to exploit, yet still yield remote code execution or privilege escalation (RCE/PE). Mapping an organization’s vulnerability findings to those actively used by threat actors has to become the new baseline expectation for risk-based vulnerability management. We need this to block malicious exploitation and reverse the ransomware trend we see in the media every day.
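As an added example (not RiskSense code and not a description of any product), the following Python sketch puts the two points above in one place: a prioritization that starts from the CVSS base score but is dominated by in-the-wild use, public exploit availability, RCE/PE impact and asset criticality, and a risk-acceptance record that only removes a finding from the in-scope view when it names the requester, carries approval from an authoritative role, has not expired and has a remediation plan. The weights, the set of authoritative roles, the field names and all sample findings and acceptances are constructed assumptions; the finding IDs are placeholders, not CVEs.

```python
# Added example for this article: risk-based prioritization with auditable risk
# acceptance. Not RiskSense code; weights, roles, field names and sample data are assumed.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    cvss: float              # CVSS base score, 0.0-10.0
    asset_criticality: int   # 1 (low) .. 5 (crown jewels), set by the business
    impact: str              # "RCE", "PE", "DoS", "INFO"
    exploit_public: bool     # working exploit code is publicly available
    exploited_in_wild: bool  # observed in active campaigns
    ransomware_use: bool     # used by one or more ransomware families

@dataclass(frozen=True)
class RiskAcceptance:
    finding_id: str
    requested_by: str
    approved_by: Optional[str]
    approver_role: Optional[str]
    expires: date
    remediation_plan: str

# Roles allowed to accept risk (assumed policy choice).
AUTHORITATIVE_ROLES = {"CISO", "Business Owner"}

def acceptance_is_valid(acc: RiskAcceptance, today: date) -> Tuple[bool, str]:
    """An acceptance only hides a finding if it is approved, current and has a plan."""
    if acc.approved_by is None:
        return False, "not approved"
    if acc.approver_role not in AUTHORITATIVE_ROLES:
        return False, f"approver role {acc.approver_role!r} is not authoritative"
    if today > acc.expires:
        return False, "expired"
    if not acc.remediation_plan.strip():
        return False, "no remediation plan"
    return True, "ok"

def adversarial_risk(f: Finding) -> float:
    """CVSS is only the prior; threat context and asset value dominate (assumed weights)."""
    score = f.cvss
    if f.exploit_public:
        score += 2.0
    if f.exploited_in_wild:
        score += 4.0
    if f.ransomware_use:
        score += 3.0
    if f.impact in {"RCE", "PE"}:
        score += 2.0
    # Scale by asset criticality: 1 -> x0.6, 3 -> x1.0, 5 -> x1.4
    return round(score * (0.4 + 0.2 * f.asset_criticality), 1)

def cvss_order(findings: List[Finding]) -> List[str]:
    # The traditional view: highest CVSS base score first.
    return [f.finding_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]

def prioritize(findings, acceptances, today, include_accepted=False):
    """Rank findings by adversarial risk as (finding_id, risk, status) rows.
    The default in-scope view drops findings with a *valid* acceptance; with
    include_accepted=True they stay, tagged "accepted", so all risk including
    conditional exceptions is visible. An invalid acceptance never hides a finding.
    """
    by_id = {a.finding_id: a for a in acceptances}
    rows = []
    for f in findings:
        acc = by_id.get(f.finding_id)
        if acc is None:
            status = "open"
        else:
            ok, reason = acceptance_is_valid(acc, today)
            status = "accepted" if ok else f"acceptance invalid: {reason}"
        if status == "accepted" and not include_accepted:
            continue
        rows.append((f.finding_id, adversarial_risk(f), status))
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows

# Constructed sample data: placeholder finding IDs, no real CVEs or hosts.
TODAY = date(2021, 3, 1)
FINDINGS = [
    Finding("F-1", "build-server", 9.8, 2, "RCE", False, False, False),
    Finding("F-2", "domain-controller", 5.3, 5, "PE", True, True, True),
    Finding("F-3", "public-web", 7.5, 3, "DoS", True, False, False),
    Finding("F-4", "erp-app", 8.8, 4, "RCE", True, True, False),
    Finding("F-5", "kiosk", 6.1, 1, "INFO", True, False, False),
]
ACCEPTANCES = [
    RiskAcceptance("F-4", "erp-team-lead", "j.doe", "Business Owner",
                   date(2021, 6, 30), "Upgrade ERP in the Q2 maintenance window"),
    RiskAcceptance("F-5", "kiosk-admin", None, None, date(2021, 12, 31), ""),
    RiskAcceptance("F-3", "web-ops", "c.lee", "CISO", date(2020, 12, 31),
                   "Rate limiting in place; patch pending vendor release"),
]

if __name__ == "__main__":
    print("CVSS-only order:", cvss_order(FINDINGS))
    print("In scope:", prioritize(FINDINGS, ACCEPTANCES, TODAY))
    print("All risk:", prioritize(FINDINGS, ACCEPTANCES, TODAY, include_accepted=True))
```

Running it shows the gap described above: under CVSS alone the 9.8 on the build server ranks first and the 5.3 privilege-escalation finding on the domain controller ranks last, while the adversarial-risk view inverts that because the latter is being used by ransomware operators against a crown-jewel asset. The two acceptance records that fail validation (one never approved, one expired) stay in the in-scope list with the reason attached, so a check-box exception cannot silently hide the exposure.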
About the Author
Srinivas Mukkamala, Co-Founder and CEO, RiskSense
Srinivas Mukkamala is Co-Founder and CEO of RiskSense, the industry leader in full spectrum risk-based vulnerability management. He is a recognized expert on cyber security and artificial intelligence (AI). He was part of a think tank that collaborated with the U.S. Department of Defense and U.S. Intelligence Community on applying these concepts to cybersecurity problems. Dr. Mukkamala was also a lead researcher for CACTUS (Computational Analysis of Cyber Terrorism against the U.S.) and holds a patent on Intelligent Agents for Distributed Intrusion Detection System and Method of Practicing.