By Syed Abdur, Brinqa
Cyber vulnerabilities have a way of piling up. Vulnerability assessment and scanning tools report them in droves from every corner of the technology infrastructure – network, applications, cloud, containers, mobile, IoT, etc. Penetration testing programs proudly display vulnerabilities as the mark of a job well done. Threat intel sources generously send lists of them to you. Vendors send out notices and patches. It’s overwhelming. Even with the best of intentions, you could easily build up a backlog of hundreds, if not thousands, of vulnerabilities to remediate. In larger companies, this number is frequently in the millions. You want to take care of them all, but some are more important than others.
Practical remediation strategies can help you deal with this daunting challenge. They give you effective, realistic ways to reduce your backlog of vulnerabilities intelligently and efficiently. These include strategies such as incorporating business context and leveraging threat intel to help you identify and prioritize the vulnerabilities that pose the biggest risk to your organization. By grouping vulnerabilities for remediation and integrating existing IT Service Management (ITSM) tools and processes, organizations can help reduce the overhead associated with tracking and remediating vulnerabilities, freeing up valuable cybersecurity resources. Strategies such as developing and enforcing rules and policies for SLAs and ownership assignment, and automating the validation of remediation efforts, can significantly improve the consistency and effectiveness of your vulnerability management program.
Overcoming the “Remediation Gap”
The backlog of un-remediated vulnerabilities is only partly a matter of numbers. Yes, there are a ton of them. However, structural issues affect the remediation process as well. The time between a vulnerability being detected (discovered by a scanner or other source and reported to the right platforms) and the creation of a ticket that tasks a person with fixing the problem can stretch into months, during which time the affected system remains exposed.
Manual processes are the major culprit here. Assessing the severity and impact of individual vulnerabilities manually is error-prone and can lead to inconsistent results. This problem is exacerbated by IT staffers lacking a complete, unified set of information about the nature and impact of a vulnerability. Even a well-organized team can work only so efficiently when they have to manually toggle between multiple systems to take care of remediation.
New solutions are emerging that address the remediation gap by automating key aspects of the vulnerability prioritization and remediation process. These solutions normalize and correlate the disparate data that describe a vulnerability, presenting a complete picture to InfoSec professionals. For example, the information that fully describes the risk posed by a vulnerability affecting an ERP solution might be spread across the vulnerability scanner, firewall logs, endpoint detection and response (EDR) solutions, multiple threat intel feeds, and ticketing systems.
Seven Practical Remediation Strategies
The right approach to vulnerability remediation will give priority to the most pressing risks in the most efficient way possible. The remediation efforts will be validated, so all relevant stakeholders can be confident the matter was properly handled. The staffers doing the remediation work will be adequately informed about what they are doing, so they understand the priorities and impacts of their work. The work will be consistent, with clear ownership of tasks and responsibilities. The following seven practices help ensure these outcomes.
- Incorporate business context—Not all vulnerabilities affect a business equally. In fact, the same vulnerability can pose very different risks to a business depending on where it exists in the technology infrastructure. Does a vulnerability impact the availability of a critical business function? Does it threaten to expose sensitive or confidential information? Does a vulnerability, if unpatched, put your organization at risk of failing compliance? These questions are impossible to answer by looking only at the technical aspects of a vulnerability instance. The good news is that the information needed to build a comprehensive business context for vulnerability analysis already exists in your organization. Business continuity and disaster recovery initiatives measure the business impact of technical assets. Data protection programs keep track of where sensitive information resides in your organization. Audit programs monitor assets that determine compliance with the various standards. By identifying and incorporating this information during vulnerability analysis and prioritization, you can drastically improve the effectiveness of your vulnerability remediation efforts.
- Leverage threat intel—Just as business context helps you understand and communicate the internal impact of a vulnerability to your organization, threat intel represents the external, global implications of a threat. Is a particular vulnerability being weaponized by a known malicious actor? Are there malware families or exploit kits that leverage the vulnerability? Is there a spike in chatter around a vulnerability on the dark web? Updated much more frequently than vulnerability databases, threat intel can also help identify risks, e.g. “zero day” exploits, that vulnerability scanners may not yet have signatures for. By incorporating threat intel in the vulnerability analysis and prioritization process, organizations can respond to threats faster and proactively stay ahead of malicious actors.
- Consolidate vulnerabilities—The backlog of vulnerabilities invariably contains multiple tickets that address the same issue: the same vulnerability found on many hosts, or many findings that a single patch or configuration change closes. With a system that can identify findings that share a root cause or a fix and group them together, the volume of remediation work can be reduced dramatically. If you apply one fix, that might automatically knock down dozens of other tickets that convey the same information.
- Develop and enforce SLAs and ownership rules—It’s a good practice to be clear and consistent about the organizational aspects of vulnerability remediation. A Service Level Agreement (SLA) can help establish how promptly a particular vulnerability will be addressed. Ownership is the necessary twin rule to match the SLA. The IT organization needs to be able to say, “Yes, we will remediate this within 24 hours and John ‘owns’ the process.” That way, John knows exactly what is expected of him. To make this work, however, your vulnerability management program should provide mechanisms to codify this knowledge as rules or policies, and apply them automatically during vulnerability analysis and ticket creation.
- Use existing ITSM tools and processes—Most organizations already have an IT Service Management (ITSM) platform such as JIRA or ServiceNow to track IT tasks, software bug fixes, and the like. It’s wise to use this incumbent ITSM to manage remediation work. Adding another ticketing system adds to confusion and inefficiency. And, as often happens, remediating vulnerabilities aligns with other IT maintenance processes, so it makes sense for all tickets to be on the same system.
- Validate intelligently—This may sound obvious, but a sound remediation strategy will include a validation step. You should make every effort to avoid turning validation into a second, backlog-ridden workload. One way to do this is to automatically update tickets by verifying vulnerability status on subsequent scans. Be careful that “no longer reported” actually means “fixed”: a finding also disappears when a host was offline, was dropped from scan scope, or was scanned without working credentials, so a ticket should only be auto-closed when the asset was successfully scanned and the finding is absent. To further shorten the loop, you can trigger micro scans that check for specific vulnerabilities on target systems instead of waiting for regularly scheduled scans to validate fixes.
- Automate—Eliminating manual steps in the vulnerability analysis, prioritization, and remediation process is arguably the most significant way to overcome the remediation gap. Automation saves people time and helps reduce errors that occur as staffers toggle between systems and re-key data from one place to another.
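The following is an added example, not Brinqa’s code or any product’s logic, that puts strategies one through five together in a small Python pipeline: constructed scanner findings are enriched with business context and threat intel, scored, consolidated into one ticket per fix and owner, assigned an SLA by an ordered policy rule, and then re-validated against a follow-up scan. The scoring weights, SLA rules, asset records, vulnerability IDs and host names are all illustrative assumptions, not a standard or real data.

```python
"""Added example of a prioritization and remediation pipeline (not Brinqa's code).
Every data value below is constructed for illustration; IDs are placeholders."""
from dataclasses import dataclass, field

# Constructed scanner output: one finding per (vulnerability, host). "fix" is the
# remediation action the scanner or a knowledge base maps the finding to.
FINDINGS = [
    {"vuln_id": "V-1001", "host": "erp-db-01",    "cvss": 7.5, "fix": "db-patch-q1"},
    {"vuln_id": "V-1001", "host": "erp-db-02",    "cvss": 7.5, "fix": "db-patch-q1"},
    {"vuln_id": "V-1002", "host": "dev-build-07", "cvss": 9.8, "fix": "ci-agent-upgrade"},
    {"vuln_id": "V-1003", "host": "erp-web-01",   "cvss": 5.3, "fix": "web-patch-q1"},
]

# Business context pulled from BC/DR, data protection and audit programs (constructed).
ASSETS = {
    "erp-db-01":    {"criticality": "high", "sensitive_data": True,  "compliance_scope": True,  "owner": "dba-team"},
    "erp-db-02":    {"criticality": "high", "sensitive_data": True,  "compliance_scope": True,  "owner": "dba-team"},
    "erp-web-01":   {"criticality": "high", "sensitive_data": False, "compliance_scope": True,  "owner": "web-team"},
    "dev-build-07": {"criticality": "low",  "sensitive_data": False, "compliance_scope": False, "owner": "ci-team"},
}

# Threat intel feed (constructed): exploitation status per vulnerability.
THREAT_INTEL = {
    "V-1001": {"exploited_in_wild": True,  "public_exploit": True},
    "V-1002": {"exploited_in_wild": False, "public_exploit": False},
}

# Ordered SLA policy: first matching rule wins. Hours are assumptions, not a standard.
SLA_RULES = [
    ("exploited on critical asset", lambda s, a, ti: ti.get("exploited_in_wild") and a.get("criticality") == "high", 24),
    ("high risk score",             lambda s, a, ti: s >= 12.0,                                                     72),
    ("compliance scope",            lambda s, a, ti: a.get("compliance_scope"),                                     24 * 14),
    ("default",                     lambda s, a, ti: True,                                                          24 * 30),
]

def risk_score(finding):
    """Scanner severity plus business context plus threat intel (illustrative weights)."""
    a = ASSETS.get(finding["host"], {})
    ti = THREAT_INTEL.get(finding["vuln_id"], {})
    score = finding["cvss"]
    if a.get("criticality") == "high": score += 2.0
    if a.get("sensitive_data"):         score += 1.5
    if a.get("compliance_scope"):       score += 1.0
    if ti.get("exploited_in_wild"):     score += 3.0
    elif ti.get("public_exploit"):      score += 1.5
    return round(score, 1)

@dataclass
class Ticket:
    vuln_id: str
    fix: str
    owner: str
    hosts: list = field(default_factory=list)   # all hosts the ticket covers
    open_hosts: list = field(default_factory=list)  # hosts still affected
    score: float = 0.0
    sla_hours: int = 0
    rule: str = ""
    status: str = "open"

def build_tickets(findings):
    """Consolidate findings into one ticket per (vuln, fix, owner); the ticket takes the
    highest score and the tightest SLA of its members, so grouping never hides risk."""
    tickets = {}
    for f in findings:
        a = ASSETS.get(f["host"], {})
        ti = THREAT_INTEL.get(f["vuln_id"], {})
        s = risk_score(f)
        rule, sla = next((name, hrs) for name, pred, hrs in SLA_RULES if pred(s, a, ti))
        key = (f["vuln_id"], f["fix"], a.get("owner", "unassigned"))
        t = tickets.setdefault(key, Ticket(*key))
        t.hosts.append(f["host"]); t.open_hosts.append(f["host"])
        if s > t.score: t.score = s
        if t.sla_hours == 0 or sla < t.sla_hours: t.sla_hours, t.rule = sla, rule
    return sorted(tickets.values(), key=lambda t: (-t.score, t.sla_hours))

def validate(tickets, rescan_findings, scanned_hosts):
    """Auto-close tickets using a follow-up scan. A host counts as fixed only if it was
    actually scanned and the finding is absent; unscanned hosts stay open."""
    still_present = {(f["vuln_id"], f["host"]) for f in rescan_findings}
    for t in tickets:
        t.open_hosts = [h for h in t.open_hosts
                        if h not in scanned_hosts or (t.vuln_id, h) in still_present]
        t.status = "resolved" if not t.open_hosts else (
            "partially resolved" if len(t.open_hosts) < len(t.hosts) else "open")
    return tickets

if __name__ == "__main__":
    for t in build_tickets(FINDINGS):
        print(f"{t.vuln_id} owner={t.owner} score={t.score} sla={t.sla_hours}h ({t.rule}) hosts={t.hosts}")
```

Note what the ordering shows: the CVSS 9.8 finding on a low-criticality build host ranks below a CVSS 7.5 that is being exploited in the wild on a critical, compliance-scoped database, and the latter also gets a 24-hour SLA while the former gets the default. The `validate` step requires a host to appear in `scanned_hosts` before its finding can be treated as gone, which is the guard against closing tickets for hosts that were simply offline during the rescan.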
These strategies work together synergistically. Applied correctly, they contribute to keeping the vulnerability backlog to a minimum and proactively closing the remediation gap. It is possible to get better at remediating vulnerabilities—reducing risk exposure in the process. All it takes are the right tools and the best practices outlined above.
About the Author
Syed Abdur, Director of Product Management
BIO: Responsible for driving product strategy and technical direction of the Brinqa product lines. Ownership includes development roadmaps, product design, feature design, strategic technical integrations.