Why we need to revamp our approach to vulnerability management
Marco Rottigni, chief technical security officer, EMEA at Qualys on the need to revamp our approach to vulnerability management, particularly in the age of remote working
While lockdowns are laudable, those of us lucky enough to be working safely from home should consider our exposure to the digital threat landscape. Countless predators prowl it, seeking to compound our isolation with virtual assaults that disrupt the innovation we are trying so hard to preserve.
As we authenticate remotely, we expose ourselves to opportunists ready to exploit the vulnerabilities in our software. As even the greenest member of your IT team will tell you, vendors work tirelessly (mostly) to plug such gaps, regularly releasing fixes for installation, so the solution is simple — make sure all your software is up to date.
The challenge we face — especially in the remote-working dynamic in which we now find ourselves — is the complexity of the task. Even in ideal circumstances, where all our employees are working in the same building, authenticating to the same physical server, we face problems. Many of the endpoint solutions we use do not play well together, leading to false positives and delays in detection and response.
Add in dozens, hundreds — perhaps thousands — of unvetted, employee-owned devices that daily join your corporate environment, and you begin to see the threat. The lending platform Lendf.me discovered recently that software vulnerabilities are not something easily dismissed, when it suffered a US$25-million loss at the hands of cybercriminals who exploited such a flaw.
Break it down
What we need is more visibility, richer reporting, more intelligent monitoring and slicker response-orchestration. We need to trawl our real-time environment activity and overlay a reservoir of accumulated industry intelligence; and we need this to be, wherever possible, automated. We need to merge vulnerability management with real-time detection and response to unify our cyber security strategies into a single, coherent posture: vulnerability management, detection and response, or VMDR.
The VMDR approach starts by looking at the four stages of vulnerability management. We begin with visibility, because you can’t protect your assets if you don’t know what you have. Decades of upgrades to applications and platforms; the emergence of new ones; the rise of the cloud and the data centre; the emergence of mobile devices and virtual environments. This digital biodiversity adds multiple layers of complexity to IT estates. How do you begin to understand such sprawling ecosystems? How do you build a global asset inventory?
The second stage is vulnerability assessment. Everything within your digital miasma is a potential inroad — each piece of hardware, each application and each employee. Once you can see it all, your challenge is just beginning. How do you establish update statuses for each entity? How do you learn what patches have been applied and which have not?
Third, we move on to prioritisation — how do you sensibly tackle all the vulnerabilities in front of you? Assuming you do not have endless man-hours at your disposal, you need to prioritise patching. You must focus on the overlap between those flaws that could lead to the greatest business impact and those that are most frequently exploited by attackers. Keep in mind that attackers chase value, so sometimes they will latch onto an old vulnerability, which may appeal to them far more than the prestige of successfully leveraging a zero-day.
And fourth, remediation. How do you decide between patching and configuration? And how do you strategise for when an attack occurs?
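As an added illustration of the four stages above (example code written for this page, not code from the article or from any Qualys product), the following Python prioritiser joins a constructed asset inventory with constructed assessment findings, ranks them by the overlap of business impact and active exploitation so that an old but exploited flaw outranks a newer, higher-CVSS one, and chooses patching versus configuration for remediation. All asset names, vulnerability ids, scores and dates are made up.

```python
from dataclasses import dataclass
from datetime import date

# Constructed asset inventory (visibility stage): business impact on a 1-5 scale.
ASSETS = {
    "pay-db-01": {"business_impact": 5, "owner": "finance"},
    "web-edge-03": {"business_impact": 4, "owner": "it"},
    "dev-laptop-7": {"business_impact": 1, "owner": "byod"},
}

@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str             # placeholder ids, not real CVE numbers
    cvss: float
    published: date
    exploited_in_wild: bool  # overlay from a threat-intelligence feed
    patch_available: bool

# Constructed findings from the assessment stage.
FINDINGS = [
    Finding("pay-db-01", "VULN-OLD-1", 7.5, date(2017, 3, 1), True, True),
    Finding("web-edge-03", "VULN-NEW-2", 9.8, date(2021, 5, 20), False, False),
    Finding("dev-laptop-7", "VULN-NEW-3", 9.0, date(2021, 4, 2), True, True),
    Finding("pay-db-01", "VULN-LOW-4", 4.0, date(2020, 8, 9), False, True),
]

def priority_score(f: Finding, assets=ASSETS) -> float:
    """Rank by the overlap of business impact and attacker interest.
    Age is deliberately not a factor: an old flaw that is actively
    exploited stays at the top of the queue."""
    impact = assets[f.asset]["business_impact"]
    attacker_interest = 2.0 if f.exploited_in_wild else 1.0
    return impact * attacker_interest * f.cvss

def remediation(f: Finding) -> str:
    # Stage four: patch when a fix exists, otherwise reduce exposure by configuration.
    return "patch" if f.patch_available else "mitigate-by-config"

def prioritise(findings=FINDINGS, assets=ASSETS, today=date(2021, 6, 1)):
    """Return the remediation queue, highest priority first."""
    ranked = sorted(findings, key=lambda f: priority_score(f, assets), reverse=True)
    return [
        {"asset": f.asset, "vuln": f.vuln_id, "score": priority_score(f, assets),
         "age_days": (today - f.published).days, "action": remediation(f)}
        for f in ranked
    ]

if __name__ == "__main__":
    for row in prioritise():
        print(row)
```

The output places the four-year-old, actively exploited flaw on the payment database first, while the unpatched edge vulnerability with no fix available is routed to configuration-based mitigation rather than left waiting for a patch.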
Pull it together
The challenge of VMDR comes from the fragmentation of the four steps, which are often split across IT, security and possibly compliance teams, who may all procure their solutions in isolation. But if we consider a single platform that unifies the workflows of these disparate functions (IT, security and compliance), then we are really on the road to a game-changing threat posture. The discovery, prioritisation and patching of our most critical vulnerabilities in real time, at a global scale, across diverse technology ecosystems — that should be our goal.
VMDR automatically identifies devices across the digital landscape in real time and allows organisations to maintain up-to-the-minute accuracy on global IT asset inventories. Teams can reliably detect software vulnerabilities, out-of-date certificates and misconfigurations in the moment and prioritise them. Imagine having multiple views of your environment and the events within it, based on your corporate role: views of vulnerabilities by age and severity; monitoring of patches over time; images of the cloud; instantaneous reports of the compliance posture of remote workforces. All are possible with VMDR.
By collecting metadata on everything we do and everything that occurs within our environments, and comparing it with meticulous research on vulnerabilities and their exploitability, we get a clearer picture of our security status. Add in cyberthreat intelligence and the picture gets clearer. Include geolocation metadata from devices and applications and the picture gets clearer still. In VMDR, context is everything when trying to deliver actionable intelligence in real time. By presenting all this gathered and industry-pooled information in visually rich views of the enterprise, our prioritisation becomes more intelligent.
What opens up is a world of smart decision-making and targeted mitigation across a diverse digital sphere of on-premises devices, cloud, mobile, containers, Web apps and APIs. As such, VMDR has a far richer return than the more traditional CVE-based solutions that tend to deliver a false sense of safety because they operate in isolation without tapping into historic data.
On premises, cloud, hybrid — it doesn’t matter. Virtual or physical — it doesn’t matter. Vetted, corporate-issued PCs or wild, rebellious employee devices — it doesn’t matter. All are visible; all are manageable; all can be adequately protected to the satisfaction of line of business, IT, security and compliance functions.
As we look to our future, which is likely to include a surge in the digitisation of our professional and personal lives, how safe will our digital assets be in that world? Will our environs be riddled with holes or patched and ready to go?