Security and IT teams are currently fighting a flood of software vulnerabilities. In 2018 alone, a record 16,555 were reported. Of these, thousands affected every cloud-native SaaS or enterprise company. Some of these vulnerabilities were only potentially dangerous, but others affected tens of thousands of customers.
In one serious incident, data related to 380,000 British Airways reservations, including payment information, was stolen in 2018. Businesses, and especially large enterprises, are responding to these threats by investing significant amounts of time and money to stem the tide. Unfortunately, these efforts have not been successful for the most part. In this blog, we explore why this is and what can be done about it.
With so many vulnerabilities out there, companies must understand why the old approaches don’t work and find new, more effective ways of remediating the most serious problems.
Moving Past a “Fix Everything” Approach
The traditional approach to vulnerability remediation can be summarized as “Fix everything according to severity.” There are several reasons why this approach has not worked. The first is that it is simply impossible to remediate every vulnerability. With the rapid growth of the cloud and mobility, the number of products that companies use has skyrocketed. That increase was accompanied by a growth of over 200% in the number of vulnerabilities within the past two years alone. Some of these products are essential for many businesses and must be installed, even if they already have known vulnerabilities. Real-life experience has shown that the volume of vulnerabilities is too much to handle, even for the best security teams out there.
Moreover, not all vulnerabilities need to be fixed. Each potential problem affects businesses differently. In many cases, vulnerabilities that are considered severe and a “must-fix” by “objective” metrics in reality have limited or no impact on the enterprise’s bottom line.
Traditionally, security and IT teams would prioritize every vulnerability with a Common Vulnerability Scoring System (CVSS) rating of “Critical” to be fixed before addressing any ranked “Medium.” In reality, the actual severity of a vulnerability depends on the enterprise’s environment, which a CVSS base score cannot take into account. Security teams must understand the true risk that a vulnerability poses to their environment. Without a way to assess the actual impact of a vulnerability, you could spend your time and money on the wrong problem.
Finally, some approaches to patching can actually make matters worse. Although the patches themselves might remediate a vulnerability, inserting them into a production environment can backfire for several reasons. First, patches often have flaws that do not appear in testing environments. Moreover, any patch installed in a specific environment must interact with the software that is already present. Installing patches on an emergency basis, without coordination between security, IT, and DevOps teams, can lead to complications in development, including higher costs.
The danger is greater for companies lacking tools that provide full visibility of their entire network. In such cases, it is impossible to know how a patch will affect other software and resources. Without proper planning and full visibility of a company’s network resources, an emergency patch can result in downtime or, worse, a server outage and lasting damage.
Introducing a Risk-Based Approach to Vulnerability Response
Fortunately, there’s a better way, one that will help you reduce the risk to your business and save you time and money: using proper vulnerability intelligence and a risk-based approach.
Instead of automatically remediating all “critical” vulnerabilities first, prioritize vulnerabilities by their true risk to the business. This will ensure that you allocate your company’s resources more effectively.
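As an added illustration (not code from the original post), the script below ranks a constructed set of findings by contextual business risk instead of by CVSS base severity alone. The weighting factors, asset names and `CVE-XXXX-*` identifiers are placeholders chosen for the example; a real program would derive them from its own asset inventory and threat intelligence.

```python
# Added example: environment-aware prioritization versus raw CVSS severity.
# Weights, assets and CVE-XXXX-* identifiers are constructed placeholders.
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str                   # placeholder identifier, not a real CVE
    asset: str
    cvss_base: float           # 0.0-10.0 base score from the advisory
    internet_facing: bool      # reachable from outside the network
    handles_payment_data: bool # asset processes cardholder data
    exploit_public: bool       # working exploit code is publicly available
    mitigated: bool            # compensating control already in place


def cvss_label(score: float) -> str:
    """Qualitative CVSS v3 rating for a base score."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low" if score > 0.0 else "None"


def business_risk(f: Finding) -> float:
    """Scale the base score by exposure, data sensitivity, exploit
    availability and existing mitigations (factors are assumptions)."""
    score = f.cvss_base
    score *= 1.5 if f.internet_facing else 0.6
    score *= 1.4 if f.handles_payment_data else 1.0
    score *= 1.3 if f.exploit_public else 0.8
    if f.mitigated:
        score *= 0.3
    return round(min(score, 10.0), 2)


def prioritize(findings):
    """Return findings ordered by business risk, highest first."""
    return sorted(findings, key=business_risk, reverse=True)


# Constructed sample findings: a "Critical" on an isolated, mitigated dev box
# and a "Medium" on an internet-facing checkout server with a public exploit.
SAMPLE = [
    Finding("CVE-XXXX-0001", "dev-jenkins-01", 9.8, False, False, False, True),
    Finding("CVE-XXXX-0002", "web-checkout-03", 6.5, True, True, True, False),
    Finding("CVE-XXXX-0003", "hr-intranet", 7.5, False, False, False, False),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{f.asset:16} {f.cve} {cvss_label(f.cvss_base):8} "
              f"base={f.cvss_base} risk={business_risk(f)}")
```

Run as-is, the "Medium" checkout finding lands at the top of the queue and the "Critical" dev-box finding at the bottom, which is the reordering the text argues for.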
In order to assess your risk correctly, coverage is key. While enterprises use a variety of tools to manage their environment, the reality is that there are many inconsistencies between them. These inconsistencies can lead to undetected vulnerabilities and, in turn, to unpatched vulnerabilities. Having proper coverage for your environment is the basis for implementing an efficient vulnerability response and management program.
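One concrete way to surface the coverage gaps described above is to reconcile the asset list from one tool against another. The check below is an added example, not code from the original post; the CMDB and scanner records, their field names and the hostname convention are constructed assumptions.

```python
# Added example: find hosts the CMDB knows about that no scanner has assessed,
# and hosts a scanner found that the CMDB does not know (shadow assets).
# Records and field names are constructed for illustration.


def normalize_host(name: str) -> str:
    """Tools disagree on case and on FQDN vs short name; compare short names."""
    return name.strip().lower().split(".")[0]


def coverage_gaps(cmdb, scanner):
    """Return (unscanned, unknown). Each record is a dict with 'host' and
    'ip'; a host counts as matched if either its name or its IP lines up,
    because one tool may only have seen it by address."""
    cmdb_by_name = {normalize_host(a["host"]): a for a in cmdb}
    cmdb_ips = {a["ip"] for a in cmdb}
    scan_names = {normalize_host(a["host"]) for a in scanner}
    scan_ips = {a["ip"] for a in scanner}

    unscanned = sorted(
        name for name, a in cmdb_by_name.items()
        if name not in scan_names and a["ip"] not in scan_ips
    )
    unknown = sorted(
        normalize_host(a["host"]) for a in scanner
        if normalize_host(a["host"]) not in cmdb_by_name
        and a["ip"] not in cmdb_ips
    )
    return unscanned, unknown


# Constructed inventories from two tools that name hosts differently.
CMDB = [
    {"host": "WEB-CHECKOUT-03.corp.example", "ip": "10.0.1.3"},
    {"host": "db-payments-01.corp.example", "ip": "10.0.2.1"},
    {"host": "hr-intranet.corp.example", "ip": "10.0.3.7"},
]
SCANNER = [
    {"host": "web-checkout-03", "ip": "10.0.1.3"},
    {"host": "legacy-ftp", "ip": "10.0.9.9"},
    {"host": "unknown", "ip": "10.0.3.7"},  # seen by address only
]

if __name__ == "__main__":
    unscanned, unknown = coverage_gaps(CMDB, SCANNER)
    print("never scanned:", unscanned)
    print("not in CMDB:  ", unknown)
```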
Once you identify the vulnerabilities that are actually dangerous, you can remediate them, preferably using automation wherever possible. Automation really pays off at the enterprise level, as it lets you remediate at scale, cutting costs and manpower, as well as ensuring that changes are made consistently. Moreover, automation makes it easier to fix a recurring problem in a particular way, and to solve a set of problems in a predefined order. With smart automation, teams can reduce repetitive, mundane tasks.
A risk-based approach to vulnerability response, relying on smart automation, is your company’s best option. It keeps everyone focused on the threats that really matter, saves time and money, and helps manage the vulnerability flood.