Today's IT environment is markedly different to that of the 90s. While changes to infrastructures and applications have helped us reach new highs, they've also brought along several challenges.
Nowadays, self-contained siloed data centers and networks no longer the norm and long deployment cycles are a thing of the past. Companies are working with CI/CD practices and implementing DevOps methodologies to deploy almost continuously, orchestrating collaboration between several teams and stakeholders at times. However, in order to manage these processes, teams must use more tools than ever before, resulting in much more complex, intertwined processes.
These changes have had a deep effect on the threat landscape. IT teams must protect a greater number of assets than ever: not only on-prem, but also cloud-based assets that increasingly incorporate third-party software. To make matters even more challenging, we've witnessed both a dramatic rise in yearly vulnerability disclosures as well as a substantial drop in the time it takes threat actors to exploit vulnerabilities.
These challenges require companies to reevaluate their approach to vulnerability management.
Vulnerability Management Programs: The First Generation
In the late 1990s, and even the early 2000s, we were seeing only around 1,000 vulnerabilities detected a year. Back then, vulnerability management programs were mostly manual, even for large enterprises. Software was manually scanned, threats were detected and IT decided what required attention, and these issues were solved. There was no real need for automation. It might have been hectic at times, but teams managed to get the job done.
Limitations of the Old Approach
With the shift to modern environments, Security and IT teams soon found the old approach to be ineffective. Manual methodologies of analyzing, prioritizing and remediating vulnerabilities ceased to be practical.
1. CVSS Scores Aren't Live or Wild
Until recently, many companies relied on CVSS scores as the sole, or main reference for assessing vulnerability criticality. The problem is, it were never designed to be a measure of risk! This scoring mechanism analyzes isolated conditions, and focuses on technical severity of vulnerabilities alone, and doesn't factor in the significance that the assets on which the vulnerabilities reside have or their importance to the business. Moreover, CVSS scores don't indicate which threats are actively being exploited in the wild. Focusing solely on CVSS scores, and disregarding what's going on in the wild with a given vulnerability could result in devastating implications for a company.
This is why is it has become crucial to implement risk-basked vulnerability management. The greatest threats are the ones that can do the greatest damage right now. Given the limited resources we have, we should always focus our remediation efforts to where they would have the greatest effect.
2. The Challenges That Come With Patching
The traditional "find it, fix it" approach, aiming to patch all vulnerabilities is no longer viable. In addition to the practical improbability of actually remediating everything, reality is, patching is a risky business:
- Risk of downtime: While patching plays a critical role in keeping your network safe, it is also likely to result in downtime. In the past, it was common to take web-based services offline for several hours for maintenance, but nowadays that's unacceptable.
- Risk of interference with other assets: When applying a patch to a certain asset, there's a chance that it will interfere with another asset in the network, resulting in unexpected results. This is true to a greater extent for cloud-native companies
- Risk of faulty patches: Certain patches may contain flaws that weren't exposed when tested. This risk is increased when there's a demand for quick deployment.
3. Costs: Financial and Otherwise
Legacy vulnerability management programs were not only ineffective, they were also very expensive! In 2019, the average company spent around 413 weekly hours on vulnerability management processes - the equivalent of around ten and a half full-time employees! These processes are very manual, time consuming and often quite repetitive. Even with the largest, best trained staff, vulnerability management programs pose a major challenge that can cause anything from frustration, errors, and major financial damage.
In a recent report, we've shown how to cut costs through automated vulnerability remediation:
4. Divided Teams
Communication gaps between Security, IT and DevOps teams make vulnerability management programs that much harder. This stems from a different mindset, language used and goals. This is why cross-team alignment is so critical to make sure our programs tick.
Vulnerability Management Program: The Field Today
Today’s best vulnerability management programs have been designed with the following principles in order to overcome the difficulties described above: improved prioritization of vulnerabilities, automation of remediation, and visibility.
The Value of Risk-Based Vulnerability Management
Risk based vulnerability management is a key component of any effective vulnerability management program. It ensures that remediation resources are targeted at the threats that pose the greatest risk the company.
It's crucial to understand that vulnerabilities as forever subjective, and exploiting the same vulnerability on different environments, or even different assets in the same environment would have a different impact. Using objective metrics alone, like the raw CVSS score, will inevitably skew your data. This is why teams ought to prioritize vulnerabilities according to the specific risk they pose to their business.
Automation is Required
Next, modern vulnerability management platforms need to fully support and implement automation through the entire process, from threat detection through to resolution. Automation quite simply saves time and money. In can ensure that the appropriate measures are applied both in a timely and an accurate manner.
Automation is fast becoming the only viable method to meet today's challenges, promoting consistency and efficiency, while minimizing the margin of error.
Complete Visibility is Essential
Lastly, modern vulnerability management platforms must provide complete visibility to the network, its assets and how they interact. Without a complete mapping of all the different components in your network, your remediation efforts with inevitably fall short.
Visibility is crucial when it comes to remediation tracking - knowing which measures were taken on which tool, when and by who - be it a new ticket opened or a patch that was deployed. The variety of tools used within a vulnerability lifecycle might make this task challenging, yet it a key component of a healthy, robust vulnerability management program
A Final Note
Legacy vulnerability management programs were not only ineffective, they were expensive. In 2019, the average company spent around 413 weekly hours on vulnerability management processes - the equivalent of around ten full-time employees, at a cost of almost $30k a week. Remediation processes are still mainly manual, time consuming and often quite repetitive. Even with the largest, best trained staff, vulnerability management programs pose a major challenge that can cause anything from frustration, errors, and major financial damage.
Our goal at Vulcan is to help companies modernize their approach to vulnerability remediation so they stop putting out fires and strategically manage vulnerability-related risk. For further detail: