Knowing what NOT to do can sometimes be just as helpful as knowing the right thing to do. Oftentimes, CISOs and Vulnerability Managers have plans and practices in place that can actually be making matters worse by focusing on the wrong things. Let’s review some of these mistakes so you can avoid them in your own organization.
Mistake #1 – Focusing on the wrong metrics
To effectively communicate the risks associated with vulnerabilities, the risks need to be quantified using metrics. However, this narrative needs to be told with the relevant metrics. A simple count of total vulnerabilities doesn’t provide the necessary context of severity or likelihood of exploitation.
- Vulnerability Severity Rating: Focusing on the average CVSS score across the enterprise network doesn’t consider the impact a vulnerability may have on high-value assets in the organization. This metric also doesn’t include applicable data such as whether a vulnerability has an exploit in the wild, nor does it indicate its subjective technical severity. Reporting on the number of critical vs. non-critical vulnerabilities in your environment is also an ill-advised practice, as it suffers from the same challenges stated above.
- Vulnerability Scanning: Vulnerability scanning is an important aspect of vulnerability management; however, it can be a time-consuming task. Reporting on the number of times these scans are run is not a good enough indication of an organization’s security issues. Moreover, unless action is taken based on the scan results, the number of scans doesn't have any meaning on its own. It's the actions taken based on the scan results that improve an organization's security posture.
Mistake #2 – Trying to remediate every vulnerability
Old-school thinking of ‘remediate everything’ may have worked back when there were 1000 vulnerabilities per year, but these days there could be that many in just a few weeks. It’s simply not logistically feasible to try to remediate every vulnerability. Fortunately, not all vulnerabilities need to be fixed.
Because of the sheer volume of vulnerabilities being constantly released, the principles of risk management need to be incorporated to create a risk-based approach to vulnerability management. Organizational objectives need to be factored into providing a holistic view of the actual risk of each vulnerability as it relates to the priorities of the organization.
Patching and upgrading carry their own inherent risks that could cause an outage. Patching vulnerabilities that your organization can afford to leave unpatched only increases the chances that something will break, not to mention wasting time that could be better spent addressing business critical vulnerabilities.
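As an added example (not code from the original article), the following script contrasts the two metrics Mistake #1 warns against (average CVSS and a critical/non-critical count) with a risk-based ranking of the kind Mistake #2 calls for. The vulnerability IDs and assets are constructed placeholders, and the 1–5 asset-criticality scale, the doubling for a known in-the-wild exploit, and the deferral threshold are all illustrative assumptions.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Finding:
    """One scanner finding. The criticality scale (1 low .. 5 high) and the
    exploit weighting used below are assumptions for this example."""
    vuln_id: str
    cvss: float
    asset: str
    asset_criticality: int
    exploit_in_wild: bool


# Constructed sample data; the IDs are placeholders, not real CVEs.
FINDINGS = [
    Finding("VULN-1", 9.8, "dev-test-vm", 1, False),
    Finding("VULN-2", 7.5, "payments-db", 5, True),
    Finding("VULN-3", 9.1, "internal-wiki", 2, False),
    Finding("VULN-4", 5.3, "customer-portal", 5, True),
    Finding("VULN-5", 4.0, "lobby-printer", 1, False),
]


def average_cvss(findings):
    """The 'wrong metric': one average hides which assets are actually exposed."""
    return mean(f.cvss for f in findings)


def critical_count(findings):
    """Another poor metric: CVSS v3 'Critical' band (9.0+) vs. everything else."""
    critical = sum(1 for f in findings if f.cvss >= 9.0)
    return critical, len(findings) - critical


def risk_score(f):
    """Risk-based score: severity weighted by asset value, doubled when an
    exploit is known in the wild (both weights are illustrative assumptions)."""
    return f.cvss * f.asset_criticality * (2.0 if f.exploit_in_wild else 1.0)


def prioritize(findings):
    """Order findings by risk to the business, highest first."""
    return sorted(findings, key=risk_score, reverse=True)


def deferrable(findings, threshold):
    """Findings the organization can afford to leave unpatched for now,
    i.e. those below an agreed risk threshold (Mistake #2)."""
    return [f for f in findings if risk_score(f) < threshold]
```

Run against the sample data, the two CVSS-only metrics flag VULN-1 and VULN-3 as the "criticals", while the risk-based ranking puts VULN-2 and VULN-4 (exploited, on high-value assets) at the top and marks VULN-1 as deferrable.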
Mistake #3 – Worrying about the latest ‘critical’ vulnerability in the news
These days, some vulnerabilities get the attention of mainstream news outlets that can end up creating a lot of hype over the potential impact of a particular vulnerability.
A prominent example from last year is the Spectre and Meltdown vulnerabilities, which sparked warnings of performance slowdowns, chips needing to be replaced, and doomsday predictions of potential impacts. While the level of potential impact was actually quite severe, the reality was that there had not been any active exploits, and no malware or breach was discovered or leveraged. In hindsight, the overall initial reaction to these vulnerabilities was chaotic, impractical, and actually caused problems.
The news focused on the severity of the flaws and the pervasive scope of affected organizations, rather than the actual impact the vulnerabilities could have and what a reasonable remediation plan would be. This event provides a lesson for Vulnerability Managers: ensure that short-term priorities focus on vulnerabilities that are actually being exploited, or have a high probability of being exploited, with serious potential impacts on the enterprise.
Mistake #4 – Not collaborating on policies with business leaders
Vulnerability policies and processes shouldn’t be developed in a bubble. Ownership of this responsibility should not fall to just one person in IT, and it certainly shouldn’t be seen as just another task on top of many other IT duties. It’s no longer acceptable to involve business leaders in vulnerability discussions only every quarter; proper cyber awareness and hygiene must be understood by the C-Suite and made a priority. Remediation policies should be developed jointly with the business leaders in advance, and not ‘negotiated’ on an ad hoc basis.
A good vulnerability management program includes risk assessment that is based on defining business critical impacts. Vulnerability Managers need to work together with business leaders to determine what’s business critical and what’s not. It's helpful to base discussions with business leaders on solutions, not problems. Dan Lohrmann, the former CSO of the State of Michigan, says "communication that talks about business priorities and reducing risk is usually well-received when compared to technical jargon." Getting business leaders involved also ensures that they ‘buy in’ to the final plan, and solidifies their ability to see the value vulnerability management provides to the business as a whole.
As vulnerability management has grown more complicated, the cost of following any of these worst practices has grown. Don’t get stuck focusing on the wrong target; start pursuing the only goal that really matters: risk reduction and vulnerability remediation.