Why it’s time to be complacent about digital security vulnerabilities
There is a growing realization in the industry that it is better not to remediate all digital security vulnerabilities. Sounds contrarian but makes a lot of sense when we look at the math behind vulnerabilities. For instance, 2020 DBIR report revealed that 2.5% or fewer alerts involve exploiting a vulnerability. NVD database has 150,000 reported vulnerabilities, less than 10% of them are exploitable. A smaller percentage of exploitable vulnerabilities get used in ransomware, malware, and targeted attacks.
This raises the question of the generic approach of fixing all vulnerabilities that are detected. The system of fixing vulnerabilities on high-value assets no longer works; attackers can start by compromising lower-value assets and linger in the environment.
The effort to mitigate a vulnerability is also significant. It takes several person weeks of effort to remediate vulnerabilities, ranging from impact analysis of patch to the actual patching activity or secure configuration of systems. Not to mention the effort that comes up when patch reversals happen due to disrupted functionality. The time taken to remediate is also high. One industry estimate puts the average time to fix at 176 days. That’s an average time to fix of almost six months. This is a long window of opportunity for cyber-crime syndicates to breach any organization.
In short, the way we look at vulnerabilities and manage them needs to change. Modern Chief Information Security Officers (CISOs) gravitate towards more innovative ways of executing a vulnerability management program. One such example is the concept of prioritizing a vulnerability. It might be more prudent to focus on the smaller set of vulnerabilities being exploited and be complacent about fixing the more extensive collection of thousands of vulnerabilities that cyber-crime syndicates are not looking at.
Atos listened to leadings CISOs to hear about the trends they saw. We added our observations as a Vulnerability Management Program provider working with leading enterprises across the globe.
Vulnerability assessment is now getting centralized and run as continual operations instead of a periodic stop-start program. De-duplication of vulnerabilities and prioritization becomes essential in the context of continuous scanning operations. A good prioritization engine can pick out the 2% of vulnerabilities that truly require remediation, saving time and money while beefing up protection. The prioritization process performs continuous evaluation of vulnerabilities against external and internal parameters to re-score the prioritization value. Sample prioritization parameters include exploited vulnerabilities, vulnerabilities used by ransomware, APTs, high-impact attack campaigns, CVE scores, and asset criticality. Certain vulnerabilities can become critical to fix in the context of changes to some external or internal parameters. For example, a flash plugin vulnerability might bubble up and become critical in the context of ransomware spreading based on exploiting the vulnerability. Another trend we noticed is industry leaders scan for Indicators of Compromise (IOC) to identify if a breach has already happened on any of the systems. This process is over and above the regular scans for vulnerabilities and security configurations. This is the new reality in the light of continuous hits from ransomware and other malware.
Virtual patching using IPS or WAF is also being used to remediate vulnerabilities without patching all affected machines effectively.
An approach that recognizes the need for machine and human strengths
It’s also important to realize that effective vulnerability management means more than just hooking up a scanning software tool and setting it to repeat indefinitely. While automation is a critical part of VM, there will be scenarios where human skill sets and judgment will become necessary. Here’s one example: choosing to apply virtual patches via an IDPS (intrusion detection and prevention system) to mitigate several vulnerabilities in one go, rather than trying to apply corrections one by one to a large population of machines and systems. This judgment will require a level of risk thinking and cannot be achieved with automation – at least not yet.
The double whammy of better vulnerability management
Complacency is a risky commodity in any area of business. The good news is that in vulnerability management, complacency is a virtue. Don’t spend remediation effort on vulnerabilities with a low prioritization score or have not bubbled up to be severe enough to fix. Instead of boiling the ocean, it is better to focus on fixing vulnerabilities that can cause harm and let the system bubble up vulnerabilities that require attention. This approach can help you can save costs and improve protection.