IT departments are overwhelmed by the abundance of vulnerabilities that continue to grow at a rapid pace every day. They struggle to identify the most critical threats they must address right away at any given point to protect their organisations from a compromise. Attempting to eradicate 100% of vulnerabilities sequentially, by treating them all as equally important, is impractical, myopic and dangerous.
Some vulnerabilities represent a minor risk, while others must be addressed immediately. Ignoring serious vulnerabilities for extended periods of time while you tend to trivial ones is like deciding to paint a house whose roof you know is in danger of collapsing. Moreover, the damage potential of vulnerabilities fluctuates constantly. For example, a vulnerability considered unimportant for months can suddenly become critical if an exploit kit for it becomes widely available. Consequently, organisations that fail to properly prioritise vulnerability remediation open themselves up to devastating cyber-attacks. They risk sustaining extensive damage to their operations, financial standing, brand image, corporate reputation and customer and partner relationships.
To that end, here are the five requirements for prioritising vulnerability remediation.
A comprehensive and continuously updated view of all your IT assets
When attempting to prioritise vulnerability remediation, it’s what you don’t know that derails your efforts. At the most basic level, this means being aware of all the hardware and software in your organisation, from high-end systems to mobile apps. There can be no phantom servers, PCs, smartphones, tablets, printers, applications, middleware and the like lurking in your network without your knowledge. You must have a complete, unobstructed view of your IT environment at all times, and be instantly aware of its changes.
In addition to having a complete list of your IT assets, you need granular, detailed access to the components of each one. You must also understand how extensively each asset is interconnected with and dependent on other systems. Finally, it’s critical to know the role of each asset in your overall IT environment and how valuable and important it is to your organisation. This contextual knowledge and detailed data form the foundation upon which you can then begin the process of prioritising vulnerability remediation. Absent this underlying information structure, your attempts to assess vulnerability risks will be ill-informed and ultimately erratic and ineffective.
Knowledge of the constant stream of vulnerability disclosures
Just as you must have a clear and deep knowledge of your organisation’s IT assets, you also need to plug into the firehose of external vulnerability disclosures so that you are aware of the latest threats in the wild. This disclosure information flows uninterruptedly from multiple sources, including industry groups, government agencies, academic researchers, technology analysts and security vendors.
For example, you must be aware of zero-day vulnerabilities being actively exploited, publicly available exploit code, actively attacked vulnerabilities, lateral movement vulnerabilities that let hackers use a compromised system to attack other machines on the same network, vulnerabilities with high data loss potential, DDoS attacks and malware outbreaks.
The ability to correlate external threat information with the vulnerability gaps that exist in your IT environment
Let’s say you have a comprehensive, detailed view of your IT asset landscape. And you’re also up to date on the universe of thousands upon thousands of disclosed vulnerabilities. That is a great start, but you’re far from done. Now you must connect the dots. And to do so manually is an arduous task.
You need to mesh both sets of data, internal and external (your IT asset information and the disclosed vulnerabilities), and correlate them. And you need to be doing this continuously, so you’re alerted whenever there is a match. You also must be able to proactively conduct specific searches, combining multiple variables, to find assets that may be at risk. This will give you a dynamic snapshot of all the vulnerabilities that exist in your IT environment at any given moment.
Dashboards and reporting tools to visualise your threat landscape
Once you have correlated your internal and external threat data and identified impacted IT assets, you must be able to drill down on the data, mine it for patterns, slice and dice it, aggregate it in custom reports and represent it graphically. This multidimensional and iterative analysis of the data will allow you to extract insight and gain an awareness of your security posture that you otherwise wouldn’t have had access to.
You should be able to measure your progress and remediation efforts with real-time trend analysis and generate scan and patch reports for your stakeholders. After all, the goal is not just to identify vulnerabilities and assets, but rather to prioritise which ones you are going to remediate first.
Precise assessments of your organisation’s threat scenarios
Finally, you’re now ready to factor in various criteria for assessing how critical certain threat scenarios are in your organisation’s specific context using actionable intelligence. The goal is to be able to prioritise your vulnerability remediation tasks in a continual, contextual, automated and precise process.
Consider these two opposing scenarios. Let’s say there’s a vulnerable database product that is being savagely exploited in the wild, causing chaos in many companies. And you happen to have one instance of it. However, in your environment this database is only present on a system of marginal importance that is isolated from the rest of your infrastructure. You determine that if that asset were compromised, the risk to your organisation would be trivial. Likewise, you may encounter the opposite scenario, in which a vulnerability that isn’t attracting much attention in the industry may be a critical one for your organisation.
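As an added illustration (not code from the article or from any Qualys product), the following Python sketch shows the correlation step described earlier, matching a constructed asset inventory against a constructed disclosure feed, and then the contextual scoring behind the two scenarios just described. The vulnerability identifiers, products, asset records and scoring weights are all assumptions made up for the example.

```python
# Constructed asset inventory: each record carries the context the article
# calls for (installed software and version, business value, network isolation).
ASSETS = [
    {"id": "db-lab-01", "software": {"acmedb": "9.2"}, "criticality": 1, "isolated": True},
    {"id": "erp-prod-01", "software": {"erpsuite": "4.1"}, "criticality": 5, "isolated": False},
    {"id": "ws-042", "software": {"officeapp": "2.0"}, "criticality": 2, "isolated": False},
]

# Constructed external disclosure feed (placeholder ids, not real CVEs).
# VULN-A mirrors the "savagely exploited database" scenario; VULN-B the
# quiet vulnerability that happens to sit on a critical system.
FEED = [
    {"id": "VULN-A", "product": "acmedb", "affected": ["9.1", "9.2"],
     "exploited_in_wild": True, "exploit_public": True},
    {"id": "VULN-B", "product": "erpsuite", "affected": ["4.1"],
     "exploited_in_wild": False, "exploit_public": False},
    {"id": "VULN-C", "product": "officeapp", "affected": ["1.0"],
     "exploited_in_wild": True, "exploit_public": True},
]


def correlate(assets, feed):
    """Match each disclosure against the inventory by product and affected version."""
    matches = []
    for vuln in feed:
        for asset in assets:
            version = asset["software"].get(vuln["product"])
            if version is not None and version in vuln["affected"]:
                matches.append((vuln, asset))
    return matches


def priority(vuln, asset):
    """Contextual score: threat activity weighted by asset value and exposure.

    The weights are illustrative assumptions, not a published formula.
    """
    threat = 1.0
    if vuln["exploited_in_wild"]:
        threat += 2.0
    if vuln["exploit_public"]:
        threat += 1.0
    exposure = 0.25 if asset["isolated"] else 1.0
    return round(threat * asset["criticality"] * exposure, 2)


def prioritised(assets=ASSETS, feed=FEED):
    """Return (vuln id, asset id, score) tuples, highest priority first."""
    ranked = [(v["id"], a["id"], priority(v, a)) for v, a in correlate(assets, feed)]
    return sorted(ranked, key=lambda row: row[2], reverse=True)
```

With this data, VULN-C never matches (the workstation runs an unaffected version), and the widely exploited VULN-A on the isolated lab box ranks below the little-discussed VULN-B on the production ERP system.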
Vulnerabilities are an inevitability. And if staying ahead of the vulnerability curve wasn’t challenging enough, the acceleration of remote working means IT security teams are now under more pressure than ever before. The good news is that following these five steps will allow organisations to take full control of evolving threats, so security teams know which vulnerabilities to remediate first.
By Marco Rottigni, Chief Technical Security Officer, EMEA, Qualys.