By Raghuram Srinivas, Senior Vice President Product Management, MetricStream
The severity, scale, and sophistication of cyber-attacks are increasing. The Indian Computer Emergency Response Team (CERT-IN) showed, in its India Ransomware Report for 2022, a 51% increase in the number of ransomware attacks. These attacks are taking place across several sectors, including critical infrastructure. CISOs tasked with defending their organization’s assets are under fire.
While keeping all threats and threat actors in check may be difficult, proactively identifying and addressing vulnerabilities is critical to safeguarding an organization’s assets and IT infrastructure. In the US, the National Institute of Standards and Technology (NIST) released a graph that showed a record-breaking 20,158 vulnerabilities in the US in 2021, recorded in the NVD database. Remediating 20,000 new vulnerabilities, over and above existing ones, in a year is arduous for organizations of any size. For context, a Tenable scan generated around 109,000 vulnerabilities across 2600 server instances in the cloud at just a mid-size organization. These statistics reveal how important it is for organizations to get a handle on their vulnerability management program.
Where and how does one start with vulnerability management?
It is natural for CISOs and cyber professionals to gravitate towards vulnerability scanners to achieve vulnerability management. However, given the above statistics around the volumes generated by the scanners, CISOS need to ensure they have a well-organized cyber framework. Prioritizing and acting upon vulnerabilities becomes as important as identifying them. They also must ensure that threat intelligence and IT controls frameworks are robust enough to manage cyber risks and build cyber resilience. CISOs tend to often overlook these prerequisites before investing in vulnerability scanner systems.
What makes a business vulnerable?
Unquestionably, CISOs should make proactive identification and remediation of vulnerabilities a top priority for their organizations. It is critical to identify and patch vulnerabilities before threat actors exploit them. Patching vulnerabilities is possible only with solid vulnerability management programs.
However, several organizations still rely on manual and siloed approaches to vulnerability management. This approach is often prone to errors and inadequacies. Organizations tend to use multiple scanners to detect network vulnerabilities or application vulnerabilities. When discovered, each vulnerability is dealt with separately. Without a central repository, it becomes difficult to track them effectively.
The absence of an organized, comprehensive, and updated inventory of assets compounds the problem. Without the visibility of the most vulnerable assets, organizations cannot take preventive action promptly. They will continue to be at risk.
Often organizations are not regular with their vulnerability management approach. This oversight can lead to a vulnerability debt as teams try to combat the wave of new vulnerabilities, which continue to emerge and get exploited. Organizations find it challenging to keep up as they are already overwhelmed with a huge backlog.
Typically, an organization would want to patch all vulnerabilities. But the escalating number of new vulnerabilities makes it challenging for even well-resourced security teams to remediate all.
Ineffective prioritization leads to poor vulnerability management. Security teams must prioritize vulnerabilities into categories, such as high, medium, and low, and link them to critical assets. Without this, they may end up addressing vulnerabilities that pose no real risk. This would be a waste of time, effort, and resources.
Best practices in vulnerability management
Organizations should consider the following steps to manage vulnerabilities efficiently and proactively:
Build a central repository of critical assets
Organizations should create and maintain a centralized repository of critical assets and map them to associated vulnerabilities and risks related to API connections, areas of compliance, controls, and other business functions. This repository will ensure easy access to critical data. It will also deliver complete visibility into vulnerabilities across the enterprise.
Use diverse scanners to uncloak vulnerabilities
Vulnerability scanners are tools that simplify and automate the process of identifying vulnerabilities. There are a host of vulnerability scanners. For example, database vulnerability scanners, cloud vulnerability scanners, network vulnerability scanners, and web application scanners are some of them. Organizations should use the best combination to enable full coverage of all assets. This approach will help them gain a comprehensive picture.
Prioritize vulnerabilities as per critical assets
It is crucial to prioritize vulnerabilities against critical organizational assets. Prioritization will ensure the optimum utilization of resources else security teams might end up addressing vulnerabilities that might not pose an immediate threat instead of critical ones. Clubbing an asset’s vulnerability severity rating with its business criticality rating helps. This process will give a consolidated rating, which security teams can leverage to prioritize and trigger remediation strategies.
Execute a continuous approach with cohesive workflows
Vulnerability management is not a one-off activity. It must be a continuous, iterative identification, assessment, prioritization, and remediation process. Developing cohesive and organized workflows is imperative to track vulnerabilities. It should start right from their identification to their remediation and closure. The process needs to be repeated at a pre-defined frequency once done.
Use automation to patch vulnerabilities
Automated patch management tools help address new and critical vulnerabilities. They can seamlessly deploy patches to the identified vulnerabilities. They can replace the manual process involved, especially in scheduling a scan and addressing the vulnerabilities. These tools are great for a proactive and continuous approach to managing vulnerabilities.
Uncloaking vulnerabilities is a necessity
Vulnerability management is crucial for a robust IT and cyber risk management program. Uncloaking vulnerabilities is vital and will continue to gain more organizational focus from a security and compliance perspective. As the cyber risk landscape evolves and becomes more sophisticated, the need for more advanced capabilities, such as solutions enabling resolving a vulnerability patch with a single click, will grow and are expected to become the centrepiece of vulnerability management solutions.