Address the Root of Your Vulnerabilities in a Resource-Tight Period
Cyberthreats are omnipresent for any enterprise. Monitoring all ingress and egress points while not stifling the ability to conduct business is an eternal balance that security professionals attempt to strike. Couple this with the continued security issues around remote work during the COVID-19 pandemic, and security teams have their hands full in addressing the full gamut of enterprise concerns.
Hostile threat actors are more likely to be targeting your organization’s low-hanging fruit with respect to your vulnerabilities. These actors want to get in, take what valuable information they can, and leave. In Verizon’s 2020 Data Breach Investigations Report, most cyberattacks are shown to be financially motivated and leverage existing vulnerabilities. As the report notes, it makes the most sense to remove these low-hanging vulnerabilities as soon as possible. In this regard, patching is one of the best methods to protect your digital assets.
As discussed in another note, the attack vector for vulnerabilities is an expanding issue. COVID-19 has forced many enterprises to move their workforces to remote situations. Beyond the myriad issues associated with remote work, an additional component of network security must be addressed: software containers. Software containers, while useful for hosting the necessary components for an application to run, do have additional security challenges that must be considered. Inherently, these containers are siloed from one another, and as such updating them presents different challenges from servers or virtual machines. Security teams have had to put in extra effort to accommodate for all these sudden changes in addition to shifts in resourcing priorities. So, how are security teams expected to meet demands while dealing with increased pressures placed upon them?
Source: Qualys VMDR at SoftwareReviews
Marco Rottigni, CTSO EMEA at Qualys, lays out his foundational approach to tackling this increased pressure. Rottigni contends that enhanced visibility into your network is the ideal place to begin relieving vulnerability pressure. Register your assets, platforms, endpoints, and container deployments. If you know what is on your network, you will be able to monitor it effectively with passive network scans, device agents, and container scans. If your assets are being tracked, you can continually assess them with vulnerability scans and make updates as they become necessary.
The visibility also allows you to prioritize updates on the areas that are most in need of attention and desirable to attackers. As Rottigni states, “you can use actionable data to direct information to the most appropriate individuals within your organization, so they can act accordingly.” This includes integrating all of your relevant teams into the vulnerability scanning process, not just the security team. This helps to have integrated development rather than an ad hoc approach to vulnerability management.
Naturally, this approach does take a good deal of restructuring of your organization’s workflows, but Rottigni says that Qualys’ Time to Remediate (TTR) will expedite and improve this difficult process. TTR tracks the quality of your responses, how frequently you are patching, and how often you are implementing difficult fixes across the network. Done well, the increased visibility can offer guidance on the performance of the business and potential improvements. Capitalizing on this guidance is the key to moving forward and adapting a more traditional vulnerability management process to the new normal.
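The three steps above (inventory the assets, rank open findings by how attractive they are to an opportunistic attacker, and track time to remediate against a target) are easy to see in code. The following is an added illustration, not code from the note or from Qualys: the asset inventory, scan findings, exposure weights and per-band SLA targets are all constructed for the example, and the risk weighting is a simple assumed heuristic, not the VMDR or TTR algorithm.

```python
"""Constructed asset inventory, scan findings and TTR-style metrics (illustrative only)."""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class Asset:
    asset_id: str
    kind: str             # "server", "vm", "container" or "endpoint"
    internet_facing: bool
    owner_team: str       # the team that receives the actionable data


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset_id: str
    cvss: float
    exploit_known: bool   # a public exploit exists: the low-hanging fruit
    discovered: date
    remediated: Optional[date] = None   # None while the finding is still open


# Constructed sample inventory and scan output; values are made up for the example.
ASSETS = {a.asset_id: a for a in [
    Asset("web-01", "server", True, "platform"),
    Asset("api-ctr-7", "container", True, "app-team"),
    Asset("lap-042", "endpoint", False, "it-ops"),
    Asset("db-vm-3", "vm", False, "platform"),
]}
FINDINGS = [
    Finding("F1", "web-01", 9.8, True, date(2020, 8, 20), date(2020, 8, 22)),
    Finding("F2", "api-ctr-7", 7.4, False, date(2020, 8, 1)),
    Finding("F3", "lap-042", 5.3, False, date(2020, 7, 1), date(2020, 8, 10)),
    Finding("F4", "db-vm-3", 9.1, True, date(2020, 8, 28)),
    Finding("F5", "web-01", 4.0, False, date(2020, 6, 1)),
    Finding("F6", "api-ctr-7", 9.0, False, date(2020, 8, 10), date(2020, 8, 25)),
]

# Assumed remediation targets per severity band, in days (hypothetical SLA).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def severity_band(cvss: float) -> str:
    """Map a CVSS base score onto the usual qualitative bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def risk_score(finding: Finding, asset: Asset) -> float:
    """Weight CVSS by exposure (assumed factors): internet-facing assets and
    findings with a known exploit are what opportunistic attackers reach first."""
    score = finding.cvss
    if asset.internet_facing:
        score *= 1.5
    if finding.exploit_known:
        score *= 2.0
    return round(score, 1)


def prioritize(findings, assets):
    """Open findings, highest risk first, each routed to the owning team."""
    open_items = [(f, assets[f.asset_id]) for f in findings if f.remediated is None]
    ranked = sorted(open_items, key=lambda fa: risk_score(*fa), reverse=True)
    return [(f.finding_id, a.owner_team, risk_score(f, a)) for f, a in ranked]


def mean_ttr_days(findings):
    """Mean time to remediate, in days, per severity band over closed findings."""
    by_band = {}
    for f in findings:
        if f.remediated is not None:
            age = (f.remediated - f.discovered).days
            by_band.setdefault(severity_band(f.cvss), []).append(age)
    return {band: mean(days) for band, days in by_band.items()}


def sla_breaches(findings, today: date):
    """IDs of open findings that have been open longer than their band's SLA."""
    return sorted(f.finding_id for f in findings
                  if f.remediated is None
                  and (today - f.discovered).days > SLA_DAYS[severity_band(f.cvss)])


if __name__ == "__main__":
    today = date(2020, 9, 1)
    for finding_id, team, score in prioritize(FINDINGS, ASSETS):
        print(f"{finding_id}: risk {score} -> {team}")
    print("mean TTR (days) per band:", mean_ttr_days(FINDINGS))
    print("open findings past SLA:", sla_breaches(FINDINGS, today))
```

Note how the ranking differs from a plain CVSS sort: the internal database VM with a known exploit (F4) outranks the internet-facing container finding (F2), and the two SLA breaches are a high-severity finding one day over target and a medium-severity one that has quietly aged past 90 days. Those are exactly the items the note says visibility should surface for the right team, and the per-band mean TTR is the kind of figure a TTR dashboard would report.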
Undoubtedly, the shift to remote work has increased the number of vulnerable access points that businesses face. Security teams are under increased pressure to meet the same security standards while on reduced budgets and lower staff numbers, and all while being out of the office. COVID-19 has changed the way security teams must operate. However, does increased visibility into your network address all these problems?
While Rottigni’s approach is sound – visibility does allow for informed decisions – in practice, there is a great deal of separation between having insight into your network and actually being able to do anything with that information. Often security teams are understaffed, underbudgeted, or even lack the skills to take full advantage of whatever insight may have been generated from a network deep dive. Furthermore, consider problems like shadow IT, BYOD, cloud services, and remote work. These problems cannot be addressed with just a simple increase in network visibility. These same issues have been exacerbated by COVID-19, further reducing the efficacy of visibility into the network. Even accounting for automation of the visibility processes – which undoubtedly is a paid service that businesses may be unable to afford – having the knowledge and being able to do anything with that knowledge can remain a difficult hurdle to overcome. Rottigni is correct in that, in an ideal world, network visibility will provide increased insight into where to focus first, but enterprises do not always exist in a state where they have executive buy-in or even the minimum resources to execute a robust vulnerability management strategy.
We must also consider the future of vulnerability management. These same problems will exist whether working remotely or in the office, and switching between the two locations will only increase the difficulty of remediating the vulnerability vectors. Foundational insight and organizational changes should be addressed before committing to in-depth network analysis. For businesses that are already strapped for resources, analyzing your underlying policies and analyzing potential vulnerability vectors are simple, low-effort best practices that could garner more effective risk mitigation than having full network visibility. While network visibility may be low-hanging fruit, addressing the root of your vulnerability problems at a structural level should come first. This will ensure that any changes made become embedded into practice and stick over the long term. Check out Info-Tech’s Build an Information Security Strategy for more information on how to understand your inherent and business risks and pressures, address these foundational flaws, and develop a robust approach to protecting the organization.