Unlike technology as a whole which continues to advance at an astoundingly rapid rate, vulnerability management is one area of cybersecurity that is harmfully stuck in the past.
In the 90s the primary sources for vulnerability information were mailings lists like Bugtag and FD. With the volume in these public lists security professionals struggled to scan, identify and patch their systems – but the long gaps between exploit releases gave security teams the luxury of time. The early 2000s brought remote vulnerability scanning engines that were managed, woefully, in spreadsheets. In that time we had learned two things: first that there was more to vulnerability management than missing patches, and second that identifying missing patches and unpatched systems was the easy part. But over a decade later in the 2010s spreadsheets were still the predominant vulnerability management tool. And now here we are in 2021, and what is the state of the art for vulnerability management? If you guessed vulnerability scanning and spreadsheets – you’re unfortunately correct. Nearly 30 years and countless technical advancements later, and we’re still basically on clay tablets and chisels.
Today’s Vulnerability Landscape
The time between a software or system vulnerability being identified and a readily available, weaponized, exploit in the wild has shrunk to a sliver of time. Security teams no longer have the luxury of time to try to scan, find systems, manually triage, prioritize and then push patches. Never mind that patching is only a part of overall vulnerability management.
In spite of all the latest technology now available to us, the lessons we’ve learned over the three decades, and the renewed sense of urgency brought on by the COVID19 pandemic, the whole vulnerability management process is a train wreck. IT and cybersecurity professionals are still primarily focusing on missed patches and relying on spreadsheets for reporting and prioritizing vulnerabilities – and no one is being held accountable. Combine that with the work-from-home environment, and you have an avalanche of new vulnerabilities daily, more tools than you can effectively manage, insufficient resources and skills to dig yourself out – and all of it is driving increased business risk.
So, let’s get back to fundamentals, and attempt to understand the problem we’re trying to collectively solve for. First, a vulnerability can be any weakness in your infrastructure that could compromise business operations. And they can come from anywhere. Yes, missing patches are a major factor, but so are misconfigurations, penetration test results and bug bounty programs (if you have them). Vulnerability scanners are highly ineffective in dealing with anything outside missing patches, so they’re not your solution. Finding vulnerabilities is relatively easy, but what do you do with them once they’re uncovered, and when they’re so out of date that patching isn’t an option (also known as technical debt)?
Many IT leaders think the answer lies in purchasing state-of-the-art technology. No matter what the buzzwords, technology doesn’t solve a human problem. Most companies have a volume problem, as well as a culture problem – but we’ll address that in another blog. When you have potentially 10,000 or more identified vulnerabilities, prioritization becomes a pretty tough obstacle to overcome. Your fancy tech is only as good as the analyst who operates it, no matter how much magical “AI” secret sauce is in their marketing fluff. Don’t get me wrong, a strong and capable technology platform is crucial – but that comes after you’ve addressed the human-sized problem in the equation.
What you need is a Programmatic Reduction of Risk
Unfortunately, a significant portion of technology owned by organizations is outdated or worse, no longer being supported by your vendors. This is partly due to tight budgets, partially feature dependence and partially an if-its-not-broken-don’t-fix-it mentality. What may seem like a minor issue today can result in a massive breach tomorrow. While the business is asking for agility from its technology, CIOs everywhere are facing huge technical debt. And the longer it goes on, the more expensive it becomes to fix or replace. How do you extinguish all of these burning fires?
The CIO essentially has to declare technical bankruptcy. Take inventory, acknowledge there are problems, identify them and create a plan to fix them. Communication and accountability among business leaders and IT professionals is the key to implementing an effective solution. In many cases, this includes admitting that the organization lacks the in-house expertise to solve the problems.
The most forward-looking CIOs turn to a trusted provider for help. Lightstream is one such partner with the expertise to move your organization out of this quagmire, and our Rapid Risk Profile is often the best place to start your risk management assessment. This approach helps us to understand your biggest systemic risk so we can work together to create an informed path forward that aligns to your business goals and financial situation. The first step is easy, no-friction, and involves virtually no invasive technology. What we assess and identify are hallmark people, process, and program categories to understand your organizational and program maturity. Whatever stage your organization is at in its journey and program development, we can provide understanding and high-level guidance.
The immediate next step is to take a consultative and technical deep-dive, to understand not only what your organization does in terms of vulnerability management, but how it does it. We create your baseline, and provide a gap-assessment against industry-driven baselines. Lastly, we develop a bespoke roadmap that involves both short-term tactical remediation strategy to prevent catastrophic business disruption, and long-term program development to aid your business into effectively managing technical debt and vulnerabilities across the business. Lightstream’s suite of packaged services provides peace of mind, technical as well as program capabilities, and continuous evolution in your vulnerability management program. The key to effectively managing vulnerabilities is to go beyond patching and implement a lifecycle approach for identification, triage, mitigation and reporting.
Stop buying into the misconception that vulnerability management is about scanning and patching. It’s time to acknowledge the magnitude of the problem and the risks it’s creating for your business. Contact Lightstream today to find out how we can help you establish an effective vulnerability management program – protecting and future-proofing your organization while creating a culture of accountability.