In a perfect world, software would be completely secure and attacks would be impossible. However, software is too complex to be designed or coded perfectly when humans are involved. Even the most secure applications will have problems.
To manage this, many best practices have been developed over time. These have generally been the same for years: keep accurate records of your IT assets, scan regularly, apply software patches, and manage vulnerabilities as they are discovered. However, these best practices can be much harder to apply at scale.
The bad old, good old days
Covid-19 has shown how these practices can easily become unfit for purpose, taken for granted or misapplied. Coping with today’s distributed and remote workforces means a lot of adaptation is needed.
For many companies, IT asset management is a hard slog. It involves building up an accurate inventory of all IT assets and then keeping that list up to date. However, without this asset list, no company can state for certain that it is secure. After all, if you have IT assets that you don’t know about, the so-called shadow IT, how can you be sure those assets are secure and up to date? Similarly, scanning your assets and web applications for potential security issues was a necessary process for bringing those issues to light.
Patching has been with us since the first software programs were developed – the word patch comes from the days of paper tape, when changes to a program were stuck over the original, literally patching the paper. Today, regular batches of patches come out from Microsoft, Adobe, and other vendors to provide companies with a way to manage fixes. However, it can take weeks or even months for patches to be deployed in operational use.
Lastly, managing the remaining vulnerabilities meant working out how to deal with IT or software assets that were vulnerable but could not be updated, whether because no patch was available, the software was at a different version, or the updates themselves caused other problems. Mitigations such as blocking connections from the Internet, closing vulnerable ports or restricting network access are all common attempts to prevent issues.
With Covid forcing mass remote working and the closure of offices, the old rule book has either been jettisoned or had substantial rewrites attempted to keep up.
With employees working from home using corporate assets, or their own devices, obtaining an accurate list of IT assets is more important than ever. IT asset management has been automated to run at scale across everything that connects to corporate IT - from home PCs accessing the corporate network through to cloud services, software containers and other assets that live on the network and create data, such as Internet of Things connected devices.
All of these devices have to be tracked, and that tracking has to take place in as near real time as possible. While scheduled scans might have been enough in the past, today’s distributed environments can change so rapidly that potential problems have to be discovered continuously. Vulnerability scanning, therefore, has to take place continuously as well.
Patching also has to reach employees faster, wherever they are and whatever device they are on. The rollout and remediation process has to be part of the whole approach to vulnerability management, as patches should be pushed from the center out to all users and put in place automatically.
Prioritization around patching also has to evolve to meet specific company needs. Defining which patches are the highest priority is not a ‘one size fits all’ approach as you have to consider your specific requirements around risk, around which applications you have in place, and how quickly those updates can be implemented.
This involves having a meaningful conversation with the business on what risk really means to them. Are there specific applications that must be protected at all costs? Are there systems that can wait longer as they have additional mitigations? And are there compliance requirements to bear in mind?
Once you have answered these questions, you can build up a patching priority framework that takes the asset and vulnerability data you have, and grades those issues depending on risk. Using this data not only helps your security function run more efficiently – it can also provide context and data back to the wider business on how security is protecting the organization.
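The paragraphs above describe the ingredients of a patching priority framework without showing what one looks like. The following Python is an added illustration, not code from the article or from Qualys: it grades each scanner finding on the asset's business context (criticality, Internet exposure, compliance scope, mitigations already in place) rather than on the raw severity alone, and routes findings with no available patch to a mitigation queue, as the earlier section describes. The weights, tier thresholds, mitigation discounts, asset names and vulnerability ids are all constructed placeholders that a team would replace after the risk conversation with the business.

```python
"""Risk-based patch prioritisation (added example; all weights and data are assumed)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int            # 1 (low) .. 5 (must be protected at all costs)
    internet_facing: bool
    compliance_scope: bool      # subject to a regulatory or compliance requirement
    mitigations: Tuple[str, ...] = ()


@dataclass(frozen=True)
class Finding:
    vuln_id: str                # placeholder identifier, not a real CVE
    asset: Asset
    severity: float             # scanner severity on a 0-10, CVSS-style scale
    exploit_available: bool
    patch_available: bool


# Assumed credit for the mitigations the article lists: restricting network
# access, closing vulnerable ports and blocking connections from the Internet.
MITIGATION_DISCOUNT = {
    "network_restricted": 0.6,
    "port_closed": 0.5,
    "internet_blocked": 0.7,
}

# Assumed tiers (threshold, label), checked from highest to lowest.
TIERS = [(8.0, "P1"), (5.0, "P2"), (3.0, "P3"), (0.0, "P4")]


def risk_score(f: Finding) -> float:
    """Grade a finding on the asset's context, not the raw scanner score alone."""
    score = f.severity * (f.asset.criticality / 5)
    if f.exploit_available:
        score *= 1.5            # a known exploit raises urgency
    if f.asset.internet_facing:
        score *= 1.3            # reachable from outside the network
    if f.asset.compliance_scope:
        score *= 1.2            # the compliance requirement from the risk conversation
    for m in f.asset.mitigations:
        score *= MITIGATION_DISCOUNT.get(m, 1.0)   # unknown mitigation gets no credit
    return round(min(score, 10.0), 2)              # clamp to the 0-10 scale


def tier_for(score: float) -> str:
    for threshold, label in TIERS:
        if score >= threshold:
            return label
    return "P4"


def plan_action(f: Finding) -> str:
    """No patch available: the finding is handled by mitigation, not by the patch rollout."""
    return "patch" if f.patch_available else "mitigate-or-accept"


def prioritize(findings: List[Finding]) -> List[dict]:
    """Return findings as rows sorted by contextual risk, highest first."""
    rows = []
    for f in findings:
        s = risk_score(f)
        rows.append({"vuln_id": f.vuln_id, "asset": f.asset.name,
                     "score": s, "tier": tier_for(s), "action": plan_action(f)})
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


# Constructed sample data: three assets with different business context.
PAYROLL = Asset("payroll-app", 5, internet_facing=True, compliance_scope=True)
KIOSK = Asset("lobby-kiosk", 2, internet_facing=False, compliance_scope=False,
              mitigations=("network_restricted",))
LEGACY = Asset("legacy-erp", 4, internet_facing=False, compliance_scope=True,
               mitigations=("internet_blocked", "port_closed"))

FINDINGS = [
    Finding("VULN-0001", PAYROLL, severity=9.8, exploit_available=True, patch_available=True),
    Finding("VULN-0002", KIOSK, severity=7.5, exploit_available=False, patch_available=True),
    Finding("VULN-0003", LEGACY, severity=8.1, exploit_available=True, patch_available=False),
]

if __name__ == "__main__":
    for row in prioritize(FINDINGS):
        print(f"{row['tier']}  {row['score']:>5}  {row['vuln_id']}  {row['asset']}  {row['action']}")
```

Note that the same scanner severity lands in different tiers depending on the asset: the kiosk finding with a 7.5 severity drops to the lowest tier because the asset is low-value and already network-restricted, while the legacy ERP finding stays in the queue even though it cannot be patched, so that the mitigation decision is recorded rather than the finding being silently dropped.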
Planning for the future
As CISOs, we have been forced by the Covid-19 pandemic to reconsider what security really means to our organizations. The shift to remote working has led to some difficult decisions being made. The economic impact and the potential recession that is predicted both mean that security will have to provide more proof that it is delivering on its goals.
While security has often been ‘recession-proof’ in the past - and analysts such as Gartner predict that cloud security spending will continue to rise - the reality for many CISOs will be that they will have to find cost savings and efficiencies across their teams. This is key to the evolving role of the CISO if they truly want a seat at the table. Approaches that automate processes and consolidate on tooling and data will be needed.
For CISOs, planning and executing more effective responses will be essential. To achieve this, better visibility is necessary, followed by improving your risk management processes so that you can concentrate on what is most important.
Alongside these changes, it is also worth thinking about how we apply best practices like these in the future. Rather than seeing them as goals to live up to – and goals that are invariably problematic to track and deliver – these processes should have minimum standards associated with them instead.
This approach involves using data to benchmark how your team performs against these requirements and sharing that data internally and externally where it makes sense. It relies on real-time visibility of assets and vulnerabilities, as well as the ability to remediate those problems just as quickly. Without this insight, it will be hard to keep up with the ‘new normal’ ushered in by the Covid-19 pandemic.
Benjamin Carr, Chief Information Security Officer, Qualys