The fourth annual Cyber Security Breaches Survey found that cybersecurity is increasingly a priority issue for UK organisations with 78 per cent of businesses (vs. 74 per cent in 2018) now rating it as a high priority. 32 per cent of businesses identified cybersecurity breaches or attacks in 2019 and it is costing them on average £4,180 a year. Stats like these focus the mind but there’s something else these companies need to be aware of which goes beyond the security defence budget. As vulnerabilities rise, the investment can’t only be about stopping these attacks from happening. Instead defence should also be about how to more quickly and effectively find and fix known software vulnerabilities within a company’s infrastructure so they can’t be exploited. This is known as vulnerability management.
Known software vulnerabilities are on the rise - NVD has already found over 400 new vulnerabilities in 2020 alone - yet the ability to quickly remediate these vulnerabilities remains a challenge for most companies. According to The State of DevOps Report (SODOR) 2019, only 32 per cent of respondents were able to remediate critical security vulnerabilities in one hour to less than one day with only 7 per cent able to remediate them in less than one hour. This is a big problem because leaving critical vulnerabilities unresolved for extended periods gives hackers the time to obtain even more valuable information.
The lack of attention to the security and mitigation risk of known vulnerabilities needs to be a bigger priority for executives and practitioners alike. The problem is that the vulnerability management workflow, from vulnerability reports run by security teams to vulnerability remediation done by IT operators, is fragmented and manual, making vulnerability remediation slow and leaving IT infrastructure exposed to external attacks for far too long. There are too many companies that still allow security teams to send an Excel spreadsheet over to their IT teams to fix all the vulnerabilities they’ve found in the system. The results of this practice? Based on a Ponemon study, IT Operations spend on average 320 hours a week on a single vulnerability remediation.
As we move to an even more software-centric world, attack surfaces will continue to grow, and the number of vulnerabilities in the software that companies produce and consume will increase. If there is no plan in place for how a company can remediate known vulnerabilities proactively and at scale, the chances of a company’s reputation and finances being damaged increase.
So how can companies strengthen their security profiles to stay protected from vulnerabilities and address the growing threats?
Standardise and automate your environment
With the proliferation of technology, IT estates get more and more complex, resulting in more IT Ops work than can be done manually, especially given the shortages in technical talent. One way to approach this is to adopt the DevOps practice of standardising on as few technologies as possible, and this is also good for security. With fewer operating systems, you never again need to look at the vulnerabilities affecting the OS that you choose to remove, and you are left with a smaller list of potential vulnerabilities to deal with.
With fewer standard technologies, automating your environment is an effective way to manage your growing estate and allows you to more quickly remediate vulnerabilities when they come to light. Another DevOps principle - of automating where possible - is a definite friend to security, as automating manual security processes such as patches and updates, which are often repetitive, time consuming, and can be forgotten, removes the risk of human error. Once vulnerabilities are identified, speed to resolution is what matters most, and automation is a way to react fast as well as at scale. On a day-to-day level, basic cybersecurity checks lend themselves well to machine actions, freeing up the experts to go threat-hunting, which is exactly the type of thing that humans are good at – spotting things that look odd or out of place and so indicate a vulnerability.
Follow a risk-based approach to prioritise what to remediate first
Gone are the days when Information Security and Information Technology professionals dealt with vulnerabilities on a severity-first basis. The modern professional now has the daunting task of deciding what NOT to remediate. Realistically only those vulnerabilities that would cause material damage to the firm can be addressed. Therefore, the modern professional must adopt Risk-Based Prioritisation.
A risk-based approach takes into account the severity of a vulnerability as well as the context and criticality of the host or machine. It asks, is the vulnerability easy to exploit? Has the vulnerability been known in the wild for long? Are there widely available exploit kits for the vulnerability? Is there chatter on the dark web about the vulnerability and does the vulnerability affect critical parts of your business infrastructure? If the answer to these is yes, then that is the priority to remediate today.
By using automation and consistent information as the common language between security and IT, the business can better understand which part of their system is most vulnerable so they can prioritise accordingly. Following a risk-based approach allows you to remediate the vulnerabilities that might impact and hurt your business the most, like any sort of financial software, health records or even a customer database.
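The questions above can be turned into a ranking that security and IT Ops both read the same way. The following is an added example, not code from the article or from Puppet; the field names, the weights and the four sample findings are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    vuln_id: str            # constructed placeholder, not a real CVE
    host: str
    cvss: float             # scanner severity, 0.0-10.0
    easy_to_exploit: bool
    days_known: int         # days the vulnerability has been known in the wild
    exploit_kit: bool       # a widely available exploit kit exists
    dark_web_chatter: bool
    criticality: int        # 1 = lab box ... 5 = financial, health or customer data

def risk_score(f: Finding) -> float:
    """Severity scaled by threat context and host criticality (assumed weights)."""
    if not 0.0 <= f.cvss <= 10.0 or not 1 <= f.criticality <= 5:
        raise ValueError(f"{f.vuln_id}: cvss or criticality out of range")
    threat = 1.0
    threat += 0.5 if f.easy_to_exploit else 0.0
    threat += 0.75 if f.exploit_kit else 0.0
    threat += 0.25 if f.dark_web_chatter else 0.0
    threat += 0.5 if f.days_known > 30 else 0.0   # old enough to be weaponised
    return round(f.cvss * threat * f.criticality / 5, 2)

def severity_first(findings):
    """The old ordering: highest scanner severity first, no context."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]

def risk_based(findings):
    """Ordering by severity combined with exploitability and host criticality."""
    return [f.vuln_id for f in sorted(findings, key=risk_score, reverse=True)]

def plan(findings, capacity):
    """Split findings into what is fixed today and what is consciously deferred."""
    order = risk_based(findings)
    return order[:capacity], order[capacity:]

# Constructed sample findings (hosts and identifiers are invented).
FINDINGS = [
    Finding("VULN-A", "lab-printer",   9.8, False,   3, False, False, 1),
    Finding("VULN-B", "customer-db",   6.5, True,  120, True,  True,  5),
    Finding("VULN-C", "payments-api",  7.5, True,   10, False, False, 5),
    Finding("VULN-D", "intranet-wiki", 8.8, False, 400, True,  False, 2),
]

if __name__ == "__main__":
    print("severity first:", severity_first(FINDINGS))
    print("risk based:    ", risk_based(FINDINGS))
    print("today / deferred:", plan(FINDINGS, capacity=2))
```

With this sample the critical-severity finding on the lab printer drops from first to last, while the medium-severity finding on the customer database moves to the top.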
Close the gap
Software powers much of the world around us today, which means that the many companies that use software are left open to potential security vulnerabilities. Furthermore, the software vulnerabilities that are out there are often caused by human error, and although they might not be malicious, if exploited they can very much hurt organisations. It’s very much in companies’ interest to ensure that software vulnerabilities are taken care of, and the sooner the better: when organisations mitigate their security risks early, IT Ops are empowered to reduce the number of vulnerabilities faster and at scale.
However, too many companies are still trying to remediate vulnerabilities manually. Given how many vulnerabilities are about, this is nearly impossible, and so they are left vulnerable to attack. A good solution is to automate vulnerability remediation so that repetitive and error-prone steps in the vulnerability management workflow are eliminated – for example, removing the potential for mistakes in a manual data handover between InfoSec and IT Ops.
As the saying goes, you're only as strong as your weakest link so having a huge cyber-defence doesn’t matter if you have a ton of vulnerabilities lurking in the most important parts of your infrastructure. Build out strong vulnerability management practices now, and help your company avoid the security mistake that could cost you millions.
Jonathan Stewart, Principal Product Manager, Puppet