As organisations today continue to embrace digital transformation and deploy new technology into enterprise networks to improve customer and employee experience, new security threats are being rapidly introduced.
These new technologies are often introduced without any security considerations and the software they are running will also often contain vulnerabilities. Cybercriminals are aware of this and every time a new technology comes into place, hackers look to see if there’s a way to attack it or gain control over it before the vulnerability loophole is closed
In order to detect these security flaws many organisations will rely on vulnerability management tools and scanners, which are commonly used as part of an organisation’s normal security hygiene.
Typically, when a vulnerability is reported, it goes through a disclosure process. Then the organisation that has responsibility for that software or configuration provides a patch or some updates for it. In parallel, during that time of the reported disclosure and patch, vulnerability management vendors are updating their scanners – with scripts that will probe and collect information to determine if a target is vulnerable.
When ready, organisations run those updated scripts across their assets during an appropriate scan window. If a new vulnerability is discovered, prioritising and getting it remediated closes the opportunity for an attacker to gain access to the organisation’s networks. Essentially, the less time the company is exposed, the less time the hacker has to exploit that vulnerability.
Detecting zero-day threats
This is especially true when it comes to zero-day vulnerabilities, as they present new security challenges for organisations, particularly as hackers today rely on technology which can launch automated attacks within minutes of new disclosures. So, to ensure you don’t expose your organisation to new security risks, the speed of vulnerability detection should be considered as just as important as quantity - how many vulnerabilities are detected.
However, this is often misaligned when organisations are selecting their vulnerability management solution provider, opting for tools that produce an extensive list of vulnerabilities (that you can’t fix) rather than tools that provide a succinct list of vulnerabilities that you need to fix right now.
Therefore, rather than focusing only on the amount of vulnerabilities a tool can detect, organisations should also consider two important factors:
- Once a new vulnerability is discovered and reported, how does your vulnerability scanner provider reduce the time it takes to release a script and get it deployed into your environment?
- When the script is deployed, how can you reduce the time it takes to prioritise remediation needed? How can you shorten the time to remediation whether it is to start a patch, a configuration change or a compensating control?
Zero-day threats and attack automation
Although time frames are shrinking, it can still take weeks or even months from when a zero-day vulnerability is discovered until it is remediated. That holding period creates exposure time – the length of time when your organisation could be attacked.
But what about automated scanning? Shouldn’t organisations be alerted in real time as soon as a new vulnerability is discovered? Yes, and no.
Once a vulnerability is disclosed, there’ll always be a window of vulnerability (however small) before your solution provider can release the detection script and before you can find a suitable time to re-scan (without disrupting business operations). Nowadays hackers have distributed attack tools that enable them to launch automated attacks as soon as or even before a vulnerability is disclosed. The increasing levels of automation are shrinking the time it takes for them to take advantage of vulnerable systems, so the pressure on organisations to reduce the length of exposure time is mounting.
As a result, the best defence when it comes to detecting and mitigating zero-day vulnerabilities comes down to how your vulnerability management tool or partner can reduce the time to release a detection script, and how quickly they can diagnose your systems without having to wait for your next available scan window.
Best practice for accelerating Vulnerability detection (hence remediation)
Time is clearly of the essence when it comes down to the detection of zero-day vulnerabilities as the shorter the time frame before a vulnerability is patched, the less time a hacker has to exploit it. As a result, the biggest focus for organisations should be to reduce the window of opportunity for the attackers.
One of the best ways to do this is to work with a vulnerability management solution provider that is embedded in the security industry and becomes aware of vulnerabilities being discovered in software, even before they are formally announced. This means organisations can stay one step ahead of attackers and be in a better position when the vulnerability is made public. The vulnerability management solution provider can then get the script ready in advance and release it to customers as soon as the vulnerability is reported publicly, shortening the time to remediation.
Another way is to ensure your vulnerability management solution provider can diagnose your systems using blueprints from previous scans. The blueprint, if updated regularly, provides a clone of your environment from the last scan, and can be used as a basis to determine whether you are affected by the latest zero-day without waiting for the next scan window, to circumvent potential business disruption.
Zero-day threats can pose a significant security risk to organisations, particularly if they are not remediated quickly. However, when organisations work with vulnerability management solution providers that can detect zero days threats before they are publicly announced and use the blueprints to reduce time to diagnosis, they can stay one step ahead of attackers and have confidence in the security of their technology assets.
Srinivasan Jayaraman, Vulnerability Research Manager, Outpost24