The Flaw in Vulnerability Management: It's Time to Get Real
Companies will never be 100% immune to cyberattacks. But by having a realistic view of the basics, starting with endpoint vulnerabilities, we can build for a safer future.
Today, the risk of cyberattack is simply part of the cost of doing business. Companies spend millions of dollars every year on the most advanced software in an attempt at defense. But it's not enough.
The nature of attacks is persistently and rapidly changing, so preparing an adequate defense is like chasing smoke. Meanwhile, companies struggle to take care of their most vulnerable area, the endpoint. Routine software updates and maintaining current, compliant security configurations across all systems require significant resources and diligence, and security hygiene sometimes gets sacrificed on the long list of IT priorities with teams that are already stretched thin. As a result, companies can't take full advantage of many of the features in their security software.
Though these are very different problems, both lead us to acknowledge that, because of the ever-changing nature of attacks and the difficulty of maintaining all endpoints at all times, organizations remain at least somewhat exposed on any given day. Even small risks carry tremendous burdens that can prove devastating to the companies and users that are ultimately affected.
Vulnerability Management to the Rescue?
To help organizations shore up their endpoints, a number of vendors have created software to automatically detect system vulnerabilities. These offerings typically fall under the "vulnerability management" category and provide a necessary first step. Proactively scanning endpoints and pinpointing vulnerabilities for teams alleviates a lot of the resource drain associated with endpoint management. But this is only a step, not a complete solution.
According to recent research that tracked more than 316 million security incidents, it takes companies an average of 38 days to patch a vulnerability. More than a month to fix a problem after it has been identified! This is unacceptable given the potential impact and the amount of money pouring into security today. We must be able to fix vulnerabilities much, much faster if companies are going to have a shot at protecting data and intellectual property in the future.
Let's Get Real
It's time to be honest about what vulnerability management actually requires because it currently doesn't cover remediation in any meaningful sense. Opening a ticket doesn't count as resolving the vulnerability. That's passing the buck along for someone else to handle when they can get to it. Vulnerability management as it stands today should really be considered vulnerability assessment — finding but not solving problems or managing against threats.
So, why does this happen? Why is it so hard to fix an issue once it is identified? Primarily because departments within the enterprise remain relatively siloed. Security teams find issues, and then IT teams are asked to fix them. There is little collaboration between groups.
Aside from making it more difficult to fix an issue because of the lack of coordination between teams, this creates dreaded lag time in rolling out a fix. For every minute the problem is not addressed, viruses and malware can penetrate further into an organization's infrastructure as hackers actively try to weaponize vulnerabilities. Just look at all of the issues WannaCry caused simply because it was able to keep moving before people were able to remediate with software that had already been released.
Addressing the Future
It's time for vulnerability management to get an upgrade if companies want to effectively defend against malicious attacks over the long term. The solution is twofold. First, companies must rethink how teams are constructed so that security and IT groups can work together more efficiently. This is why the idea of SecOps is gaining traction. When these two groups — security and operations — collaborate, they can create and agree on at least some baseline remediations for their most common issues.
There also needs to be significant innovation coming from vulnerability management vendors to incorporate true remediation, whether this comes via their own advances or by strategic integrations with partners. Companies will require solutions that remediate vulnerabilities at scale; after all, fixes must be rapidly deployed enterprisewide or they are not true fixes. Modern remediation should take seconds to minutes, not days to weeks, and automation will be the key to making this level of efficiency possible.
Even with bold, aggressive innovation and organizational structure in vulnerability management, we may never be able to patch 100% of vulnerabilities within hours. But consider how much better off organizations would be if they could fix the majority of issues automatically, right as they occur. It would make a monumental difference in terms of costs and resources devoted to security. IT and security teams would then be much better equipped to deal with remaining issues in a timely manner.
It is unrealistic to believe that companies ever will be fully immune to a cyberattack. But by getting real about where we are with the basics, starting with vulnerabilities at the endpoint, we can build for a future that minimizes entry points for attacks and remedies issues as soon as they occur in order to mitigate damage. It's time to embrace the challenge and take the next step forward in vulnerability management.