Australian Security Magazine, June/July 2017

Cyber Security

Network vulnerabilities - Get your priorities straight

By Chris Gibbs, Managing Director of Australia and New Zealand at BMC Software

De-prioritising tasks which aren’t urgent makes a lot of sense as an efficient way of working, and in most areas of life too, particularly as 21st century decision fatigue and stress threaten to overwhelm many of us. Where this doesn’t amount to an effective strategy is in managing IT and network security. In this environment, pushing non-urgent tasks to the wayside can actually land a business in a lot of hot water.

According to the recent Verizon 2016 Breach Investigations Report, the top ten security vulnerabilities accounted for 85 percent of successful exploit traffic. The remaining 15 percent was attributed to more than 900 common vulnerabilities and exposures (CVEs). This demonstrates that by following a priority-only strategy, staying focused on the top 10 vulnerabilities only without effectively detecting all of the CVE risks to your network, you can leave your systems and data critically exposed. The irony is, the vast majority of these CVEs can easily be resolved by a simple patch or through basic coding best practices – assuming you have identified the risk, of course.

Broadly speaking, the industry is beginning to recognise the threats at hand and take the steps to protect itself, although not as quickly as it should. In a recent Forbes Insights and BMC security survey, 60 percent of C-level respondents globally said that expanded vulnerability discovery and remediation was a primary initiative in 2016, while only 30 percent were prioritising the allocation of more resources to defending against zero-day exploits.

To break the high-priority habit, here are the top four best practices for ensuring a comprehensive vulnerability management program:

1. Scan early and scan often

If your vulnerability scan data is not comprehensive and up-to-date, any attempts to protect the network are likely to be doomed. You won’t be able to accurately identify the real threats to your network or prioritise their remediation.
For applications that your organisation is developing, be sure to scan as early as possible in the Software Development Lifecycle (SDLC) in order to increase overall security while also reducing remediation costs.

2. Make sure data is consumable and actionable

Presenting a laundry list of vulnerabilities to a stakeholder almost guarantees vulnerability management failure. It’s nearly impossible to use such a document to accurately assess risks and coordinate with the operations team to remediate those high-risk vulnerabilities. Essentially, this is like having hundreds of “urgent” emails to address by end of day – we are left with the issue of how to figure out what is actually crucial, versus what can wait. How can enterprises decide what vulnerabilities to prioritise when they all pose a risk to the organisation?

To mitigate this, vulnerability scan outputs need to be in a form that is easily consumed by both the security and operations teams. It must include details such as the severity level and age of the vulnerability, and the information also needs to be actionable. This requires creating a fast, automated (and thereby repeatable) process connecting a high-risk vulnerability to its remediation.

3. Develop context

Context is key when it comes to understanding the nature of a problem and making the most effective response. Once we know the number of vulnerabilities, the severity level and age of a vulnerability, responding effectively still requires answers to additional questions like: Which assets might be affected? Where are they on my network? Is a patch available? If so, when can it be deployed? If not, can the risk be mitigated through the real-time protection offered by a firewall or intrusion prevention system? Only by knowing the context can you ensure you will make the right response decision.

4. Increase your “vulnerability intelligence”

As you improve your ability to develop context and respond to vulnerabilities based on actionable data, your overall level of “vulnerability intelligence” goes up, enabling you to make even better security decisions. It also allows you to continuously adapt your vulnerability management approach as threats evolve in order to accelerate the discovery-to-remediation timeline and reduce overall risk.
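The practices "Make sure data is consumable and actionable" and "Develop context" can be combined in a small triage step that joins scanner findings with an asset inventory and attaches a remediation action to each one. The sketch below is an added example, not part of the original article or any BMC product; the findings, hosts, field names and scoring weights are all constructed assumptions.

```python
from datetime import date

# Constructed scanner findings; IDs are placeholders, not real CVEs.
FINDINGS = [
    {"id": "VULN-A", "host": "web01", "cvss": 9.8, "first_seen": date(2017, 1, 10), "patch": True},
    {"id": "VULN-B", "host": "db01", "cvss": 7.5, "first_seen": date(2016, 6, 1), "patch": False},
    {"id": "VULN-C", "host": "hr-laptop", "cvss": 5.3, "first_seen": date(2015, 3, 2), "patch": True},
    {"id": "VULN-D", "host": "lab-pc", "cvss": 7.0, "first_seen": date(2017, 5, 30), "patch": True},
    {"id": "VULN-E", "host": "unknown9", "cvss": 6.1, "first_seen": date(2017, 5, 20), "patch": True},
]
# Constructed asset inventory: the context a raw scan report lacks.
ASSETS = {
    "web01": {"zone": "dmz", "criticality": 3, "ips": True},
    "db01": {"zone": "internal", "criticality": 3, "ips": True},
    "hr-laptop": {"zone": "internal", "criticality": 1, "ips": False},
    "lab-pc": {"zone": "internal", "criticality": 1, "ips": False},
}

def triage(findings, assets, today):
    """Join findings with asset context; return an actionable queue, riskiest first."""
    queue = []
    for f in findings:
        row = {"id": f["id"], "host": f["host"], "cvss": f["cvss"],
               "age_days": (today - f["first_seen"]).days}
        asset = assets.get(f["host"])
        if asset is None:
            # No context means the risk cannot be assessed; surface the gap itself.
            row.update(score=None, action="locate asset and add to inventory")
        else:
            # Assumed weighting: severity scaled by asset criticality, plus up to 10
            # points for age so old medium findings are not deferred indefinitely.
            score = f["cvss"] * asset["criticality"] + min(row["age_days"] / 90, 10)
            if asset["zone"] == "dmz":
                score += 5  # internet-facing assets are reachable by more attackers
            if f["patch"]:
                action = "schedule patch"
            elif asset["ips"]:
                action = "apply firewall/IPS rule until a patch exists"
            else:
                action = "escalate: no patch and no compensating control"
            row.update(score=round(score, 1), action=action)
        queue.append(row)
    # Unassessed findings sort first so they are not silently dropped.
    queue.sort(key=lambda r: (r["score"] is not None, -(r["score"] or 0)))
    return queue

if __name__ == "__main__":
    for r in triage(FINDINGS, ASSETS, date(2017, 6, 1)):
        print(f'{r["id"]:7} {r["host"]:10} cvss={r["cvss"]:<4} age={r["age_days"]:>4}d '
              f'score={r["score"]}  -> {r["action"]}')
```

With this weighting, the two-year-old medium finding on hr-laptop ranks above the two-day-old higher-severity finding on lab-pc, which is the effect of including age alongside severity.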
As vulnerabilities continue to increase, and as attackers continue their two-pronged approach of looking for low-hanging fruit through CVEs even as they evolve their strategies, it is critical to have a sound vulnerability management strategy based on comprehensive, up-to-date scan data and the ability to quickly and easily see the threat context. This is the only way you can avoid the “priority trap” and be sure you are making the right decisions in mitigating both the most common current threats and the CVEs that can lead to a significant security incident.

By taking on board these four best practices, you’ll be able to more successfully navigate the increasingly dense, diverse and dangerous world of cyber security threats. It’s just a matter of reconsidering where your priorities lie.

