Top Barriers to Effective Vulnerability Risk Management

    When it comes to the effectiveness of traditional vulnerability risk management programs, the challenges are often rooted in the process itself. Simply put, there are many manual steps (and often missteps) – from vulnerability scanning and detection to verification, impact analysis, and remediation – all of which can consume up to 40 percent of the IT organization’s resources.

    Given the labor-intensive list of to-dos, many IT organizations use vulnerability management tools merely as a means to help document system compliance with industry or government regulations. Vulnerability management has become a “one-and-done” task, contributing to a less than effective outcome, as new technologies – and threats – are constantly being introduced into the environment.

    NopSec CTO Michelangelo Sidagni explores how the manual aspects of vulnerability risk management cause broader challenges that can overwhelm IT departments and cripple their remediation efforts.

    Top Barriers to Effective Vulnerability Risk Management - slide 1

    Risk Management Challenges

    The following slides cover the top barriers IT pros face in vulnerability risk management, as identified by NopSec CTO Michelangelo Sidagni.


    A Vulnerable Landscape

    Cyber crime is a low-risk, high-return growth industry with an estimated annual cost to the global economy of more than $400 billion, according to The Center for Strategic and International Studies and Intel Security. While more than 7,900 IT security vulnerabilities were identified in 2014, countless other vulnerabilities went undiscovered and continue to do so. Referred to as zero-day vulnerabilities for their “unknown” classification, these gaps pose potentially significant security risks to organizations and governments around the world. Heartbleed, Shellshock (or the Bash bug) and POODLE are just three examples of high-profile vulnerabilities that rocked the IT industry last year.

    Whether the threat is known or unknown, cyber criminals exploit these vulnerabilities to gain unauthorized access to user accounts, devices and systems. Consider that just one unpatched server gave hackers access to 76 million customer profiles. Staying ahead of the aggressive threat landscape is a never-ending requirement for any organization.


    Barrier #1 – A Reactive Mindset

    So why are traditional vulnerability risk management programs now failing? Too many organizations focus on recovering from an attack rather than preventing a breach in the first place. Taking a reactive approach, IT and security teams spend most of their effort repairing systems and mitigating damage after an attack has already occurred.

    However, while an alarming majority of applications do have security vulnerabilities, most issues are the result of setup errors rather than the application code itself. Organizations need to proactively identify and remediate vulnerabilities stemming from server misconfigurations, improper file settings, sample content, outdated software versions, and other items related to insecure deployment. Reactive initiatives are not enough – it is time to prioritize prevention.


    Barrier #2 – Resource Constraints

    Organizations are spending too much time and money on manual verification and analysis of vulnerabilities. The manual tasks involved in collecting, analyzing and prioritizing scanner data results can be overwhelming. In fact, the average manual tracking and reporting process takes a typical IT department weeks of work. However, it only takes a hacker a few days to exploit a vulnerability.

    IT teams spend an excessive amount of time trying to tame massive (usually outdated) spreadsheets just to find out that they were not able to find and fix a vulnerability before a hacker exploited it. Organizations can dramatically reduce the turnaround time between identification of critical vulnerabilities and remediation by prioritizing the risks unique to their business environment.


    Barrier #3 – Lack of Context

    Most vulnerability detection tools fail to deliver intelligent context about vulnerabilities in terms of actual business impact. IT teams are left scrambling to figure out which of the thousands of vulnerabilities across their environment should be addressed on any given day. It is a hit-or-miss approach, where misses can translate to millions of dollars spent recovering from a data breach if one occurs.

    Organizations need contextual intelligence. IT teams should be able to immediately view the most ominous threats for their own environment based on known attack vectors in the wild.


    Barrier #4 – Volatile Threatscape

    Organizations are trying to fend off a never-ending barrage of new attacks and vulnerabilities. As organizations introduce new technologies, the number of vulnerabilities increases and new classes of vulnerabilities are introduced, thereby creating additional complexity. Meanwhile, human vulnerabilities can occur both outside (cyber criminals) and inside (employees) the organization.

    However, most organizations do not even use the patching and configuration tools available to help prevent security breaches. New technologies and risks are proliferating, but security efforts are not keeping up.


    Barrier #5 – Security Expertise Shortage

    Unfortunately, there is currently a lack of expert intelligence in the IT security community. Security expertise is specialized, expensive, and requires constant infusions of knowledge, information, and perspective from external sources.

    Talented security engineers are difficult to hire and almost impossible to retain over time. Organizations need to groom a rare breed of security intelligence experts or tap external resources to share their knowledge.


    Barrier #6 – Latency Handicap

    Another challenge involves the remediation itself. Once identified, it takes the average company 60 to 70 days to remediate a security vulnerability, allowing cyber criminals ample time to access the network and inflict damage. Critical vulnerabilities can remain unpatched in businesses for months – even years – after they’ve been discovered and publicly announced. That is, if they’re fixed at all.

    When IT teams are blind to real-time threats, they are inevitably reactive. Preventing breaches and security incidents becomes impossible.


    Barrier #7 – Data Overload

    Vulnerability scan data generates thousands of static data points – 95 percent of which are completely irrelevant. This data deluge leaves IT teams hunting for a needle in a haystack as they try to clean, validate and prioritize vulnerability data.

    Eliminating false positives and other non-relevant information is a critical first step in any vulnerability management initiative. More data does not always equal better insight.
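    As an added illustration of the contextual prioritization argued for under Barrier #3 and the noise filtering under Barrier #7 (this is example code, not from NopSec or the article), the following Python ranks constructed scanner findings by business context rather than raw severity. The field names, weights, and placeholder CVE ids are assumptions, not any scanner's real schema or output.

```python
"""Contextual vulnerability prioritization (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str                # placeholder ids below; not real CVEs
    cvss: float             # base severity reported by the scanner (0.0-10.0)
    asset_criticality: int  # 1 (lab box) .. 5 (revenue-critical); set by the business
    internet_exposed: bool  # reachable from outside the perimeter
    known_exploited: bool   # exploitation observed in the wild (assumed intel feed)
    verified: bool          # confirmed by a second check; False = suspected false positive


def contextual_score(f: Finding) -> float:
    """Scale scanner severity by what the host is worth, then boost for
    exposure and in-the-wild exploitation. Weights are illustrative assumptions."""
    score = f.cvss * f.asset_criticality / 5.0
    if f.internet_exposed:
        score *= 1.5
    if f.known_exploited:
        score *= 2.0
    return round(score, 2)


def prioritize(findings: list[Finding], min_score: float = 4.0) -> list[Finding]:
    """Drop unverified (false-positive) noise, then return the remaining findings
    highest contextual risk first, omitting anything below min_score."""
    verified = [f for f in findings if f.verified]
    ranked = sorted(verified, key=contextual_score, reverse=True)
    return [f for f in ranked if contextual_score(f) >= min_score]


# Constructed sample scanner output; hosts and CVE ids are placeholders.
SAMPLE = [
    Finding("web-01", "CVE-0000-0001", 9.8, 5, True, True, True),
    Finding("lab-07", "CVE-0000-0002", 9.8, 1, False, False, True),   # same CVSS, lab asset
    Finding("db-02", "CVE-0000-0003", 6.5, 5, False, True, True),     # lower CVSS, exploited
    Finding("web-02", "CVE-0000-0004", 7.5, 4, True, False, False),   # unverified: filtered
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{contextual_score(f):6.2f}  {f.host:7}  {f.cve}")
```

    The 6.5 on the exploited, business-critical database outranks the 9.8 on the lab host, and the unverified finding never reaches the worklist, which is the difference between scanner severity and contextual risk.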


    Barrier #8 – Expanding Attack Surface

    The rise of cloud services, mobile applications, BYOD and the Internet of Things further complicates an organization’s ability to protect itself and expands its attack surface – the collection of areas vulnerable to compromise by attackers. Most organizations also do not address third-party security, leaving an organization at higher risk when it shares access to systems and applications with parties outside of the organization.

    The security of today’s organizations relies on their ability to identify vulnerabilities in everything that is connected to their networks and applications.


    Quickly Moving From Threat Detection to Remediation

    Responding to attacks only after they have occurred is a dangerous game. As the incidence of security vulnerabilities continues to escalate, so does the potential for a data breach.

    We cannot allow cyber criminals to continue claiming victory in the undeclared digital war. Organizations need to move from detection to remediation of IT security vulnerabilities faster – before they are exploited. To do so, IT departments need to institute a continuous process for addressing security vulnerabilities.
