Vulnerability management (VM) is an essential process through which organizations can reduce risk in their environments. But myths and misconceptions surrounding VM abound. For instance, organizations commonly approach vulnerability management in the same way as they do patch management. Others are guilty of believing that all attacks rely on vulnerabilities, while others still are under the false impression that all software patches will work without a hitch.
When held by digital security teams, these and other misconceptions can lead to mistakes in the vulnerability management process. Such errors, in turn, undermine organizations’ digital security posture more broadly. Provided below are three of the most common of these slip-ups.
Mistake #1: Not prioritizing risk properly
If there’s one thing that’s for sure in information security, it’s that there’s no shortage of known software vulnerabilities. Software providers rightfully respond to these flaws by routinely releasing dozens and dozens of patches in their security bulletins. For instance, Microsoft’s Patch Tuesday for June 2019 included fixes for a whopping 88 security vulnerabilities in the Windows operating system and related software. Meanwhile, Oracle Technology Network’s Critical Patch Update Advisory pushed out patches for 334 security flaws in July 2018 alone.
Given this volume of vulnerabilities, organizations might feel inclined to fix as many of them as possible. But that approach does not serve organizations’ digital security postures well, as bad actors don’t develop exploit code for all vulnerabilities. In fact, a research study led by Kenna Security and the Cyentia Institute found that malefactors actively exploit less than two percent of vulnerabilities in the wild.
Kenna Security’s finding reveals that digital attackers craft exploit code for only an extremely small percentage of known security holes. It therefore doesn’t make sense for organizations to treat all vulnerabilities the same. Nor is it beneficial for organizations to drop everything they’re doing and direct all their focus to a flaw which the media has hyped up for no meaningful reason.
Instead, organizations should prioritize their vulnerability management efforts. TechBeacon recommends that organizations focus specifically on vulnerabilities that enable access over the network and from outside threat sources. Additionally, organizations should use a risk formula to calculate each vulnerability’s severity based on the threat it poses to their environment. This calculation should take related threat information, threat relevance, business value and the role of the target system into consideration.
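One way to turn this kind of risk formula into code, as an added Python example that is not from the original article or from TechBeacon; the multipliers, the role weights and the sample inventory are illustrative assumptions, not a published scoring standard:

```python
from dataclasses import dataclass


@dataclass
class Vuln:
    """One scanner finding, enriched with threat and asset context."""
    vid: str                  # constructed placeholder id, not a real CVE
    cvss: float               # vendor/NVD base severity, 0.0 to 10.0
    exploited_in_wild: bool   # threat intel reports active exploitation
    network_reachable: bool   # attack vector is over the network, not local
    internet_exposed: bool    # host is reachable from outside threat sources
    asset_value: int          # business value of the host, 1 (low) to 5 (critical)
    asset_role: str           # role of the target system, e.g. "db", "web"


# Illustrative weights (assumption): the asset's role nudges the score.
ROLE_WEIGHT = {"db": 1.5, "web": 1.3, "workstation": 1.0}


def risk_score(v: Vuln) -> float:
    """Environment-aware risk score; the multipliers are illustrative assumptions."""
    score = v.cvss
    score *= 3.0 if v.exploited_in_wild else 0.5   # threat relevance dominates
    score *= 1.5 if v.network_reachable else 0.7   # favour network-accessible flaws
    score *= 2.0 if v.internet_exposed else 1.0    # and outside threat sources
    score *= v.asset_value / 5                     # business value of the target
    score *= ROLE_WEIGHT.get(v.asset_role, 1.0)    # role info of the target
    return round(score, 2)


def prioritize(vulns):
    """Return findings ordered from highest to lowest environmental risk."""
    return sorted(vulns, key=risk_score, reverse=True)


# Constructed sample inventory: VULN-A is a hyped CVSS 9.8 local-only bug on a
# low-value workstation; VULN-B is a lower-CVSS but actively exploited flaw on
# an internet-facing web server.
SAMPLE = [
    Vuln("VULN-A", 9.8, False, False, False, 2, "workstation"),
    Vuln("VULN-B", 7.5, True, True, True, 4, "web"),
    Vuln("VULN-C", 8.8, True, True, False, 5, "db"),
    Vuln("VULN-D", 5.3, False, True, True, 3, "web"),
]

if __name__ == "__main__":
    for v in prioritize(SAMPLE):
        print(f"{v.vid:8} cvss={v.cvss:<4} risk={risk_score(v)}")
```

Run stand-alone, the ranking puts the exploited, internet-facing VULN-B first and the headline-grabbing VULN-A last, which is the point of the prioritization argument above.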
Mistake #2: Not accounting for zero-days
Organizations don’t just have to worry about wasting time patching known vulnerabilities that digital attackers aren’t exploiting in the wild. They also need to concern themselves with security flaws of which they know nothing. Signature-based detection technologies don’t work against these zero-day vulnerabilities. Digital attackers know this, and they know that many organizations have no way of accounting for zero-day threats. That’s why bad actors are increasingly leveraging such “undiscovered” security holes to devise ever more clever ways to penetrate organizations’ networks before the victims realize anything is wrong.
Traditional security measures clearly don’t work against zero-day vulnerabilities. Consequently, organizations need to outfit their vulnerability management programs with monitoring capabilities. Specifically, these features should monitor for suspicious activity involving their endpoints and the network as a whole. Organizations also need to balance these monitoring capabilities with a host-based intrusion prevention system that uses threat intelligence to stay on top of the latest threats. Finally, they should make sure they have robust incident response plans in place that can help them quickly address an instance where bad actors exploit a zero-day flaw.
Mistake #3: A disjointed approach to VM
It’s not easy for organizations to coordinate their VM efforts towards mitigating both known and unknown vulnerabilities. This is especially the case when organizations practice a disjointed approach to vulnerability management. More often than not, this mistake boils down to issues involving people and process rather than technology. TechBeacon explains that organizations commonly slip up by dumping loosely defined vulnerability management duties onto the desks of already overworked IT security professionals. In many cases, organizations compound these ineffective duty assignments with weak policies and an abundance of disparate solutions.
To avoid these problems, Trace Security and TechBeacon both support the idea of organizations assigning firm responsibilities to individuals who have the time to make VM an essential part of their jobs. Organizations should also create an incentive plan for system owners based on the vulnerability scores of the assets they manage. As we explained for The State of Security:
People are often motivated by carrots, and there is nothing like presenting an award to an employee to make them feel good about their work and contribution. Besides, a little competition among peers is a good thing. Make sure you’re using workflow in the tool to assign remediation to system owners and track their progress in fixing problems.
Beyond that, organizations need to develop an appropriate strategy by which they can uniformly approach vulnerability management. They can complement this approach by investing in a VM solution that’s right for them. This buyer’s guide can help in that effort.
Just the Beginning
Everything we described above will help set organizations in the right direction towards augmenting their vulnerability management programs. But organizations should not pursue these steps with the expectation that they’ll then be done. They need to realize that vulnerability management is an ongoing process, and they need to treat it as such.