- Security TWENTY
- Women in Security Awards
Continuous vulnerability management is a must, writes Chris Goettl, pictured, Director of Security Solutions, at the IT asset protection product company Ivanti.
One of the biggest mistakes an organisation can make is assuming that, with enough financial and human resources, they can keep their business protected from any threat. The reality is that business IT systems may be secure today, but the threat landscape is always changing and evolving. IT and security teams are operating with a constant stream of new information – software updates, patches, security advisories, threat bulletins and more. Unfortunately, hackers also have access to this information, and can use it to exploit the gap between the acquisition of new knowledge and remediation.
The fact is, threat actors have the ability to discover critical vulnerabilities that can be exploited within a business’ environment. After that, the clock is ticking when it comes to applying the relevant patches – the longer it takes to implement, the higher the risk. It only takes around 22 days for a hacker to create a functional exploit, and 50pc of exploits occur within 14 to 28 days of patch availability. If IT and security teams don’t treat vulnerability management and remediation as a continuous process, business infrastructure is at risk of being compromised as threat actors can find, weaponise and attack vulnerabilities faster than IT pros can patch. A continuous vulnerability management programme must be at the heart of any organisation’s security framework.
CIS lists continuous vulnerability management as one of its Basic Controls, defining it as the effort to ‘continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimise the window of opportunities for attackers.’ However, the time and resources needed to create a robust patching process, on top of the manual work that occurs between identifying a vulnerability to when a software update can be deployed, pose many roadblocks to creating an effective continuous vulnerability management programme. For example, when the security team provides a lengthy vulnerability report, the time needed for the IT team to de-duplicate and map Critical Vulnerability Exposures (CVEs) to patches, then research and test them before rolling them out, is one of the biggest causes of deployment delays. Not only this, but deciding which patches to prioritise can also cause major backlogs within the vulnerability management process.
Bridging the gaps between IT and security teams
Whilst IT and security teams have different priorities and agendas, effective collaboration between the two functions is key in expediting the patching process, and subsequently paving the way for realistic continuous vulnerability management. However, IT and security teams often operate in silos, impacted by a lack of communication and conflicting priorities, and things can get lost in translation between the two.
Each vulnerability assessment from the security team could contain tens of thousands of CVEs and IT teams can spend a lot of time manually translating these security reports into updates to improve security systems. This in turn can cause friction and delays between the two, as the time between vulnerability identification and patch deployment increases and security is compromised.
Automation is a key component in freeing up time for the IT team and closing the gap between IT and security. By implementing automated solutions, IT professionals will no longer be required to spend time manually working through threat reports provided by the security team and translating CVEs into updates.
An automated CVE-to-patch import solution can reduce the patching process from hours to minutes. Such solutions can map the patches related to CVEs and pull these into a list of updates that can quickly be approved by the IT team to remediate vulnerabilities in the business environment. This will rapidly improve the patching process and free up the IT team to focus their efforts elsewhere within the continuous vulnerability management programme.
An automated solution can also help bridge the gap between IT and security by combining patch data with patch reliability and security metrics. This can help enhance the rollout of important updates, by offering insights that would otherwise take time and effort to achieve. Automated tools can also help determine the reliability of updates and how quickly they can be rolled out, whilst identifying which patches require additional testing. The ability to refine the patching process based on reliable data and threat scoring will allow the IT team to optimise the entire patch cycle and empower them to cultivate a continuous vulnerability management approach.
IT and security teams may be speaking different languages when it comes to creating and implementing a robust vulnerability management programme. However, automated tools and a reliable patch management programme are crucial to ensure that they are on the same page and work together to foster a continuous approach to vulnerability management and remediation.