It’s difficult to fight an invisible risk. Intelligence changes the battle, turning invisible threats into an actionable defence plan. The big question for security professionals is whether intelligence that creates visibility into software vulnerabilities lets you prevent attacks. The answer is an unqualified yes, writes Vincent Smyth, Senior Vice President, EMEA at Flexera, an IT asset management software firm.
Let’s take a look at the intelligence security teams need in order to avoid attacks.
#1—Vulnerabilities Continue to Grow
Documented software vulnerabilities reached an all-time high in 2017, according to the Vulnerability Review 2018 – Global Trends, the annual report from Secunia Research at Flexera. The report records a 14 percent increase to 19,954 vulnerabilities, up from 17,147 in 2016. Exploitation of publicly known vulnerabilities is a root cause of security incidents; recent high-profile examples include the Equifax breach and the WannaCry attacks.
#2—Attacks Cost Money
When an attacker manages to exploit a vulnerability, it’s expensive for businesses, and not only because of the cost of a successful breach. Incidents associated with exploitation of known vulnerabilities – even those that don’t lead to a successful breach – cost businesses millions of dollars every year. According to PwC, the average financial loss attributed to cyber security incidents was $2.5 million in 2015.
#3—Patches Are Available on Disclosure Day
Despite the growing vulnerability landscape, minimizing the risk of an attack is possible. Most exploits target old, known vulnerabilities, long after they have been publicly disclosed. In 2017, patches were available for 86 percent of vulnerabilities on the day of disclosure. It’s a clear indication that well-run processes can close vulnerabilities before the risk of exploitation rises.
#4—Attacks Start with Process Gaps
Since most vulnerabilities already have a patch when they become public, a formal process to track vulnerabilities remains the key to gaining control over risk. Unfortunately, most companies lack a proactive method for tracking vulnerabilities in the software they own. Processes that automate software inventory, track potential vulnerabilities in that inventory and alert on important patches go a long way toward preventing a problem before it occurs. By moving from reactive firefighting to proactive management, security teams mitigate risk, protect reputations and avoid costly emergency fixes.
#5—Inaccurate Software Inventory Creates Risk
You can’t expect to protect your systems without knowing what you have, and getting an accurate picture of the IT assets in inventory is easier said than done. Most companies cannot accomplish this without implementing Software Asset Management (SAM) processes and technology. Among other things, SAM solutions enable organisations to automate the discovery and inventory of their software (and hardware) assets, wherever they reside. If an organisation already has a SAM implementation in-house, security teams should be aware of it and use the discovery and inventory data as the common “version of the truth” for determining which vulnerabilities apply to them.
#6—Find the Threats that Matter
With thousands of vulnerabilities in thousands of applications, security departments can easily become overwhelmed working out what “applies to us.” Every day, some 300 new vulnerability notices are reported globally, but on average only about eight percent of these “reported” vulnerabilities turn out to be real. At that volume, it’s difficult to devote internal resources to tracking them. Instead, organisations should rely on a trusted Software Vulnerability Management resource whose function is to perform this work, providing vulnerability intelligence rather than just information. Software Vulnerability Management tools that integrate with SAM tools can help companies map their existing applications to critical threats and prioritize what needs immediate attention.
#7—Understand the Vulnerability Rating System
Vulnerability intelligence means that reported vulnerabilities are verified with additional data, delivered in a format security teams can act upon, and focused on vulnerabilities in products relevant to the specific environment. A key component is the rating of a vulnerability’s criticality, because not all vulnerabilities are created equal. For example, a category rating system is often used with the levels extremely critical, highly critical, moderately critical, less critical and not critical. The ratings assess the vulnerability’s potential impact on a system, the attack vector, mitigating factors and whether active exploitation was observed before a patch was released.
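The workflow described in points #4 to #7 (treat the SAM inventory as the version of truth, discard reports that are not verified, map the remaining advisories onto installed software, then prioritize by criticality rating, active exploitation and patch availability) can be shown end to end in a small Python program. This is an added example written for this article, not Flexera's or Secunia's code; the inventory, the advisories and their identifiers, the "affected below version" matching rule and the numeric weights behind the five-level rating scale are all constructed assumptions.

```python
"""Toy software vulnerability management (SVM) pass over a SAM-style inventory.

Added illustration, not vendor code. Every asset, advisory, identifier and
weight below is constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Tuple

# The article's five-level category scale, most to least severe. The numeric
# weights are an assumption used only for ordering the work queue.
RATING_WEIGHT = {
    "extremely critical": 5,
    "highly critical": 4,
    "moderately critical": 3,
    "less critical": 2,
    "not critical": 1,
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.4.12' into (2, 4, 12) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str       # constructed identifier, not a real advisory number
    product: str
    fixed_in: str          # versions strictly below this are affected (assumed rule)
    rating: str            # one of RATING_WEIGHT
    patch_available: bool  # was a patch available on disclosure day
    exploited_in_wild: bool
    verified: bool         # has the report been confirmed with additional data


# Constructed SAM discovery output: what is actually installed, and where.
INVENTORY = [
    Asset("web-01", "ExampleWebServer", "2.4.1"),
    Asset("web-01", "ExampleSSL", "1.0.9"),
    Asset("db-01", "ExampleDB", "10.2.0"),
    Asset("ws-07", "ExampleReader", "11.0.3"),
]

# Constructed advisory feed: five reports, one of them unverified noise.
ADVISORIES = [
    Advisory("ADV-0001", "ExampleSSL", "1.1.0", "highly critical", True, True, True),
    Advisory("ADV-0002", "ExampleWebServer", "2.4.3", "moderately critical", True, False, True),
    Advisory("ADV-0003", "ExampleDB", "10.1.0", "extremely critical", True, False, True),
    Advisory("ADV-0004", "ExampleReader", "11.1.0", "extremely critical", False, False, True),
    Advisory("ADV-0005", "ExampleReader", "12.0.0", "extremely critical", False, True, False),
]


def verified_only(advisories: List[Advisory]) -> List[Advisory]:
    """Intelligence, not information: drop reports that were never confirmed."""
    return [adv for adv in advisories if adv.verified]


def is_affected(asset: Asset, adv: Advisory) -> bool:
    """Product must match and the installed version must be below the fixed version."""
    return asset.product == adv.product and parse_version(asset.version) < parse_version(adv.fixed_in)


def priority(adv: Advisory) -> Tuple[int, int, int]:
    """Sort key: active exploitation first, then criticality, then whether a patch exists."""
    return (int(adv.exploited_in_wild), RATING_WEIGHT[adv.rating], int(adv.patch_available))


def prioritised_queue(inventory: List[Asset], advisories: List[Advisory]) -> List[Tuple[str, str]]:
    """Join verified advisories to the inventory and return (host, advisory_id) pairs, most urgent first."""
    pairs = [(asset, adv) for adv in verified_only(advisories)
             for asset in inventory if is_affected(asset, adv)]
    pairs.sort(key=lambda pair: priority(pair[1]), reverse=True)
    return [(asset.host, adv.advisory_id) for asset, adv in pairs]


if __name__ == "__main__":
    for host, advisory_id in prioritised_queue(INVENTORY, ADVISORIES):
        print(f"{host}: {advisory_id}")
```

With the constructed data, ADV-0003 drops out because db-01 already runs a fixed version, ADV-0005 drops out because it was never verified, and the queue leads with the actively exploited ExampleSSL issue on web-01 even though the unpatched ExampleReader issue carries a higher category rating. In a real deployment the inventory would come from the SAM discovery tool and the advisory feed from the vulnerability intelligence provider; the version-range rule here is a simplification of the product and version data such feeds carry.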
#8—Begin with a Conservative Patch Approach
The most effective programmes apply patches with an emphasis on testing in controlled environments. IT teams benefit from proactively uncovering any performance hits or compatibility issues a patch may cause. Patching is essential to reduce the attack surface, but it must be done prudently, with an understanding ahead of time of the potential impact on system performance and stability. Established processes and tools ensure that mitigation happens carefully and conservatively, guided by risk-based models. By using vulnerability intelligence, security teams turn invisible risks into visible ones, gaining a powerful weapon against software vulnerabilities. It drives an important transformation, helping companies move from reacting to the next breach headline to knowing “we have it covered.” For security teams, that means a visible sigh of relief.
About the author
Vincent Smyth is Senior Vice President, EMEA at Flexera, covering the Enterprise, Government, ISV and Intelligent Device markets.