Why is vulnerability management so difficult for laymen to understand? Why does it seem impossible for IT teams to gain leadership support for a standard, repeatable, operational process? What is the barrier to reporting vulnerability management metrics to our executive boards in a clear and concise manner?
In today's world of constant cybercrime attempts, having a foundational process in place to ensure computer systems are up to date and maintained at current patch levels is an absolute must. The challenges most organizations face can be summed up in the following categories: resources, priorities, business alignment, and maintaining a simple, repetitive, operational process.
Vulnerability – the quality or state of being exposed to the possibility of being attacked or harmed, either physically or emotionally.
This generic dictionary definition of vulnerability holds true even in the logical world of computer systems. In my opinion, we do not have to go deeper into a cybersecurity-specific definition to understand the basis: a vulnerability simply means exposure. No one likes being exposed, nor should we like our companies being exposed.
Protecting your organization and individuals from vulnerabilities is somewhat analogous to tending a garden. Each requires the basics of continued care and frequent fertilization. While pulling weeds from a garden is definitely not glamorous, neither is ensuring your computer systems remain updated, current, and patched. Both tasks require constant attention in order to be effectively and successfully maintained. They require effort, progress monitoring, and at times a strategy to keep control over pests and uninvited invaders. Lastly, each requires a well-thought-out plan for times when you are not focused on the task. If you go on holiday and leave your plants unattended, there will most assuredly be weeds waiting upon your return. If your teams do not maintain a repeatable, ongoing, operational process for patching systems, there will be an increase in vulnerabilities.
Also of note, cloud-based systems are not immune from being vulnerable. Foundational planning should be put in place to ensure an understanding of specific roles and responsibilities across your company when adopting cloud solutions. The main focus of this understanding is to remove any ambiguity about who is actually accountable for maintaining each element of the cloud solution: the cloud provider, IT and cybersecurity teams, businesses… This blog site is a good example, as it is cloud based; however, not all components are fully managed by the cloud provider. Certain elements require my direct care and attention to keep it current, patched, and healthy.
Exposing the challenges and risks of vulnerability management to company executives and board members can be daunting. There is an inherent yin and yang associated with the vulnerability management lifecycle. The infrastructure and IT teams try, although perhaps in vain, to influence business leaders to allow system downtime for patching activities. This can create numerous lengthy and unnecessary debates, driving cybersecurity teams to work on complex algorithms in an attempt to rank systems or prioritize the order in which to address each patch. It's my belief that unless your organization is segmenting systems based specifically on regulatory requirements, very specific data sets that are critical, or specific transaction-volume-based processing, working through this highly granular scheme of system prioritization to reach group consensus on a patching priority can take the focus off the basic operational process. These efforts lead to team distraction and increase administrative cost. Moreover, the end result is typically not as positive as being pragmatic and ensuring a solid basic process is in place. Just like pulling weeds in your garden, it's a basic, ongoing effort to address all of the weeds. Unfortunately, this struggle is very real for many organizations everywhere in the world. This battle produces delays in remediating vulnerabilities, which leads to major financial losses caused by cybercriminals' exploits.
Experienced business leaders are comfortable with taking risks, as this is a fundamental skill needed in creating successful businesses. These leaders look to a variety of sources of information to help form solid decisions, balancing risk with reward. The CISO's challenge in sharing information regarding vulnerability management is to convey the message using terms that are easily understood by a non-IT audience, to add to the decision-makers' information pool, and to work cohesively to reduce risk company-wide. Additionally, business leaders are often unclear regarding IT terminology, the positive impact of interdisciplinary communication, and how to create and maintain a standard, secure, and repeatable process.
There are vast numbers of research papers, complex formulas, large-scale examples, and working groups focused on vulnerabilities. My opinion and experience have shown that basic, pragmatic, collaborative steps in vulnerability management can be highly successful in any setting. I am of the opinion that we have three fundamental metrics that matter regarding the effectiveness of vulnerability management:
1) Speed to effectively patch ‘all’ systems when a critical event occurs
2) Consistency of ongoing, repetitive patching
3) Visibility vs. visibility gaps in identifying vulnerabilities within your company
First, speed to effectively patch all systems when a critical event occurs. This is fairly straightforward; however, do not "cry wolf" when utilizing this process. It should be used only when the severity truly is at the absolute top tier (use any criticality/impact score you'd like). The goal here is to rally all teams, third parties, etc. involved, to run a full-on sprint to the finish line with a specific patch set addressing a vulnerability. Knowing where the finish line is (visibility of all systems) while maintaining focus at full throttle all the way across it is key. Your metric is simple: how long did it take, from beginning to end, to patch all systems? This effort should occur within hours, not days, in any company regardless of its size. The operational process standards, including automation, should be aligned to the size and scale of your company. This is a clear, simple metric that board members can easily understand and executive leaders can support. Collaboration across teams, a high-level playbook, and testing through tabletop exercises can all be solid supporting activities for achieving a repeatable response in hours.
Next, consistency of ongoing, repetitive patching. New vulnerabilities are identified and reported daily. This is coupled with an ongoing set of new and revised exploits in the wild. The thought that any company would ever get to zero vulnerabilities across its systems is simply not a realistic goal. Teams should align and collaborate on basic repetitive operational patching goals across all systems. Our current model is one where vulnerabilities with a critical CVSS score are to be patched within 30 days and those with a high CVSS score are to be patched within 60 days. We are not looking for zero vulnerabilities; we are, however, looking for consistent, repetitive cycles of patching to be a fundamental baseline across the enterprise. Again, the metric is simple: the trend in vulnerabilities should show the teams holding the line steady against newly identified vulnerabilities, the backlog of known vulnerabilities should consistently trend down, and the new-vulnerability line should show an incoming spike followed by a knock-down as patches are applied, over and over (a heartbeat). The measure should include a clear view of the consistency of the processes across the teams involved: slow, steady, accurate execution of applying patches and updates.
Lastly, visibility vs. visibility gaps in identifying vulnerabilities within your company. Systems come and go; mergers and acquisitions, new cloud services, legacy equipment brought out of the closet, a new network segment stood up by a business unit… all of these factors contribute to the continued ebb and flow of any company's technology ecosystem. A constant battle of any vulnerability program is maintaining visibility of the whole ecosystem across a company. The operational process of "looking for the unknown" should always be a part of any successful vulnerability management program. In its most basic form this can be achieved through scanning, research, internal processes, governance, and at times just plain hunting, in order to constantly footprint your company. Although some companies have a solid governance-based culture, very few companies are positioned to "catch it all" in terms of governance processes meant to ensure nothing is newly installed without registration. Additionally, this level of control over business processes needing new technology can be costly, both in administrative overhead and in political standing, as a business may work harder to "get around" the governance. Our new world of cloud-based services has also radically changed the speed and ease with which a business process can be digitally transformed, with or without governance. Cybersecurity teams must build into their ongoing vulnerability management process a posture of trust, but verify: continually confirming what actually makes up the systems across the company. This will not be resolved quickly or easily. As cybersecurity professionals we should look to add value to our business partners, and not be viewed as limiting their speed. Again, the easily digestible discussion point with senior leaders and board members in any company is this: we need clear visibility in order to assure risk reduction regarding cybersecurity vulnerabilities.
The metric should not be seen as complex. Simply showing month over month how much "new" has been discovered can assist in framing the discussion and demonstrate the value of lightweight registration processes. The goal is maintaining a repetitive process, showing results, and minimizing surprises across the company. Regardless of whether you believe a business should or should not stand up the latest cloud SaaS tool to support its business process, it's our job to help minimize the risk that tool presents when it is not maintained going forward.
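To make the three metrics concrete, here is an added example (not code from the original post or from the author's program) that computes them from a scanner-style export: hours to patch all systems for a critical event, SLA compliance and the open-backlog "heartbeat" for the 30-day critical / 60-day high targets stated above, and new assets discovered per month. The findings, the inventory, the field names (asset, vuln, severity, first_seen, fixed) and the placeholder vulnerability labels are all constructed for this example and are not any particular scanner's schema.

```python
"""Vulnerability-management metrics computed from a constructed scanner export.
Added example; the record schema and the sample data below are assumptions."""
from collections import Counter
from datetime import date, datetime, timedelta

# SLA targets from the post: critical within 30 days, high within 60 days.
SLA_DAYS = {"critical": 30, "high": 60}


def d(s):
    """Parse 'YYYY-MM-DD' into a date (helper for the constructed data)."""
    return datetime.strptime(s, "%Y-%m-%d").date()


# Constructed findings, one row per (asset, vulnerability); 'fixed' is None while open.
FINDINGS = [
    {"asset": "web-01", "vuln": "VULN-A", "severity": "critical", "first_seen": d("2024-01-03"), "fixed": d("2024-01-20")},
    {"asset": "web-02", "vuln": "VULN-A", "severity": "critical", "first_seen": d("2024-01-03"), "fixed": d("2024-02-15")},
    {"asset": "db-01", "vuln": "VULN-B", "severity": "high", "first_seen": d("2024-01-10"), "fixed": d("2024-03-01")},
    {"asset": "db-01", "vuln": "VULN-C", "severity": "high", "first_seen": d("2024-02-05"), "fixed": None},
    {"asset": "web-01", "vuln": "VULN-D", "severity": "high", "first_seen": d("2024-02-20"), "fixed": d("2024-03-05")},
    {"asset": "legacy-9", "vuln": "VULN-A", "severity": "critical", "first_seen": d("2024-03-12"), "fixed": None},
]

# Constructed asset inventory: when the scanner first saw each host.
INVENTORY = {
    "web-01": d("2023-11-02"), "web-02": d("2023-11-02"), "db-01": d("2023-12-14"),
    "legacy-9": d("2024-03-12"), "saas-proxy-1": d("2024-03-28"),
}

# Constructed critical-event sprint: declared start and per-system fix timestamps.
EVENT_START = datetime(2024, 3, 12, 9, 0)
FIX_TIMES = {
    "web-01": datetime(2024, 3, 12, 13, 30),
    "web-02": datetime(2024, 3, 12, 15, 0),
    "db-01": datetime(2024, 3, 13, 8, 0),
}


def hours_to_patch_all(event_start, fix_times):
    """Metric 1: hours from the declared event until the LAST in-scope system was
    patched. Returns None while any system is still open, because the finish line
    is all systems, not most of them."""
    if any(t is None for t in fix_times.values()):
        return None
    return (max(fix_times.values()) - event_start).total_seconds() / 3600


def sla_compliance(findings, as_of):
    """Metric 2: per severity, the share of findings closed inside the SLA window.
    Open findings already past their due date count as breaches; open findings
    still inside the window are not yet decided and are left out."""
    met, judged = Counter(), Counter()
    for f in findings:
        limit = SLA_DAYS.get(f["severity"])
        if limit is None:
            continue  # severities without an SLA are not measured here
        due = f["first_seen"] + timedelta(days=limit)
        if f["fixed"] is not None:
            judged[f["severity"]] += 1
            met[f["severity"]] += f["fixed"] <= due
        elif as_of > due:
            judged[f["severity"]] += 1
    return {sev: met[sev] / judged[sev] for sev in judged}


def open_backlog_by_month(findings, months):
    """Metric 2 trend: findings still open at the end of each (year, month).
    Plotted over time this is the spike-and-knock-down heartbeat the post describes."""
    out = {}
    for y, m in months:
        month_end = date(y + (m == 12), m % 12 + 1, 1) - timedelta(days=1)
        out[f"{y}-{m:02d}"] = sum(
            1 for f in findings
            if f["first_seen"] <= month_end and (f["fixed"] is None or f["fixed"] > month_end)
        )
    return out


def new_assets_by_month(inventory):
    """Metric 3: how much 'new' the scanner discovered each month."""
    counts = Counter(f"{seen.year}-{seen.month:02d}" for seen in inventory.values())
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    print("hours to patch all:", hours_to_patch_all(EVENT_START, FIX_TIMES))
    print("SLA compliance:", sla_compliance(FINDINGS, d("2024-04-01")))
    print("open backlog:", open_backlog_by_month(FINDINGS, [(2024, 1), (2024, 2), (2024, 3)]))
    print("new assets:", new_assets_by_month(INVENTORY))
```

Two design choices worth noting: the sprint metric refuses to report a number until every system is patched, which is exactly the "finish line" discipline the post asks for, and the SLA calculation counts an open finding as a breach only once its due date has passed, so a freshly discovered critical does not drag the number down before the team has had its 30 days.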
In closing, vulnerability management does not need to be massively complex, and in my opinion it can be addressed in a collaborative, pragmatic way. Consistency and communication are key. Also essential is sharing basic metrics with senior executives and board members to aid their understanding of how this foundational element reduces cybersecurity risk across the organization. If your current IT program is not making the forward movement you expect, take a break, go back to basics, and restart the foundational elements covered above. It can be done successfully in an organization of any size.
John W. Graham
Copyright 2004-2019 Securing Reality, LLC John W Graham. All Rights Reserved