Vulnerabilities are the primary cause of most breaches. We should refocus our attention on how vulnerabilities are being managed, and track this as a metric, to gain visibility into how to reduce the biggest risks of being breached. The primary issue in vulnerability management is that organizations are not prioritizing their patching and mitigating controls, nor are they mitigating the exploitation of the vulnerabilities that attackers most commonly target. The answer is a risk-based approach. This whitepaper highlights the biggest risks and shows how to align your Vulnerability Management Program with them.
The dogmatic approach to vulnerability management, which attempts to deal with large volumes of vulnerabilities in aggregate, seems sound and is based on common sense; in practice, however, it has led to friction between IT security and operations teams. The friction comes from the implied and actual resources required to “patch everything,” given the large number of vulnerabilities present in every organization. Many organizations recognize the importance of a vulnerability management plan and supplement it with robust vulnerability management cycles and security measures, which we define in the following sections.
Analysis
Attackers leverage vulnerabilities more often when they are relatively easy to exploit and present in software with a large installed base. Consequently, these vulnerabilities have the best chance of making it into the “exploitation mainstream”: easily weaponized exploits are circulated through public and private forums and built into numerous attack creation tools.
As a rough metric, our research has found that, depending on your technology stack, there are likely to be only about 50 to 300 vulnerabilities each year about which you should be critically concerned. They are the ones most often used and reused for all kinds of nefarious activity by a range of threat actors, for example in banking trojans, ransomware and botnets.
Today’s vulnerability assessment tools do a good job of finding vulnerabilities, but they flag far more than these high-risk ones. In aggregate, across an organization, they often report tens of thousands of vulnerabilities that you must figure out how to manage.
Prioritize the Patching of Vulnerabilities
The core tenet of information security is that it exists to preserve the confidentiality, integrity and availability of your company’s IT assets. A breach is arguably one of the clearest demonstrations of impact across all three of these tenets, and the impact is real to individuals, organizations, clients and partners alike. Although not all breaches result from a vulnerability being exploited, most do, and of those, most exploit known vulnerabilities rather than “zero days.”
Traditional logic states that you should patch in order of the severity of the vulnerability: critical vulnerabilities first, then high, then medium and so forth. Although it would be great if we could patch everything, this is clearly not working and, in fact, is not even possible for most organizations. We are far from a world in which it will be achievable. Attack path modelling and an understanding of the cyber kill chain show that the most effective approach is instead to focus on the vulnerabilities being exploited in the wild.
Pragmatically, if you could focus your efforts on patching (or applying a compensating control to) the vulnerabilities that are being exploited in the wild, it would:
- Be an effective approach to risk mitigation and prevention.
- Be a smaller number to deal with, which means more effort could be put into each of them for the greater benefit of your organization.
The Zero-Day Problem
Vendors claim that net new malware samples are zero day, but omit that these are just “new” malware variants exploiting the same vulnerabilities. Malware variants leverage older, known vulnerabilities. What isn’t changing is the set of underlying vulnerabilities being exploited to gain a foothold in your organization. This is a clear example of “not telling the whole truth”: the samples are not actually new (or zero day) but are existing threats dressed up differently so that they appear “new” to technology geared toward detecting threats by signature.
If you take all vulnerabilities for which exploits are known to be available and break them down by severity, the “medium” ranked vulnerabilities have been exploited more often in aggregate, simply because there are more medium-ranked vulnerabilities in an organization’s network. A further problem with medium-ranked issues such as SQL injection (SQLi) and cross-site scripting (XSS) is that they are rife in the custom-developed applications that many enterprises use to run critical processes. For applications you develop yourself, guidance such as the OWASP Top 10 is critical to follow.
Actions to Take
The answer is surprisingly simple to articulate and execute. We recommend adjusting your IT operations priorities so that you patch or remediate (or put a mitigating control in place for) the vulnerabilities that are both present in your organization and being exploited in the wild, ahead of the rest.
Although rare, zero days do occur and need to be accounted for. Some systems have a runtime in your environment longer than the vendor’s willingness to supply security patches, or you may be unable to pay for extended patch support for some technologies. Finally, the mission-critical systems that run your digital business cannot simply be made unavailable on an uncontrolled schedule. A strategy to deal with these realities is therefore required. Multiple methods can help, including application whitelisting, identity and access management, and privileged user monitoring.
Use IPS for Virtual Patching
Although it is a well-established technology, IPS has been closely linked to vulnerabilities and to the prevention and detection of their exploitation since its inception almost 20 years ago. Even though standalone IPS has increasingly been absorbed into next-generation firewalls and integrated threat management platforms, it still needs to be integrated with your vulnerability management program so that it can provide seamless compensating controls (“virtual patches”) for exploited vulnerabilities you cannot patch immediately. A virtual patch only protects traffic that actually traverses the IPS, and only where a signature for the specific vulnerability exists and is enabled, so it reduces exposure while the real patch is scheduled rather than replacing it.
Vulnerability Assessment Analytics
In the meantime, vulnerability assessment analytics can tell you which vulnerabilities fall into the “present in your environment and exploited in the wild” category and where they sit on your network. Security technologies such as IPS can then be used to ensure that those targeted vulnerabilities have reliable compensating controls until they are patched.
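As an added illustration of the analytics this section and the “Prioritize the Patching of Vulnerabilities” section describe (example code written for this page, not code from the original whitepaper or from Kanoo Elite), the Python below takes constructed scanner output and a constructed stand-in for an exploited-in-the-wild feed, derives the “present and exploited” focus set, and orders the patch queue by exploitation status first and scanner severity second. The vulnerability identifiers, hostnames and the feed contents are placeholders, not real CVE numbers, systems or intelligence.

```python
from collections import defaultdict

# Scanner severity ranks. Used only as a tie-breaker after exploitation status.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed sample of vulnerability scanner output as (vuln_id, host, severity).
# The identifiers and hostnames are placeholders, not real CVE numbers or systems.
SCAN_FINDINGS = [
    ("VULN-1001", "web-01", "critical"),
    ("VULN-1001", "web-02", "critical"),
    ("VULN-1002", "db-01", "high"),
    ("VULN-1003", "web-01", "medium"),
    ("VULN-1003", "web-02", "medium"),
    ("VULN-1003", "app-01", "medium"),
    ("VULN-1004", "app-01", "low"),
    ("VULN-1005", "db-01", "medium"),
]

# Constructed stand-in for an exploited-in-the-wild feed (exploit-kit or threat
# intelligence data). VULN-9999 is in the feed but not present in the scan.
EXPLOITED_IN_THE_WILD = {"VULN-1003", "VULN-1005", "VULN-9999"}


def group_by_vuln(findings):
    """Collapse per-host findings into one record per vulnerability."""
    hosts = defaultdict(set)
    severity = {}
    for vuln_id, host, sev in findings:
        hosts[vuln_id].add(host)
        severity[vuln_id] = sev.lower()
    return hosts, severity


def focus_set(findings, exploited):
    """Vulnerabilities that are both present in the scan and exploited in the
    wild: the short list the text says to patch or virtually patch first."""
    present = {vuln_id for vuln_id, _, _ in findings}
    return sorted(present & exploited)


def severity_only_order(findings):
    """The traditional queue: scanner severity, then footprint, ignoring exploitation."""
    hosts, severity = group_by_vuln(findings)
    return sorted(hosts, key=lambda v: (-SEVERITY_RANK.get(severity[v], 0), -len(hosts[v]), v))


def risk_based_order(findings, exploited):
    """The risk-based queue: exploited in the wild first, then severity, then
    footprint. Returns one record per vulnerability with the suggested action."""
    hosts, severity = group_by_vuln(findings)
    rows = []
    for vuln_id in hosts:
        is_exploited = vuln_id in exploited
        rows.append({
            "vuln_id": vuln_id,
            "severity": severity[vuln_id],
            "exploited": is_exploited,
            "hosts": sorted(hosts[vuln_id]),
            # Exploited findings are patched or virtually patched (IPS) now;
            # everything else falls into the normal patch cycle.
            "action": "patch or virtual-patch now" if is_exploited else "normal patch cycle",
        })
    rows.sort(key=lambda r: (not r["exploited"],
                             -SEVERITY_RANK.get(r["severity"], 0),
                             -len(r["hosts"]),
                             r["vuln_id"]))
    return rows


def summarize(findings, exploited):
    """Counts showing how much smaller the exploited subset is than the raw scan."""
    hosts, _ = group_by_vuln(findings)
    focus = focus_set(findings, exploited)
    urgent_hosts = set().union(*(hosts[v] for v in focus)) if focus else set()
    return {
        "findings": len(findings),
        "unique_vulns": len(hosts),
        "exploited_vulns": len(focus),
        "hosts_needing_urgent_action": len(urgent_hosts),
    }


if __name__ == "__main__":
    for row in risk_based_order(SCAN_FINDINGS, EXPLOITED_IN_THE_WILD):
        print(row)
    print(summarize(SCAN_FINDINGS, EXPLOITED_IN_THE_WILD))
```

On the constructed data the two medium-ranked, exploited vulnerabilities come out ahead of the unexploited critical and high ones, which is the reordering the text argues for; the severity-only queue puts the critical first. In a real deployment the `EXPLOITED_IN_THE_WILD` set would be replaced by a maintained known-exploited-vulnerabilities feed, and the scan tuples by your scanner’s export.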
Exploit Kits
Exploit kits have been an important part of malware delivery for a long time. They show that malware is delivered using only a small set of high-risk vulnerabilities, which are generally a year or more old. There are not large numbers of exploit kits in circulation; however, they deliver a large proportion of malware.
Malware Data
For about a decade we have been in a period of “industrialized obfuscation,” or “serial variants,” of malware. This is where a piece of malware is only slightly modified or repackaged, or given polymorphic markers, and is then counted as a “new” malicious program. A malware family does not change much, yet it often comprises hundreds of thousands or millions of samples. What remains consistent is the small number of vulnerabilities used to deliver the malware and other threats. If you can get this data and analyze it in aggregate, the problem statement becomes: “look at how many threats are still using a small number of vulnerabilities.”
Kanoo Elite, with its years of experience in providing Risk Management Frameworks and assisting organizations to protect their environments, is an industry leader that can help you formalize your risk management plan to better anticipate and manage the risks facing your organization. With our integrated capabilities, we help your information security operations prioritize real-time risk controls, detect incidents quickly and make risk intelligence more effective across your organization. Our risk management solutions also inform a range of security functions, such as strategic planning, staff awareness and board reporting.