Getting smarter vulnerability management by applying some intelligence
Brian Chappell explains how technology can help us make sure we are focusing on the things that will deliver the biggest bang for our buck; after all, only a small percentage of the vulnerabilities we have are easy to exploit.
Brian Chappell, director technical services EMEAI & APAC, BeyondTrust
Work smarter, not harder. That was the promise of IT back in the 80s and it has yet to deliver. For a lot of that time I, like you, have worked harder and harder to deliver secure systems, and much of the effort is not in making the changes but in determining what the changes should be. Each morning my inbox is flooded with news of threats and breaches, malware and vulnerabilities. Add to that blogs and the industry press, and we are left with a seemingly endless torrent of information that we need to sift through to find the things that are relevant to us. All of that before we get to the reports from the tools inside our networks that are looking for the vulnerabilities we actually have.
It's not uncommon to see vulnerability reports with thousands of identified vulnerabilities at all severity levels: high, medium, low and info. It's quite common to start with the high severity ones and plan to work down to the info level, using CVSS values to filter within those lists for the most dangerous vulnerabilities we have. It's also not uncommon to find organisations struggling to get through the highs, let alone make it to the mediums or lows. Every day new vulnerabilities are being identified and added to the lists we are trying to manage. The question is not how we get through the lists quicker but rather whether we are approaching the problem in the right way.
When dealing with vulnerabilities we have a particular challenge: we are trying to resolve something before it becomes an issue. We are trying to pre-empt the attack and close the doors before the hordes arrive at them. Fortunately, the hordes in question are only armed with keyboards and the doors are solid oak; once the doors are closed we are relatively safe, not completely, but about as safe as we can be. If we take the analogy one step further, if some of the doors are easy to spot as faulty from a distance, it's fair to say that we'd go and check those doors first. As the hordes come screaming forward they are going to head for the doors they can see offer entry, but while I'm sat in the keep, how can I tell which doors are easy to see from the far woods?
This is where we need tools to help us. Returning to the security landscape of our IT environment, only a small percentage of the vulnerabilities we have are easy to exploit. So easy, in fact, that there are toolkits offering collections of exploits for sale. Hackers use vulnerability scanners to find the vulnerabilities that have known exploits and then use those toolkits to slip into your network. It's a drive-by attack. Even if your company is a high profile target for hackers and they've specifically targeted you (this is the exception, not the norm), they are going to look for the easy way in. It's been reported before that around 97 percent of all reported intrusions are the result of well-known and entirely preventable vulnerabilities. What's worrying is that the figure doesn't seem to be declining as sharply as it could.
Let's face it, all of the vulnerabilities identified in your environment are well-known, otherwise they wouldn't have been identified in your network (tools that claim to find new vulnerabilities are more likely to lead you down the rabbit hole and away from the things you should be fixing; let's just say 'false positive' and walk away). What we need is tools that correlate those vulnerabilities with the toolkits. The toolkits only have a limited number of exploits; if we can close those off first then we eliminate the majority of the drive-by attacks and vastly reduce the risk to the high profile targets.
This is where tooling needs to be smarter: it needs to take the tsunami of data and provide us with the key information we need to make good decisions, quickly. If your vulnerability tooling doesn't have a column for known exploits (including dark web toolkits) then dump it now; you are going to be working through the high severities forever and it'll be a medium or low severity that the hacker gains access through. Remember that a foothold is a foothold; it doesn't really matter how it was obtained. On average, just 4.7 percent of vulnerabilities are used in attacks. If you can identify your 4.7 percent and tackle those first, you are on track to remove yourself from that 97 percent, and your systems will not be providing a brightly painted door that's signposted as “Not properly locked, easy access.”
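To make the argument concrete, here is an added example (not from the article or from any vendor's product) that re-ranks a scanner report so that findings with a known public exploit come first, then falls back to the usual severity-and-CVSS order. The report, host names, vulnerability identifiers and the exploit catalogue are all constructed sample data; in practice the catalogue would be the "known exploits" column the article asks your tooling to provide.

```python
# Added example: exploit-aware prioritisation of a vulnerability report.
# All findings, hosts and the exploit catalogue below are constructed sample data.
from dataclasses import dataclass

SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1, "info": 0}

@dataclass(frozen=True)
class Finding:
    vuln_id: str      # constructed identifier, not a real CVE
    host: str
    severity: str     # scanner's band: high / medium / low / info
    cvss: float       # base score 0.0 - 10.0

# Constructed exploit catalogue: the source a "known exploits" column would be fed from.
KNOWN_EXPLOITS = {"VULN-0003", "VULN-0005"}

def cvss_only_order(findings):
    """The conventional approach: severity band, then CVSS, highest first."""
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.cvss), reverse=True)

def exploit_first_order(findings, exploits=KNOWN_EXPLOITS):
    """Known-exploit findings first; the conventional ordering applies within each group."""
    return sorted(
        findings,
        key=lambda f: (f.vuln_id in exploits, SEVERITY_RANK[f.severity], f.cvss),
        reverse=True,
    )

def exploitable_share(findings, exploits=KNOWN_EXPLOITS):
    """Fraction of distinct vulnerabilities in the report that have a known exploit."""
    ids = {f.vuln_id for f in findings}
    return len(ids & exploits) / len(ids) if ids else 0.0

SAMPLE_REPORT = [  # constructed scanner output
    Finding("VULN-0001", "web-01", "high", 9.8),
    Finding("VULN-0002", "db-01", "high", 8.1),
    Finding("VULN-0003", "web-02", "medium", 6.5),
    Finding("VULN-0004", "app-01", "medium", 5.3),
    Finding("VULN-0005", "file-01", "low", 3.7),
    Finding("VULN-0006", "app-02", "info", 0.0),
]

if __name__ == "__main__":
    # A medium and a low with known exploits jump ahead of the exploit-free highs.
    print("CVSS only      :", [f.vuln_id for f in cvss_only_order(SAMPLE_REPORT)])
    print("Exploits first :", [f.vuln_id for f in exploit_first_order(SAMPLE_REPORT)])
    print(f"Share with known exploit: {exploitable_share(SAMPLE_REPORT):.1%}")
```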
I started this piece bemoaning the failure of IT to deliver on its promise to help us work smarter, not harder, but I do believe that IT is beginning to deliver on that. It's now up to us to be smarter and find the tools that help us work smarter; it's only then that it'll start getting easier.