Vulnerability Risk Management 2.0. Best Practices for Managing Risk in the New Digital War

Transcription

1 Vulnerability Risk Management 2.0 Best Practices for Managing Risk in the New Digital War

2 In 2015, 17 new security vulnerabilities are identified every day. One nearly every 90 minutes. This consistent stream of new security vulnerability discoveries are due to a number of causes from flaws in software development and improper configuration of hardware and software applications to the inevitable unintended errors made by IT users. Vulnerability risk management has re-introduced itself as a top challenge and priority for even the most savvy IT organizations as new technologies such as mobile and cloud continue to proliferate and further expand the attack surface for cybercriminals. While organizations once found it difficult to detect vulnerabilities and threats across the IT infrastructure, scanning technologies were introduced to help solve the problem. Vulnerability scanners provide the visibility into the potential risk land mines across the network, applications and endpoints. But the question of what to do next has created an overload of data tracked in spreadsheets, inefficient business processes, and communication breakdown between internal teams in charge of remediation. Today, new challenges confront IT and security professionals tasked with vulnerability and threat management. This guide will challenge organizations to rethink how they manage vulnerability risk and offer new insights to move forward. We will explore the current state of vulnerability risk management and recommend new insights to help organizations take the next step to building a successful program.

3 The Evolution of Vulnerability Management Security vulnerabilities have been prevalent since the invention of computer networks. In the past, organizations performed penetration testing at regular intervals to identify weaknesses across the IT infrastructure from external and internal threats. Vulnerability scanners were then introduced to provide an automated way to detect vulnerabilities on an ongoing basis. Then, government and industry stepped in as data breaches started to proliferate, passing regulations requiring organizations to institute vulnerability management programs. The term vulnerability management is often confused with vulnerability scanning. Vulnerability management is the closed-loop process which includes vulnerability scanning, but also takes into account other aspects such as remediation and risk acceptance. Today, vulnerability management has become People VRM 2.0 as much about people and process as it is about technology, and this is where many programs are failing. The problem is not detection. Prioritization, remediation, and program governance have become the new precedence. Introducing a new era: Vulnerability Risk Management 2.0. Technology Process

4 To Be or Not Be Hacked Should Not Be the Question Cybercriminals had a banner year in Development of malware was unprecedented with over 600 new samples created every minute. Over 1 billion records were compromised in data breaches. Even more, among known attacks, 99.9% of exploited vulnerabilities had been compromised more than a year after being published. These numbers speak volumes to the digital war that organizations must defend against today. To be or not be hacked is no longer a question of if, but rather when. The inevitable breach has become a commonly accepted reality. Vulnerability risk management calls for a new approach that moves beyond a simple exercise in patch management to one focused on risk reduction. To effectively close the window of vulnerability, organizations must begin to look at success as a measure of risk reduction, and not the number of patches applied. 603 Number of new malware pieces created every minute (Source: 2015 Internet Security Threat Report, Symantec) % of exploited vulnerabilities had been compromised more than a year after being published (Source: 2015 Verizon Data Breach Investigations Report) PRECISION FIND THE NEXT THREAT BIG PREDICTION THREAT BEFORE AND REMEDIATION. IT FINDS YOU. Learn NopSec more at is changing the face of vulnerability risk managment. Learn more at

5 Vulnerability Risk Management 2.0: A New Approach Much of the last decade has been spent on detecting vulnerabilities across the IT environment. This has done little to help organizations move closer to the real problem of patching the systems and applications that hackers are most likely to target. Vulnerability risk management has entered a new era, and the issues have changed. Security practitioners have moved from asking, How do I find the problem to How do I fix the problem, thus creating a need for new tools, technology, and processes to answer the question. Vulnerability risk management 2.0 comprises three core areas: prioritization, remediation, and governance. VRM 2.0 Prioritization Remediation Governance

6 Vulnerability Risk Management 2.0: A New Approach Prioritization In the land of cybersecurity, not all vulnerabilities are created equal. While the Common Vulnerability Scoring System, or CVSS score, provides a basis for organizations to begin the process of prioritizing threats, it is by no means the best measurement of risk on its own. Factors such as known exploits, malware attacks, and the criticality of an asset also need to be considered. Even social media is a proven indicator of vulnerability risk. For example, a critical vulnerability is mentioned an average of 748 times on social media versus 89 times for vulnerabilities classified as high risk. Some organizations do correlate CVSS scores with threat intelligence, but it is often a manual process tracked in spreadsheets and can consume valuable time and resources that can be redirected to more effective activities. Technologies such as NopSec Unified VRM can eliminate the labor-intensive tasks associated with prioritization. By transforming security into business risk, organizations can focus resources based on likelihood of breach, rather than on simple CVSS scores. Using machine learning techniques, and incorporating influences from both open source and commercial threat intelligence feeds and social media, NopSec Unified VRM saves countless hours manually correlating these factors into actionable steps. 8X Critical vulnerabilities get 8X more mentions on social media than vulnerabilities classified as high risk in

7 Vulnerability Risk Management 2.0: A New Approach Remediation The lack of a unified view directly contributes to the breakdown of communication between internal teams tasked with remediation. This is apparent in that it takes an average of 103 days to remediate a vulnerability, and in some cases, it is even longer. For example, one out of three vulnerabilities in the financial industry take over a year to fix. Workflow automation is essential to help accelerate the remediation process. From simple ticket and task management to notifications and patch deployment, automated remediation within a single platform can significantly reduce the time spent navigating and updating multiple systems. Synchronizing communication is also key to provide much needed visibility between internal teams. Imagine being able to assign a group of critical vulnerabilities for remediation to a system administrator including complete information on the threat, the top assets prioritized by risk, and direct links to available patches all in a single click, and from a single platform. 1 out of 3 vulnerabilities in the financial 33 % industry take over a year to remediate

8 Vulnerability Risk Management 2.0: A New Approach Governance The adage, You can t manage it if you can t measure it is true when it comes to evaluating the success of your vulnerability risk management program. But what does success look like? For most organizations, this will likely vary depending on the regulatory nature of their industry and overall risk management strategy. Program governance is necessary for many reasons, but two key focus areas are critical. First, for the teams actually involved in remediation, communication and goal setting is critical. For example, looking at hard metrics such as vulnerability aging can help internal teams identify the gaps and address them to improve the process. Program governance is critical to make success visible to the CISO and other key executives that have a stake in ensuring the security and reputation of an organization Second, governance helps IT and security teams translate information security goals into tangible business information. This is an essential step in bridging the communication gap between the teams doing the work and C-level executives. IT and security teams demonstrate greater value when they can move from communicating the number of vulnerabilities patched to the percentage of risk removed from critical systems. Establishing the right metrics is the key to any successful governance program, but it also must have the flexibility to evolve with the changing threat landscape. In the case of vulnerability risk management, governance may start with establishing baseline metrics such as number of days to patch critical systems. As the program evolves, new, and more specific, metrics can be introduced such as number of days from discovery to resolution (i.e., time when a patch is available to actual application).

9 Regulatory Compliance: Friend or Foe? Government and industry regulations have compelled organizations to take action on cyber security, and nearly all of them have some flavor of vulnerability risk management requirements. So much time is spent on checking the box mentality and preparing for audits that little room is left for measuring the real risk posture of an organization. Today, 32% of organizations are spending more than onequarter of their IT security budget on addressing compliance, but has security risk been drastically reduced as a result? The debate still remains as to whether the drawbacks outweigh the benefits. Consider PCI DSS standards for vulnerability management which requires remediation of any vulnerability with a CVSS score of 6.0 or higher. This simple standard does not consider other risk factors such as the business value of an asset or the external threat environment. By eliminating this set of vulnerabilities, how much risk has actually been reduced? Remember, Heartbleed was given a CVSS score of 5.0. The perils of non-compliance and resulting fines or residual brand damage is stifling innovation and making it difficult for organizations to take a risk-based approach to vulnerability risk management. For practitioners, technologies that enable prioritized recommendations, workflow automation, and governance can help simplify compliance as well as deliver real visibility into risk reduction. (Source: SANS Institute) 25 % 32% of organizations spend more than one-quarter of their IT security budget on compliance mandates

10 Ready for a New Approach? Whether you are just starting to build out your vulnerability risk management program or looking to give your existing one a boost, see how NopSec Unified VRM can help bring your organization to the next level. Visit or info@nopsec.com for more information or to request a demo today.

11 For additional information or to schedule a demo, visit or info@nopsec.com.