A decade ago, most enterprises could get away with addressing vulnerability management in silos. One team would scan servers and desktop computers on the enterprise network. They would look for misconfigurations in systems and vulnerabilities in commercial software applications. When problems were discovered, they were thrown over the wall for system administrators and operations groups to fix. Application developers were responsible for policing internally-developed applications. Other specialists worried about the susceptibility of employees to social engineering attacks. Rarely was anyone responsible for analysing how different types of vulnerabilities might interact to expose critical data and intellectual property.
That vision of vulnerability management is too inefficient and expensive for today’s enterprise. Computing environments are far more complex. IT and security groups must monitor a much larger attack surface. Infrastructures and applications can change on a daily, even hourly basis. Cyber criminals and hackers have learned how to exploit chains of weaknesses in systems, applications, and people. Therefore, traditional vulnerability management tools and practices are too limited, too siloed, and too slow to keep up with these challenges.
Time To Rethink Vulnerability Management
As a result, security organisations must rethink their vulnerability management programs. They need to monitor dynamic computing environments, respond in minutes, and address weaknesses in people as well as technology.
They also need to monitor complex, dynamic computing environments. Responses are required in minutes or hours when issues are discovered — not days or weeks. They must address weaknesses in people as well as technology. Also, security professionals must be able to think like attackers in order to understand which vulnerabilities pose the greatest risks to the enterprise.
Key Principles Of A Modern Approach
One of the key principles for a modern vulnerability management program and the overarching practice of SecOps is “complete ecosystem visibility.” That means integrating vulnerability assessment scanning solutions with virtual services as well as IaaS platforms and other cloud environments. Similarly security teams should be able to monitor more types of data on more types of endpoints without multiplying the number of agents and assessment solutions they use.
Integrating scanning tools with internal ticketing systems automates the handoff of vulnerability tasks to the IT operations team. As a result they have access to more data, faster, with less chance of losing information. Teams also need to address web application vulnerabilities as rich web applications can be an Achilles heel. Legacy tools are frequently unable to effectively test rich web applications. A modern vulnerability management program needs tools that can address these issues.
Security groups are also often hard-pressed to keep pace with the speed of change of production applications. These can be put into production on a weekly, daily, hourly, or even minute-by-minute basis.
One way to address these challenges is to work towards a DevSecOps approach. The concept is to adopt tools and processes that allow software developers, security staff, and the operations people who manage application deployment to work together. They should integrate security into every phase of the software development life cycle (SDLC).
Above all, with a modern vulnerability management program formed through the SecOps mindset, organisations can:
- Step up their game with network scanning to include complete ecosystem visibility, simplified assessment, and automated remediation workflows.
- Better address web application vulnerabilities – by analysing more complex applications and by adopting DevSecOps practices. This will help them keep up with applications that can change daily or hourly.
- Increase resilience to phishing and other social engineering attacks through education and simulations. As well as mitigating user risks by linking incident detection and response capabilities with vulnerability management.
- Assess overall risk using customised risk scoring and pen testing to prioritise vulnerabilities based on their real risk to the specific enterprise.
Evolving towards such a program requires thinking through the value of each area and finding opportunities to integrate the different areas. However the rewards are dramatic, giving security groups the ability to:
- Monitor today’s vastly expanded attack surface.
- Keep up with quickly changing infrastructure and applications.
- Work collaboratively with IT operations and application development groups to identify and remediate vulnerabilities of all kinds, faster.
- Reduce the ability of attackers to exploit the largest attack vector in most organisations: the users.
- Accurately determine which vulnerabilities pose the greatest risk to the enterprise. To make best use of remediate resources in the short term, and to focus on the most effective defences in over the long term.
Email us for more information and receive Rapid7 ‘s Whitepaper on The Four Pillars of Modern Vulnerability Management – a comprehensive approach to reducing vulnerabilities across your ecosystem.