As card-carrying “cyber” security professionals, we have a compulsion to share and revel in depressing news, at least once in a while. Here is my contribution today: is vulnerability management – as practiced by many today – a truly hopeless endeavor?
For example, some recent research reveals that “companies, on average, have the ability to close about one out of every ten vulnerabilities.” How is that for sad news? However hard you run, 90% of vulnerabilities stay because as you fix the old ones, new ones appear. Rinse, repeat, forever.
Let’s try to look for a – slight though it may be – ray of hope here:
What can we do?
- Prioritize better – finally we see a lot of movement here, we’ve been pushing for this since literally 2011. Vulnerability assessment vendors finally woke up to this problem, took them a while. This is about figuring out which of the vulnerabilities lead to “real” [however defined] risks and only dealing with those (or dealing with those first). This will actually make the practice genuinely risk-based. Note that the ultimate value of this practice is limited – after all, if you can patch only 10%, 90% will remain unpatched and they do NOT represent zero risk.
- Patch faster – apart from reducing friction between security and ops (there is lots), expanding IT ops numbers, speeding up testing, making your slaves work faster, there is not all that much you can do here. At some point, risks of patching rear their ugly head and scream bloody murder.
- Change security – reduce reliance on removing vulnerabilities as your risk treatment as we hint here. Impossible, you say? Back in 2003, a HIPS vendor ran their website on unpatched IIS just to prove the point. If you think for a bit, you can reduce damage from any single or multiple vulnerabilities – and you’d be safer from those elusive zero-days too (I am saddened to report that this line of thinking is almost forgotten now in real life)
- Change IT – immutable infrastructure and other “emerging” IT trends may increase resilience of future infrastructure, but my impression is that a lot of this is still on the drawing board, at least as far as mainstream organizations are concerned. The new ideas around automatic infrastructure recovery – which are, well, ideas at this time – may help here as well.
- Something else new.
Anything else we can do? Otherwise, it is back to the rat race or the squirrel wheel….
Related blog posts:
- Upcoming Vulnerability Management Research (2019)
- Does Vulnerability Assessment Even Matter?
- We Scan and We Patch, but We Don’t Do Vulnerability Management
- WannaCry or Useful Reminders of the Realities of Vulnerability Management
- Critical Vulnerability Kills Again!!!
- What is Your Minimum Time To Patch or “Patch Sound Barrier”
- Patch Management – NOT A Solved Problem!
- On Vulnerability Prioritization and Scoring (2011!)