Managing information security is difficult, and the process of identifying and patching vulnerabilities is the main challenge facing enterprise IT teams.
According to Verizon’s 2016 Data Breach Investigation Report, the top 10 known vulnerabilities accounted for 85% of successful breaches, even though patches are available for all of them.
How can infosec teams do a better job of managing vulnerabilities and preventing these breaches?
Here are 5 steps that can help create an alignment between IT and business leaders, and improve the organisation’s security posture today and into the future.
1. Build a complete list of all your IT assets
This sounds simple, but tracking and updating IT assets at scale has become much more difficult because enterprises’ adoption of cloud computing and mobile devices has blurred the boundaries of the traditional IT perimeter.
To counter this, organisations must spend some time understanding what assets they’re using today and how they’re managing them. This is particularly important for teams without a configuration management database (CMDB).
This asset inventory becomes useless unless it’s continually updated, a thankless and never-ending task if performed manually. Automating the information gathering process is essential.
Companies with multiple offices, mobile workers or cloud deployments should look for tools to help in the information gathering process. For these companies, it’s not enough to just list devices permanently attached to the corporate network.
Cloud-based tools that can watch both internal and external assets can help account for all the IT assets residing in the cloud and at mobile endpoints.
2. Comprehensive knowledge of vulnerability disclosures
Alongside maintaining a list of relevant IT assets that is up to date, it’s important to know what vulnerabilities are out there.
Machines are exposed to so much malware – 431 million new malware samples were detected last year, according to Symantec – that it’s more efficient to look at root vulnerabilities when it comes to prioritising time and effort.
Staying current with the constant stream of vulnerability disclosures is a challenging task. It’s helpful to subscribe to mailing lists that list updates and patches from major vendors, and to sign up for threat intelligence services.
3. Correlation of external threat information
Once you have a list of current IT assets and a catalogue of your existing vulnerabilities, it’s time to compare the two to see how your organisation is affected.
Focusing on vulnerabilities affecting specific assets makes remediation efforts smoother and more effective, letting you plug security holes by working smarter, not harder.
This prioritisation process involves assessing the severity of each issue, how many people within the organisation will be affected, and the support requirement for deploying the relevant patches.
For example, a remote code execution issue in Microsoft Office would probably be the highest priority because Office is installed on almost every company PC.
In comparison, an issue within a project management tool that is hard to exploit and only used by a couple of employees can be pushed down the priority list.
Between these two extremes sit the widespread issues that carry a low risk of exploitation, alongside the serious issues that would be used to target high-value individuals within the business.
Fixing issues that could affect the CEO or CFO helps prevent attacks that rely on social engineering or spear phishing to succeed.
By looking at threats this way, security teams can help prioritise patching and update efforts, particularly for those critical IT assets that spend time outside the comforting environs of the corporate network.
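As an added example (not from the article or from Qualys), here is the correlation and prioritisation of steps 1 to 3 in Python: a constructed asset inventory is matched against constructed vulnerability disclosures, and each match is scored by severity, number of affected assets, ease of exploitation, high-value owners and devices that leave the network. The vulnerability ids, host names, products and weights are all assumptions.

```python
# Added example, not from the article: rank patches by correlating constructed assets with constructed vulns.
from dataclasses import dataclass
@dataclass
class Asset:
    host: str
    software: str
    version: str
    owner_role: str    # "ceo"/"cfo" mark high-value targets (step 3)
    off_network: bool  # device spends time outside the corporate network
@dataclass
class Vuln:
    vid: str           # placeholder id, not a real CVE
    software: str
    affected: tuple    # affected version strings
    severity: float    # CVSS-style 0-10 base score
    exploit_difficulty: str  # "low" or "high"
HIGH_VALUE_ROLES = {"ceo", "cfo"}
ASSETS = [  # constructed inventory (step 1)
    Asset("pc-01", "Office", "2013", "staff", False),
    Asset("pc-02", "Office", "2013", "staff", False),
    Asset("lt-03", "Office", "2013", "cfo", True),
    Asset("pc-04", "Office", "2016", "staff", False),
    Asset("pc-05", "PMTool", "1.2", "staff", False),
    Asset("pc-06", "PMTool", "1.2", "staff", False),
]
VULNS = [  # constructed disclosures (step 2)
    Vuln("VULN-A", "Office", ("2013",), 9.8, "low"),   # easy RCE in a ubiquitous product
    Vuln("VULN-B", "PMTool", ("1.2",), 7.5, "high"),   # hard to exploit, few users
    Vuln("VULN-C", "Office", ("2010",), 9.0, "low"),   # no asset runs this version
]

def correlate(assets, vulns):
    """Map each vulnerability id to the assets running an affected version."""
    return {v.vid: [a for a in assets
                    if a.software == v.software and a.version in v.affected]
            for v in vulns}

def priority(v, hit):
    """Severity x affected count, raised for easy exploits, high-value owners and mobile devices."""
    score = v.severity * len(hit) * (1.5 if v.exploit_difficulty == "low" else 1.0)
    score += 5 * sum(a.owner_role in HIGH_VALUE_ROLES for a in hit)
    score += 2 * sum(a.off_network for a in hit)
    return round(score, 1)

def rank(assets, vulns):
    """(vid, score, hosts) sorted highest first; vulns with no affected assets drop out."""
    hits = correlate(assets, vulns)
    ranked = [(v.vid, priority(v, hits[v.vid]), [a.host for a in hits[v.vid]])
              for v in vulns if hits[v.vid]]
    return sorted(ranked, key=lambda r: r[1], reverse=True)
```

Running `rank(ASSETS, VULNS)` puts the Office issue first because it hits three machines including the CFO's laptop, ranks the project-management tool well below it, and drops the Office 2010 issue entirely because nothing in the inventory runs that version.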
4. Deploy dashboard tools to visualise your threat landscape
Humans are inherently visual. Visualisations make it easier to explain complex scenarios, prioritise where efforts should go, and display how effective those actions have been over time.
For security teams, combining threat intelligence with vulnerability management data helps ensure that IT assets are patched and updated in a reliable, timely and efficient manner.
Visualising that combined data makes prioritisation easier and faster than working from the raw data sources on their own.
Visualisation also makes it easier to show these results both internally within IT and to other stakeholders within the business. For those who are not technically savvy, a good dashboard or visualisation around security preparedness can help bridge gaps and secure support over time.
5. Assessments of your organisation’s threat scenarios
Alongside these tactical steps to improve management of vulnerabilities, it’s important to think about the long-term strategy for the company or organisation when it comes to dealing with software issues and malware attacks.
This can be driven by the business that the company is in—for example, does the company produce sensitive intellectual property that has to be protected? Are there customer records with Personally Identifiable Information that need full security measures like encryption in place?
Depending on the market that you work in, there will be different levels of risk and different challenges as well.
Companies dealing with sensitive customer information every day—from banks and retailers through to public sector bodies, for example—will have a different set of pressures compared to those who work in business supply chains or logistics.
It’s important to apply a “hacker mindset” approach — that is, to think about what data the company holds, how it could be accessed, and what steps can be taken to stop these attacks.
This includes looking for secondary routes into the organisation, such as suppliers or external service providers that can be attacked and used as a conduit into the company’s internal network.
That’s why it’s important to conduct audits to ensure that proper vulnerability management processes are in place at those third parties. By going through a list of relevant threat scenarios, it’s possible to improve overall security planning and stop vulnerabilities from being exploited.
Alongside this, it’s also important to look at the regulation and compliance landscape.
For example, all companies and public sector bodies will have to implement data protection policies that comply with the General Data Protection Regulation (GDPR) introduced by the European Union in 2016.
The rules here govern all organisations that hold customer data for European citizens, so almost all companies will have to conform to GDPR.
GDPR’s goal is protecting customer data.
However, many companies can’t track all data being held on IT assets over time. While an accurate IT asset list and CMDB can’t help track individual files, they can help ensure that all devices used are protected and up to date over time.
By implementing stronger vulnerability management processes and keeping devices secure, the risk of GDPR compliance failure events can be reduced significantly.
Overall, software vulnerabilities are one of the biggest challenges that company IT teams face.
Any single asset can be managed effectively, and a single patch is not difficult to deploy.
However, the sheer scale in terms of the number of devices and the volume of updates makes the situation difficult.
To counter this, effective prioritisation of patches combined with better IT asset management processes can cut the risks that software vulnerabilities represent, and reduce the overall burden of security management.
Sourced by Jimmy Graham, director of product management, Qualys