Despite years of government-issued alerts, subject matter expert directives, and even repeated lamenting by cybersecurity podcasters, unpatched vulnerabilities are still a leading cause of breaches. Why, with so much awareness, is this still a problem? Simply put, vulnerabilities can’t be 100% solved by just adding more activities to your teams’ schedules. In fact, anyone who thinks vulnerability management is a simple matter of routine scanning and remediation that suddenly yields a network resistant to holes and attacks likely hasn’t dealt with what it really takes to remediate a complex environment, day in and day out. The reality is that most organizations are working diligently to perform internal and external vulnerability scanning, gather reports, and meet regularly with their teams to discuss and document remediation progress. Many IT leaders spend between 3-10 hours every month (depending on the size of their organization) just updating spreadsheets with the data from the most recent round of scanning and patching, so that when audited later in the year, they will hopefully have all the evidence they need in one place. The question is this: if most people are doing everything they can, why do most of those same organizations go report to report with the same vulnerabilities un-remediated?
Not Enough Time
In most cases, there just aren’t enough hours in a day, or days in a week. Especially as networks have been made more complex by greater numbers of teams working remotely, the tasks required to stay operational and mitigate daily risk have increased, too. To address these additional demands, many organizations are speeding up previously scheduled digital transformation or cloud projects, but all of that takes time too. So, finding enough additional hours on top of these projects to perform routine scanning, meet with teams, and document findings and progress is a wonder. By the time the simpler, more straightforward patches are rolled out, it will already be time for most teams to scan again, likely leaving a number of previously identified issues unaddressed once again.
Networks are Constantly Changing
To add to this struggle for time, there is the challenge of keeping up with the ongoing changes inherent to any network: new endpoints, shadow IT, platforms that come and go to support the employees who keep their businesses running. Those changes require ongoing policy, documentation, and governance updates. When you consider that each of those endpoints and systems has newly discovered vulnerabilities month over month, and realize that each update and patch must be researched, tested, planned, and executed, it becomes clear that this is a monumental task. When the whole team is already maxed out, there are simply going to be patches that don’t get installed, new assets that may go undiscovered on the network (and you can’t patch what you don’t know you have), systems that haven’t been updated, and so on. The bigger the network, the higher the chances something is slipping through the cracks, and certainly not for lack of diligence.
Gaps in Specialized Knowledge
Even if your teams had enough extra time to do everything, do you have enough team members who have been highly trained on every asset in your environment? For example, do you have someone dedicated only to firewalls or software, so they can stay up to date on the knowledge and skill required to handle specialized remediation for third-party software or firewalls? The simple, straightforward remediations are easy to perform, but some elements in a complex network require highly specialized product knowledge that most IT teams don’t have in-house, even in an enterprise environment. If those patches aren’t tested and rolled out properly, something is likely to break, and when something breaks, that means downtime for the business. No IT team wants to deal with the fallout of downtime, so again, some things are going to slip through the cracks or get put off for future cycles. This is yet one more reason why even the most diligent of teams often goes from report to report with holes in their network that can lead to a crippling cyber-attack.
When Positives Can’t Be Remediated
False positives, as well as true positives whose risks have already been mitigated, can be a detriment to the efficiency and accuracy of your reporting. These include the following scenarios.
- False positives: Unauthenticated scans can’t get inside your systems to confirm whether an issue has been remediated; they only detect that a particular device is present on your network. That device model has a known vulnerability, so your scan is always going to flag it, regardless of whether you have already performed the updates, simply because your scanner can’t read that information.
- Previously mitigated true positives: A genuine vulnerability exists which can’t be patched or updated for a business reason, but you already have a compensating control in-place to mitigate the risk.
Both scenarios muddy the waters for auditors, who will have to dig into your spreadsheets, request more information, and try to correlate your historical documentation with what’s been flagged in reports. Their job is to validate that you have performed due diligence in addressing each vulnerability, and the last thing you want to do is make this a confusing process for them. Not only can it affect your standing, but audits that take longer are costlier. Further, false positives can impact your risk scores unfairly, which you will have to continue explaining to your stakeholders.
Why We Decided to Do Something About It
At TRUE, we believe in helping our clients reach their goals for organizational growth through security, and we recognized that in order to make those goals a reality, their vulnerabilities needed to be addressed in a way that helped them make better use of their internal resources. To that end, we developed a platform that addresses the core struggles around vulnerability management. TrueMVP combines technology, automated processes, visibility, a time-saving project management portal, real-time reporting, efficient documentation management, and technological expertise in the form of one-on-one guidance to help IT teams protect the very assets that enable their businesses to thrive. Through collaboration with our clients and a commitment to helping them stay ahead of attacks, experts in our TRUE Security Operations Center set out to solve 7 key struggles with our new solution.
- Save time in tracking and management to make more time for remediation tasks.
TrueMVP leverages built-in mechanisms that save time across the management and documentation processes required of IT teams to effectively track the identification and remediation of vulnerabilities month to month. With this documentation automated, centralized, and easily adjusted, teams can spend more time rolling out the actual patches and updates, and less time digging through spreadsheets. This data needs to be updated quickly, stored easily, show who owns each patching task (as well as where they are with it in real time), and be automatically prioritized by criticality. That prioritization is essential to providing assurance that you are addressing your greatest areas of weakness as they relate to your most important assets.
- Assign risk attributes, so you know where the most risk is within your environment.
Attributes such as external connectivity, critical functionality, sensitive data, and more play a role in how you should address vulnerabilities within your environment. This will help you avoid wasting time on less critical vulnerabilities, addressing first things first.
- Automatically aggregate data from multiple scanning toolsets into a single management, visibility, and reporting portal.
Larger and mid-sized organizations use an array of scanners that need to be aggregated into a single pane of glass. There are network vulnerability scanners, application vulnerability scanners, and cloud vulnerability scanners. Combining these to give a true picture of your security and vulnerability posture saves time, eliminating the task of toggling between toolsets to pull reports and combine them within spreadsheets, which are notoriously tedious to work with and inherently prone to error.
- Produce, with the click of a button, real-time progress reports that can be tailored to various groups of stakeholders.
Reports should be adjusted for relevance to everyone who needs a vulnerability status update – from technologists, to leadership, to auditors. If reporting can be automated through preconfigured views, it is another time-saver that keeps your IT teams from having to spend hours building and adjusting reports for each group of stakeholders.
Trending reports: how you are trending, overall, at 30, 60 and 90 days. What you are looking for here (and what your stakeholders will want to see) is a reduction in vulnerabilities over time.
Time to Remediation reports: this is what auditors want to see, evidence that you were able to remediate within 30 days of identifying a vulnerability.
- Keep scans accurate with asset discovery capability.
You need a way to constantly identify and document new assets on your network and incorporate them into your scanning efforts. Effective network security always begins with asset discovery and ranking of criticality, but network users sometimes forget to declare a new asset. If some assets aren’t visible, how can you scan them for vulnerabilities? You could have unpatched and highly vulnerable assets connected to your network, providing a wide-open door for attackers, without ever knowing it.
- Keep scanning tools from continuing to identify previously addressed issues that are no longer relevant.
How TrueMVP Helps Eliminate False Positives:
- Flag the false positives to keep authenticated and unauthenticated scanning tools from continuing to identify vulnerabilities that have already been addressed.
- Mitigated/accepted vulnerabilities can be flagged, so they don’t continue to show up on reports.
- Centralize remediation documentation through a repository that connects historical vulnerabilities directly to the steps taken in such a way that auditors can see clearly and quickly what has happened and why.
That way, you only have to deal with an issue once, reducing wasted time and money for everyone. A platform that allows you to simply click a button and record the evidence once and for all gives you cleaner reports and keeps you from wasting time on the same issues over and over. It’s fully auditable and in the system, so you can go back in time and demonstrate to auditors that it’s been addressed.
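To make the reporting and exception-handling ideas above concrete (deduplicating findings from several scanners, keeping false positives and compensating-control exceptions off the open queue but on the record, and computing time-to-remediation against the 30-day expectation and a 30/60/90-day trend), here is a small worked example. It is added here and is not TrueMVP code or a description of how the platform is built; the scanner names, asset names, ticket references and CVE identifiers are constructed placeholders.

```python
from collections import namedtuple
from datetime import date, timedelta

SLA_DAYS = 30  # the text's audit expectation: remediate within 30 days of identification
Finding = namedtuple("Finding", "asset cve scanner first_seen remediated", defaults=(None,))  # remediated: verified-fix date or None
# Constructed exception register: (asset, CVE) -> (reason, evidence reference an auditor can follow).
EXCEPTIONS = {
    ("fw-01", "CVE-0000-0001"): ("false_positive", "VM-17: firmware updated; unauthenticated scan keys on banner only"),
    ("legacy-db", "CVE-0000-0002"): ("mitigated", "VM-22: no vendor patch; host moved to isolated VLAN"),
}

def dedupe(findings):
    """One issue per asset/CVE however many scanners report it; keep the earliest sighting."""
    merged = {}
    for f in findings:
        key = (f.asset, f.cve)
        if key not in merged or f.first_seen < merged[key].first_seen:
            merged[key] = f
    return list(merged.values())

def triage(findings, exceptions=EXCEPTIONS):
    """Split findings into open work and documented exceptions (off the queue, still on the record)."""
    open_items, excepted = [], []
    for f in dedupe(findings):
        entry = exceptions.get((f.asset, f.cve))
        if entry is None:
            open_items.append(f)
        else:
            excepted.append((f, *entry))
    return open_items, excepted

def time_to_remediation(f):  # days from identification to verified fix, None while still open
    return None if f.remediated is None else (f.remediated - f.first_seen).days

def overdue(open_items, today):  # unfixed findings older than the SLA: auditors ask about these first
    return [f for f in open_items if f.remediated is None and (today - f.first_seen).days > SLA_DAYS]

def trend(open_items, today):
    """Open-finding count 90/60/30 days ago and today; stakeholders want this falling."""
    return {d: sum(f.first_seen <= day and (f.remediated is None or f.remediated > day) for f in open_items)
            for d in (90, 60, 30, 0) for day in [today - timedelta(days=d)]}

TODAY = date(2024, 4, 1)  # constructed reporting date; CVE ids below are placeholders
FINDINGS = [
    Finding("web-01", "CVE-0000-0003", "netscan", date(2024, 1, 5), date(2024, 1, 25)),
    Finding("web-01", "CVE-0000-0003", "appscan", date(2024, 1, 9), date(2024, 1, 25)),  # same issue, second tool
    Finding("fw-01", "CVE-0000-0001", "netscan", date(2024, 1, 5)),
    Finding("legacy-db", "CVE-0000-0002", "netscan", date(2023, 12, 1)),
    Finding("hr-app", "CVE-0000-0004", "appscan", date(2024, 1, 28)),
]
```

Running `triage(FINDINGS)` leaves two open items (one already fixed in 20 days, one 64 days old and overdue) and two documented exceptions, while the duplicate web-01 report from the second scanner collapses into a single issue.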
- Provide access to specialized knowledge/expertise.
To deal with the more complex or nuanced patching or mitigation tasks, your team needs access to well-trained technical guides who can walk them through each step of the more difficult remediation tasks, such as patching core infrastructure or other highly specialized systems. Installing a standard OS patch definitely helps hit the high points, but attackers don’t care if the gaps they exploit are standard, or if they are more complex. They will exploit unpatched systems anywhere, and they can generally count on finding vulnerabilities in the areas where you are less likely to have specialized knowledge.
In short, you need a platform that 1) automates the lifecycle of a vulnerability, 2) saves you time, 3) expands the knowledge base of your existing team, and 4) ensures that from scan to scan, you catch and remediate what would otherwise fall through the cracks. Using a combination of tools, expert analysts, a communication and management portal, and regular support meetings, TrueMVP automates management of the lifecycle of a vulnerability, scans your network for new or unknown assets, prioritizes vulnerabilities by criticality, helps you manage tasks, supports your team with expert know-how, and saves you precious time that can be reallocated to remediation.
We would like the opportunity to support your team in vulnerability management. To learn more about TrueMVP or ask a question about vulnerabilities in your environment, schedule a consultation with one of our experts.