Patch Where it Hurts: Effective Vulnerability Management in 2023
Data from the recently published Security Navigator report shows that businesses are still taking 215 days to patch a reported vulnerability. Even for critical vulnerabilities, it generally takes more than 6 months to patch.
Good vulnerability management is not about being fast enough to patch every potential breach. It’s about focusing on the real risk, using vulnerability prioritization to correct the most significant flaws and reduce the company’s attack surface the most. Company data and threat intelligence need to be correlated and automated; this is essential to let internal teams focus their remediation efforts. Suitable technologies can take the shape of a global Vulnerability Intelligence Platform. Such a platform can help prioritize vulnerabilities using a risk score and let companies focus on their real organizational risk.
Three facts to have in mind before establishing an effective vulnerability management program:
1. The number of discovered vulnerabilities increases every year. An average of 50 new vulnerabilities are discovered every day, so it is easy to see that patching them all is impossible.
2. Only some vulnerabilities are actively exploited and represent a very high risk to all organizations. Around 6% of all vulnerabilities are ever exploited in the wild: we need to reduce the burden and focus on the real risk.
3. The same vulnerability can have a completely different impact on the business and on the infrastructure of two distinct companies, so both the business exposure and the severity of the vulnerability need to be considered.
Based on these facts, we understand that there is no point in patching every vulnerability. Instead, we should focus on those that pose a real risk based on the threat landscape and the organizational context.
The objective is to focus on the most critical assets and on the assets most likely to be targeted by threat actors. To approach a risk-based vulnerability management program, we need to consider two environments.
The Clients’ landscape represents the internal environment. Companies’ networks are growing and diversifying, and so is their attack surface. The attack surface represents all components of the information system which can be reached by hackers. Having a clear and up-to-date view of your information system and of your attack surface is the very first step. It is also important to consider the business context. Indeed, companies can be a greater target depending on their business sector, due to the specific data and documents they possess (intellectual property, classified defense…). The last key element to consider is the unique context of each individual company. The objective is to classify assets according to their criticality and to highlight the most important ones. For instance: assets that, if unavailable, would cause a major disruption to business continuity, or highly confidential assets that, if accessed, would expose the organization to multiple lawsuits.
The threat landscape represents the external environment. This data isn’t accessible from the internal network. Organizations need to have the human and financial resources to find and manage this information. Alternatively, this activity can be externalized to professionals who will monitor the threat landscape on the organization’s behalf.
Knowing which vulnerabilities are actively exploited is a must, since they represent a higher risk for a company. These actively exploited vulnerabilities can be followed thanks to threat intelligence capabilities combined with vulnerability data. For the most effective results, it’s even better to multiply the threat intelligence sources and correlate them. Understanding attacker activity is also valuable, since it helps anticipate potential threats. For instance: intelligence concerning a new zero-day or a new ransomware attack can be actioned in a timely manner to prevent a security incident.
Combining and understanding both environments will help organizations define their real risk and pinpoint more efficiently where preventative and remediation actions should be deployed. There is no need to apply hundreds of patches, but rather ten carefully selected ones that will drastically reduce an organization’s attack surface.
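To make the correlation of the two environments concrete, here is a small prioritization script added as an illustration. It is not code from the Security Navigator report or from Orange Cyberdefense; the asset inventory, the scan findings, the placeholder "CVE-0000-000x" identifiers, the intelligence feeds and the weighting factors are all constructed for the example. It scores each finding by scanner severity, asset criticality, internet exposure and threat-intel signals (exploited in the wild, ransomware-linked), ranks the findings, and reports how much of the total scored risk the first few patches remove.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One scanner result: a vulnerability observed on one asset."""
    vuln_id: str    # constructed placeholder IDs, not real CVE numbers
    asset_id: str
    cvss: float     # base severity 0.0-10.0 as reported by the scanner


# Internal environment (constructed): business criticality from 1 (lab box)
# to 5 (crown jewel) and whether the asset is reachable from the internet.
ASSETS = {
    "erp-db-01":   {"criticality": 5, "internet_facing": False},
    "web-shop-01": {"criticality": 4, "internet_facing": True},
    "vpn-gw-01":   {"criticality": 4, "internet_facing": True},
    "dev-vm-07":   {"criticality": 1, "internet_facing": False},
}

# External environment (constructed): what correlated threat-intel feeds report.
EXPLOITED_IN_THE_WILD = {"CVE-0000-0002", "CVE-0000-0004"}
RANSOMWARE_LINKED = {"CVE-0000-0004"}

# Constructed scan output. Note that the same CVE appears on two assets.
FINDINGS = [
    Finding("CVE-0000-0001", "erp-db-01", 9.8),    # critical CVSS, internal, not exploited
    Finding("CVE-0000-0002", "web-shop-01", 7.5),  # exploited, internet-facing
    Finding("CVE-0000-0003", "dev-vm-07", 9.1),    # critical CVSS on a throwaway VM
    Finding("CVE-0000-0004", "vpn-gw-01", 8.1),    # ransomware-linked, exposed gateway
    Finding("CVE-0000-0002", "dev-vm-07", 7.5),    # same CVE, unimportant asset
]


def risk_score(finding, assets=ASSETS, exploited=EXPLOITED_IN_THE_WILD,
               ransomware=RANSOMWARE_LINKED):
    """Multiplicative risk score: severity x business impact x exposure x threat.
    The multipliers are illustrative choices, not a published formula."""
    asset = assets[finding.asset_id]
    score = finding.cvss * asset["criticality"]
    if asset["internet_facing"]:
        score *= 1.5   # reachable part of the attack surface
    if finding.vuln_id in exploited:
        score *= 3.0   # confirmed attacker activity outweighs raw severity
    if finding.vuln_id in ransomware:
        score *= 1.5   # extra weight for extortion-capable campaigns
    return round(score, 1)


def prioritize(findings=FINDINGS, **ctx):
    """Rank findings by organizational risk, highest first."""
    ranked = sorted(findings, key=lambda f: risk_score(f, **ctx), reverse=True)
    return [(f.vuln_id, f.asset_id, risk_score(f, **ctx)) for f in ranked]


def rank_by_cvss(findings=FINDINGS):
    """The ordering a CVSS-only process would produce, for comparison."""
    by_severity = sorted(findings, key=lambda f: f.cvss, reverse=True)
    return [(f.vuln_id, f.asset_id) for f in by_severity]


def remediation_plan(max_patches, findings=FINDINGS, **ctx):
    """Take the first `max_patches` items of the risk ranking and report the
    share of total scored risk they remove."""
    ranked = prioritize(findings, **ctx)
    total = sum(score for _, _, score in ranked)
    chosen = ranked[:max_patches]
    removed = sum(score for _, _, score in chosen)
    return [(v, a) for v, a, _ in chosen], round(removed / total, 2)


if __name__ == "__main__":
    for vuln, asset, score in prioritize():
        print(f"{score:7.1f}  {vuln}  on {asset}")
    plan, share = remediation_plan(2)
    print(f"Patching {plan} removes {share:.0%} of the scored risk")
```

With these constructed inputs, a CVSS-only queue would start with the 9.8 on the internal ERP database and the 9.1 on a disposable dev VM, while the risk ranking puts the exploited, ransomware-linked flaw on the internet-facing VPN gateway first and the exploited web-shop flaw second; those two patches alone remove about 81% of the scored risk, which is the "ten selected patches" idea in miniature.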
This is a story from the trenches found in the 2023 Security Navigator report. More on vulnerabilities and other interesting topics, including malware analysis and cyber extortion, as well as plenty of facts and figures on the security landscape, can be found in the full report. You can download the 120+ page report for free on the Orange Cyberdefense website. So have a look, it’s worth it!
Note: This informative story was expertly crafted by Melanie Pilpre, product manager at Orange Cyberdefense.