Cyberattacks come in many different forms and it’s important for businesses to understand where they’re vulnerable in order to mount an effective defense.
We spoke to Ed Williams, cybersecurity specialist at Trustwave, to find out more about vulnerability management, why it’s important and how it fits into an organization’s overall security strategy.
BN: Why is vulnerability management so important?
EW: Vulnerability management’s assessments offer an automated way of finding issues. It can be done hourly, daily, weekly, monthly or annually across, normally, internet facing infrastructure and applications. It’s really critical for organizations to get their vulnerabilities checked. The reason why they should be done regularly is vulnerabilities come out all the time. Infrastructure changes all the time too, we know people spin up things, take things out and spend money. So it’s a really good idea to get a handle on these things and assess for vulnerabilities. What is probably just as key is actually fixing them before they cause a problem.
BN: How does this tie into asset management and auditing your system to understand exactly what is there?
EW: Once organizations understand their assets then they can do something about the security of those assets. I think organizations sometimes use vulnerability management and asset management interchangeably but they’re not the same thing.
Asset management is probably the most important thing organizations can do. If they don’t know what assets they’ve got, then they can’t become secure with them. Where we see compromised environments there are normally two things that initial conversation, “Oh, I thought we turned that asset off,” or, “I don’t even know what that asset is.” It’s so important to get asset management done, have the discussions and then fix the issues as well, whether that might be as simple as patching or doing something else that would reduce the risk.
BN: What’s the starting point for vulnerability management, would it be the CVSS database?
EW: It can be CVSS or some large, mature organizations have got their own scoring system, they can all be equally valid. If something’s on the internet that tends to be high risk and should be treated as such, then you can work backwards.
Something that can get lost in the nuance though is it’s quite easy to chain issues together. So, something that might start off as a low risk can lead to something else, maybe a password brute force attack that can lead to a compromise. It’s important to have a bit of context in these things. Similarly there’s a lot of focus on internet facing stuff and so internal needs tend to be ignored. I would argue internal control should be treated just as tightly.
BN: How important is the frequency of checks?
EW: Zero days get a lot of news, but many older CVE vulnerabilities are still being exploited, some from as long ago as 2014. It’s really important to patch the things that you’ve got, but also to determine your risk tolerance and how quickly you’re spinning things up. How well you manage your assets goes hand in hand with the frequency of checks but the key is fixing the issues.
It’s complicated where you’ve got containerization and you’re spinning things up really quickly that might only be there for a couple of days. It’s hard to put processes and procedures around that. As a security industry we tend to see vulnerability scans and pen testing as essentially transactional. We will give you a report then is up to you to fix the issue. When we do better with our clients is when there’s much more of a dialogue as in, “Oh, we got this pen test, is this a good score?” Then we can work through those findings and those issues together.
BN: How much of a role is there for artificial intelligence in terms of prioritizing these threats?
EW: AI and machine learning I think is the next frontier. It’s going to be a big thing because of contextualization of the environment. Also the cost of training new AI is coming down dramatically, so I think there’ll be major use of AI and AR for security. I think blockchain is going to be in there somewhere around assets too. I’m not sure what that will look like yet but I know in terms of businesses I’m speaking with that it’s giving my team focus a focus on blockchain. But these things are just extra tools in an organization’s kit to help it defend, you’ve got to get the basics right still.
BN: Vulnerability management is being adopted by larger enterprises but will it become more mainstream?
EW: Definitely, I think as cost declines it will be less prohibitive to do security. I do think as well, within the industry, we do sometimes forget the basics. Patching is a good policy that gets you 80 percent of the way, but we mentioned zero days and they’re still difficult to defend against. It’s also very difficult to defend against a lot of ransomware attacks. There are still hard nuts to crack. I do think there’s a lot of snake oil in cyber too, “Get this brand new, shiny thing. This will solve the problem.” But there’s no silver bullet, there hasn’t been a silver bullet in 15 years. I think what we’ll see is that ML is going to help but there’s not going to be a one stop everything for everybody.
Image credit: billiondigital/depositphotos.com