I remember giving a presentation when I first started working in cybersecurity in 2003 (note: it was called information security back then). I talked about the importance of good security hygiene, focusing on deploying secure system configurations, managing access controls, and performing regular vulnerability scans.
When it came to the Q&A portion of my presentation, a gentleman in the first row raised his hand. He mentioned that his company was diligent about vulnerability scanning but then asked me: “How do you determine which vulnerabilities to prioritize and which ones to ignore?”
I don’t remember exactly how I responded but I am certain that my answer wasn’t very good.
The vulnerability management dilemma from 2003 remains a big problem to this day. As part of a recent ESG research project on cyber risk management, 340 cybersecurity and IT professionals were asked to identify their organization’s biggest vulnerability management challenges. Here are some of the results:
- 43% of respondents indicate that one of their biggest vulnerability management challenges is prioritizing which vulnerabilities to remediate. Sound familiar?
- 42% of respondents indicate that one of their biggest vulnerability management challenges is tracking vulnerability and patch management over time. In other words, many organizations find it difficult to manage processes from vulnerability scanning, to trouble ticketing, to change management, to patching, to incident closure. Oh, and these processes require strong collaboration between security and IT operations personnel. As Bruce Schneier says, “security is a process, not a product.” In this case, the processes are broken.
- 42% of respondents indicate that one of their biggest vulnerability management challenges is patching vulnerabilities in a timely manner. It’s not uncommon for a large enterprise to have thousands or even tens of thousands of vulnerabilities at any time. Little wonder why it’s difficult to keep up.
- 41% of respondents indicate that one of their biggest vulnerability management challenges is tracking the cost and effectiveness of their vulnerability management program. Security budgets continue to rise but CFOs want some reasonable metrics around what they are getting for their money. Looks like many organizations remain clueless when it comes to vulnerability management ROI.
- 40% of respondents indicate that one of their biggest vulnerability management challenges is keeping up with the volume of vulnerabilities. As I mentioned above, thousands to tens of thousands of vulnerabilities.
By the way, we’ve tried to improve vulnerability management by prioritizing vulnerabilities with high CVSS scores, those with known exploits, or those from mission-critical software vendors. But based upon this data, it looks like we haven’t progressed much in the past 16 years. Given the number of applications, devices, and systems on the network today, many organizations face greater cyber risk today than they did in the early 2000s simply because of these and other continuing vulnerability management challenges.
Fortunately, I finally have an answer to the question posed in 2003.
Question: How do you determine which vulnerabilities to prioritize and which ones to ignore?
Answer: Let data analytics be your guide. In other words, take all your vulnerability scanning data and analyze it across a multitude of parameters including asset value, known exploits, exploitability, threat actors, CVSS score, similar vulnerability history, etc. This data analysis can be used to calculate risk scores, and these risk scores can help guide organization on which vulnerabilities should be patched immediately, which ones require compensating controls until they can be patched, which ones can be patched on a scheduled basis, and which ones can be ignored.
Of course, few organizations will have the resources or data science skills to put together the right vulnerability management algorithms on their own, but vendors like Kenna Security, RiskSense, and Tenable Networks are all over this space. Furthermore, SOAR vendors like Demisto, Phantom, Resilient, ServiceNow, and Swimlane are working with customers on runbooks to better manage the operational processes.
After all this time, I’m still convinced that strong cybersecurity hygiene is a critical practice for cyber risk mitigation. I’m glad that we’ve finally made some progress on ways to make this happen.
If you are in the cybersecurity market, you’ve heard (or read) about the point tools problem hundreds or thousands of times. Enterprise organizations base their cybersecurity defenses on dozens of point tools from different vendors. These point tools don’t talk to one another, making it difficult to get a complete end-to-end picture for situational awareness. This also leads to tremendous operational overhead as the cybersecurity staff is called upon to act as the glue between disparate tools.
I had a terrific week at RSA, meeting and talking with many of the world’s leading endpoint security and application security vendors. Every year, RSA provides a unique opportunity to take a fresh look at new and existing vendors, through in-person meetings with technical and marketing leaders, and checking out messaging through booths, signage, and materials.
There was quite a bit of banter about boardroom cybersecurity actions at RSA Conference 2019. No surprise here, as business executives understand what’s at stake and are asking CISOs to provide more cyber risk data and metrics so they can work with them on intelligent risk mitigation strategies.
Like many other cybersecurity professionals, I spent last week at RSA Conference 2019 in rainy San Francisco. Here are a few of my impressions:
As adversaries continue to be more aggressive and more targeted in their attack techniques, security teams are continuously challenged to implement more comprehensive endpoint protection strategies to keep up. Next-generation security vendors like Carbon Black, CrowdStrike, and Cylance have set the agenda, delivering integrated prevention, detection, and response platforms leveraging the cloud and a single agent. Established endpoint players like Symantec, Trend Micro, and Sophos have quickly responded, delivering integrated solutions leveraging both cloud and a common agent. ESG research shows that 77% of companies surveyed plan to move to an integrated security suite with a preference towards a single vendor, with an even split between companies who are looking to next-gen providers and those looking to the large, established security players.
I’ve attended the RSA Conference for the past 15 years, and things have changed quite a bit. The event has gone from a few thousand to around 50,000 attendees, leading to a confluence of humanity and traffic around the Moscone Center. Hotel room prices exceed $500 per night, even at some of the “boutique” (i.e., flea bag) hotels in and around Union Square. The RSA event has become the nexus where cybersecurity meets high-end capitalism.
When I first entered the cybersecurity market in 2003, I’d already been working in the IT industry for about 16 years in storage, networking, and telecommunications previously. By the early 2000s, all three sectors had moved on from bits and bytes to focusing on how each technology could help organizations meet their business goals. Oh sure, we still talked speeds-and-feeds, but we led with things like business agility, productivity, and cost cutting. The technology was a means to an end rather than an end in itself.
I just got back from attending IBM Think in San Francisco. Though it was a quick trip across the country, I was inundated with IBM’s vision, covering topics from A (i.e., artificial intelligence) to Z (i.e., System Z) and everything in between. 
A few years ago, cybersecurity professionals often lamented that executives didn’t want good security, they wanted “good enough” security. This axiom reflected that many CEOs equated cybersecurity with regulatory compliance. If the CISO could check all the right PCI, HIPAA, or SOX boxes, cybersecurity concerns were taken care of.