
Risk-based vulnerability management tools in the cloud
As enterprises increasingly rely on cloud services, a risk-based vulnerability management approach can provide the best protection against cybersecurity threats.
Security vulnerabilities abound in the modern enterprise. Deploying any new set of vulnerability management tools inevitably leads to a flurry of vulnerability reports, leaving cybersecurity teams with a significant amount of work to properly manage these risks.
Historically, those efforts meant lengthy hunts around the enterprise to find the systems and teams responsible for each issue. Today, the added complexity of cloud services makes vulnerability management harder still.
Cybersecurity teams working in hybrid environments need to adapt their vulnerability management process to accommodate a mixture of on-premises and cloud services. That requires compiling a comprehensive picture of the vulnerability landscape and adopting a risk-based vulnerability management approach.
Building a complete picture of vulnerabilities
Capturing a complete picture of an enterprise's existing vulnerabilities, so that systems and data can be protected against cybersecurity threats, is realistic only with modern vulnerability management software. These platforms have evolved significantly over the past several years -- from simplistic network vulnerability scanners to comprehensive suites that integrate vulnerability information collected from systems and data wherever they reside.
Network scans continue to be at the core of a vulnerability management program. These scans seek out network-connected systems, probe them for known vulnerabilities, and report and prioritize the issues they detect. Every organization should deploy network-based scanning in its own data centers and its IaaS environments. Network scans are most effective when conducted from multiple perspectives -- from outside and inside network firewalls, so the results show both what an external attacker can reach and what an internal foothold exposes -- and when they feed back to a central correlation platform that deduplicates findings across scanners.
Web application scans supplement network scans by providing a deep dive into issues specific to web development, such as SQL injection, cross-site scripting and cross-site request forgery attacks. Addressing the results of these scans is often tricky in a cloud environment, depending on who developed and maintained the web app:
- Vulnerabilities in applications developed by internal teams may be addressed directly by those teams.
- Vulnerabilities in vendor products hosted by the enterprise in on-premises or IaaS data centers require coordination with the software vendor.
- Vulnerabilities in SaaS products typically can't be addressed by internal teams and may only be addressed by the vendor.
The increasing reliance of businesses on SaaS products not only moves traditional software vulnerabilities outside the enterprise's direct control, but also raises the possibility of misconfigurations by the enterprise's own application administrators: overly permissive sharing settings, access policies that grant rights to any principal, or disabled security features. For this reason, major vulnerability management platforms now offer modules that reach into cloud services to analyze policy settings and identify customer-caused vulnerabilities as well.
Companies ideally should adopt a single vulnerability management platform that addresses network, web app and cloud configuration vulnerabilities in one console. This single-pane-of-glass approach simplifies vulnerability analysis and creates an environment conducive to risk-based vulnerability management.
Adopting a risk-based approach to security
Risk management professionals know that there are four possible responses to any risk they face: risk avoidance, risk transference, risk mitigation and risk acceptance. These same strategies apply to risk-based vulnerability management programs:
- Risk avoidance. Enterprises may avoid risks by altering their business activities so the risk is no longer relevant. That might mean shutting down a system, switching to a different software platform or taking other actions that render a vulnerability irrelevant to the company's business.
- Risk transference. Companies may transfer risks by shifting the burden of addressing those risks to another company. But an organization often can't completely transfer a risk. In the case of a company adopting a SaaS product, the provider's failure to address vulnerabilities may still jeopardize the customer's sensitive data.
- Risk mitigation. The most common way that vulnerability management programs address risks is to mitigate them. Risk mitigation takes actions to reduce the probability or the impact of a risk, commonly by applying a patch, modifying firewall rules or deploying other security controls. In a risk-based vulnerability management program, enterprises rank order the vulnerabilities they detect -- weighing severity, exploitability, exposure and the value of the affected asset rather than severity alone -- and mitigate the highest-ranked risks first. This approach derives the greatest possible value from time-consuming risk mitigation efforts.
- Risk acceptance. Risks are considered acceptable when cybersecurity leaders determine that the costs of applying other risk management strategies outweigh the benefits, and they'll continue operating as is with full knowledge of the risk. Vulnerability managers commonly use this approach for low-probability, low-impact vulnerabilities that simply don't rise to the level of remediation. An accepted risk should still be recorded with an owner and a review date, since a new public exploit or a change in the asset's exposure can push it back above the threshold.
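The ranking and treatment decision described above, as an added example rather than code from the original article: each constructed finding carries a CVSS base score, whether a public exploit exists, whether the asset is internet-facing, an asset criticality on a made-up 1 to 3 scale, and who hosts the software. The weights, the acceptance threshold and the rule that vendor-hosted (SaaS) findings are transferred rather than mitigated in-house are illustrative assumptions, not a standard.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    finding_id: str
    cvss: float              # CVSS base score, 0.0 to 10.0
    exploit_available: bool  # public exploit code exists
    internet_facing: bool    # reachable from outside the perimeter
    asset_criticality: int   # constructed scale: 1 low, 2 medium, 3 high
    hosted_by: str           # "internal" or "vendor" (SaaS)


# Constructed sample findings; identifiers and values are invented.
SAMPLE_FINDINGS = [
    Finding("VULN-1", 9.8, True, True, 3, "internal"),
    Finding("VULN-2", 7.5, False, False, 1, "internal"),
    Finding("VULN-3", 4.3, False, False, 1, "internal"),
    Finding("VULN-4", 8.1, True, True, 2, "vendor"),
]


def risk_score(f):
    """Combine likelihood and impact into a 0-100 score (illustrative weights)."""
    likelihood = f.cvss / 10.0
    if f.exploit_available:      # weaponised issues get attacked far sooner
        likelihood *= 1.5
    if f.internet_facing:        # exposure multiplies the chance of being found
        likelihood *= 1.5
    likelihood = min(likelihood, 1.0)
    impact = f.asset_criticality / 3.0
    return round(likelihood * impact * 100, 1)


def treatment(f, score, accept_below=20.0):
    """Map a finding to one of the risk responses discussed above."""
    if f.hosted_by == "vendor":
        # SaaS: only the provider can patch, so the risk is transferred,
        # but it stays on the register because residual risk remains
        return "transfer"
    if score < accept_below:
        return "accept"       # low probability, low impact: document and move on
    return "mitigate"         # patch, firewall change or compensating control


def prioritise(findings, accept_below=20.0):
    """Return (id, score, treatment) rows, highest risk first."""
    rows = []
    for f in findings:
        score = risk_score(f)
        rows.append((f.finding_id, score, treatment(f, score, accept_below)))
    rows.sort(key=lambda row: row[1], reverse=True)
    return rows


if __name__ == "__main__":
    for finding_id, score, action in prioritise(SAMPLE_FINDINGS):
        print(f"{finding_id}  score={score:5.1f}  {action}")
```

Run on the sample, VULN-2 (CVSS 7.5 on a low-value internal host) outranks nothing in the internet-facing group but is still mitigated, while VULN-3 falls below the threshold and is accepted; the point is that a lower CVSS score with real exposure can legitimately outrank a higher one without it. Avoidance is not modelled, because decommissioning a system is a business decision rather than something a scoring function can recommend.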
Cybersecurity professionals often find themselves overwhelmed by the sheer volume of reports emanating from different vulnerability scans. Developing a complete picture of the vulnerability environment and adopting a risk-based vulnerability management approach turn that flood into a ranked work queue, using limited vulnerability management resources efficiently and effectively.