Three ways that security teams can improve processes and collaboration, all while creating the common ground needed to sustain them.
We’ve seen COVID-19 infection curves flatten when people are conscientious about recommended pandemic hygiene, such as social distancing and wearing a mask. As we start to re-emerge from quarantine, that outcome serves as a powerful example of what can be accomplished if security and IT teams approach cyber hygiene with the same rigor and sense of urgency. Effective cyber hygiene requires a level of cross-team collaboration that is rarely the norm. Here are three ways security teams can make effective improvements while creating the common ground needed to sustain them.
Seek to Understand and Empathize
Corporate IT teams remain surprisingly siloed, which makes fundamental yet essential cyber hygiene functions such as vulnerability and patch management difficult to do well. Reducing vulnerability-related IT risk isn’t possible without contributions from both security and IT operations teams. Teamwork is hard, and even simple cyber hygiene workflows are easily complicated, often by the division of labor across different teams.
Security teams are usually the ones that find vulnerabilities, while other IT teams (mainly IT operations and DevOps teams) are the ones that fix the issues. When those fixes don’t work as planned, it can impede their ability to preserve the availability and reliability of infrastructure. The bottom line is that full-stack security isn’t trivial and requires compromise and collaboration across all stakeholders.
As the pandemic has reminded us, the simple act of connecting with another human being can have a profound impact on the personal and professional resilience of all parties. Take the initiative to reach out to colleagues on other teams. Ask what a successful day looks like for them, about the tools they use and love, the processes that work well and don’t work at all. With normal processes and interpersonal communications upended, now’s the time for security teams to connect with their counterparts on other teams and (re)forge the connections that lead to productive partnerships.
Intelligent Vulnerability Remediation Goes Beyond Patch Management
According to Imperva, there were more than 20,000 new vulnerabilities reported in 2019. Unfortunately, handling the influx of all these new security threats remains a largely manual and error-prone process. And we all know patches can easily break more things than they fix. But patching is not the only remedy for security vulnerabilities. Configuration-based remediation options such as closing down firewall ports can be used to close security gaps quickly, even if only used as a temporary stopgap until a more robust solution can be implemented.
It’s difficult for IT operations teams to source and compile the patches, workarounds, configuration changes, and compensating controls needed to remediate an avalanche of vulnerabilities every week. Security teams can help lighten that load with remediation repositories: curated stores of what can be called remediation intelligence, the vulnerability management equivalent of threat intel. Instead of tossing a list of unprioritized vulnerabilities over the cubicle wall for the IT team to deal with, remediation intelligence enables security teams to take a more active and collaborative role in closing tickets.
From using Ansible playbooks or Chef recipes to patch a Linux server to preventing exploits by updating a firewall configuration, remediation intelligence enables security teams to help IT operations teams determine the best fix for their environment. Take this time to figure out how your security and IT teams can use remediation intelligence to streamline infrastructure security.
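The following is an added example, not code from the article or from Vulcan Cyber, of what a minimal remediation-intelligence lookup can look like in practice: each vulnerability maps to several remediation options (a permanent patch, a configuration change, a compensating control) annotated with the operational facts IT operations cares about, and a planner picks a permanent fix plus a temporary stopgap when the fix cannot land before the SLA deadline. The CVE ids, playbook names, firewall actions and deploy times are constructed placeholders.

```python
"""Choosing a remediation from a small repository (added, illustrative example).

Every vulnerability id, playbook name and duration below is a constructed
placeholder; the repository shape is an assumption, not any vendor's format.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Remediation:
    kind: str            # "patch" | "config" | "compensating"
    action: str          # human-readable step handed to IT operations
    permanent: bool      # True for a real fix, False for a temporary stopgap
    needs_reboot: bool   # whether applying it disrupts availability
    days_to_deploy: int  # realistic lead time through change management


# Constructed remediation repository keyed by placeholder CVE id.
REPO = {
    "CVE-0000-0002": [  # placeholder: OpenSSL flaw on an internet-facing web tier
        Remediation("patch", "ansible-playbook patch-openssl.yml", True, False, 5),
        Remediation("config", "firewall: allow 443/tcp only from the WAF range", False, False, 1),
    ],
    "CVE-0000-0004": [  # placeholder: kernel flaw whose patch requires a reboot
        Remediation("patch", "ansible-playbook patch-kernel.yml", True, True, 14),
        Remediation("compensating", "firewall: close 22/tcp except from the bastion", False, False, 1),
    ],
}


def plan(cve: str, days_until_deadline: int, reboot_allowed: bool) -> dict:
    """Return the fastest permanent fix and, if that fix cannot be deployed
    before the SLA deadline (or no fix is possible), the fastest stopgap."""
    options = REPO.get(cve, [])
    fixes = [r for r in options
             if r.permanent and (reboot_allowed or not r.needs_reboot)]
    fix: Optional[Remediation] = min(fixes, key=lambda r: r.days_to_deploy, default=None)

    stopgap: Optional[Remediation] = None
    if fix is None or fix.days_to_deploy > days_until_deadline:
        stopgaps = [r for r in options
                    if not r.permanent and r.days_to_deploy <= days_until_deadline]
        stopgap = min(stopgaps, key=lambda r: r.days_to_deploy, default=None)
    return {"fix": fix, "stopgap": stopgap}


if __name__ == "__main__":
    for cve, days, reboot in [("CVE-0000-0002", 3, True), ("CVE-0000-0004", 7, False)]:
        result = plan(cve, days, reboot)
        print(cve, "fix:", result["fix"] and result["fix"].action,
              "| stopgap:", result["stopgap"] and result["stopgap"].action)
```

The planner never drops a permanent fix in favour of a stopgap; the stopgap is recorded alongside it so the ticket shows both the quick configuration change and the patch that eventually retires it.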
Re-Evaluate Remediation KPIs to Ensure Relevancy
Security operations teams often rely on industry-standard benchmarks to prioritize the execution of cyber hygiene workflows, but many of those metrics are outdated or have become dangerously misleading. For example, prioritizing remediation based solely on a vulnerability’s Common Vulnerability Scoring System (CVSS) score is still a common but highly flawed practice. CVSS scores are essential for benchmarking the severity of a vulnerability, but they say nothing about how critical the threat is to the assets in a particular environment.
So, what metrics should be used to guide and prioritize the efficient work of vulnerability remediation? Here are a few of my favorites. While these are metrics used by security teams, strong cross-team support leads to greater control over these benchmarks.
- Coverage: Does the security team have sufficient vulnerability scanning in place for all business-critical systems and applications? Are there any blind spots? Coverage clarity across the full scope of risks, known and unknown, is necessary for comprehensive security.
- Vulnerability dwell time: The time between vulnerability disclosure and published exploit of the vulnerability in the wild has contracted substantially over the last couple of years, from weeks to days. The longer the vulnerability dwell time, or the time the vulnerability is persistent in the environment, the greater chance it will be exploited.
- SLA goals versus actual remediation results: By evaluating remediation results against goals outlined in service-level agreements with the business, you can gauge how well your team has met its stated operational and risk management goals, why or why not, and how to improve.
- A commonsense risk model: Just because an Oracle vulnerability has a CVSS score of 10 doesn’t mean it matters to your organization if you don’t run any Oracle. But if significant components of your infrastructure run on Oracle, you’d want these vulnerabilities to be flashing red on the remediation list.
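To make the four metrics concrete, here is an added example (not code from the article or from Vulcan Cyber) that computes scan coverage, dwell time, SLA status and an environment-aware risk score over a constructed inventory. The CVSS weighting factors, SLA day counts, host names and CVE ids are all assumptions chosen for illustration; the point it demonstrates is the article's own: a CVSS 10 advisory for software you do not run produces no work item, while a lower-scored flaw on an exposed, business-critical host with a public exploit goes to the top of the list.

```python
"""Commonsense remediation prioritisation (added, illustrative example).

Assets, advisories, dates and weights are constructed placeholders; the
weighting scheme is an assumption, not an industry standard.
"""
from dataclasses import dataclass
from datetime import date

SLA_DAYS = {"critical": 7, "high": 30, "low": 90}      # assumed remediation SLA policy
CRIT_WEIGHT = {"critical": 3.0, "high": 2.0, "low": 1.0}  # assumed asset weighting


@dataclass(frozen=True)
class Asset:
    name: str
    software: frozenset   # products installed on the asset
    criticality: str      # "critical" | "high" | "low"
    internet_facing: bool
    scanned: bool         # covered by vulnerability scanning?


@dataclass(frozen=True)
class Advisory:
    cve: str              # placeholder ids below, not real CVE numbers
    product: str
    cvss: float
    exploit_public: bool
    published: date


def coverage(assets):
    """Share of business-critical assets that the scanner actually sees."""
    crit = [a for a in assets if a.criticality == "critical"]
    return sum(1 for a in crit if a.scanned) / len(crit) if crit else 1.0


def blind_spots(assets):
    return [a.name for a in assets if not a.scanned]


def applies(adv, asset):
    return adv.product in asset.software


def risk_score(adv, asset):
    """CVSS is the starting point; exposure, asset value and exploit
    availability scale it, and a product the asset does not run scores 0."""
    if not applies(adv, asset):
        return 0.0
    score = adv.cvss * CRIT_WEIGHT[asset.criticality]
    if asset.internet_facing:
        score *= 1.5
    if adv.exploit_public:
        score *= 2.0
    return round(score, 1)


def dwell_days(adv, today):
    # Dwell measured from disclosure: the window in which the flaw sits unremediated.
    return (today - adv.published).days


def sla_status(adv, asset, today):
    return "breached" if dwell_days(adv, today) > SLA_DAYS[asset.criticality] else "within_sla"


def prioritise(advisories, assets, today):
    rows = []
    for adv in advisories:
        for asset in assets:
            if not applies(adv, asset):
                continue  # e.g. an Oracle CVSS 10 on a host with no Oracle
            rows.append({"cve": adv.cve, "asset": asset.name,
                         "risk": risk_score(adv, asset),
                         "dwell_days": dwell_days(adv, today),
                         "sla": sla_status(adv, asset, today)})
    return sorted(rows, key=lambda r: (-r["risk"], -r["dwell_days"]))


def sla_report(rows):
    total = len(rows)
    breached = sum(1 for r in rows if r["sla"] == "breached")
    met = round(100 * (total - breached) / total, 1) if total else 100.0
    return {"open": total, "breached": breached, "met_pct": met}


# Constructed inventory and advisories.
TODAY = date(2020, 7, 1)
ASSETS = [
    Asset("web-01", frozenset({"nginx", "openssl"}), "critical", True, True),
    Asset("db-01", frozenset({"oracle-db", "linux-kernel"}), "critical", False, True),
    Asset("build-02", frozenset({"jenkins"}), "low", False, False),
]
ADVISORIES = [
    Advisory("CVE-0000-0001", "oracle-db", 10.0, False, date(2020, 6, 27)),
    Advisory("CVE-0000-0002", "openssl", 7.5, True, date(2020, 5, 15)),
    Advisory("CVE-0000-0003", "jenkins", 9.8, True, date(2020, 6, 1)),
]

if __name__ == "__main__":
    print("coverage of critical assets:", coverage(ASSETS), "blind spots:", blind_spots(ASSETS))
    ranked = prioritise(ADVISORIES, ASSETS, TODAY)
    for row in ranked:
        print(row)
    print(sla_report(ranked))
```

Running it ranks the CVSS 7.5 OpenSSL flaw on the exposed web server above the CVSS 10 Oracle flaw on the internal database, and if the Oracle advisory is scored against a fleet with no Oracle it yields no row at all. The SLA report shows one breached item out of three, and the coverage check flags the unscanned build host as a blind spot.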
As Rahm Emanuel (via Winston Churchill) famously said, “Never let a good crisis go to waste.” Change at scale is never easy, but the pandemic has created a once-in-a-career opportunity to make material improvements to cyber hygiene practices.
With over a decade of cybersecurity experience under his belt, Yaniv has spent years working with some of the largest companies in the world. With his “solutions, not problems” mindset, Yaniv co-founded Vulcan Cyber in order to do just that – enable security teams to …