In every organization, there is a universe of Devices and a universe of Vulnerabilities. Security Teams use Vulnerability Scanners to identify where systems are vulnerable. These scanners produce pages and pages of reports that are given to IT itemizing every system and every vulnerability identified during the scan. IT then needs to address these vulnerabilities on these systems through some patch or a configuration change. Once the fix is applied, the system is secure, right?
This seems like a pretty straightforward process. Security teams have been tinkering with scanners since the early days. (Remember the controversy around the Security Administrators Tool for Analyzing Networks affectionately known as SATAN? Yes – that was almost 18 years ago) Compliance requirements and industry standards for security all include some provision around vulnerability scanning and management. The chapter and verses related to vulnerability management are numerous: NIST 800-53R4 RA-05, ISO 27001 12.6, NERC CIP CIP-007-2 R8, PCI 2.0 11.2. The list includes international requirements too - Monetary Authority of Singapore, Reserve Bank of India, Australian Government Information Security Manual… This could go on and on but you get the picture – vulnerability management is a widely accepted concept for Security 101.
And it isn’t as if we just started doing vulnerability assessments. We have been doing this for a while. An entire segment of the security industry has been established around this process. Scanner vendors have dedicated, talented teams researching vulnerabilities, building checks, optimizing network loads, extending capabilities, features and functions. Scanners have consistently improved the technical methods to identifying vulnerabilities evolving from pure on-the-wire network scans to authenticated scanning to agent based scanning. Gartner estimates that Vulnerability Assessment (VA) market was around $415 Million in 2012 and expects a stable, long-term demand for security VA capabilities.1 This is a solid arrow in the security team’s quiver.
So if we have been doing this for a while and vulnerability assessment is a fundamental need, why are companies still struggling with it? Take a look at this video and see if you recognize anyone. I think you will. The battle with vulnerabilities is something IT and Security must be fighting together. Finding vulnerabilities isn’t just a security problem, fixing them isn’t just an IT problem.
Companies have to remember that while vulnerability scanning may have first been forced on the organization through some compliance requirement, the true objective of scanning is to reduce the exploit surface of systems. It isn’t about just checking the box (“Yes, the scan ran this quarter and we delivered the report”). It is about finding those cracks in the castle walls that system intrusions abuse. Sure the company could be hacked with a zero-day malware delivered to some poor employee in a phishing email. But the leap frog attacks from system to system inside the infrastructure aren’t going to utilize zero-day malware. Those attacks prey on the misconfigured, unpatched systems that lay wide open. Many times those vulnerabilities are sitting on some scan report on someone’s desk.
My next series of blogs will delve into the topic of Vulnerability Risk Management. It sure feels like we should have had an answer to this age old problem but there are many layers to the issue. Vulnerability assessment is a complex problem and for large organizations can be a significant challenge. In addition, it is becoming more and more evident that even though this has been in our security arsenal for a while, it is as important as ever.
I am interested in hearing about your successes and struggles with vulnerability management as we explore this critical part of security management. Feel free to drop a comment as the conversation unfolds and check out RSA’s latest advancement in the world of Vulnerability Risk Management at http://pulseblog.emc.com/2013/10/29/slowing-down-the-vulnerability-whack-a-mole-game-using-big-data-analytics-and-rsa-archer/
1 Gartner, MarketScope for Vulnerability Assessment, Kelly M. Kavanaugh, Sept 9 2013.