Vulnerability Management (VM) can be a nightmare should you let it become one. Considering most of us would like to continue to sleep at nights (despite CISO’s most common nights relates to game of thrones famous quote “dark and full of terrors”) let’s explore together ways to handle VM in a way that will make you stand out as an efficient Professional.
Vulns are simply unavoidable. Ever since code has been written (circa ~70 years ago) vulns have came as a package deal. They are several reasons for this, as a profession information security used to blame it mainly on developers/coders not doing their job the proper way, even not caring in some extreme situations. I am 100% convinced that once again the picture is more complex than that. True fact: information security used to be utterly missing from developers academic studies (thankfully this is less and less true as time advances).
Truth be told: developers can make mistakes as we all can (including infosec otters), however in an era where devsec (heck even devsecops !) is a bankable buzzword couldn’t we agree that every organization shipping code to production (especially to clients) should augment their code security practices with robust (testing) processes and technologies (therefore completing infosec holy triforce: strength, courage & wisdom People, process & techno)?
As such, should we attempt to blame someone for vulnerability proliferation, we might turn our focus on coding organization willing to either maximize time to market or more bluntly put their profit/margin/revenue. Another pretty obvious explanation is that vulns exploitation is on the raise therefore increasing their (ethical ๐) research (hence the boom of ‘innovative’ approach: hackathon, bug bunty and such).
Now that we know more about the magnitude of the situation and its unavoidable nature let’s dig into what can be done against it. My first advise would be to be 100% honest and transparent, explain to your organization that vulns are here to stay and that noone can fathom to thwart all of them. This should trigger one of the most interesting (to us infosec pro) and useful (to our organizations) question: what risk are we willing to take? Put it differently: where should we focus our energy?
Slowly but surely becoming somewhat of an Infosec dinosaur ๐ฆ I lived during the time where the Graal was to ship every single (critical or critical+important) OS patchs and pray for it to suffice. This approach has its advantages (most notably its simplicity wink wink Leonardo da Vinci ๐) and can constitute a first step toward VM especially for understaffed organization (I wouldn’t consider it “enough” for any organizations but it is definately better than doing nothing similarly to SMS-based MFA but this is a topic for yet another post).
Considering ‘modern’ Infosec practices I would rather advocate for a more chirurgical / “crown jewels” focused approach. Why? Because if you cannot protect everything it would prove easier to explain why you attempt to protect your most critical assets would it not? In addition to this (crucial) ‘defensability‘ / CYA argument (against a board, in case of incident, Infosec pro should always remember to protect their back because noone will do it for them when things go south which given enough time is bound to happen), it is a pragmatic approach because in most environments your endpoint protection include some virtual patching capabilities (think about Deep Security/APEX from Trend Micro, Cortex XDR from Palo Alto or any IDS/IPS/NDR for example). Those technologies despite certainly not being bulletproof could provide you with enough protection to change your patching program from the production dreaded monthly cycle to a much more implementable quarterly/Semestrial cycle especially on critical/regulated/ICS/OT environnements.
Obviously such capabilities need to be tested beforehand (hello handmade penetration testing ๐) before throwing your current practice to the trashbin (think again ‘defendability’… Share this responsibility with as much people as possible, invest on a pentest conducted by a best-in-class provider to back your decision it will cost a bit more to your current year budget but would ease the organization budget on the mid-long term, trust me this is your best argument to win your CFO/COO over).
Next article on this series will dig deeper on this “crown jewels” startegy and provide actionable insights to turn VM from a nightmare into a manageable mess therefore improving your current information security practices.
Leave a Reply