In this Help Net Security interview, Michael Gorelik, CTO and Head of Malware Research at Morphisec, provides insights into the business impact of vulnerabilities.
Gorelik discusses challenges posed by regulatory frameworks, incomplete asset inventories, and manual methods, while also exploring the role of automated systems, the future of vulnerability prioritization in the face of evolving cyber threats, and key factors organizations should consider in building effective remediation strategies.
The remediation of vulnerabilities is a daunting task.
As of Dec 2023, over 4,540 critical vulnerabilities have been published, and less than 2% of those vulnerabilities are exploited.
Over the same time period, just over 120 CVEs were listed on the CISA KEV database - the CISA Known Exploited Vulnerabilities catalog maintains an authoritative source of vulnerabilities that have been exploited in the wild.
Organizations that drive patching efforts using CVSS scoring are likely not able to keep up with the pace of new vulnerabilities, since deploying security patches requires testing, compatibility checks, and risk assessments, resulting in a lead time of 4-6 weeks to patch a vulnerability.
Prioritization must be done according to the organization's business context, with alignment to the most significant vulnerabilities to which they are exposed - this leads to a sustainable remediation process.
Organizations should understand which vulnerabilities have the potential of being exploited within their unique environment and which of the vulnerabilities potentially pose the highest business risk.
A vulnerability with proven exploitability or a high probability of exploitation existing within an active internet-facing business application is likely a higher priority than a vulnerability residing within an unused application in a well-protected environment.
The management of vulnerabilities is a key component in many compliance and regulatory frameworks such as NIST CSF, PCI DSS, NERC CIP, CIS critical security controls, GDPR and others.
The regulatory frameworks include components for data protection and privacy, and these indirectly address vulnerability management by requiring organizations to implement security measures to protect personal data.
A loss of personal data can lead to a loss of credibility and to regulatory violation fines imposed by regulators like the US SEC. A vulnerability management practice prioritized and driven by business context can define assets that process PII as critical.
Systems should operate continuously and collect live data to drive vulnerability prioritization efforts based on actual usage.
Traditional vulnerability systems, on the other hand, typically collect information periodically - on-demand, weekly, and even monthly.
Patchless protection protects against known vulnerabilities that haven't been patched yet, while preventing unknown vulnerabilities from causing damage.
Vulnerabilities cannot be remediated on shadow IT assets or assets that cannot be easily accessed by the organization.
For this, vulnerability management systems should offer multiple options to drive efforts, including the grouping of computing assets by business context, factoring the exposure of entire hosts, aggregating vulnerabilities on applications, and presenting exploitability and the potential of exploitability for vulnerabilities.
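The prioritization approach described above (proven or probable exploitability, internet exposure, whether the asset is actually in use, and business criticality such as PII processing) can be made concrete with a small scorer. The following is an added example written for this page; it is not Morphisec's code or any vendor's algorithm. The weights, the asset model, the `CVE-PLACEHOLDER-*` identifiers and the sample findings are all constructed assumptions chosen to show how a business-context ranking diverges from a plain CVSS ranking.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """Business-context attributes of a host or application (constructed model)."""
    name: str
    business_group: str
    internet_facing: bool
    processes_pii: bool   # assets handling personal data are treated as critical
    in_use: bool          # unused/decommissioned applications carry far less exposure


@dataclass(frozen=True)
class Finding:
    """One vulnerability observed on one asset."""
    cve: str
    asset: Asset
    cvss: float               # base severity, 0.0 - 10.0
    in_kev: bool              # listed in the CISA Known Exploited Vulnerabilities catalog
    exploit_probability: float  # 0.0 - 1.0 estimate when not in KEV (e.g. an EPSS-style score)


def risk_score(f: Finding) -> float:
    """Business-context risk in 0..100. All weights below are illustrative assumptions."""
    # KEV membership is proof of in-the-wild exploitation; otherwise use the estimate.
    exploitability = 1.0 if f.in_kev else f.exploit_probability
    # Internet-facing assets are fully exposed; internal ones get a reduced factor.
    exposure = 1.0 if f.asset.internet_facing else 0.3
    # An unused application in a protected environment is rarely a live attack path.
    if not f.asset.in_use:
        exposure *= 0.2
    # Impact starts from CVSS severity and is raised for PII-processing assets.
    impact = f.cvss / 10.0
    if f.asset.processes_pii:
        impact = min(1.0, impact + 0.2)
    return round(100 * exploitability * exposure * impact, 1)


def prioritize(findings: list[Finding]) -> list[tuple[str, float]]:
    """Return (cve, score) pairs, highest business risk first."""
    return sorted(((f.cve, risk_score(f)) for f in findings),
                  key=lambda pair: pair[1], reverse=True)


def by_cvss(findings: list[Finding]) -> list[str]:
    """The traditional ordering, by CVSS alone, for comparison."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def group_exposure(findings: list[Finding]) -> dict[str, float]:
    """Aggregate risk per business group, so remediation can be planned by context."""
    totals: dict[str, float] = {}
    for f in findings:
        totals[f.asset.business_group] = round(
            totals.get(f.asset.business_group, 0.0) + risk_score(f), 1)
    return totals


# Constructed sample data; CVE identifiers are placeholders, not real entries.
PORTAL = Asset("web-portal", "Customer Portal", internet_facing=True, processes_pii=True, in_use=True)
LEGACY = Asset("legacy-tool", "Back Office", internet_facing=False, processes_pii=False, in_use=False)
HR = Asset("hr-system", "HR", internet_facing=False, processes_pii=True, in_use=True)

SAMPLE_FINDINGS = [
    Finding("CVE-PLACEHOLDER-A", PORTAL, cvss=7.5, in_kev=True, exploit_probability=0.9),
    Finding("CVE-PLACEHOLDER-B", LEGACY, cvss=9.8, in_kev=False, exploit_probability=0.05),
    Finding("CVE-PLACEHOLDER-C", HR, cvss=8.8, in_kev=False, exploit_probability=0.4),
]

if __name__ == "__main__":
    print("CVSS order:       ", by_cvss(SAMPLE_FINDINGS))
    print("Business-risk order:", prioritize(SAMPLE_FINDINGS))
    print("Risk per group:   ", group_exposure(SAMPLE_FINDINGS))
```

Run as a script it shows the divergence the interview describes: the CVSS 9.8 finding on an unused, internal application drops to the bottom, while the CVSS 7.5 finding that is in KEV and sits on an internet-facing PII application ranks first. The per-group totals are the kind of business-context aggregation that lets a team schedule remediation for "Customer Portal" ahead of "Back Office" rather than working down a flat severity list.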
Modern vulnerability remediation technologies should easily adapt to the organization's strategy of choice.
Standard vulnerability management practices driven by CVSS scoring have evolved into risk-based vulnerability prioritization.
In addition to application vulnerabilities, companies will be deepening their identification and risk-based assessment of misconfigurations, privileges, and assets specific to an organization.
This Cyber News was published on www.helpnetsecurity.com. Publication date: Mon, 18 Dec 2023 05:43:05 +0000