The Sisyphean Task of Vulnerability Remediation
By Joel Sivan, Head of Customer Success and Professional Services, Rezilion
Here are five steps to help ease the burden
Security teams are struggling to keep up with the pace of change in modern environments. More than 18,000 vulnerabilities were disclosed in 2020 alone, and mean time to patch typically runs from 60 to 150 days. On top of that, DevOps practices let developers push code on demand and launch cloud instances as often as the business needs. The combination produces a larger and more complex attack surface that security analysts must protect and reduce.
Vulnerability management has become a Sisyphean task: by the time one vulnerability is remediated, ten more have been discovered. We can't simply throw more people at the problem either; in the US alone the security industry has over 300,000 unfilled positions. It's time to rethink our approach.
Starting with Renaud Deraison's open source Nessus in the late 1990s, vulnerability assessment has transformed how we detect exploitable weaknesses in IT infrastructure. Modern scanners make it easy to find thousands of vulnerabilities across infrastructure and web applications. Identifying vulnerabilities is still the first step in hardening an environment, but security teams need a new approach to handling the output of these scans.
Security leaders need a faster and more accurate way to understand their attack surface and patch what matters. That means prioritizing by the actual risk a vulnerability poses on the instances where it is found, not by its headline severity alone. To focus on risk we recommend the following steps:
1. Identify your vulnerabilities – Do not cancel your vulnerability assessment subscription, and if you use an open source scanner such as OpenVAS or Trivy, do not uninstall it just yet. The first step in improving the remediation process is to scan your network and images and retrieve the complete list of findings, applicable or not; the filtering comes in the later steps, and it needs the full list as input.
2. Define your policy – Scanners rate vulnerabilities low, medium, high or critical, but two findings with the same rating rarely carry the same risk for you. Decide what risk level is acceptable based on your risk tolerance and the compliance standards you must meet. For example, to pass a PCI DSS external vulnerability scan you must remediate every finding with a CVSS base score of 4.0 or higher.
3. Establish SLAs – How long does it currently take to fix a vulnerability on your instances, and what should the target mean time to patch be for each severity band? Set a baseline policy and active notification so that findings left unattended past their SLA are escalated rather than silently aging in the backlog.
4. Understand your actual attack surface – Once a vulnerability assessment process is in place you will probably find thousands of vulnerabilities, and a high percentage of them will be rated critical. The critical next step is to determine whether the vulnerable code is actually loaded in memory and reachable by an attacker. This requires an attack surface assessment using a tool such as Rezilion Validate, which inventories all artifacts in dev and prod and maps dependencies, connections, code provenance, memory and runtime execution flows. The assessment supplies context: where compensating controls exist, which vulnerable packages are loaded into memory and which never are, what your true exposure is, and how to prioritize on actual risk. One caveat: a package that is not loaded today may be pulled in by a different code path or a later release, so "not loaded" should lower a finding's priority, not close it.
5. Harden your images – Building a secure product is not optional. Your customers must be able to trust you to protect their data and not to create a backdoor into their network and their crown jewels. One effective way to do this is to remove bloated, unused code before going live. Your attack surface assessment highlights all code that is in use and, conversely, all code that is not. Removing unused packages from production images makes builds smaller and more maintainable and removes potential avenues for exploitation; it also shrinks the scan output you have to triage in the next cycle.
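The prioritization logic described in steps 2 through 5, as an added example; this is not code from the article or from Rezilion Validate. It assumes a constructed scan result, a constructed runtime inventory standing in for what an attack surface assessment would report, a constructed per-image package list, a fixed report date and an in-house SLA table; the VULN-* identifiers, package names and scores are placeholders, not real CVEs.

```python
"""Risk-based vulnerability triage: policy threshold, SLA tracking, runtime
reachability and image pruning over a constructed scan result."""
from datetime import date

# Constructed sample findings, loosely shaped like a scanner's JSON report
# (one record per package per image). VULN-* ids and scores are placeholders,
# not real CVEs.
FINDINGS = [
    {"id": "VULN-001", "image": "api:1.4",    "package": "libssl",      "cvss": 9.8, "first_seen": "2021-03-01"},
    {"id": "VULN-002", "image": "api:1.4",    "package": "libxml",      "cvss": 7.5, "first_seen": "2021-03-20"},
    {"id": "VULN-003", "image": "api:1.4",    "package": "imagemagick", "cvss": 8.1, "first_seen": "2021-01-05"},
    {"id": "VULN-004", "image": "api:1.4",    "package": "curl",        "cvss": 3.7, "first_seen": "2021-02-01"},
    {"id": "VULN-005", "image": "worker:2.0", "package": "libssl",      "cvss": 9.8, "first_seen": "2021-04-01"},
]

# Constructed runtime inventory: packages observed loaded in memory per image.
# This is the kind of data an attack surface assessment (step 4) supplies.
LOADED = {
    "api:1.4":    {"libssl", "libxml"},
    "worker:2.0": {"libxml", "imagemagick"},  # libssl is installed but never loaded
}

# Constructed full package inventory per image, used for pruning (step 5).
INSTALLED = {
    "api:1.4":    {"libssl", "libxml", "imagemagick", "curl"},
    "worker:2.0": {"libssl", "libxml", "imagemagick"},
}

# Step 2, policy: the threshold mirrors the PCI DSS external-scan rule
# (remediate CVSS >= 4.0). The SLA days per band are an assumed in-house
# policy, not part of any standard.
CVSS_THRESHOLD = 4.0
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}
REPORT_DATE = "2021-04-15"  # assumed "today", fixed so the example is deterministic


def severity(cvss):
    """Map a CVSS v3.x base score to its qualitative rating band."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low" if cvss > 0.0 else "none"


def sla_breached(finding, today_iso):
    """Step 3: a finding breaches SLA once it has been open longer than its band allows."""
    days_allowed = SLA_DAYS.get(severity(finding["cvss"]))
    if days_allowed is None:
        return False
    age = (date.fromisoformat(today_iso) - date.fromisoformat(finding["first_seen"])).days
    return age > days_allowed


def triage(findings, loaded, today_iso=REPORT_DATE, threshold=CVSS_THRESHOLD):
    """Steps 2-4: drop out-of-policy findings, annotate the rest with
    reachability and SLA state, and order by actual risk: loaded-in-memory
    first, then SLA breaches, then raw CVSS. "Not loaded" lowers priority
    but does not close the finding; another code path may load it later."""
    rows = []
    for f in findings:
        if f["cvss"] < threshold:
            continue
        rows.append({
            **f,
            "severity": severity(f["cvss"]),
            "loaded": f["package"] in loaded.get(f["image"], set()),
            "sla_breached": sla_breached(f, today_iso),
        })
    rows.sort(key=lambda r: (not r["loaded"], not r["sla_breached"], -r["cvss"]))
    return rows


def unused_packages(installed, loaded):
    """Step 5: packages present in an image but never loaded are pruning candidates."""
    return {img: sorted(pkgs - loaded.get(img, set())) for img, pkgs in installed.items()}


if __name__ == "__main__":
    for r in triage(FINDINGS, LOADED):
        flag = "LOADED " if r["loaded"] else "dormant"
        late = "SLA BREACH" if r["sla_breached"] else "in SLA"
        print(f'{r["id"]} {r["image"]:<11} {r["package"]:<12} {r["cvss"]:>4} {flag} {late}')
    print("prune candidates:", unused_packages(INSTALLED, LOADED))
```

With the constructed data the worker image's 9.8 finding sorts below the api image's 7.5 finding, because the vulnerable package is never loaded there, while the same package on the api image, loaded and past its 7-day SLA, lands at the top. The ordering key is the policy; swap in your own bands, SLAs and reachability source and the rest of the logic is unchanged.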
Following this five-step guide helps ensure that vulnerabilities are prioritized according to the risk they actually pose. That focus improves the remediation effort and helps security keep pace with a constantly changing environment.