Einstein's adage that, "The definition of insanity is to keep doing the same things, but expect different results" has rarely seen a more definitive example than the way in which vulnerability management is being pursued in enterprises. A change needs to be made that prioritises those things that will make the biggest improvements.
Vulnerabilities and their exploitation are still the root cause of most information security breaches today. However, too much focus is placed on high profile exploits and malware, rather than these underlying root causes. Although not all breaches result from a vulnerability being exploited, most do. Within this majority, they also come from known vulnerabilities, rather than zero day attacks.
Zero day attacks made up only approximately 0.4 percent of vulnerabilities during the past decade, but the amount spent on trying to detect them is out of kilter with the actual risks they pose, when compared with the massive numbers of breaches and infections that come from a small number of known vulnerabilities that are being repeatedly exploited.
Are zero days real? Absolutely. Are they the biggest issue for most organisations? No.
What’s the real threat?
The top issue in vulnerability management (and, arguably, IT security operations) is that organisations are not prioritising their patching and compensating controls to align to commonly targeted vulnerabilities. Organisations need to align their vulnerability management priorities with what threat actors are actually using.
As a rough metric, Gartner’s research has uncovered that there are likely to be (depending on your technology stack) only about 50 to 300 vulnerabilities each year you should be critically concerned about.
It's this number that roughly defines the number of vulnerabilities that make it into the exploitation mainstream. They’re the ones that are most often used and reused for all kinds of nefarious activity from various threat actors, such as banking trojans, ransomware and botnets.
Deal with the elephant in the room first
The reality is that organisations are struggling to figure out the delta between "what can I fix" and "what will make the biggest difference, with the reality of the time and resources that I actually have." The answer is a risk-based approach.
Although Gartner’s seeing persistent and advanced threats, most threat actors don’t use overly sophisticated means to achieve their goals in most cases. Gartner believes that 99 percent of the vulnerabilities exploited by the end of 2020 will continue to be ones known by security and IT professionals at the time of exploitation.
The dogmatic approach to vulnerability management, based on attempting to deal with large volumes of vulnerabilities in aggregate, seems sound and is based on common sense; however, it has led to friction between IT security and operations teams. Causing outages and downtime from never ending patching, is simply untenable from a business point of view.
The “patch everything, all the time” mindset doesn’t account for staffing/budget constraints in this “do more with less” world, while trying to still compete in making a product or delivering a service. More importantly, it hasn’t delivered on its goal of making organisations more secure — breaches have continued unabated during the past decade and it’s not getting better.
If you deal with the "elephant in the room" first, then you’ll have a better foundation. I’m not saying that you shouldn’t stop with the idea of continually inching toward improvements with a vulnerability management program. However, we’re clearly not executing well on the critical issue in reducing your attack surface by closing the biggest risks.
It’s worth pressing the reset button and doubling down on improving your vulnerability management program. Get your foundation right first. It's not only just a principle, the data here speaks volumes as to how effective it could be in raising your organisation's security posture.
Prioritise patching of vulnerabilities exploited in the wild
Traditional logic states that you should patch in order of the severity of the vulnerability — for example, critical vulnerabilities first, then high, then medium and so forth. Although it would be great if we could patch everything, this is clearly not working, and in fact, it's not even possible for most organisations and never will be.
We’re far from a world in which this will be achievable. However, attack path modelling and an understanding of the cyber kill chain shows that in reality, the most-effective approach is to focus on the vulnerabilities being exploited in the wild. On average, only about 12.5 percent of all vulnerabilities in the last decade have gone on to be exploited in the wild.
Another point to note is that the number of exploited vulnerabilities over the decade is actually flat, despite the number of breaches increasing and the number of threats appearing. Essentially, more threats are leveraging the same small set of vulnerabilities.
As a number one priority, focus your efforts on patching the vulnerabilities that are being exploited in the wild (or have a competent compensating control). This is an effective approach to risk mitigation and prevention, yet very few organisation do this. It reduces the number of vulnerabilities to deal with, which means more effort could be put into dealing with a smaller number of vulnerabilities for the greater benefit of your organisation’s security posture.
Handy hints
- Start tracking a simple metric that enables your organisation to gain visibility into the overlap between "the vulnerabilities in your environments" and "the ones being actively exploited in the wild." Improving this one metric will significantly reduce the risk of being breached. Security operations, analytics and reporting tools, and threat intelligence services help deliver this.
- Employ mitigating controls, such as intrusion protection systems, network segmentation, application control and privileged identity management, to prevent vulnerabilities from being exploited, when you can't patch in an acceptable time frame or there is no patch available. These controls help focus on the vulnerabilities that are being actively exploited in the wild first.
Craig Lawson is a research vice president at Gartner, focusing on network security, vulnerability management, advanced persistent threats (APT), vulnerability research, threat intelligence, managed security service providers (MSSP), cloud access security brokers (CASB) and cloud security. Craig is the chair of the upcoming Gartner Security & Risk Management Summit in Sydney, 21-22 August 2017.