Vulnerability Management: Speed is Key
Professional hackers are quick to learn about security vulnerabilities and conduct attacks within 24 hours to find new entry points into corporate networks.
Given the increasingly complex attack surface and the continuously growing number of software vulnerabilities, IT managers need a robust strategy for managing vulnerabilities. This strategy should not only include the right tools but also reliable knowledge resources to make informed decisions.
Vulnerabilities and Security Weaknesses
Security weaknesses and vulnerabilities are often confused, but they are not the same. According to the National Information Assurance Training and Education Center, vulnerabilities are weaknesses in automated system security processes, administrative and internal control procedures, and IT systems that attackers can abuse by means of an active exploit. An attack can use such a weakness to gain unauthorized access to information or to disrupt business-critical processes. However, this definition overlooks the fact that security weaknesses can affect not only hardware and software but also all processes and controls that apply in a company. A vulnerability without an associated exploit is “just” a weakness. For now, at least.
Knowledge resources for assessing risks
Vulnerabilities exist in large numbers, for example, in increasingly complex web applications. It’s easy to get caught in an endless cycle of patching. Therefore, it’s important to quickly recognize, identify, assess for triage, and report vulnerabilities and their associated risks. The following resources can support professionals in this:
Common Vulnerabilities and Exposures (CVE)
uniquely identify vulnerabilities and assess their urgency.
Common Vulnerability Scoring System (CVSS)
rates the security of a computer system with a value from 0 to 10. Base metrics evaluate the attack vector (AV), attack complexity (AC), required privileges (PR), and user interaction (UI). Other factors include the area affected by the attack (Scope, S) and its effects on the confidentiality (C), integrity (I), and availability (A) of a system.
Risk indicators such as exploitability (E), remediation level (RL), and report confidence (RC) change over time. These indices reflect the maturity of the exploit technique, available fixes, and the credibility of the vulnerability report. Environmental metrics refer to the user’s environment and describe the effect of an attack in this specific context. The final CVSS score ranges from 0.0 (no vulnerability) to 10.0 (critical vulnerability).
Open Web Application Security Project (OWASP)
provides a practical guideline for documenting and publicizing vulnerabilities. The project is based on a system for reporting vulnerabilities and a predefined process for assessing, locating, and fixing weaknesses through triage. The creators share the documentation of this report internally and externally.
Tools and approaches to contain CVEs
IT security managers need the right tools and technologies to quickly contain CVEs according to their respective urgency and close gaps. Numerous tools are available, each with their advantages and disadvantages:
Configuration Management Databases (CMDB)
are the central repository for information about an organization’s assets: software, hardware, systems, products, and even employees – as well as the relationship between all these assets. CMDBs are suitable for managing and documenting configurations. However, they don’t provide visibility into network operations and possible connections with assets that are supposedly not affected on the attack surface.
Tools for securing cloud assets
such as Cloud Access Security Brokers (CASBs), Cloud Security Posture Management (CSPM) tools, Cloud Workload Protection Platforms (CWPPs), and Cloud Native Application Protection Platforms (CNAPP) play an important role, which increases with each workload moved to the cloud. However, they only monitor a specific area and disregard on-premises systems and the underlying infrastructure.
Patch Management
is essential to keep software, operating systems, and applications up-to-date and secure, improve the security situation, and reduce vulnerabilities. Patch management as an addition to a security platform automates the deployment of patches and provides status on applied patches. Admins can also patch manually. It's important that patch management manages as many operating system environments as possible.
Vulnerability scanners
are of central importance for preventively finding and quickly evaluating security weaknesses. Common scanners monitor networks, hardware, operating systems, applications, and databases, among other things. Shodan, dubbed by some as the search engine of the Internet of Things, scans the entire internet and shares information about "open" devices such as servers, routers, IP cameras, or smart TVs. It uncovers open ports and systems. Of course, hackers also use this to quickly deploy large-scale automated attacks.
Risk Assessment Tools
that come with IT security platform solutions are based on information from Extended Detection and Response (XDR) technologies for monitoring IT activities. With these, IT administrators can identify risks arising from misconfigured operating systems, vulnerable applications, or human behavior, among other things.
Software Bill of Materials (SBOM)
provides exact information about the individual software components of an application and is thus an important tool for vulnerability management. Based on this inventory, users can understand which elements of the software are vulnerable or need improvement or updating. This gives IT another basis for assessing security risks and making informed decisions. In an emergency, IT managers can quickly identify affected systems with the SBOM and contain the attack. An SBOM thus also prevents the risk and effects of a supply chain attack.
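The emergency lookup described above, as an added example that is not part of the original article: given one SBOM per system, it lists the systems that ship a component older than the fixed version. The SBOMs use CycloneDX-style field names; all system names, component names and versions are constructed, and the dotted-number version comparison is a simplifying assumption.

```python
# Constructed CycloneDX-style SBOMs, one per system; all names and versions are hypothetical.
SBOMS = {
    "billing-api": {"bomFormat": "CycloneDX", "components": [
        {"type": "library", "name": "example-logging", "version": "2.14.1"},
        {"type": "library", "name": "example-http", "version": "4.5.13"}]},
    "intranet-portal": {"bomFormat": "CycloneDX", "components": [
        {"type": "library", "name": "example-logging", "version": "2.17.1"}]},
    "report-worker": {"bomFormat": "CycloneDX", "components": [
        {"type": "framework", "name": "example-framework", "version": "6.0.2", "components": [
            {"type": "library", "name": "example-logging", "version": "2.15.0"}]}]},
    "legacy-gateway": {"bomFormat": "CycloneDX", "components": [
        {"type": "library", "name": "example-logging", "version": "2.16.0-custom"}]},
    "mail-relay": {"bomFormat": "CycloneDX"},  # SBOM without a component list
}

def walk(components):
    """Yield every component, including nested ones (CycloneDX allows nesting)."""
    for c in components or []:
        yield c
        yield from walk(c.get("components"))

def version_key(version):
    """Turn '2.14.1' into (2, 14, 1); return None for anything not purely numeric."""
    try:
        return tuple(int(part) for part in version.split("."))
    except ValueError:
        return None

def triage(sboms, name, fixed_in):
    """Return (affected, review): systems below fixed_in, and systems needing a manual look."""
    affected, review = {}, {}
    fixed = version_key(fixed_in)
    for system, bom in sboms.items():
        for c in walk(bom.get("components")):
            if c.get("name") != name:
                continue
            key = version_key(c.get("version") or "")
            if key is None:
                review[system] = c.get("version")  # unparseable: do not guess
            elif key < fixed:
                affected[system] = c["version"]
    return affected, review

if __name__ == "__main__":
    print(triage(SBOMS, "example-logging", "2.17.1"))
```

The nested match in report-worker is the case a flat dependency list misses: the vulnerable library arrives inside another component.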
Managed Detection and Response (MDR) Services
are important for the possible prediction of CVEs. Security experts can filter source information from a large amount of data and recognize and monitor CVE trends. This allows experts to anticipate exploits, start threat hunting, and identify potential dangers.
Jörg von der Heydt is Regional Director DACH at Bitdefender.