Stories of new data breaches grab headlines again and again. Many of these breaches are the result of known vulnerabilities left unremediated, and in some cases, organizations have been aware of these vulnerabilities for years. Why weren’t these problems fixed sooner? Wouldn’t organizations try to fix them as soon as possible to avoid a breach?
Every organization strives to fix vulnerabilities rapidly. Unfortunately, fixing vulnerabilities is a complex task.
First, organizations are flooded with vulnerabilities. New vulnerabilities are reported daily and the volume is only increasing. Keeping pace is tough.
Second, there’s no single pane of glass for tracking all vulnerabilities. Organizations use multiple scanners to detect vulnerabilities, each living in its own walled garden. Application and network vulnerabilities are treated separately, typically in disconnected systems. Vulnerabilities discovered via pentesting may only reside in reports. Detective control tests find weaknesses in security tools, and auditing tools find vulnerabilities in configurations – and these results may not align with scan results. Unifying multiple sources in a central location, and normalizing the results for accurate tracking, is a big challenge.
Third, even if you have all vulnerabilities in a single pane, remediation processes vary and take time. Application vulnerabilities must go through the software development life cycle (SDLC), while network vulnerabilities have their own workflow. Identifying the right asset owner can be a challenge because CMDB information is often inaccurate. Configuration changes usually need to go through a change control board process, and patches need to be widely deployed across a large number of devices. There is little margin for error: fixing 99% of your vulnerabilities is great, but all it takes is that last 1% to cause a major breach.
On average, for every vulnerability patched, organizations lose 12 days coordinating across multiple teams. Contributing factors include:
- Use of emails and spreadsheets to manage patching processes (57%)
- No common view of systems and applications to be patched (73%)
- No easy way to track if patching occurs in a timely manner (62%)
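The two problems described above, scanner results living in separate formats and no easy way to tell whether patching is happening on time, are the kind of thing a small normalization layer can address. The following is an added example, not code from this article or from any product it refers to: it takes two constructed scanner exports (an application scanner keyed by component and CVE, a network scanner keyed by host with a numeric risk score), maps both onto one record shape, collapses duplicate reports of the same asset/CVE pair while keeping the earliest sighting, and flags findings that have been open longer than a per-severity remediation target. The field names, the risk-to-severity mapping, the SLA day counts and the CVE identifiers are all assumptions made for the example.

```python
"""Normalize findings from two constructed scanner exports into one record
shape, de-duplicate them, and flag the ones past their remediation SLA."""
from dataclasses import dataclass
from datetime import date

# Constructed sample exports. Field names are assumptions, and the CVE ids are
# placeholders (CVE-0000-000x), not real identifiers.
APP_SCAN = [
    {"component": "inventory-api", "cve": "CVE-0000-0001", "sev": "High",
     "found": "2024-01-03"},
    {"component": "inventory-api", "cve": "CVE-0000-0002", "sev": "Medium",
     "found": "2024-01-10"},
]
NET_SCAN = [
    {"host": "10.0.0.5", "cve_ids": "CVE-0000-0001,CVE-0000-0003",
     "risk": 4, "first_seen": "2024-01-02"},
    # Same host and CVE reported again on a later rescan: a duplicate.
    {"host": "10.0.0.5", "cve_ids": "CVE-0000-0001", "risk": 4,
     "first_seen": "2024-01-05"},
]

# Assumed remediation targets in days, by normalized severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    severity: str      # normalized to critical / high / medium / low
    source: str        # which scanner family reported it
    first_seen: date


def _risk_to_severity(risk: int) -> str:
    """Map the network scanner's assumed 1-5 risk score to the shared scale."""
    return {5: "critical", 4: "high", 3: "medium"}.get(risk, "low")


def normalize(app_rows, net_rows):
    """Convert both export shapes into Finding records, one per asset/CVE."""
    out = []
    for r in app_rows:
        out.append(Finding(r["component"], r["cve"], r["sev"].lower(), "app",
                           date.fromisoformat(r["found"])))
    for r in net_rows:
        # The network export packs several CVEs into one comma-separated field.
        for cve in r["cve_ids"].split(","):
            out.append(Finding(r["host"], cve.strip(),
                               _risk_to_severity(r["risk"]), "net",
                               date.fromisoformat(r["first_seen"])))
    return out


def dedupe(findings):
    """Collapse duplicates on (asset, cve), keeping the earliest first_seen so
    the SLA clock starts when the issue was first reported, not last rescanned."""
    best = {}
    for f in findings:
        key = (f.asset, f.cve)
        if key not in best or f.first_seen < best[key].first_seen:
            best[key] = f
    return sorted(best.values(), key=lambda f: (f.asset, f.cve))


def overdue(findings, today_iso):
    """Return (finding, days_open) pairs for items past the SLA for their severity."""
    today = date.fromisoformat(today_iso)
    late = []
    for f in findings:
        days_open = (today - f.first_seen).days
        if days_open > SLA_DAYS[f.severity]:
            late.append((f, days_open))
    return late


if __name__ == "__main__":
    unified = dedupe(normalize(APP_SCAN, NET_SCAN))
    for f, days in overdue(unified, "2024-03-01"):
        print(f"{f.asset} {f.cve} {f.severity} open {days}d (reported by {f.source})")
```

Keeping the earliest `first_seen` across duplicates is the design choice that matters: if the tracker resets the clock every time a scanner re-reports an issue, nothing ever looks overdue, which is exactly the "no easy way to track if patching occurs in a timely manner" problem.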
Fourth, many security organizations spend an inordinate amount of time focused on regulatory compliance. It’s critically important for your organization to build a strong, business-aligned security program that meets regulatory compliance standards. When a program is built to simply “check the box” of compliance, the results are inefficient, insecure, and not aligned with the business.
Finally, and most importantly, sheer human effort is not enough to overcome the vulnerability challenge because organizations don’t have enough talent or resources. A solid vulnerability management program requires talent focused on security, development, and operations – three skill sets that are in high demand. Cybersecurity is experiencing negative unemployment; IT operations is fully occupied maintaining uptime; and developers are immersed in the agile SDLC.
We see common challenges in organizations of all sizes and across many industries. In the coming articles in this series, we’ll share our experiences and provide suggestions on how you can solve these challenges!