Transitioning from vulnerability management to vulnerability remediation

Like many people, I’m glad 2020 is almost over. I am, however, excited about 2021. Here are three trends I believe will impact how well (or not) companies will be able to remediate vulnerabilities.

2021 will be the year of cloud vulnerability

If you think you’ve heard this one before, to quote Bachman–Turner Overdrive, “you ain’t heard nothing yet.” As companies move full speed ahead on cloud migration, we’ll start to understand how little we really know about securing complex cloud deployments. From network configurations to user authorization, each cloud security control has its own best practice (or set of them).

And just as in “olden times,” mistakes, errors, and technology flaws can introduce vulnerabilities into the environment. Using unpatched AMIs and operating systems, leaving ports open, or using insecure encryption are just some examples of what can go wrong.

And cloud security is not just a technology problem. DevOps teams are under a tremendous amount of pressure to move fast, using new technologies built for speed and agility. While the smart play would be for DevOps teams to slow down, that’s unlikely to happen in 2021. So, it’s in the security team’s best interest to find new and better ways to make life easier for their partners in DevOps.

Speaking of which…

Enterprises will take baby steps towards left-shifting their vulnerability remediation programs

Shifting security left makes for a good sound bite, but in reality, it’s a painful and confusing process. If something breaks, who fixes it? Security? Dev? Ops? Site reliability engineering? How do you determine SLAs? It’s hard enough as it is to corral the folks needed to risk-assess the situation, let alone figure out how to drive remediation. From what we’re seeing, because companies are still “digitally transforming,” they have a naïve or limited understanding of their cloud security posture. And why wouldn’t they? It’s a new frontier for them.

Case in point: container security. As companies double down on containers, they’re reworking their CI/CD pipeline to include security controls. But it’s been a struggle, mainly due to how containers are supposed to function as opposed to how they actually do behave in large-scale production environments. Plus, security products are still too immature for sophisticated enterprise-wide workflows – we’re all learning as we go. So, as we move into 2021, the good news is we’ll learn a lot about left shifting vulnerability remediation programs. The bad news is the important lessons are sure to be painful.

Competition and consolidation between traditional vulnerability management vendors and endpoint security vendors will heat up

The theme here is market consolidation, across multiple fronts. Ultimately this will be a win for enterprises, but they may have to stake a claim before the dust settles.

Across one front, you have startups that have brought some very cool cloud scanning approaches to market. These innovators will either be acquired, or their approaches will be copied by traditional vulnerability management vendors. Across another front are the endpoint security vendors, who have already started to move into the vulnerability management space, and for good reason. No matter how clever and effective vulnerability scanners for cloud assets are, they’ll have minimal impact unless companies are able to automate mitigation.

Without that capability, they’ll have the same problem they have now – long lists of vulnerabilities they can’t fix fast enough to shrink their security debt. Patching will always suck, which is why we need to put more effort into utilizing workarounds, compensating controls and configuration changes as alternatives to, or backups for patching. So, in 2021, security teams will get better at using their existing security tools to quash vulnerability risk without having to be subject to the all-powerful (and unpredictable) patch.

But they’re still going to have to figure out the best way to remediate vulnerabilities in the cloud. Should they go with traditional vulnerability management vendors or use the scanning features built into their endpoint security products? Will it matter which option they choose? Impossible to say at this point, but it will be interesting to see how this trend shakes out!

If you think these predictions sound like they could have been written last year or the year before, you’re not wrong. However, vulnerability remediation – not just scanning and prioritization, but driving the remediation process until the vulnerability is fixed – is a complex endeavor with many moving parts. Progress is incremental and the definition of success can vary widely. Plus, when it comes to complex cloud and cloud-native environments, what I’m learning as we help companies design, test and fix their remediation processes and workflows, is that we still don’t know what we don’t know.

I’m happy to be proven wrong – and we’ll find out soon enough. But until then, happy holidays, and wishing you a safe and healthy new year.