In this interview with Help Net Security, Stephen Carter, CEO at Nucleus Security, explains the importance of having a vulnerability management strategy within an organization, what the biggest challenges are, and what should be done to overcome them.
Vulnerability management has become an essential part of every organization’s strategy. Would you say they are overall doing a good job?
The number of breaches, and the economic impact of those breaches, continues to rise year over year, suggesting that organizations are not doing an adequate job at vulnerability management. IT ecosystems have become increasingly complex, attackers have become increasingly sophisticated, and vulnerability management teams are struggling more and more to analyze and respond to vulnerabilities before they are exploited by attackers. The biggest challenges in vulnerability management today revolve around a lack of qualified people, poorly engineered processes, and inadequate technologies.
What are the prerequisites of a good vulnerability management strategy?
There is an extreme shortage of cybersecurity talent, and it takes a team of uniquely qualified experts to develop a vulnerability management strategy for a modern enterprise. Typically, an enterprise security engineering or a dedicated vulnerability management team is responsible for developing and maintaining the overall strategy.
The scope of a good vulnerability management strategy will be broad, including computer and network devices, custom-developed applications, operational technology (OT), cloud infrastructure, and more. As such, many stakeholders will need to be involved, including the IT/patching, network, cloud operations and application security teams. Having buy-in and input from each of these teams, and from executive management, is key to building a good vulnerability management strategy.
With the right people involved, vulnerability management policy, service level agreements (SLAs), and procedures can be developed to align with the organization’s risk tolerance. Documented policy should be comprehensive, unambiguous, and consistent to ensure that all stakeholders and teams are aligned on the organization’s expectations for vulnerability management outcomes.
Vulnerability management technology has evolved significantly in recent years, and state-of-the-art vulnerability management solutions are required to implement an effective and efficient vulnerability management plan in the modern enterprise. For starters, vulnerability identification requires a “best of breed” approach to vulnerability scanning tool selection. Vulnerability scanning vendors specialize in vulnerability identification for different layers of the technology stack, and it isn’t uncommon to have a dozen or more scanning tools in use through the organization to identify vulnerabilities in computing devices, networks, custom code, third party libraries, cloud configurations, APIs, database technologies, SaaS products, and more.
Given the vast number of vulnerability scanning and identification tools typically in use throughout the enterprise, a vulnerability aggregation capability and centralized vulnerability database is key to implementing a consistent vulnerability response methodology across the organization. Furthermore, an up-to-date IT asset inventory should be leveraged alongside the central vulnerability database to ensure that vulnerability identification tools have assessed all assets in the enterprise. A robust attack surface management capability should also be in use to continuously monitor for public-facing assets that are under constant attack and are commonly the entry point for a breach.
What can be done to successfully bridge the gap between SOC and IT teams?
Enterprise SOC teams both consume valuable vulnerability intelligence from external sources and create valuable vulnerability intelligence through network security monitoring. This intelligence is a gold mine for IT and security teams; however, modern tools and technology must be implemented to automate the sharing and contextualization of intelligence for it to be useful to IT security teams.
As an example, enterprise SOC teams have a deep understanding of which threat actors and groups are targeting their organization, and their tactics, techniques and procedures. They understand which malware is being used by their adversaries, and what the associated indicators of compromise (IOCs) are. When this information is shared with IT security teams, and correlated with the organization’s vulnerabilities discovered by vulnerability scanning tools, remediation activities can be better informed and prioritized.
What is your opinion on AI in cybersecurity?
To the credit of some great companies, we have seen several examples of AI applied to cybersecurity solutions that have raised the bar tremendously. For example, endpoint security is an excellent case study, and nearly every vendor in that space has developed and trained machine-learning systems to identify anomalous system and user behavior in real time to block both known and unknown malware from executing. However, overall, I believe AI in cybersecurity is over-hyped; it has limitations, and not every cybersecurity technology benefits equally from applied AI.
There are solutions that modern AI (in its current form) is not a good fit for, doesn’t add a lot of value to, and in some cases does more harm than good. We live in a world of AI-obsessed marketing teams – where a product not “powered by AI” runs the risk of appearing “traditional” or “legacy”. It’s hard to find a cybersecurity startup today offering a product that doesn’t claim to have sophisticated AI and machine learning algorithms. It is a running joke among engineers that “AI” in a product just means regular code in the vast majority of cases.
The value of AI for vulnerability and risk management will grow over time as AI technology improves. The biggest pain-points in vulnerability management today relate to data integration, workflow automation, and visibility of data; none of which are improved by ML or AI. This is one example, but the issues of data integration are one of the top problems in cybersecurity facing large organizations. And as organizations adopt advanced functionality and tools before they have mastered basic fundamentals, we are likely to continue seeing massive breaches make headlines.
One important area in the vulnerability management space which does benefit from AI and ML is vulnerability and risk prioritization, the practice of rating vulnerabilities to figure out which ones to fix first amongst millions in an enterprise. The Exploit Prediction Scoring System (EPSS) is a great example of this, and FIRST has done an excellent job of training a system to predict which vulnerabilities will be exploited in the future, based on patterns of exploitation from the past. While the EPSS scores alone aren’t enough to solve the problem of prioritizing vulnerabilities, they are particularly useful when combined with additional business/asset context and threat intelligence to start increasing the accuracy of decision-making in the prioritization process.
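The three ideas above, a central vulnerability database fed by several scanners and checked against the asset inventory, SOC threat intelligence correlated with scan findings, and EPSS-style exploitation likelihood combined with asset context for prioritization, fit together in a small pipeline. The following is an added example written for this page, not code from the interviewee or from Nucleus Security: every scanner record, inventory entry, EPSS-style probability, CVE identifier (placeholders of the form CVE-0000-000N) and scoring weight in it is constructed for illustration, and the weights are arbitrary choices, not a published model.

```python
"""Toy intelligence-led vulnerability prioritisation pipeline (added example).

Steps: normalise findings from scanners with different schemas into one
central record set, merge duplicates, report inventory assets no scanner
covered, then rank findings by exploitation likelihood (EPSS-style score),
SOC threat intel and asset context. All inputs below are constructed."""
from dataclasses import dataclass

# Asset inventory: the authoritative list of what should have been scanned.
ASSET_INVENTORY = {
    "web-01":   {"internet_facing": True,  "criticality": "high"},
    "db-01":    {"internet_facing": False, "criticality": "high"},
    "dev-07":   {"internet_facing": False, "criticality": "low"},
    "ot-plc-3": {"internet_facing": False, "criticality": "high"},
}

# Each scanner reports which assets it assessed and uses its own field names.
SCANS = [
    {"source": "network-scanner", "scanned": ["web-01", "db-01", "dev-07"],
     "findings": [
         {"host": "web-01", "cve": "CVE-0000-0001", "cvss": 9.8},
         {"host": "db-01",  "cve": "CVE-0000-0002", "cvss": 7.5},
         {"host": "web-01", "cve": "CVE-0000-0001", "cvss": 9.8},  # duplicate row
     ]},
    {"source": "sca-scanner", "scanned": ["web-01", "dev-07"],
     "findings": [
         {"asset_id": "web-01", "vuln_id": "CVE-0000-0003", "severity": 5.3},
         {"asset_id": "dev-07", "vuln_id": "CVE-0000-0001", "severity": 9.8},
     ]},
]
# Field mapping per scanner schema: (asset field, vuln id field, score field).
SCHEMAS = {
    "network-scanner": ("host", "cve", "cvss"),
    "sca-scanner": ("asset_id", "vuln_id", "severity"),
}
# Constructed EPSS-style exploitation probabilities (not real EPSS output).
EPSS = {"CVE-0000-0001": 0.92, "CVE-0000-0002": 0.04, "CVE-0000-0003": 0.01}
# SOC threat intel: CVEs seen in use by actors targeting this organisation.
TARGETED_CVES = {"CVE-0000-0002"}


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cvss: float
    sources: tuple  # scanners that reported this (asset, CVE) pair


def aggregate(scans):
    """Central vulnerability DB: one record per (asset, CVE), duplicates merged."""
    merged = {}
    for scan in scans:
        asset_f, cve_f, score_f = SCHEMAS[scan["source"]]
        for row in scan["findings"]:
            key = (row[asset_f], row[cve_f])
            prev = merged.get(key)
            cvss = max(row[score_f], prev.cvss) if prev else row[score_f]
            srcs = set(prev.sources) | {scan["source"]} if prev else {scan["source"]}
            merged[key] = Finding(key[0], key[1], cvss, tuple(sorted(srcs)))
    return list(merged.values())


def coverage_gaps(scans, inventory):
    """Inventory assets that no scanner assessed at all: identification blind spots."""
    covered = {a for scan in scans for a in scan["scanned"]}
    return sorted(a for a in inventory if a not in covered)


def priority_score(finding, inventory, epss, targeted):
    """Combine exploitation likelihood, threat intel and asset context (weights arbitrary)."""
    asset = inventory[finding.asset]
    score = round(epss.get(finding.cve, 0.0) * 100)  # likelihood of exploitation, 0..100
    if finding.cve in targeted:
        score += 40  # SOC observes adversaries using this CVE against the organisation
    if asset["internet_facing"]:
        score += 30  # exposed attack surface, the common breach entry point
    if asset["criticality"] == "high":
        score += 20  # business impact if compromised
    return score


def sla_days(score):
    """Map a priority score onto a remediation SLA (illustrative thresholds)."""
    return 7 if score >= 100 else 30 if score >= 50 else 90


def prioritise(scans, inventory, epss, targeted):
    """Return (asset, cve, score, sla_days) tuples, highest priority first."""
    rows = []
    for f in aggregate(scans):
        s = priority_score(f, inventory, epss, targeted)
        rows.append((f.asset, f.cve, s, sla_days(s)))
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))


if __name__ == "__main__":
    print("unscanned assets:", coverage_gaps(SCANS, ASSET_INVENTORY))
    for asset, cve, score, days in prioritise(SCANS, ASSET_INVENTORY, EPSS, TARGETED_CVES):
        print(f"{asset:8} {cve} score={score:3} fix within {days} days")
```

Note how the ranking differs from a CVSS-only view: the two CVSS 9.8 findings are separated by asset exposure and criticality, and the CVSS 7.5 finding on db-01 moves above the internet-facing CVSS 5.3 one because SOC intelligence says it is being used against the organisation, while ot-plc-3 surfaces as an inventory asset no scanner covered.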
How do you see vulnerability management evolving in the future?
As technology continues to evolve and enterprises become more complex, vulnerability scanning vendors will focus and specialize more on identifying vulnerabilities in specific technologies and specific layers of technology stacks. To achieve the highest levels of security, modern enterprises will pursue best-of-breed vulnerability scanning solutions, rather than the “one stop shop” approach to vulnerability scanning vendors and tools that was sufficient in the past.
The number of vulnerability scanning tools needed in a modern enterprise will continue to grow, and vulnerability aggregation and unification platforms will become table stakes for enterprise vulnerability management programs. Threat and vulnerability intelligence, both vendor-provided and organization-created, will be incorporated into vulnerability management policy, SLAs and decision making, creating intelligence-led vulnerability management programs that will be able to operate more efficiently and effectively than the best vulnerability management programs of today.