The recently issued 2024 Data Breach Investigations Report (DBIR) from Verizon Business revealed a 180% increase from last year in attacks stemming from the exploitation of a vulnerability. More concerning, the report also found that, on average, it takes organizations 55 days to remediate 50% of the critical vulnerabilities in the Cybersecurity and Infrastructure Agency's Known Exploited Vulnerabilities catalog once patches are available.
Amid a threat landscape filled with zero-day exploits and cybercriminals working at unprecedented speeds, delays in patching and gaps in vulnerability management programs can introduce significant risk.
The foundation for effective vulnerability management
Vulnerability management has been a linchpin for strong cybersecurity and cyber resilience programs for years. Yet, many organizations still struggle with getting vulnerability management right, leaving the door wide open for malicious actors and contributing to alarming statistics like those in this year’s DBIR.
As one of the most impactful cybersecurity basics, we can’t overstate the importance of shoring up vulnerability management programs. Companies need to invest in a triad of elements that I like to refer to as the three-legged stool security pros must balance on: people, processes and technology. We need to balance all three according to the needs of the business and the biggest risk it faces. Here’s a closer look at each:
People: Invest in training programs
Companies often overlook investment in training programs for the security teams. They can purchase world-class products, but if they aren’t deployed, used or managed properly, they won’t maximize potential and gain an acceptable return-on-investment. Beyond that, misconfigurations and overlooked features can even leave organizations vulnerable to emerging threats.
Training programs empower security teams with the necessary skills to effectively use cybersecurity tools to quickly detect and respond to new threats. Start wit cyber threat intelligence (CTI) analysis: understanding CTI sources based on real-world threat actor behavior, analyzing and interpreting threat feeds, and implementing CTI in vulnerability management.
Second, have a program that teaches security automation and orchestration. Focus on Implementing automation in vulnerability management, orchestrating security processes and integrating tools for more efficient, seamless workflows.
Finally, companies need a risk assessment and management course that teachers team members how to conduct risk assessments, use risk frameworks such as NIST and ISO) and prioritize vulnerabilities based on risk to the business
It’s also important to remember that training isn’t a one-time exercise. The most effective training programs are short, engaging and conducted frequently to help participants pay attention and remember what they learn.
Processes: Implement robust business processes
Start by defining clear workflows for vulnerability management—from detection to remediation. Teams need to conduct a comprehensive inventory to identify critical assets and network architecture as well as perform a thorough risk assessment on these components to prioritize areas that, if compromised, will have the biggest impact on critical business functions
Companies should also develop well-defined processes for vulnerability detection, assessment and remediation, and policies that govern the program, define roles and responsibilities, establish reporting protocols and outline remediation steps. Finally, create detailed standard operating procedures that serve as a guide for executing tasks spelled out in the policies
Once processes and guidelines are in place, it’s important to conduct regular audits and establish a continuous improvement framework to ensure ongoing effectiveness against changing threats and business needs.
Technology: Rationalize vulnerability management tools
Tool overload across cybersecurity environments has become a common challenge faced by organizations, and we also see it in vulnerability management. Security teams continually invest in new vulnerability scanning tools and patch management solutions as new threats arise. But if there isn’t a continual monitoring or consolidation of the alert and report data generated by each independently operating tool, this siloed approach results in alert overload and delayed detection and response.
To help security teams navigate this difficult situation, organizations need to rationalize the existing tools in their security stack. Technology rationalization helps security teams gain comprehensive visibility across security environments to take a complete inventory of existing vulnerability management tools. It also helps them assess the efficacy of each tool in addressing specific cybersecurity needs—for example, a tool's capacity to effectively detect, assess and respond to threats. Rationalization also helps teams detect gaps in vulnerability management programs, so they know where to allocate future investments, as well as identify tool redundancies to streamline infrastructures, and find opportunities to integrate, so tools are working together rather than in isolation
With these building blocks in place, security teams benefit from a unified approach to vulnerability management that allows them to correlate and prioritize security incidents, leading to faster detection and response and a stronger overall security posture.
How to balance the triad
Vulnerability management and patching can get lost in a security market saturated with newer technologies, but they are tried-and-true basics for a reason. To stay effective, organizations must invest in people, processes and technology and find the right balance among the three for their unique business. Security teams that build integrated vulnerability management programs in this way will patch vulnerabilities faster to keep cyber adversaries out, and also build a resilient foundation capable of withstanding any type of cyber threat.
Shaun Kummer, vulnerability management and remediation practice leader, Optiv
