Most often I have found that the issue of addressing the problem is more pressing than simply identifying the threat. We have a massive, multibillion-dollar industry dedicated solely to “seeing” threats in our systems, but why aren’t we fixing those problems at the scale we need to be effective?
First, let’s break down what we must do, not what we think we “should” do. We must deal with vulnerabilities as they appear and we must address them just as an adversary or hacker would. After all, that’s who is targeting us.
To be clear, I’m talking about vulnerabilities and remediation. My simple definition for vulnerability remediation is the process of finding the security weaknesses in your digital infrastructure, then applying remedies to the most critical issues as quickly as possible to reduce cyber risk. I know, however, that it is often not that simple. In fact, it is far from straightforward for most enterprises.
Remediation to reduce cyber risk isn’t possible without the help of IT and engineering teams, which requires more coordination, and often that means more time. Time is the enemy of being secure: any time that a vulnerability is in play, an adversary has a potential asset to own and a way to infiltrate your systems.
The Struggle is Real, Very Real.
Two decades ago, when the first vulnerability scanners were introduced to cyber security teams, vulnerabilities were not nearly as extensive or as fast to market as they are today. Back then, each team could usually keep up with its own areas of responsibility to address vulnerabilities and fix the issues that were found. However, threats to security have grown exponentially with the growth of technology. Add in the new growth and complexity of the cloud and changes to enterprise infrastructure, and the equation gets even more complex. Public cloud, open-source software, and third-party solutions also add to the threats and increase the potential exposure. Today, complex, multi-cloud, hybrid architectures and differing technology stacks that are cobbled together from multiple solutions and vendors also increase the cyber risk and add another layer of complexity to the problem. Finally, add the massive shift to agile development and rapid code releases for software that is often deployed without adequate testing or security checks, and we have a perfect recipe for failure.
Managing the problem versus fixing the problem
When I talk to customers, they often talk about working to be able to conduct vulnerability remediation, not vulnerability management. Okay, but if they understand they must fix the problem with remediation and not just “manage” the issue, then why is the fix too often never realized and the risk not mitigated?
Well, it’s because vulnerability management is really about this:
Knowing the latest security threats.
Discovery and visibility.
Do you notice that there is no “remediation” in that mix, anywhere? It’s all about knowing and seeing the problem areas. Which is fine, but you must fix the issue, and you must do so easily and at scale to make a difference. If you don’t, you are just managing the problem, not eliminating it. It is much like stemming an arterial bleed: that will slow the blood loss, but the patient will eventually die. This is not a good way of dealing with the reality of the threat here.
Effective remediation focuses on preempting threats before they can do any harm. Ideally, this includes an automated capability that can identify a threat, most often a misconfiguration or a missing patch, and then fix that problem in near real time. Let me break down why the benefits of this approach are so worthwhile.
Automation for the Win
Automation saves time, improves quality of remediation, and drives consistency, while eliminating excessive costs and minimizing the need for additional human capital. You should not need an entire department for remediation if you are using a solution that truly enables automation. In my experience, using automation is the only practical way to implement remediation due to the size and complexity of the networks and components involved. In other words, you can’t do this right with a spreadsheet and a vulnerability scanner. A few specific benefits from automation are:
Automation reduces manual errors: Avoid the errors associated with manual, repetitive, mundane tasks, which frees up resources and reduces costs.
Vulnerability prioritization: Automating the prioritization of threats to your systems will help focus on remediation of the most impactful threats.
Consistency: In infrastructures with multiple instances of the same component, configuration automation guarantees the same remediation method is applied to each.
Continuous fixes: Automation makes it possible to remediate continuously.
Enterprise scalability: Automation allows for efficient remediation at scale.
Are you working “backwards”?
If you and your organization aren’t doing all of this at the right scale and in the right manner, you aren’t harnessing the power that modern technology and enterprises really offer. To be frank, you are working against yourself. The only way to stay ahead of the threats and to address the issues that a hacker would use to compromise your enterprise is to fix issues as they are identified and do so in an automated fashion. Doing anything less means you are literally working backwards.