Steve Rivers, Technical Director International, ThreatQuotient, discusses why vulnerability management requires a wider approach
When speaking to security professionals about vulnerability management, I find that there is still a lot of confusion in the market. Most people immediately think I am referring to getting rid of the vulnerabilities in the hardware and software within their network, but vulnerability management encompasses a much broader scope.
Vulnerability management is not just vulnerability scanning, the technical task of scanning the network to get a full inventory of all software and hardware and precise versions and current vulnerabilities associated with each. Nor is it vulnerability assessment, a project with a defined start and end that includes vulnerability scanning and a report on vulnerabilities identified and recommendations for remediation. Vulnerability management is a holistic approach to vulnerabilities – an ongoing process to better manage your organisation’s vulnerabilities for the long run. This practice includes vulnerability assessment which, by definition, includes vulnerability scanning, but also other steps as described in the SANS white paper, Implementing a Vulnerability Management Process.
Just as the process of vulnerability management is broader than you might think, the definition of a vulnerability is as well. A vulnerability is the state of being exposed to the possibility of an attack. The technical vulnerabilities in your network are one component, but there is another important aspect that is often overlooked – the vulnerabilities specific to your company, industry and geography. You can’t only look internally at the state of your assets. You must also look externally at threat actors and the campaigns they are currently launching to get a more complete picture of your vulnerabilities and strengthen your security posture more effectively.
In The Art of War, Sun Tzu captured the value of this strategy well when he stated,
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
Prioritise patching based on the threat
As stated above, with respect to vulnerability management, most security organisations tend to focus on patching but because they don’t have the resources to patch everything quickly, they need to figure out what to patch first. To do this security teams typically take a thumbnail approach – they start with critical assets, the servers where their crown jewels are located, and work down to less critical assets. While a good starting point, their prioritisation decisions are based only on internal information. As Sun Tzu points out, knowing yourself but not the enemy will yield some victories but also defeats.
Having a platform that serves as a central repository allows you to aggregate internal threat and event data with external threat feeds and normalise that data so that it is in a usable format. By augmenting and enriching information from inside your environment with external threat intelligence about indicators, adversaries and their methods, you can map current attacks targeting your company, industry and geography to vulnerabilities in your assets. Intelligence about a campaign that presents an immediate and actual threat to your organisation leads to a more accurate assessment of priorities and may cause you to change your current patch plan to prioritise those systems that could be attacked at that moment. The result is intelligence-driven patch management that hardens your processes to thwart the attack.
Bridge the visibility gap
Unfortunately, the reality is that not every company has 100% visibility into their assets and vulnerabilities, so mapping external threat data to internal indicators to hone a patch plan sometimes has limited value. However, there is still tremendous value in gathering information from global threat feeds and other external intelligence sources to determine if your business is under a specific attack. The MITRE ATT&CK framework is one such source. It dives deep into adversaries and their methodologies so security analysts can use that information to their advantage.
Bringing MITRE ATT&CK data into your repository allows you to start from a higher vantage point with information on adversaries and associated tactics, techniques and procedures. You can take a proactive approach, beginning with your organisation’s risk profile, mapping those risks to specific adversaries and their tactics, drilling down to techniques those adversaries are using and then investigating if these techniques could be successful or if related data have been identified in the environment. For example, you may be concerned with APT28 and can quickly answer questions including: What techniques do they apply? Have I seen potential indicators of compromise or possible related system events in my organisation? Are my endpoint technologies detecting those techniques? With answers to questions like these you can discover real threats, determine specific actions to harden your network and processes, and mitigate risk to your business.
A holistic approach to vulnerability management, that includes knowing yourself and your enemy, allows you to go beyond patching. It provides awareness and intelligence to effectively and efficiently mitigate your organisation’s risk and position your team to address other high-value activities – like detecting, containing and remediating actual attacks, and even anticipating potential threats.