2016 outlook: vulnerability risk management and remediation
TRANSCRIPT
2016 Outlook: Vulnerability Risk Management and Remediation Trends
REPORT
2 2016 OUTLOOK: VULNERABILITY RISK MANAGEMENT AND REMEDIATION TRENDS
Table of Contents
Executive Summary ........................................................................... 3
Current Trends in Vulnerability Risk Management ......................... 4
Putting Management in Vulnerability Risk Management ............... 6
2016 Outlook: Priorities in Vulnerability Risk Management ........... 7
3 2016 OUTLOOK: VULNERABILITY RISK MANAGEMENT AND REMEDIATION TRENDS
Executive Summary
The practice of vulnerability risk management is not new. Every information security control framework requires organizations to perform some level of regular vulnerability assessment. Most organizations – from SMEs to enterprises – are doing just that. Today, nearly 70% of organizations scan some portion of their environment for vulnerabilities at least weekly.
Vulnerability risk management has become a numbers game, with more than 50% of organizations citing data overload as their biggest challenge to effective vulnerability prioritization. The CVSS scoring system, originally launched in 2004, was developed as a method to quantify the severity of security vulnerabilities and give organizations a basis for determining risk across their environment. More than a decade later, data breaches continue to be rampant and organizations still struggle to effectively prioritize vulnerabilities and make the move to remediation faster.
A recent investigation into the 2013 Target incident, where tens of millions of payment cards were stolen and breach damages were expected to reach $148 million1, demonstrates the essence of everything that is wrong with current vulnerability risk management practices. The Verizon report2 noted that Target “had a comprehensive vulnerability scanning program in place,” however, lacked robust procedures to remediate identified weaknesses in a timely manner. This finding comes as no surprise when 82% of organizations indicate their current remediation process is broken.
This report, based on responses from nearly 200 IT and security practitioners surveyed, explores the current state of vulnerability risk management, the challenges that directly impact the remediation process, and the outlook for improvement in the coming year. In addition, compliance drivers and executive awareness of information security threats are considered to demonstrate their influence on effective vulnerability risk management.
60% of respondents stated company executives are only “somewhat” to “not at all” informed about the risk posed to their business from today’s security threats.
?
1 Time Magazine, “Target Expects $148 Million Loss From Data Breach,” August 2014 2 Krebs On Security, “Inside Target Corp., Days after 2013 Breach,” September 2015
4 2016 OUTLOOK: VULNERABILITY RISK MANAGEMENT AND REMEDIATION TRENDS
Current Trends in Vulnerability Risk Management
Security vulnerabilities are multiplying at alarming rates. There is a new security vulnerability identified approximately every 90 minutes, and an average of seven vulnerabilities per asset across the IT environment3. Vulnerability risk management has become a numbers game, only further exacerbated by the expansion into cloud and mobile technologies. Today, organizations are very actively detecting threats across their environment. According to respondents, nearly 70% are scanning their environment on a daily or weekly basis, and 41% are scanning at least three-quarters of their IT assets for vulnerabilities.
Vulnerability scanners provide the visibility into the potential risk land mines across the network, applications and endpoints. But the question of what to do next has created an overload of data tracked in spreadsheets, inefficient business processes, and communication breakdown between internal teams in charge of remediation.
Despite active detection, the internal teams tasked with remediation and risk management are still faced with sifting through an avalanche of data (see Figure 1). In fact, more than half (51%) of organizations surveyed cited data overload as their biggest challenge to prioritizing data generated from vulnerability scanning, followed by lack of resources (46%) and too many false positives (34%).
0
10
20
30
40
50
60
Not all vulnerabilities are created equal. While the Common Vulnerability Scoring System, or CVSS score, provides a basis for organizations to begin the process of prioritizing threats, it is by no means the best measurement of risk on its own. Factors such as known exploits, active malware attacks, available patches, and the criticality of an asset also need to be considered.
What is the biggest challenge you face when it comes to prioritizing data gener-ated from vulnerability scanning?
51%Data overload
Too much information makes it difficult to prioritize
51%46%
34%31%
21%16%
Lack of resources too much manual time spent removing bad data/enriching the data
Bad data too many false positives
Lack of budget
Lack of context little or no insight to enrich the data beyond the CVSS score
Lack of relevancy little or no insight on how the data relates to my environment
010THREA
T0101010
101010
10101010
THREAT10
1010101
01010101
01010THR
EAT1010
10101010
10101010
1010101
01010101
0101010T
HREAT10
10101THR
EAT10101
0101010
01010101
01010101
0101010
101THREA
T0101010
1010101
01010101
01010101
0101010
10101010
10THREAT
1010101
01010101
01010101
0101010
101THREA
T0101010
1010101
010THREA
T0101010
101010
10101010
THREAT10
1010101
01010101
01010THR
EAT1010
10101010
10101010
1010101
01010101
0101010T
HREAT10
10101THR
EAT10101
0101010
01010101
01010101
0101010
101THREA
T0101010
1010101
01010101
01010101
0101010
10101010
10THREAT
1010101
01010101
01010101
0101010
101THREA
T0101010
1010101
3 NopSec, “2015 State of Vulnerability Risk Management,” June 2015
5 2016 OUTLOOK: VULNERABILITY RISK MANAGEMENT AND REMEDIATION TRENDS
Organizations do, however, recognize the value of this additional context to prioritizing security vulnerabilities. Among those surveyed, 85% cited the use of open source or commercial threat intelligence feeds, or a combination of both, within their current vulnerability management programs. Yet, how it is being used to score vulnerability risk is questionable. When asked how security vulnerabilities are prioritized today, 45% stated they are still using basic risk forecasting using the CVSS score and/or asset classification, or that correlation of threat intelligence and CVSS score was a manual process (see Figure 2).
The approach to information security overall is not keeping up with the pace of cybercriminals, and still remains very much a task driven by compliance compared to a core function for risk reduction. Two out of three (64%) respondents stated that compliance is still a key driver for how they approach information security programs such as vulnerability risk management. The existing view from the boardroom doesn’t show much progress being made on this front, either. In fact, more than 60% of those surveyed stated company executives are only “somewhat” to “not at all” informed about the risk posed to their business from current day security threats.
Which statement best describes how your organization prioritizes vulnerabilities today?
10%
12%
21%
24%
31%
We prioritize security vulnerabilities using the CVSS score only.
We prioritize security vulnerabilities using the CVSS score and asset classification.
We prioritize security vulnerabilities using the CVSS score and asset classification as well as open source and commercial threat intelligence to prioritize security vulnerabilities. The correlation is done manually.
31%We use commercial
tools to automate the prioritization of security
vulnerabilities.
I do not know how security vulnerabilities are prioritized within my organization.
6 2016 OUTLOOK: VULNERABILITY RISK MANAGEMENT AND REMEDIATION TRENDS
Putting Management in Vulnerability Risk Management
While lack of effective prioritization methods is certainly contributing to the lag time between detection and remediation of critical threats, the remediation process itself is riddled with gaps. On average, it takes 103 days for organizations to remediate a security vulnerability4. Even more, hackers are often staying inside the network for more than 200 days before they are detected5. This leaves the window of opportunity wide open for attackers and offers clear evidence that the remediation process is broken.
Respondents cited a very similar sentiment, with 82% stating their existing remediation process is broken, and 37% acknowledging “major improvement” is needed. There are many factors that are negatively impacting the current state of remediation, most notable being the lack of resources to get the work done (see Figure 3). Seventy-eight percent of those surveyed cited this as having the most impact, followed by competing priorities with other operational demands (76%) and too many false positives (70%).
While technologies exist that can help improve the process through workflow automation and unified reporting, no program can be effectively managed if it can’t be measured. This is especially true for teams involved in remediation where time is of the essence when it comes to fixing security vulnerabilities. For example, looking at hard metrics such as vulnerability aging can help internal teams identify the gaps and address them to improve the process. Yet, only 40% of the organizations surveyed stated they have metrics in place to measure the success of their vulnerability management program.
Please rank how much each of the following challenges impacts the remediation process within your organization (percentages reflect organizations who indicated a moderate to major impact).
78% Lack of resources to get the work done
Competing priorities with other operational demands (i.e, taking a system offline vs. generating revenue)
False positives and/or validity of vulnerability findings
Too much time spent on manual assessment of vulnerabilities leaves little time for remediation
Lack of understanding of the risks posed by security vulnerabilities
Lack of a unified view to report on current status of tasks/tickets
Lack of communication and/or documentation between teams related to the remediation process
Lack of defined roles and responsibilities among teams (i.e., who owns this asset group)
Lack of accountability among teams involved in the process
01020304050607080
78%
76%
70%
67%
62%
62%
61%
60%
60%
4 NopSec, “2015 State of Vulnerability Risk Management,” June 2015 5 FireEye, “M-Trends Report: A View from the Front Lines,” February 2015
7 2016 OUTLOOK: VULNERABILITY RISK MANAGEMENT AND REMEDIATION TRENDS
2016 Outlook: Priorities in Vulnerability Risk Management
So much attention has been paid to anti-malware technology and incident response. As a result, many organizations have lost sight of the root cause to most data breaches – an exploited vulnerability. In examining many security incidents classified as an “advanced” attack, it is often nothing more than repackaged malware exploiting the same vulnerability over and over again. While an organization would never sit idle knowing an attacker is roaming their network, the same response does not hold true when it comes to vulnerability risk management. Breach after breach has shown through subsequent investigation that the headlines – and resulting costs and brand damage – could have been avoided by patching a single server or fixing a simple misconfiguration.
Organizations know improving prioritization and remediation is critical to drastically reducing the risk of a data breach, and were cited as top priorities in the coming year. Specifically, half of organizations surveyed plan to implement tools to improve the prioritization of vulnerabilities and threats, and 40% intend to work on improving communication between internal teams tasked with remediation (see Figure 4).
0
10
20
30
40
50
In the next 12 – 18 months, what are the top priorities for improving your vulnerability risk management program?
50%Implement tools to
improve prioritization of vulnerabilities
and threats
More frequent scanning of network/applications
Improve communication between remediation teams
Implement goals and success metrics to reduce remediation time
Integration with asset and/or configuration management systems
Integration with SIEM/incident response systems
Integration with operational ticketing systems
42%
50%
40%
26%31%
25%22%
For additional information or to schedule a demo, visit www.nopsec.com or email [email protected].
A recent report6 of IT professionals showed that 59% say their companies don’t invest enough in security. Despite increasing attacks and the recognized need for improvement in the coming year, it is unlikely security and IT teams will see increased budgets either. In fact, most forecasts have IT security spending as flat in 2016, which will be even more taxing on teams already faced with a lack of resources. The need for tools that enable automation of vulnerability risk management and other security processes to free up valuable resources will increase dramatically in the coming years as hackers continue to show no sign of slowing down.
Give Your Vulnerability Risk Management Program a Boost
Check out these fast facts on NopSec’s cloud-based vulnerability risk management platform, Unified VRM.
• NopSec Unified VRM removes more than 40% of the results on average from raw vulnerability scan data in the way of false positives, duplicates, and other bad data.
• Social media activity related to an attack or vulnerability is directly correlated with its level of risk. Vulnerabilities scored as “Urgent” by NopSec – the highest NopSec risk rating – are mentioned more than 250 times on average on Twitter.
• Prioritized vulnerabilities with a NopSec score of “Urgent” have a 29% probability of being found in malware compared to just a 1% probability for those rated as “High” by the CVSS ranking system.
• Workflow automation capabilities within NopSec Unified VRM helps organizations fix critical security vulnerabilities more than three times faster within the first 6 - 9 months of deployment.
6 Spiceworks, “Voice of IT Report,” October 2015