When seven members of the Boston-based ‘hacker think tank’ L0pht appeared before Congress in 1998, they were tasked with persuading an unaware Senate to take the issue of cybersecurity vulnerabilities seriously.
A quarter of a century later, times have changed. The existence or seriousness of the vulnerability issue no longer requires justification. Ironically, the problem is now almost one of awareness being too great. With the CVE database about to hit 225,000 vulnerabilities, 75,000 of which were added over the last year alone, how do organisations address this without being overwhelmed? This was the debate held recently by a group of security leaders, who settled on a number of points.
Existing methods lag technical complexity
It isn’t merely a problem of volume but also one of complexity, it was agreed. With operations now utterly reliant on an ever-fragmenting set of potentially vulnerable technologies splayed across on-prem, cloud, remote, IT, OT and more, building a true picture of risk is difficult.
With legacy tools siloed, a security team’s visibility of these assets is patchy, limiting its view of dependencies and attack paths. Nowhere does the team have a rounded view of how each vulnerability affects the business it protects.
In response, security teams default to CVSS scores and ‘must-fix lists’.
This causes prioritisation problems by reinforcing a generic view of risk. For example, externally facing, actively exploited CVEs present as a priority, while lower-scoring vulnerabilities do not, even when they are connected to business-critical assets. Those present admitted that this leaves exposure in the form of a ‘long tail’ of unpatched flaws.
Beyond skewing technical priorities, CVSS scores also skew human incentives. Metrics often reward the fixing of high-priority vulnerabilities and give no credit for patching lower-rated CVEs, further embedding the problem in an already flawed system.
Human systems are also fragmented
The complexity issue is further compounded by organisational silos, which leave different business areas pursuing different objectives.
Varying compliance burdens or operational priorities, for example, can drive a wedge between people and processes, with an impact on remediation, reporting and resource allocation. One of the attendees outlined that a decision to patch servers had to pass through both the infrastructure and appsec teams, each of which had a differing agenda.
It was noted that such entanglements create friction in the remediation process and allow ‘risk creep’ to take hold. As one attendee put it, ‘this is how medium-severity vulnerabilities become severe.’