Vulnerability Management ≠ Vulnerability Discovery
Why have we conflated vulnerability discovery with vulnerability management? There are lots of tools that classify what's out there, but they don't help you take the next step.
Check out this post for the discussion that is the basis of our conversation on this week’s episode, co-hosted by me, David Spark, the producer of CISO Series, and Mike Johnson, CISO, Rivian. Joining us is Yaron Levi, CISO, Dolby Laboratories.
You can’t manage what you don’t know you have
Before you can discover or manage any vulnerabilities, you need an inventory of what you are securing. Without that inventory and classification, vulnerabilities will fall through the cracks. "Know what you own. Know who supports it. Document it. Audit it regularly for changes. Classify your data. There should be a good understanding of who is responsible for what type of patching. Add them all together, and you’ll have a pretty good program," said Luka Mar of TMX Group.
Once that is in place, Eoin Keary of Edgescan argued that vulnerability discovery becomes a very small part of management, saying, "Vulnerability discovery is the ‘easy part.’ Then you need to tackle prioritization, tracking, adhering to SLA, risk acceptance, measurement, alerting, asset onboarding, coverage, integration, and data flows of intel, not to mention accuracy and validation and exploitability verification."
Vulnerability management doesn’t have an endpoint
Many treat vulnerability management as something to accomplish rather than an ongoing process. Christopher L. of Vulnetix clarified that risk acceptance doesn’t end the vulnerability management process, saying, "Vulnerability management needs a verification stage, preferably continuous verification to detect future regression. Review is also key because the 'risk acceptance' / 'do nothing' is a valid business decision BUT is not a mitigation. It does not remediate. It is not the end of the vulnerability management process. You must always treat these as an ‘accept until’ or specifically have a review date on everything with a rule. A real plan needs to be made if it cannot be accepted/deferred at a review." An overemphasis on patching as a panacea has also left us without more sophisticated tools for a risk-informed management strategy. "For years, we've been preaching for a patch, patch, patch, hoping for a vulnerability-free utopia. We both know that will never be the case; hence, your point is to focus on the most relevant ones first. Not having a system that can tie in a vulnerability/exposure to an active threat, a vulnerability to a possible impact, its risk of exploitation and reach, an assumed no-fix approach without the appropriate guardrails, will only de-focus our attention," said Maor Franco.
This is about tradeoffs
Vulnerability management is always a game of compromises. There is no outcome where we hit zero vulnerabilities. "A zero vulnerability footprint and those so-called flatlines will never happen, especially in larger organizations. The sooner leadership can realize that, the program can move forward and be successful," said Brad Phillips of Cox Communications. Cybersecurity professionals aren’t the only ones dealing with daily tradeoffs. Charles Immordino of Secure Foresight drew a comparison to the medical field, saying, "Successful vulnerability management is a bit like triage. I'm absorbing everything from red team findings, the SOC, AppSec, and more besides scan content. From there, it takes a determined plan and some tact to get reductions in place and things resolved. If it were as simple as ‘find it and fix it,’ no one would have vulnerabilities."
A unique approach
One of the primary challenges with vulnerability management is that it remains unique to every organization. We can all use the same tooling, but each organization’s priorities and environment lead to vastly different decisions. "High risk does not always equal high for everyone. If you're just taking the vulnerability discovery tools' risk rating as is, you could potentially be spending a lot of unproductive cycles on items that are not high risk in your particular environment and configuration, leaving vulnerabilities that could be more impactful in your environment longer than necessary," said Dennis Spalding of Charles Schwab.
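As an added illustration of two points made above (risk acceptance as "accept until" with a mandatory review date, and re-ranking a scanner's rating by your own environment), here is a small tracker written for this post; it is not code from any of the people or companies quoted. The field names, scoring weights, and sample findings are hypothetical and constructed, and the weights would be tuned per organization.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Weights are hypothetical placeholders an organization would tune for itself.
SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}
DATA_CLASS = {"public": 0, "internal": 1, "restricted": 2}

@dataclass
class Finding:
    vuln_id: str                  # constructed label, not a real CVE id
    asset: str
    owner: str                    # who is responsible for patching this asset
    scanner_severity: str         # the discovery tool's own rating
    internet_exposed: bool
    known_exploited: bool         # linked to an active threat
    data_class: str
    status: str = "open"          # open | accepted | remediated
    accept_until: Optional[date] = None  # review date, required when accepted

def contextual_priority(f):
    """Re-rank the scanner's severity with this environment's context."""
    score = SEVERITY[f.scanner_severity] + DATA_CLASS[f.data_class]
    if f.internet_exposed:
        score += 2
    if f.known_exploited:
        score += 3
    return score

def work_queue(findings):
    """Open findings, highest contextual priority first."""
    return sorted((f for f in findings if f.status == "open"),
                  key=contextual_priority, reverse=True)

def review_queue(findings, today):
    """Accepted findings past their 'accept until' date, plus any accepted
    with no review date at all (acceptance is a deferral, not remediation)."""
    return [f for f in findings if f.status == "accepted"
            and (f.accept_until is None or f.accept_until <= today)]

TODAY = date(2024, 12, 5)  # constructed "current" date for the sample below
SAMPLE = [  # constructed inventory, not real findings
    Finding("VULN-0001", "build-box-07", "platform-team", "critical", False, False, "public"),
    Finding("VULN-0002", "customer-portal", "web-team", "medium", True, True, "restricted"),
    Finding("VULN-0003", "legacy-erp", "finance-it", "high", False, False, "restricted",
            status="accepted", accept_until=date(2024, 11, 1)),
    Finding("VULN-0004", "hr-app", "people-ops", "low", False, False, "internal", status="accepted"),
]
```

With this sample, `work_queue(SAMPLE)` puts the medium-rated, internet-facing, actively exploited portal finding ahead of the critical one on an isolated build box, and `review_queue(SAMPLE, TODAY)` surfaces both accepted findings: one past its review date and one that was accepted without ever setting one.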
Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now. Thanks to Intezer.
Huge thanks to our sponsor, Intezer
Subscribe to Defense in Depth podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.
Join us TOMORROW, Friday [12-06-24], for "Hacking the AI Supply Chain"
Join us Friday, December 6, 2024, for “Hacking the AI Supply Chain: An hour of critical thinking about what's new and familiar about securing the foundations of your AI applications.”
It all begins at 1 PM ET/10 AM PT on Friday, December 6, 2024, with guests Niv Braun, co-founder and CEO, Noma Security, and Caleb Sima, builder, WhiteRabbit. We'll have a fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.
Thanks to our Super Cyber Friday sponsor, Noma Security
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Edward Frye, head of security, Luminary Cloud. Thanks Vanta.
Thanks to our Cyber Security Headlines sponsor, Vanta
Jump in on these conversations
"Any military vets here who got their start in cyber through the military? Was it worth it?"
"Thoughts on Zero Trust?"
"What's a common cybersecurity myth you wish more people understood?"
Coming up in the weeks ahead on Super Cyber Friday we have:
Save your spot and register for them all now!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship, contact me, David Spark.
A solid overview of the vulnerability management process... which I sense is more effectively approached as a collective risk-based TVM strategy (Threat and Vulnerability Management). In any event, I concur that it requires a concerted, documented lifecycle approach to maximize business resilience effectively and with high confidence.