The state of vulnerability management today is shackled by three ever-present and high-visibility characteristics: chaos, silos and reactionary confusion. These negative attributes are the result of a tsunami of vulnerabilities coupled with rapidly expanding attack surfaces that have wreaked havoc on organizations’ abilities to manage and prioritize vulnerabilities in a material way effectively.
In this article, I look at the challenges that teams face attempting to implement a meaningful vulnerability management program, explore five trends that will shape the future of vulnerability management in positive ways and offer my insights to assist in the transition to a modern program. Insight into these trends can assist organizations as they wade through the waters of developing a vulnerability management program and choose a partner to take along on that journey.
Chaos results when teams attempt to ingest an overload of information from disparate tools. The flood of vulnerabilities and waves of security data can easily overwhelm even the best teams without the help of automation and machine learning. Too often, teams are still manually triaging signals and emailing massive spreadsheets to stakeholders—causing further potential chaos.
Silos are created by outdated organizational structures that limit the ability of DevOps and security teams to work collaboratively and effectively. This problem is exacerbated as teams retreat further into their respective silos because of the tension caused by whack-a-mole-like threat remediation strategies. Developers feel they can never finish a project because of the endless stream of security bugs and violations sent back to them from security. Security teams cannot keep up with the pace of software development and continually fall further behind.
Reactionary confusion is the predictable result of a vulnerability management strategy that gives way to a “drop everything” firefighting approach to responding to the celebrity vulnerability du jour. Without a plan that establishes what to fix first and why, news headlines and CVSS scores rule the day—both of which come without context to your business-critical risk strategy.
Trend 1: Vulnerability prioritization is becoming table stakes.
Risk-based vulnerability management will become a standard feature requirement as customers evaluate vulnerability management solutions. Automation and machine learning are essential for vulnerability management and risk-based prioritization. However, you should avoid black box machine learning prioritization models, as they fail to provide insight that explains the “why” and the “how” of prioritization. Why and how are every bit as important as knowing what to prioritize. Up-to-date threat intelligence and machine learning algorithms can determine which vulnerabilities cybercriminals are most likely to use in malware or targeted attacks. Still, leadership must know the “why” and “how” for the information to formulate future business plans.
Trend 2: Asset management and criticality are becoming a must-have requirement.
Asset management and criticality—knowing what, where and how important the organization’s crown jewels are—are too often overlooked. You cannot accurately assess risk without understanding these vital aspects of threatened assets. For a risk-based vulnerability management program to be relevant to your organization, it must factor in the criticality of assets.
Trend 3: Leaders are accepting that contextual environmental controls are no longer best practices but a core vendor differentiator.
Every customer’s environment is unique, and threat-centric prioritization is only marginally better than a CVSS-based prioritization. When a vendor fails to incorporate contextual risks and environmental controls, customers may do more remediation than necessary. It is essential to avoid ineffective patching or create throwaway work for your teams.
Trend 4: Changing behavior in vulnerability management is akin to changing to healthier eating, exercise and sleeping habits.
Gaining more energy, building muscles, reducing body fat and sleeping better are individualized personal health goals because each body responds differently to food intake, stress and exercise regimes. Similarly, reducing remediation workload, reducing risk, cutting down data noise, improving automation and gaining real-time insights are different business objectives for each organization’s vulnerability management program. Individualized programs to compare historical progress and peer groups will become the motivational tool to change enterprise behaviors in vulnerability management.
Trend 5: Vulnerability management and configuration management will converge into one category.
Because configuration management is but a subset of vulnerability management—or at least a close cousin—customers in the future should look for solutions that are stack-agnostic, flexible in analyzing both vulnerabilities and misconfiguration, and prioritize accordingly based on risk and business impact.
Conclusion
Here’s my advice for how organizations can prepare for the transition to a modern vulnerability management program:
1. Know your assets. Cloud adoption enables customers more agility and velocity in leveraging cloud scale, and assets can be turned on and off at ease. Not knowing where your assets are and how critical those assets are can become the biggest blind spots in the future of vulnerability management.
2. Celebrity vulnerability matters, but don’t lose sight of good VM hygiene. Having an answer to the risk exposure of your celebrity vulnerabilities is important, but don’t get overconfident when you are cleared for celebrity vulnerabilities because there will be the next Log4j, Heartbleed or any other new celebrity. A good VM hygiene is focused on continuous insights into risks, threats and countermeasure defense.
3. Stop number counting and ask the why. Customers are used to counting and reporting the number of critical, high, medium and low vulnerabilities among the teams and reporting to the board and leadership team. A snapshot number count is not relevant or useful. Trending data can help you tell a better story of your risk management and remediation effectiveness.
Organizations can better transition to a modern vulnerability program by leveraging the benefits promised by these future trends.
Courtesy- https://www.forbes.com/sites/forbestechcouncil/2022/08/08/five-trends-shaping-the-future-of-vulnerability-management/?sh=685a068f7e90