Share with Your Network
In the wake of high-profile, potentially destructive vulnerabilities like Log4J, many security operations teams are reassessing how they respond to high-risk vulnerabilities. But the more efficient and effective path forward isn’t always about increasing remediation capacity or even budgets. Making improvements to risk management workflows demands teams take a good hard look at where they excel, where they fail, and where they’re going.
So, when Ed Bellis, CTO and Co-founder of Kenna Security (now part of Cisco), and Doug DeMio, Ransomware Task Force Leader at American Family Insurance, met to explore the best ways to tackle extreme vulnerabilities, common threads began to emerge. This blog breaks out key takeaways from that convo to help security leaders and remediation teams rethink and plan for the next headline-worthy vuln.
- Severity is subjective.
Just because news outlets (or board members) are dialed into the scary vulnerability du jour doesn’t necessarily mean it should be a top priority for you. “Likelihood has to be part of the equation,” says Bellis. “Extreme vulns are going to be (assessed on) not only the severity but the likelihood of exploitation and what asset does this affect.”
Bellis says the data supports this notion. “If you’re just looking at severity, 70%+ of all vulns ever are going to have a high severity. Organizations can only fix somewhere between 10-30% of their vulnerabilities.” Fixing all high-severity vulnerabilities, Bellis points out, is “not even something they could do if they wanted.” And it doesn’t help that many organizations rely on CVSS scores, even though they are simply too generic to make critical prioritization decisions. So too are scanning tools whose prioritization features simply repackage CVSS.
DeMio agrees, making the case for data-driven context. “Historically, a lot of engineers rely on the scanning tools themselves. The reality is that completely lacks risk context.”
Instead, he says organizations need to focus on two critical factors. “Number one: What are your highest value assets? And number two: What other pieces of information can you glean from cyber threat intel or tools such as Kenna? Even though it may be a critical vuln, is it being actively exploited in the wild? If not, you don’t want to ignore it forever, but it shouldn’t be your highest priority to remediate.”
2. Be honest about your resources, capabilities—and limitations.
It can be a slippery slope when trying to reassure leadership remediation capabilities are robust and capable of tackling whatever is thrown at you. If you’re not careful, you can find yourself over-promised and under-resourced. Bellis and DeMio (a Kenna customer) urge security leaders to not fall for that trap. The strongest security strategies acknowledge setbacks and adjust accordingly.
“Depending on the size of the org, you could have many millions of low severity vulns,” explains De Mio. “Statistically, it might look good in a management report (but) in terms of risk reduction you’re not getting the best bang for your buck, that’s for sure.”
It’s tempting to take the short-term approach and commit to resolving all the issues, but it’s not realistic—or effective. “Demonstrate you’re being responsible by prioritizing based on risk reduction opportunities versus trying to ask for enough funding and money and people to solve all of the problems. You can’t do that. You really just need to solve the actual threats.”
Research conducted by Kenna Security and the Cyentia Institute finds there are far fewer vulnerabilities that demand remediation resources than many security leaders realize. “Regardless of size or funding,” Bellis explains, “teams can fix on average about 15% (of their vulnerabilities). For top performers, it’s closer to 25-30%. The good news is we see less than 5% of vulns exploited in the wild.”
Bellis points out the eventual challenge of diminishing returns. “Keep in mind, it’s probably not necessary to fix every vuln in that backlog. In fact, there are probably better ways to reduce risk in the company as you get to a certain level where it’s just diminishing returns. Basically, it becomes a hygiene issue.”
At the end of the day, one of the most important measures security leaders can take is ensuring there’s a plan in place for when things do go awry. “One of the greatest challenges in terms of your resilience,” claims DeMio, “is that you have to really understand, have up-to-date business continuity planning, and business impact analysis to know what it takes to recover.”
3. Understand your remediation metrics: Coverage, efficiency, velocity, capacity
Measuring vulnerability management program success flows from a deeper understanding of strengths, weaknesses, and goals. Of course, we could give you rote definitions, but Bellis offers a more helpful answer. Here, he describes four must-have metrics for tracking risk remediation efficiency and effectiveness.
Efficiency. “Efficiency is something you can take advantage of with the resources you have. If I fix 100 vulns, how many of those were actually high risk? Efficiency is about making sure that when I take an action, I’m bringing risk down.”
Coverage. “Coverage is the opposite of efficiency. For instance, if I have 100 high-risk vulns, how many did I actually fix? And that’s where sometimes you have to get resources to get better coverage—it could be people, tools, or both.”
Capacity. “On average, between the number of high-risk vulns you’re opening and closing on a monthly basis, are you able to close as many that get opened or more so?”
Velocity. While Bellis didn’t elaborate on velocity during this conversation, he’s unpacked this concept before. “Typically, companies measure vulnerability remediation through a metric known as mean time to remediation (MTTR). But the metric only looks at vulnerabilities that have closed, and it doesn’t look at those left open. Instead, we use survival analysis to look at how long it takes to remediate half of the instances of a vulnerability in the system.”
These metrics offer powerful insight into an organization’s real ability to manage and mitigate cyber risk, and help teams course-correct and operationalize remediation response. For a deeper dive into these concepts, check out The State of Risk-Based Vulnerability Management in 2021.
4. Assess your organizational culture and risk tolerance.
Like most organizational upgrades, change starts from the top and is often working against historical views and outdated opinions. “You need support from the top to understand that this needs to be a priority,” says DeMio.
Leadership priorities can impact everything from securing funding for new initiatives to day-to-day operational workflows, DeMio explains. “Typical legacy infrastructure was a big problem. Today, it’s much less of an issue, but the mindset is still there. What holds you back is a cultural issue, and it’s an aversion to risk related to possible operational disruption. That’s historically why people delay applying patches because they’re worried about what it’s going to do to the system. It’s a cultural shift to understand the risk of not remediating far outweighs the risk of operational impact.”
And while the sinister evolution of ransomware has proven to be one of the most difficult cybersecurity adversaries, it’s also been a catalyst for cultural change, prompting much-needed attention and multi-pronged action that extends beyond the IT and Security departments. For instance, American Family Insurance recognizes the dire need for effective security education and has implemented a security awareness program to train people to better recognize potential threats and increase cybersecurity savvy.
Getting ahead is doable—and the data supports this
Even when facing a tsunami of high-risk vulnerabilities unlike we’ve ever seen before, Bellis reassures listeners teams are in fact able to get and stay ahead thanks to data-driven and predictive risk prioritization. “We do a series of research reports where we’re looking at all of this data to determine what organizations are doing, and I can tell you for a fact the majority of orgs are getting ahead.” Heartening news for security leaders looking to level up their security resilience.
“We’ve determined it’s a solvable problem with data,” says Bellis. And enterprise solution leaders like Cisco are helping companies harness this data to strengthen defenses, gain visibility, optimize finite resources, simplify security operations, and respond to threats promptly and efficiently. In other words, they’re helping organizations achieve security resilience.
To hear more insight from DeMio and Bellis, including their thoughts on emerging threats, watch the replay: Hacking Extreme Vulnerabilities: An hour of critical thinking about the confluence of concerns across threat actors’ intentions, industry targets, ransomware, and a company’s unique weaknesses.
