- Companies, even within the same industry, face unique cyberthreats, making vulnerability management less about mass patching and more about prioritizing the most exploitable vulnerabilities, according to Mitchell Schneider, principal analyst at Gartner, while speaking during the virtual Gartner Security & Risk Management Summit Wednesday.
- Over the last decade, while the number of overall vulnerabilities has increased, the number of critical vulnerabilities are not surpassing those of low, medium and high severity. Normally, "we would want to address [critical ones] first. However, if you focus only on those, it leaves you open for attackers to target the medium- and low-ranking vulnerabilities," Schneider said. "The medium-ranked vulnerabilities are the ones getting away from us," which are the ones with the most exploitability.
- Threat actors are not choosing their vulnerabilities based on the traditional common vulnerability scoring system (CVSS), so companies cannot afford to prioritize patches using CVSS either. "There's no inherent correlation between the vulnerability and if threat actors are exploiting them in terms of those severity ratings," Schneider said.
Vulnerability management cannot be simplified to only patching, Gartner says. It's an entire system weighing active threats against business continuity, and not all vulnerabilities will have patches.
Companies do not have to concern themselves with the threat landscape at large, only where a business and threats meet. "What we would like to do is actually change the threat landscape for the first time in two decades," Schneider said.
"If you can move to a situation where your attack surface is so high, that only a sophisticated zero day and or intelligence agency in another country is able to get in, you've just broken something," he said. Threat actors will struggle to gain access.
Scanning and exploiting vulnerabilities became the top infection vector in 2020, replacing phishing as the top vector in 2019, IBM X-Force found. Researchers estimate that more than 1,600 vulnerabilities met the critical severity outlined by the CVSS last year.
The Cybersecurity and Infrastructure Security Agency (CISA) is aiming to make vulnerability management easier by making its federal catalog for known exploited vulnerabilities accessible to the public. CISA's catalog moves away from the CVSS, as it's meant to only capture CVEs with active exploits underway to avoid the possibility of prioritizing patches less critical than others.
The catalog provides federal civilian agencies with due dates for updates, the first deadline for 99 of the initial 291 CVEs were due Wednesday. CISA also sent out an updated catalog Wednesday.
"Organizations really need to start thinking about and considering Plan B options when patching is not feasible," Schneider said. But companies run into communication issues when infrastructure and operations versus security view patching as the other's responsibility. Security tends to view management by how it makes the organization more secure. Infrastructure and operations are more focused on reliability and service interruptions.
Vulnerability management is a shared responsibility among business units, and does not require one dedicated team, according to Schneider. The project manager, however, should be from security.
IT has changed through DevOps, containers, and off-premise solutions, which means vulnerability management is not one-size-fits all like it used to be for an entire environment. "All this discussion about vulnerability management will make you think that exposure is all about vulnerabilities," said Schneider. But other considerations are cloud misconfigurations or third-party security postures.
"There is no way to know and manage exposure without proper visibility," he said. Vulnerability assessment vendors are beginning to offer vulnerability prioritization technology capabilities, which Gartner expects to converge with vulnerability assessment in the next two years or so.
"Prioritization is the most important concept. And this was the lightbulb moment and what changed Gardner's entire perspective around doing vulnerability management," Schneider said. "If you take the vulnerabilities in your environment, and focus on the ones that are being exploited in the wild, this will be an exponential improvement in your security posture."