A relentless pace of vulnerability discoveries and disclosures imposes a cyclical patching process on cybersecurity professionals that has proven unsustainable for most organizations.
The situation is going from bad to worse.
“We are on this never-ending loop of massive vulnerabilities patching, and it seems that we are deploying vulnerabilities faster than we are deploying fixes for vulnerabilities,” said Ed Skoudis, president of SANS Technology Institute.
This chronic cycle of vulnerability, patch, vulnerability, patch, ad nauseam contributes to apathy and a heightened sense of inadequate resources among many enterprises and cybersecurity practitioners.
Known vulnerabilities are akin to an iceberg that shows only about 10% of its mass above sea level — those are the vulnerabilities the industry knows about and continues working on, he said.
Meanwhile, software and systems vendors keep slapping more vulnerabilities on the remaining 90% hiding underwater. “We’re deploying more problems than we are deploying fixes for them, and that can lead to cybersecurity burnout,” Skoudis said.
Despite some overall gains, morale is in decline, particularly among professionals who realize their organizations are more vulnerable than they were a decade ago, Skoudis said.
Perpetual state of defense begets apathy
Cybersecurity has significantly improved in absolute terms, but enterprises and the efficacy of cybersecurity as a practice are still falling behind. This apparent contradiction comes as no surprise to anyone paying attention to the pace and magnitude of threats facing every individual, business or government entity.
“[Attackers] are getting more powerful, more clever, more creative, and deeper into our systems at a rate that is increasing faster than our cybersecurity capabilities,” Skoudis said.
As more vulnerabilities are discovered and more patches are required, organizations need to create a system to apply patches in a defined and repeatable way.
The need for an urgent and committed response to vulnerability patching makes it a full-time job, and at larger organizations more likely the job of a whole team of IT professionals responsible for testing and deploying patches, said Jen Miller-Osborn, deputy director of threat intelligence at Palo Alto Networks’ Unit 42.
Maintaining a positive mindset
Confronting a lopsided battle from a weakening position, such as the one cybersecurity practitioners operate in, makes it all the more difficult to maintain optimism. Skoudis finds a way, and says it’s critical to keep up the fight.
But how does one offset this undeniable imbalance between hope and reality? Celebrating successes, training and mentoring the cybersecurity talent of the future, and practicing consistently in a lab setting will go a long way in that regard, he said.
Cybersecurity professionals can empower themselves by building up their skills, and doing it regularly and methodically, Skoudis said. “I’m not cast upon this sea of vulnerabilities,” he said. “I’m learning how to apply cybersecurity in a hands-on fashion.”