Enterprise security professionals have their hands full these days—monitoring networks for security breaches, managing the implications of “bring your own device” policies, and patching systems to combat “weak links,” or vulnerabilities that could allow online criminals to grant entry.
Regarding this last task, security practitioners may be able to take an approach to addressing vulnerabilities that allows them to more effectively allocate resources toward resolving these challenges. As detailed in the Cisco 2014 Midyear Security Report, urgent critical vulnerabilities—those that merit the time and attention of security executives—make up a very small number of reported vulnerabilities. While all reported vulnerabilities should be patched, it’s wise to focus on those that pose the most danger.
Cisco publishes thousands of multivendor alerts every year, and zero-day vulnerabilities (for which patches are not yet available) tend to win the lion’s share of attention from security practitioners and the media because of their perceived urgency. However, only about two percent of the thousands of reported vulnerabilities were being activity exploited soon after published reports.
Adversaries tend to cluster their efforts around vulnerabilities that they can easily exploit—hence the heightened activity for some reported vulnerabilities versus others. It is these vulnerabilities that merit a stepped-up approach to patching—while, of course, not neglecting all other vulnerabilities. As we explain in the Midyear Security Report, we believe it’s good practice for organizations to create “high-urgency patching processes” that operate in tandem with standard patching processes. This allows security managers to direct investments of time and resources toward the small number of vulnerabilities that criminals are most actively exploiting. Other vulnerabilities can be managed by more routine processes.
By quickly patching high-priority vulnerabilities, the rest of the reported vulnerabilities can be integrated into regularly scheduled maintenance and patching processes. From our perspective, this makes for better risk management.
For some references on how an organization can improve their vulnerability management, and increase their security maturity levels, there is the Carnegie Mellon University Software Engineering Institute Capability Maturity Model that lays out a process for continuous improvement across your organization, and similarly the Council on CyberSecurity Twenty Critical Security Controls, previously governed by the SANS. And Cisco has provided documents that can help organizations develop a risk-based triage capability for their information security teams. Risk Triage for Security Vulnerability Announcements and Risk Triage and Prototyping can help organizations develop repeatable security evaluation and response processes.
The underlying key to managing vulnerabilities is having timely and accurate security intelligence that helps you to rapidly assess your risk, prioritize your response, and management your environment. Security intelligence provides vulnerability activity, correlated with threat activity, and provides analysis and trends of these activities over recent years to enable proactive actions. Security Intelligence allows organizations to identify those vulnerabilities that not only are being actively targeted, but those that will likely be exploited by criminals and attackers. By being proactive, organizations can identify and patch the urgent vulnerabilities before they are being actively exploited, added to exploit kits and automated attack tools, and being delivered through any of the potential attack vectors. Like most predictive analysis, it is not 100 percent accurate all the time, but as the models describe security intelligence integrated with sound vulnerability management processes can move your organization from reactive to proactive, and provide measurable results in a defined method.