It’s not a sexy, cutting-edge algorithm, but research shows comprehensive asset management is your best tool to mitigate the most commonly exploited vulnerabilities.
A Joint Cybersecurity Advisory, authored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom’s National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI), presented the top 30 vulnerabilities routinely exploited in 2020. The importance of keeping software assets patched and compliant becomes abundantly clear.
This article will detail key findings from the joint advisory, discuss techniques to ensure you are tracking all of your software asset inventory, and ultimately highlight how enhanced visibility leads to faster remediation timelines.
Attackers getting more aggressive
The Top Routinely Exploited Vulnerabilities advisory revealed that four of the top 12 CVEs most commonly exploited in 2020 were disclosed during the year 2020. Given that many of these CVEs were disclosed in the middle of the year, attackers wasted no time adding these tools to their arsenal. Zooming out the timeline shows that all of the top 12 CVEs were disclosed within the previous three years, 2017-2020. Bluntly, this research shows that critical CVEs disclosed within the past few weeks are very likely to be exploited.
If you are waiting more than six weeks to patch or update your systems, it’s too late. Organizations often have laborious patching cycles that take weeks to months. Extended patching cycles are ripe opportunities for attackers to take advantage of security gaps.
Effective asset management needs to be dynamic and reactive to today’s emerging threats. That’s why the industry standard 18 CIS Controls (formerly the SANS Top 20) prioritize software and hardware asset inventory as the two most important focus areas for your security practice, helping to create a continuous vulnerability management system.
Comprehensive asset visibility and management is the foundation on which to build your organization’s security posture. With a comprehensive mapping of your environment, you can easily manage your assets at scale. As your organization evolves, your attack surface becomes increasingly complicated and at risk of having software and hardware slip through the cracks. Tracking every single endpoint becomes the essential first step in good security practices.
What gets measured, gets done
Compared to traditional vendors with point-in-time tools, an Extended Detection and Response (XDR) solution provides a comprehensive unified platform to inventory and secure cloud, container, and traditional endpoint assets. With an XDR platform, you can gather real-time asset inventory and gain insight into what is happening in your organization’s environment.
Top XDR solutions will normalize the stream of data from your assets into a database to be easily queried. Meaning whether you have a question on your container configurations, are performing a live audit of applications, or searching for information on a specific software package, an XDR platform should provide you an immediate answer.
With an XDR solution, start with a dashboard overview of your assets, then seamlessly drill down into in-depth insights on individual assets.
When combating emerging threats, a unified asset management platform makes your team faster at analyzing, detecting, and taking action. Extended protection goes beyond visibility: you can configure your platform to perform the heavy lifting for your team and get real-time insights for overclocked resources, security failures, and rare anomalies.
Reconstruct historical configurations to understand the previous state of your posture or if a specific software created performance issues. A best practice is to store historical data for the previous 30 to 90 days. Historical data becomes a powerful tool to determine risk over time and gives you the power to run queries looking at the real-time or previous states of your machines.
How visibility speeds up the remediation lifecycle
In the context of emerging critical vulnerabilities, an XDR solution can turn a multi-month remediation and patching cycle into fractions of that time. Let’s break down a traditional vulnerability management cycle, then identify the areas where improved asset visibility relieves pressure from IT staff and allows for a faster remediation turnaround.
The traditional method of remediating software vulnerabilities:
- A new critical CVE emerges. The security team tends to be informed as new headline grabbing critical CVEs emerge, but this finding is related to a smaller vendor and so doesn’t get the same headlines as a Microsoft or large network infrastructure exploit.
- You have a traditional vulnerability scanning tool to capture a point-in-time analysis of all software on your assets where the agent is deployed. This scan causes a spike in resource utilization, so you can only run once daily or weekly. Your team is already understaffed and overworked, so you have a meeting to monitor scan results on a weekly or bi-weekly basis. You have alerts and a dashboard configured, but the backlog of CVEs to be remediated makes the noise drown out the new findings from stirring any news in your channel.
- A week has passed, your team sees the new finding. It appears relevant but the prioritization it deserves is unclear. The team decides to raise it as an item to be discussed in the upcoming meeting.
- The finding is brought up in the bi-weekly meeting. Questions arise such as: What assets are running this software? Is this a false positive? Who maintains the assets this software is running on? Who has the bandwidth to take this up? How bad does the finding appear? Is it on internet-facing assets? If so, how many? Are those assets carrying any sensitive data? In fact, is there a list of all the assets this software is running on? Lets connect with the Dev or Ops team and understand how changing the configuration or upgrading might affect the current stable build.
- It takes a couple more days to get the full picture of where this software is running, what the assets it’s running on are using it for, and exposure these assets have to the internet. Two weeks after being released, the team finally determines that this finding is present and relevant to their environment.
- Your team begins the remediation phase. Despite the urgency of this finding, you have business-critical production operations that can’t be interrupted. You will need a multi-week to multi-month process to go through the steps of implementing a fix in the lowest testing environment to monitor for performance impact. Then after ensuring it is stable in testing environments, you will look into moving it into progressively higher environments up to production.
- Finally, after this multi-month cycle comes to an end with a production fix, you have successfully mitigated the new CVE through upgrading or re-configuring your assets as recommended.
In this scenario, you can see how much time elapses between the CVE being published, becoming noticed internally, a team understanding the full picture, getting the fix prioritized, and getting the fix implemented and tested. Though hopefully all the steps above may not perfectly reflect your own company’s current practices, the key here is what extended visibility and asset management can do to reduce time taken to achieve the phases of 1) understanding the full picture and 2) implementing the fix with confidence. XDR tools quickly answer the questions of scope and priority, and also provide visibility into the operational impact of any patch or upgrade.
Enhanced visibility and insight lets teams immediately understand the full picture and answer the aforementioned key questions around asset ownership, data sensitivity, and ultimately prioritization. Traditional methods over rely on cross-team communication or key internal individuals. With a single pane of glass, security teams quickly assess their entire fleet to filter down in real-time into what assets are the highest priority. Instantly determine what subset of assets are highest priority or assess whether there are reasonable compensating controls in place to mitigate the new CVE.
During the remediation phase, implementing a fix takes time as you incrementally monitor and roll out patches or updated configurations. These delays give more time for attackers to infiltrate your environment and extract sensitive data. Extended visibility applied to the remediation life cycle will reduce the time needed to validate a fix by comprehensively monitoring the performance of your endpoints across your development, testing, and production environments to immediately catch any performance issues from the applied fix. The legacy method of waiting days or weeks to move patches up into higher environments is no longer viable in today’s threat landscape, and an XDR solution will give teams the extended visibility to confidently roll out updates to their entire fleet and validate a fix in a noticeably shorter period of time.
No one can predict what the next threat will look like, but we can prepare our teams with the best tools and processes to react confidently against any type of CVE. With extended visibility, unique insights, and real-time asset management, arm your team to be ready for tomorrow’s threats.
About the Author: