Comment: Vulnerability in the Haystack

CISOs need to ensure their teams are not trapped in an endless struggle of chasing down each new threat and exploit
CISOs need to ensure their teams are not trapped in an endless struggle of chasing down each new threat and exploit

Every system carries some weakness or vulnerability, but they are not all equal – not all systems have the same impact. Sensible security policies are needed to make smart, real-time decisions based on the defensive resources available. CISOs need to ensure their teams are not trapped in an endless struggle of chasing down each new threat and exploit.

According to an IBM X-Force Report, there are more than 70,000 security vulnerabilities that exist in the world today. The rapid expansion of social, mobile and cloud computing will further increase the number of potential vulnerabilities, expanding the threat landscape. Vulnerability scanning has therefore become a fundamental enterprise security practice, and one that is often required to meet regulatory compliance regimes such as the Payment Card Industry Data Security Standard (PCI DSS), among others.

But effective vulnerability management is extremely difficult due to the massive volume of potential vulnerabilities and the cascading complexity of system configurations within an evolving IT estate. No internal or outsourced security team can ensure a 100% level of defense at any one time, and attempting this approach will undoubtedly stretch team resources to a breaking point. Sensitive information is inevitably at risk and could fall through the cracks.

Organizations need to expand on the traditional security information and event management (SIEM) approaches used today and also correlate vulnerability intelligence alongside the event, anomaly, log and flow data. Vulnerability scanning today often lacks network-wide visibility, contextual awareness and real-time scanning. These gaps mean even well-known and preventable vulnerabilities can be lost in an overload of data, leaving organizations exposed to high risks.

At IBM we designed the IBM Security Framework to help organizations take a business-driven approach the security by grouping business security concerns into domains of interest. The Security Intelligence and Analytics layer provides discovery and reporting on top of the security domains. It is a control center for logging, viewing, analyzing, alerting, and reporting on events across, rather than within domains. Vulnerability prioritization and management belongs in this strategic and intelligent layer alongside log management, risk modelling, and impact analysis tasks.

Risk management is a core tenant of effective vulnerability management and the wider business- driven approach to security. Unlike a technology-centric and bottom-up approach that is often driven by security solution vendors, it is business goals that inform the security requirements. To close identified security gaps, enterprises broaden and bolster their defenses by continually building on top of or adding to their existing security investments. This technology-centric approach often creates an excessively complex and disjointed security infrastructure, further hampering attempts to have a clear view of which vulnerabilities matter, and which do not.

Instead of trying to protect against every conceivable threat, organizations should understand and prioritize the security risk management activities that make the most sense for them. By understanding the level of acceptable risk, the IT team can more easily focus on mitigating risks they can't afford to neglect.

Measuring risk accurately, however, can be a time-intensive and highly complex challenge for security teams. Overemphasizing certain risks leads to wasted resources and efforts, while underemphasizing others can have disastrous consequences. A deep and broad IT security knowledge is key for effective threat and vulnerability management, yet the resources of the security team (experience levels and time available) are always facing competing demands for attention.

The type of knowledge that is required includes a deep technical understanding of platform-specific security functions and the ability to understand the performance of security attacks in a step-by-step manner. Besides the technical knowledge, security experts must be up to date on new technologies so that they can identify potential new threats that might come with these innovations. It is also necessary to have skills in using the various security analysis and testing tools.

Despite the fact that vulnerability management has long been a core requirement of every organization’s security practices, many security teams continue to struggle against operational limitations and often manual processes stemming from siloed solutions. These disparate techniques are difficult to integrate with existing security infrastructure, often leading to unsecured blind spots remaining in the environment.

The answer is to add more intelligent systems into vulnerability management processes, reducing the remediation and mitigation burden for security teams by aggregating data so it can be prioritized quickly. Advancements in real-time systems can also react to other suspicious activity on the network, identifying an attacker’s discovery of an exploitable vulnerability, updating its risk profile and alerting attention for immediate remediation.

We need to tackle the limitations of legacy approaches to vulnerability management head-on. By incorporating vulnerability assessment into our Security Intelligence and Analytics layer and building on SIEM principles, we can help security teams fully understand the extent of their exposure and the overall security state of their networks.

Martin Borrett is director of the IBM Institute for Advanced Security in Europe. He leads the Institute and advises clients on policy, business, technical and architectural issues associated with security. Borrett is chairman of the European IBM Security User Group community and the IBM UKI Technical Consulting Group. He is also a member of the IBM Academy of Technology, a Fellow of the BCS, and a Chartered Engineer (CEng) and member of the IET.

What’s hot on Infosecurity Magazine?