[BreachExchange] The Vulnerability Whack-a-Mole Game

Destry Winant destry at riskbasedsecurity.com
Thu Mar 19 10:13:53 EDT 2020


https://www.riskbasedsecurity.com/2020/03/09/the-vulnerability-whack-a-mole-game/

Most professionals have probably heard the classic business iceberg
metaphor quite a few times during their careers – the one with the
punchline: “Hey, the problem is actually bigger than you think!” It’s a
cliché but, like it or not, it rings true when it comes to cyber security.

Many organizations see the tip of the iceberg, but very few stop and do the
hard work necessary to figure out what is really going on below the
surface. Those that do, and start to more fully understand the issues, may
soon discover that the cyber problems are even bigger than they thought.

It’s nearly impossible for most organizations to look below the surface
using the “free” data that fuels most of the security products currently on
the market. It’s just not comprehensive or timely enough. As a result, the
attempt to deal with security problems turns into a vulnerability
“whack-a-mole” game, where risk management professionals reactively lunge
at newly emerging issues instead of proactively mitigating their likelihood
and impact. Compounding the problem, organizations tend to treat the
symptoms and not address the root causes that are driving the risk.

Organizations need a better mindset when it comes to implementing the right
approach for vulnerability management. They want to evolve beyond the
whack-a-mole game and be more strategic, and in order to do that they need
better data.

The Problem Isn’t the Platform, It’s the Data

At Risk Based Security, we have always been focused on collecting and
understanding vulnerability data. We track every type of vulnerability that
we can uncover (including many issues in third-party libraries). We believe
it’s critical that we offer the most complete and detailed vulnerability
data, but many cyber security solutions do not view this as a priority.
Unfortunately, organizations that use bad vulnerability data, knowingly or
otherwise, may be making bad risk management decisions.

The core of the problem is that most organizations (and the security
products they use) source their data from CVE. Some do not really
understand how the system works, or the severe limitations that can put
them at risk. Many organizations are still relying solely on running a
vulnerability scanner, thinking “Oh, great! I just did a full assessment
and I’m clean. I didn’t get any findings.” But a scanning tool isn’t able
to alert them about important vulnerabilities that are missing from their
data. Worse, the major vulnerability scanners look for only a fraction of
the issues that are published in CVE. We’re not suggesting that you throw
CVE out entirely, as it does have some value. But you can’t implement an
effective vulnerability management program using CVE/NVD alone.

At the time of publishing, CVE/NVD is missing over 73,000 vulnerabilities
and that number is growing every day. For many people in the security
industry CVE/NVD has been the de facto standard, so this can come as quite
a shock. Many practitioners react with surprise when confronted by this
fact, while others know but choose to ignore it. They may assume that the
missing vulnerabilities are in software that doesn’t matter, or that they
are low risk. Neither of these statements is true.

The Missing Vulnerabilities Matter

If your organization is currently relying on CVE (and most are), at least
33% of all disclosed vulnerabilities are completely unknown to you. Our
research shows that 43.5% of those vulnerabilities not published by CVE/NVD
in 2019 are high to critical in severity, and included major vendors as
well as popular third-party libraries. It gets even worse for DevSecOps, as
CVE coverage of third-party library components is a fraction of what it
should be.

Even when CVE does publish vulnerabilities, they can be days, weeks, and
even months behind the disclosure date. Have you ever gone to look up a CVE
ID only to see it say “RESERVED”? This is normal for newly disclosed
vulnerabilities. In many cases, the information is out there, but MITRE
hasn’t done the work necessary for you to do yours.

Even if you’re doing vulnerability research yourself, you need to be able
to handle vulnerabilities that don’t have a CVE ID. Organizations quickly
realize that this is a complex and very expensive undertaking to manage.

Evolving Beyond The Vulnerability Whack-a-Mole Game

Vulnerability Management is more than just using a scanner. While
vulnerability scanning has served organizations well and got us to this
point, we need to evolve our approach if cyber security is to mature. We
need to put proper vulnerability intelligence and asset inventory at the
core of effective Vulnerability Management. When organizations know about
all vulnerabilities disclosed, and how they potentially affect them, they
can prioritize and remediate accordingly, ensuring that their limited time
and money is focused on the most important risks.

We need to continue to educate and enable organizations to start looking at
Vulnerability Management from a more strategic standpoint, and apply more
of a problem management approach. Ask yourself:

What if you knew the vendors or products that would most likely put you at
risk for a data breach or compromise?

What products or libraries/components cost the most to maintain securely?

What if you could easily look at your vendors and see how much they care
about their own security? Are they actively addressing the vulnerabilities
within the products they are shipping to you? And if a vulnerability does
make it through, how quickly do they respond and provide a patch?

If organizations have access to easy to understand ratings and are able to
gather better insights about the products they are relying on, they can
take a strategic approach. They can finally achieve proactive, risk-based
vulnerability management, set aside the squeaky mallet, and move on from
the whack-a-mole game.

This article originally appeared in the 2019 Q3 Vulnerability QuickView
Report. Read our latest report here:
<https://pages.riskbasedsecurity.com/2019-year-end-vulnerability-quickview-report>