Why Vulnerability Management Needs a Patch
Much has been written about how DevOps is breaking traditional security approaches. For one, speed and agility are hardly the hallmarks of security. However, the threat landscape and enterprise attack surface continue to grow and evolve. It’s become obvious that we need security infrastructure that is aware and adaptive — it must continuously balance risk and trust at the speed of DevOps.
However, not much has been written about the impact of legacy vulnerability management on modern DevOps environments. While the topic of vulnerabilities is popular — there’s no shortage of research on the number of new CVEs discovered year over year — modern approaches for prioritizing and mitigating vulnerabilities haven’t changed much since the pre-DevOps era.
Why Vulnerability Management Best Practices Are Outdated
When it comes to vulnerability management, remediation timeframes are often based on outdated industry standards, which can increase risk exposure. The most popular prioritization methodology is the Common Vulnerability Scoring System (CVSS) — an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS consists of three metric groups: base, temporal and environmental. The base metrics produce a score ranging from 0 to 10, which can then be modified by scoring the temporal and environmental metrics. However, a vulnerability is only as dangerous as the threat exploiting it, and 95% of vulnerabilities with “high severity” CVSS scores have never been seen in the wild nor linked to breaches. This means that assigning a global critical/high/medium/low rating to any vulnerability is flawed because:
- Attackers don’t care what threat score a vulnerability has and regularly exploit lower-ranked vulnerabilities if they’re the easiest successful attack vectors.
- The known quantity and explosive growth of identified vulnerabilities makes it impossible to remediate them all.
- Not all vulnerabilities have patches or can be patched. The CVE process itself works against accurate risk rating: even when a software package has a known vulnerability, the vulnerable components are often never actually executed and therefore present no risk of exploitation.
According to analyst firm IDC, large-to-very-large enterprise companies spend 7-10% of their security budget on vulnerability management. An organization that prioritized vulnerability management purely on CVSS scores would risk spending the majority of that budget and time on threats that pose no risk to its environment.
MAGNA CARTA VULNERATUM
Analyst firm Gartner suggests that modern vulnerability management requires “continuous adaptive risk and trust assessment” (aka CARTA). This requires triaging services in production by business importance and criticality, cross-referenced with the vulnerabilities that are actually present in the code running in them.
This methodology is an iterative model that has three primary components:
- Assessment — Analyzing organizational assets to understand the state of the services, which components are actually loaded into memory, and configuration of these assets.
- Prioritization — Identifying which vulnerabilities represent the greatest risk based on exploitability.
- Compensation — If patches are not available, can’t be applied without affecting service performance or functionality, or are true “zero days,” it’s important to have compensating controls that “buy time” between vulnerability identification and patching.
A CARTA approach to prioritizing vulnerabilities correctly shifts focus to the vulnerabilities that represent an actual threat. Patching or compensating for those vulnerabilities is the top tier of vulnerability management. Once this class of vulnerabilities is treated, there is a greater window to implement better hygiene in the CI/CD pipeline by eliminating vulnerable components that serve no operational purpose, and to remediate and mitigate vulnerabilities with a lower probability of being exploited. Gradual risk reduction can then proceed under standard vulnerability management processes and policies.
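The following is an added illustration of the triage described above, not code from the original article or from Gartner: it ranks scanner findings by whether the vulnerable component is actually loaded at runtime, whether an exploit is known and how critical the service is, rather than by CVSS alone. The findings, service names, CVE identifiers and weighting factors are all constructed placeholders for the example.

```python
"""Rank scanner findings the CARTA way: by runtime presence, known
exploitability and business criticality, not by global CVSS severity."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str                # identifier as reported by the scanner (placeholders below)
    cvss_base: float        # CVSS base score, 0.0 to 10.0
    service: str            # service the vulnerable package is deployed in
    criticality: int        # business criticality of the service, 1 (low) to 4 (critical)
    loaded: bool            # vulnerable component observed loaded into memory at runtime
    exploit_known: bool     # public exploit or in-the-wild exploitation reported
    patch_available: bool


def risk_score(f: Finding) -> float:
    """Code that never executes carries no exploitation risk; otherwise weight
    the CVSS base score by exploitability and business criticality.
    The 0.25 discount for bugs with no known exploit is an illustrative assumption."""
    if not f.loaded:
        return 0.0
    exploit_factor = 1.0 if f.exploit_known else 0.25
    return f.cvss_base * exploit_factor * (f.criticality / 4)


def action_for(f: Finding) -> str:
    """Map a finding to the CARTA response: patch, compensate, or pipeline hygiene."""
    if not f.loaded:
        return "hygiene: drop unused component from the image"
    if f.exploit_known and not f.patch_available:
        return "compensating control until a patch exists"
    if f.exploit_known:
        return "patch now"
    return "scheduled remediation"


def prioritize(findings):
    """Return (cve, service, score, action) tuples, highest risk first."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.cve, f.service, risk_score(f), action_for(f)) for f in ranked]


# Constructed sample inventory; the CVE ids are placeholders, not real identifiers.
SAMPLE = [
    Finding("CVE-EXAMPLE-0001", 9.8, "nightly-report", 2, False, True, True),
    Finding("CVE-EXAMPLE-0002", 6.5, "payments-api", 4, True, True, True),
    Finding("CVE-EXAMPLE-0003", 8.0, "payments-api", 4, True, False, True),
    Finding("CVE-EXAMPLE-0004", 7.5, "auth-gateway", 3, True, True, False),
]

if __name__ == "__main__":
    for cve, service, score, action in prioritize(SAMPLE):
        print(f"{cve} {service:<15} risk={score:5.2f}  {action}")
```

Note that the CVSS 9.8 finding lands at the bottom because its component never loads, while the CVSS 6.5 finding in the critical payments service with a known exploit is patched first.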
The good news is that Gartner predicts organizations that adopt the CARTA vulnerability-management method will suffer 80% fewer breaches by 2022.