Article by Flexera EMEA senior vice president Vincent Smyth
You’ve heard about the Equifax breach, the WannaCry attack and more. When they occurred, most security teams double-checked their software security risks. But with the explosive growth of software vulnerabilities, one-time check-ins aren’t enough. Software breach risks need full-time attention.
That’s not a small task. It means monitoring the hundreds of new threats reported daily and reviewing hundreds to thousands of internal software applications. Plus, not all threats are equal, so there’s the additional step of pinpointing the top priorities for your company.
The good news is that by using a “back to basics” approach and intelligence technology, you can identify what needs attention to protect your company. That approach includes four core components—know your software inventory, find the risks, identify priority risks and apply a “smart” methodology to patches. These prudent steps create a solid barrier against the risks that continue to escalate.
Vulnerabilities in 2017 increased 14 percent to 19,954, up from 17,147 in 2016, according to the Vulnerability Review 2018 – Global Trends, the annual report from Secunia Research at Flexera. That’s the highest level to date and the impact is big. It’s expensive when a hacker exploits a vulnerability. According to PwC, the average financial loss attributed to cyber security incidents was $2.5 million in 2015. Even without a successful breach, events related to exploitation of known vulnerabilities run into the millions each year.
These risks underscore the need for companies to mitigate this impact, using processes that bring control and today’s technology to gain insight on where to take action.
The first step is deep knowledge of what software your company has in place. Without that basic information, it’s impossible to protect your systems. However, with the scope of software used in today’s organisations, tracking down that inventory can be difficult. Most companies implement Software Asset Management (SAM) processes and technology to automate the process of discovering and inventorying their software (and hardware) assets – wherever they reside. For the best results, this information should be shared across the organisation, including IT, security and risk teams. A single “version of the truth” gets everyone on the same page with risks and serves as the foundation for creating a tight action plan.
Once an accurate inventory is in place, a formal process to track vulnerabilities is the key to gaining control over risks. It starts with using available information. In 2017, patches were in place for 86 percent of the vulnerabilities on the day of disclosure. Despite this advance knowledge, many companies lack a proactive method for tracking those patches and matching them to vulnerabilities in the software they own. By applying Software Vulnerability Intelligence to the software inventory, the tracking of potential vulnerabilities can be automated and the IT team alerted about important patches. The relevant information comes to the technical team, avoiding a highly detailed manual tracking process that can miss information or slow action. Once this information surfaces, the next step is identifying what needs the most attention.
Hundreds of vulnerabilities are disclosed globally each week. In the first quarter of 2018 alone, Secunia Research issued over 1,500 advisories. Then there are the thousands of known vulnerabilities in thousands of applications that need to be tracked. The big question for security departments is: “What applies to us?”
With all the competition for internal resources, it’s hard to prioritise the time to sort through what’s important. That’s where expert intelligence can make a real difference. A trusted Software Vulnerability Management solution performs the work of finding the risk in the software inventory and determining how critical it is to an organisation.
These solutions verify reported vulnerabilities with additional data and communicate the results in a format security teams can use. The intelligence has been tested and vetted for relevance, so the information delivered pertains only to vulnerabilities in products that matter to the specific environment. For instance, vulnerability intelligence should detail what IT security teams need to know to mitigate the risk posed by the vulnerability and which actions or patches to perform.
Patching plays a key role in protecting the attack surface, but a careful approach is essential. Testing first in controlled environments remains highly effective, offering an advance understanding of potential impacts on system performance and stability. Patches can cause performance hits or compatibility issues, so IT teams will benefit from a cautious methodology. Since taking these steps is about mitigating problems, it’s important that a risk-based model is extended into the patch process.
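The four steps above (inventory, vulnerability tracking, prioritisation, risk-based patching), worked through in an added example that is not from the article or from any Flexera product: a constructed software inventory is joined against a constructed advisory feed, filtered to what actually applies, and ranked with an assumed risk score before the patch decision. Product names, advisory ids and the criticality scale are placeholders, not real identifiers.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str        # constructed placeholder, not a real advisory id
    product: str
    affected_below: tuple   # installed versions strictly below this are affected
    criticality: int        # assumed 1 (low) .. 5 (extremely critical) scale
    patch_available: bool   # vendor fix existed on the day of disclosure
    exploited: bool         # exploitation observed in the wild


def parse_version(version: str) -> tuple:
    """Turn a dotted version string into a comparable tuple, e.g. '16.0.4' -> (16, 0, 4)."""
    return tuple(int(part) for part in version.split("."))


# Step 1: constructed SAM inventory. product -> (installed version, business weight 1..3)
INVENTORY = {
    "ExampleBrowser": ("61.0.2", 3),
    "ExampleOffice": ("16.0.4", 2),
    "ExampleMediaPlayer": ("3.1.0", 1),
}

# Step 2 input: constructed advisory feed (what a vulnerability intelligence service would deliver)
ADVISORIES = [
    Advisory("ADV-0001", "ExampleBrowser", (62, 0, 0), 5, True, True),
    Advisory("ADV-0002", "ExampleOffice", (16, 0, 3), 4, True, False),     # installed build already fixed
    Advisory("ADV-0003", "ExampleMediaPlayer", (3, 2, 0), 2, False, False),
    Advisory("ADV-0004", "OtherProduct", (1, 0, 0), 5, True, True),        # not in the inventory at all
]


def applicable(inventory: dict, advisories: list) -> list:
    """Step 2: keep only advisories whose product and affected range match something installed."""
    return [adv for adv in advisories
            if adv.product in inventory
            and parse_version(inventory[adv.product][0]) < adv.affected_below]


def risk_score(adv: Advisory, inventory: dict) -> int:
    """Step 3: vendor criticality weighted by asset importance, plus a bonus for known exploitation."""
    asset_weight = inventory[adv.product][1]
    return adv.criticality * asset_weight + (10 if adv.exploited else 0)


def patch_plan(inventory: dict, advisories: list) -> list:
    """Step 4: rank what applies; patchable items go to test-then-deploy, the rest to interim mitigation."""
    ranked = sorted(applicable(inventory, advisories),
                    key=lambda adv: risk_score(adv, inventory), reverse=True)
    return [(adv.advisory_id, risk_score(adv, inventory),
             "test-then-patch" if adv.patch_available else "mitigate-await-patch")
            for adv in ranked]
```

Of the four constructed advisories only two survive the inventory match, and the exploited one on the highest-weight asset lands at the top of the plan.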
As challenges continue to grow, it’s clearly time for companies to consider a “back to basics” approach to manage software vulnerabilities. Through a more disciplined process and the use of intelligence, companies will uncover actionable information for a more precise response. That adds up to powerful protection for clients, company brands and reputations.