SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Story image
Five reasons you need vulnerability management for business-critical applications
Wed, 22nd Sep 2021
FYI, this story is more than a year old

Every organisation relies on a bedrock of core applications that keeps every department operational. From finance applications to human resource management, these applications must be protected from attacks, regardless of whether they exist in the cloud, on-premise, or both.

Many organisations look to a ‘defence in depth' security model that applies technology layers on top of critical systems. However, security firm Onapsis says that there is one key area that IT teams often overlook: the last layer of security for the application itself.

Attacks on business-critical applications can exploit administrator privileges. These privileges can be used to bypass application controls and compromise data and processes. Additionally, these attacks can have ripple effects across all areas of the business.

According to Onapsis, there are five reasons organisations need vulnerability management capabilities designed to protect their business-critical systems.

1. Market conditions during the last year have accelerated the pace of DX

Business-critical applications hold data related to processes, finances, staff, customers, patents, and other critical information.

The shift to a distributed cloud means that the old ways of installing all applications on-premise and building security around them doesn't work anymore.

The pandemic has encouraged organisations to prioritise digital readiness. Still, it is at the expense of security in some cases, particularly as these organisations turn to cloud-based and often public-facing systems.

“This has greatly increased the risk of exploitation. Organisations trying to keep up with the fast pace of acceleration may also be overlooking risks that potentially leave them susceptible to exploits, including the due diligence of security best practices,” notes Onapsis.

2. The shift to cloud leaves business-critical applications vulnerable

 A Forrester Consulting Thought Leadership paper, commissioned by IBM, found that 85% of those surveyed include on-premise as a critical part of their hybrid cloud strategy because the cloud cannot service all workloads or performance environments. However, the paper also noted that these respondents were also delaying on-premise system upgrades, of which half admitted security vulnerabilities as a result.

With the urgency for digital readiness explained above, security risks are overlooked as businesses focus on speed instead of security.

 An exploited vulnerability in one of these on-premises systems could lead to a compromise for that unpatched critical system with far-reaching consequences,” Onapsis notes.

3. Business-critical applications are increasingly at risk from bad actors

Vulnerability management processes are complex because there is often very little time to act before a vulnerability becomes exploitable. According to Onapsis research, it can take as few as 24 hours for a vulnerability to be disclosed and attackers to take action. It can take just 72 hours for the same attackers to create an exploit.

“Many organisations do not have security best practices, tools, or staffing levels in place to address vulnerabilities within this accelerated time frame. Bad actors are not only exploiting vulnerabilities in business-critical systems, they are doing so at a faster pace than ever before,” states Onapsis.

4. Existing defence-in-depth strategy deployments insufficiently protect the business-critical application layer

While a defence-in-depth strategy is useful, vulnerabilities can often still lurk within any layer of defence. Certain types of malware and misconfigurations can enable attackers to breach security layers and move laterally to infiltrate business-critical applications.

It is difficult for organisations to identify vulnerabilities, and traditional vulnerability management solutions are limited because they only scan for known vulnerabilities.

“It is still challenging to implement effective vulnerability management processes even for organisations that are well aware of these risks. This is due to the decreased amount of time between a vulnerability being identified and disclosed and a bad actor taking advantage of the vulnerability.

5. Even the best teams are challenged to do more with less

While there is increased investment in application security, according to Gartner, even well-staffed organisations face time and workload constraints.

Patching is time-consuming, and there may be long backlogs before all patches are deployed. Meanwhile, attackers are actively seeking vulnerabilities and exploits.

“The accelerated pace of digital transformation and the rapid migration from on-premises to hybrid and cloud infrastructure has dramatically increased the risk to these systems. Yet despite the increased risk, these applications are often out-of-scope for traditional vulnerability management tools and security teams.

“They are typically managed by information technology professionals who are focused on development and uptime as opposed to security. This further compounds the complexity associated with protecting these applications from vulnerabilities."

There is a better way to protect your business-critical applications with actionable insights, secure change, automated governance, and continuous monitoring.

To learn more, check out the 5 Reasons Why You Need Vulnerability Management for Business-Critical Applications white paper from Onapsis.

Download it now.