Enterprises across the globe are aggressively embracing the latest technologies and newer ways of delivering services to stay relevant in today’s global market. However, the growing interest in technology adoption introduces additional vulnerability and risk exposure.

For starters, today’s threat landscape is incredibly dynamic, with thousands of new vulnerabilities reported annually amid growing complexity in organizational environments. The attack surface has also increased multifold, with business services delivered over the web, mobile and application programming interface (API) gateways.

Moreover, a lack of security controls across the software development lifecycle (SDLC) and extensive use of third-party/open source components add hundreds of vulnerabilities to applications unknowingly. Lastly, infrastructure-as-code and containerization add even more dynamics to the IT environment. As a result, known and unknown vulnerabilities can be easily exploited by hackers.

The U.S. National Vulnerability Database (NVD) published roughly 17,000 vulnerabilities in 2019, a figure that has grown steadily over the last few years, highlighting the increasing volume and velocity of vulnerabilities. With 17% of all vulnerabilities rated “critical” under the Common Vulnerability Scoring System (CVSS v3), that translates to roughly 2,600 vulnerabilities that organizations may need to treat as a top priority. With limited bandwidth for remediation, enterprises need further intelligence to prioritize threats.

Seeing Through Blind Spots

While enterprises are able to detect vulnerabilities through automated scans, they typically neglect the need to manage the vulnerability lifecycle. In fact, many vulnerabilities are not well understood, and delayed patching often magnifies the impact. For example, the Windows vulnerability exploited by the devastating WannaCry ransomware attack of May 2017 had been patched by Microsoft before WannaCry was even unleashed. Unfortunately, many organizations failed to apply the patch in time.

Vulnerability management (VM) is a core process for IT security frameworks; in some industries, it’s mandatory to comply with standards such as PCI DSS. Many organizations also have set practices and ongoing programs to manage vulnerabilities. Nevertheless, they struggle to manage them effectively. Among the key challenges:

  • Creating a system to effectively prioritize vulnerabilities.
  • Disconnected IT security and services/operations teams and systems, which widen the gap between finding and fixing vulnerabilities.
  • No single view for different types of vulnerabilities across all assets and services.
  • Increased capital expenditure and a lack of skilled talent.
  • No single tool to detect different types of vulnerabilities across infra, apps, containers, etc.

Upping the Vulnerability Management Game

To address some of these challenges and make noticeable improvement to the effectiveness of vulnerability management, we suggest:

  • Risk-based prioritization, typically expressed as a function of CVSS/severity, asset value and threat. Enterprises need a custom risk calculator to determine the effective severity of each vulnerability in their own environment.
  • Security orchestration, automation and response (SOAR) platforms to help systems exchange data and execute responses more quickly. SOAR systems can effectively bring together various vulnerability reporting sources in ways that invoke remediation workflows on IT service management/operations management (ITS/OM). This not only reduces the gap between finding and fixing but also creates a single-pane-of-glass view for the chief information security officer of all open vulnerabilities and their remediation status, SLA breaches, etc. As a result, SOAR is a key component of today’s vulnerability management platform.
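A worked illustration of such a risk calculator, added here as an example and not part of the article: the weights, SLA tiers and sample findings are all assumed, and the point it shows is that a risk-ranked queue differs from the CVSS-only ordering a scanner report gives you.

```python
from dataclasses import dataclass

# Assumed weights (not from the article): asset value scales the CVSS base
# score, and each threat signal adds to a multiplier that starts at 1.0.
ASSET_WEIGHT = {"low": 0.5, "medium": 1.0, "high": 1.5, "critical": 2.0}
THREAT_WEIGHTS = {"exploit_public": 0.5, "actively_exploited": 1.0, "internet_facing": 0.5}


@dataclass(frozen=True)
class Finding:
    vuln_id: str            # scanner or CVE identifier (constructed placeholders below)
    asset: str              # hostname or service name
    cvss: float             # CVSS v3 base score, 0.0-10.0
    asset_value: str        # key into ASSET_WEIGHT
    exploit_public: bool = False
    actively_exploited: bool = False
    internet_facing: bool = False


def threat_multiplier(f: Finding) -> float:
    return 1.0 + sum(w for k, w in THREAT_WEIGHTS.items() if getattr(f, k))


def risk_score(f: Finding) -> float:
    """CVSS x asset value x threat; the maximum is 10 * 2.0 * 3.0 = 60."""
    return round(f.cvss * ASSET_WEIGHT[f.asset_value] * threat_multiplier(f), 2)


def sla_tier(score: float) -> str:
    """Assumed remediation tiers; real thresholds come from the risk policy."""
    if score >= 30:
        return "P1 (7 days)"
    if score >= 10:
        return "P2 (30 days)"
    return "P3 (90 days)"


def prioritize(findings):
    """Return (finding, score, tier) tuples, highest risk first."""
    scored = [(f, risk_score(f), sla_tier(risk_score(f))) for f in findings]
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed sample findings: the highest CVSS sits on a low-value internal host.
SAMPLE = [
    Finding("VULN-A", "dev-wiki-01", 9.8, "low"),
    Finding("VULN-B", "payments-api", 7.5, "critical", True, True, True),
    Finding("VULN-C", "web-frontend", 5.3, "high", exploit_public=True, internet_facing=True),
    Finding("VULN-D", "hr-db", 9.1, "medium", exploit_public=True),
]

if __name__ == "__main__":
    for f, score, tier in prioritize(SAMPLE):
        print(f"{f.vuln_id:8} CVSS {f.cvss:4} risk {score:6} {tier}")
```

On the sample data the CVSS 9.8 finding drops to the bottom of the queue while the actively exploited CVSS 7.5 on the critical, internet-facing asset lands in P1.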

A VM program can be costly in terms of capital and operational expenditures. Further, while the vulnerability scanner market is changing quickly, many tools offer inflexible licensing and deployment models and operate via a closed architecture. This limits extensibility and the ability to cross-reference vulnerability data across the security systems landscape.

Therefore, organizations should explore partners (such as those in the managed services space) to get SLA-based pay-per-use services. Practitioner experience can be leveraged to effectively manage risk exposure.

In today’s world of IT-enabled businesses, enterprises are aware of the importance of security; however, they need a practitioner’s view to stay ahead of and protect themselves from ever-emerging threats.

Kuldeep Wagh

Kuldeep Wagh is an Associate Director within Cognizant’s Security Practice. In this role, he helps customers set up/improve vulnerability management and DevSecOps...