Is Vulnerability Management Now Out of Our Control?

I can think of three events that have happened over the last few years that were harbingers of what’s to come.

The first—and most recent—was the FBI’s stern call to the public: Reboot your routers, as hundreds of thousands had been infected by a Russian malware botnet. And actually, that number is bigger than we thought.

The second was in 2016, when a teenage boy (who lacked sophisticated training) stole and leaked the identifying information of thousands of FBI and DHS employees on the dark web.

And lest we forget Spectre and Meltdown, the chip flaws that had the biggest names in technology scrambling for a solution. And what was it? To patch a patch.

Why these three events? Because they are canaries in the coal mine of vulnerability management. Enterprise and consumer security are falling further and further behind, while the scope and scale of the problem is expanding rapidly. “In the beginning” of modern security, we only had to worry about the operating system and application-level vulnerabilities. We focused on enterprise IT and are finding now that the breadth of vulnerabilities goes way beyond IT—it has been unleashed into the Wild West that is IoT and firmware or chip design flaws. Basically, vulnerabilities exist at all layers of technology, from the lowest-level hardware to the highest-level software.

Every single industry relies on IoT, from manufacturing industrial control systems to the biggest banks and their ATMs. Companies are seeing an explosion in the attack surface of vulnerabilities—which they could have addressed earlier. As I work with clients who want to stay ahead of evolving threats, I see worse vulnerabilities coming out in firmware and chip architectures; all the various computing layers are bringing more vulnerabilities to exploit. Even the vulnerabilities in IoT, firmware and hardware are now much more difficult to find, and potentially invisible to the non-security professional.

What Now?

My resounding answer to, “What now?” is that enterprises must risk production downtime to apply a potentially invasive patch faster and more completely than ever before. It’s worth it. This is the perennial challenge between security and production availability, and security needs to win out.

The paradigm of vulnerability management has always been to use a closed-loop process; from the moment a vulnerability is identified, it enters a process—a time-tested method—that will guarantee eventual remediation. If you want to have any chance of patching a vulnerability, get smart on where your assets are and what condition they are in. As the number of assets increase, the types of vulnerabilities are also growing.

There needs to be firm commitment from company leadership, or the headline-making breaches will continue to happen. Leadership should double down on their economic arguments for effective security and show motivation to tackle this problem, in earnest. Inability to do so has gotten us where we are now: Businesses simply do not want to face what they need to spend on a solution.

There have been a number of attempts to find better ways to do vulnerability management, including kernel level firewalls and application patches in line (patching it at a gateway rather than on the application). But these are failing businesses that want to avoid an age-old tension between a revenue-generating technology and security as a cost center, as the former always wins. But what they don’t—or won’t—see is the much higher price they will pay when that chicken comes home to roost.

The financial industry is, in my experience, the most aware of that chicken, particularly with credit card processing. But that’s only because their IT is so directly related to a business-impacting event that would be very public. The amount of money the financial industry transacts isn’t the determining factor in beefing up their vulnerability management program; pharmaceutical IT, all the way back to the labs, risk being compromised. But to them, a breach is not as visibly impacting to the businesses (it’s genomes, not credit card numbers). While any business takes damage, it doesn’t all make it into The New York Times.

This battle is part of a larger war in which convenience trumps security, and that falls just as heavily on consumers. Autosaving credit card information, for example, is a convenience many enjoy, it makes it more difficult for people like us to do our jobs. Eighty-seven percent of those aged 18-30 reuse passwords across apps, websites and other IoT systems. The rate doesn’t go down that much after 31. Interestingly, in Europe, customers are liable for a portion of credit card losses and must share the burden with their credit card company when theft occurs. That amplifies consumers’ motivation to protect their data.

“Good hygiene” on both sides of the economy should never be taken for granted, and no, not even the most advanced AI will get us to where we need to be—though it will certainly soften the blow. AI today is important for security teams in their detection and response processes as they must assume breach every day. Even as more advanced security technology comes our way, one thing will remain constant: We can’t patch our way out of this one.

Chris Calvert

Avatar photo

Chris Calvert

Chris Calvert is co-founder of Respond Software, where he leads product design. Chris has over 30 years of experience in defensive information security and intelligence in both government and the commercial industry. He has designed, built and managed global security operations centers and incident response teams for six of the global Fortune 50.

chris-calvert has 4 posts and counting.See all posts by chris-calvert