Vulnerability Management Is Still a Mess
We’re a third of the way through 2021. I’ll pause and let that hit you and sink in before I continue…
Now that you’ve had a minute to think about the statement I made above, I’d like to draw your attention to a LinkedIn post I made a while back, essentially asking people to write down the first three words that come to mind when I say the words “vulnerability management”. The results were, sadly, predictable.
Call me a pessimist, or a realist, but at this point in my career, it’s difficult to surprise me. This survey didn’t surprise me. But it did reinforce in my mind that as much as technology has grown in the last decade, we haven’t moved the collective bar in proportion.
What do I mean? Let’s start with what happens when you do a simple Google search for “Vulnerability Management”. The first page of results is completely dominated by technology companies. Tools. If you are looking for help, and you do a Google search, you could be led to believe the solution is just to buy more tools.
- Network vulnerability scanners
- Host vulnerability scanners
- Vulnerability management tools
- Application security scanners
What’s missing? Right. Process! Program. Lifecycle.
Hello? Is anyone paying attention out there?
Friends, I promise you, if you’re using the world’s most effective host and/or network vulnerability scanner and you’re dumping the results to a spreadsheet — you’re on the express train to Failsville.
Identifying vulnerabilities is just the first, and frankly the easiest, step. Then validation, triage, prioritization, assignment, follow-up. All of those parts and many more are what makes a program work.
Look at the word-cloud below. The bigger words are the most repeated in the 100+ replies I received. Where do we have the biggest problem? Look at the words most often used:
What I see here is that while technology continues to advance and we have better ways to detect and identify missing patches, misconfigurations, and implementation errors — we continue to fail at the most basic things.
- Vulnerability debt — Not unlike technical debt, I see companies amassing vulnerabilities that live longer than Yoda. The biggest issue, which I’ll address in a further post, is that we’re creating impossible situations for ourselves down the road.
- Lack of lifecycle — In a previous role, many years ago, we would scan and dump vulnerabilities to a spreadsheet. Don’t laugh, many of you do it today — this was in early 2000. Then we would present it to a technical owner of a system, who would tell us all the reasons the patch could not be applied today, next week, or sometimes ever. We’d note it in the spreadsheet, and never, ever return to this issue. So much to be said here about improper risk management, but it boils down to lifecycle. You can’t just mark it down as “accepted” and move on never to revisit. I sense another further post on this.
- Accountability — One of the best lessons I ever received on the topic of accountability was from a lawyer. Chief Inside Counsel, as I recall. He told me that if I was allowing a manager-level person, a technical owner, to ‘accept the risk’ on behalf of the company I was the problem. That person had neither the authority nor the accountability to accept risk, and I was going along with it. This made both of us on the firing line if something happened… luckily I dodged that bullet but wow. Right, another post on this topic coming too.
- Asset management — This may cause you to slap your forehead, so I’m warning you ahead of time. If you are vulnerability scanning only the assets you know about and calling it good, you’re going to have a bad time. The unknown unknowns will be your undoing. Your program should give as much focus to the things you don’t know exist, as the things you do. OK, so another post on this too.
Let me summarize.
Vulnerability Management in the enterprise is in serious disarray, right now. While tools have matured, and many of us have bought lots of them, they aren’t solving the problems we face on their own. Shocking, I know. Tools must be paired with operational excellence, a well-thought-out program, and a lifecycle process.
If you aren’t minding the program, and the lifecycle, we’re just going to be back here again in 10 more years, and it’ll be just as ugly a conversation.
I’m going to write more on this topic (right here), but I’m also publishing more on this topic over on my Lightstream corporate blog. I invite you to give “The Maturity of Vulnerability Maturity Matters” a read. Comments always welcome.