The following is a guest post by Qualys, a 2016 Secure360 Wisconsin Gold Sponsor.
If you are an information security professional, you’ve probably experienced vulnerability disclosure overload. This ailment strikes when infosec pros grapple with the constant release of vulnerability announcements, amounting to thousands per year.
The truth is that no IT department has enough staff and resources to promptly patch every single vulnerability within its environment. As a result, infosec teams must be highly selective when drafting their vulnerability remediation plans. They must strategically address the threats that represent the highest risk to their organization at any given point.
Attempting to eradicate 100 percent of vulnerabilities sequentially, by treating them all as equally important, is impractical and dangerous.
A comprehensive, continuously updated view of all your IT assets
When attempting to prioritize vulnerability remediation, it’s what you don’t know that hurts you. At the most basic level, this means being aware of all the hardware and software in your organization, from high-end systems to mobile apps. There can be no “phantom” servers, PCs, smartphones, tablets, printers, applications, middleware and the like lurking in your network without your knowledge. You must have a complete, unobstructed view of your IT environment at all times, and be instantly aware of its changes.
In addition to having a complete list of your IT assets, you need granular, detailed access to the components of each one. You must understand how extensively each asset is interconnected with and dependent on other systems. Finally, it’s critical to know the role each asset plays in your overall IT environment and how valuable and important it is to your organization. Absent this underlying information structure, your attempts to assess vulnerability risks will be ill-informed and ultimately erratic and ineffective.
Knowledge of the constant stream of infosec vulnerability disclosures
Just like you must have a clear and deep knowledge of your organization’s IT assets, you also need to plug into the firehose of external vulnerability disclosures, so you’re aware of the latest threats out in the wild. This disclosure information flows uninterrupted from multiple sources, including industry groups, government agencies, academic researchers, technology analysts and security vendors.
For example, you must be aware of “zero day” vulnerabilities being actively exploited, publicly available exploit code, actively attacked vulnerabilities, “lateral movement” vulnerabilities that let hackers use a compromised system to attack other machines on the same network, vulnerabilities with high data loss potential, Distributed Denial of Service (DDoS) attacks and malware outbreaks.
You need to mesh both sets of internal and external data — your IT asset information and disclosed vulnerabilities — and correlate them. And you need to be doing this continuously, so you’re alerted whenever there is a match. You also must be able to proactively conduct specific searches, combining multiple variables, to find assets that may be potentially at risk. This will give you a dynamic snapshot of all the vulnerabilities that exist in your IT environment at any given moment.
Dashboards, control panels, graphing and reporting tools to visualize your threat landscape
Once you have correlated your internal and external threat data and identified impacted IT assets, you must be able to drill down on the data, mine it for patterns, slice and dice it, aggregate it in custom reports and represent it graphically.
This analysis of the data will allow you to extract insights and gain an awareness of your security posture that you otherwise wouldn’t have access to.
Precise assessments of threat scenarios in your organization’s specific context
Finally, you’re now ready to factor in various criteria for assessing how critical certain threat scenarios are in your organization’s specific context using actionable intelligence.
Let’s say there’s vulnerable database software that is being savagely exploited in the wild, causing chaos in many companies. And you happen to have one instance of it. However, in your environment this database is only present in a system of marginal importance that is isolated from the rest of your infrastructure. You determine that if that asset were compromised, the risk to your organization would be trivial.
Likewise, you may encounter the opposite scenario, in which a vulnerability that isn’t attracting much attention in the industry may be a critical one for your organization.
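To make the correlation and prioritization described above concrete, here is an added example (not Qualys code and not how ThreatPROTECT is implemented) that joins a constructed asset inventory against a constructed advisory feed, then ranks each affected asset by a risk score that combines the advisory's base severity, threat-intelligence indicators (exploited in the wild, public exploit code, lateral movement, and so on) and the asset's business criticality and network exposure. The Asset and Advisory classes, the indicator weights, the scoring formula, the sample assets and the EXAMPLE-2016-00x advisory identifiers are all assumptions made for illustration. The sample data reproduces the two scenarios in the text: a loudly exploited database flaw on an isolated, marginal system scores low, while a quiet flaw on a well-connected, important system scores higher.

```python
"""Correlate an asset inventory with a vulnerability feed and rank remediation.

Added example for illustration; not Qualys or ThreatPROTECT code.
Every asset, advisory, weight and identifier below is constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    software: dict        # product -> installed version (from the inventory)
    criticality: int      # 1 (marginal) .. 5 (crown jewel), set by the business
    exposure: float       # 0.0 fully isolated .. 1.0 internet-facing / widely connected


@dataclass
class Advisory:
    cve: str              # placeholder identifier, not a real CVE
    product: str
    fixed_version: str    # first version that is no longer affected
    base_severity: float  # 0..10, NVD-style base score from the disclosure
    indicators: set = field(default_factory=set)  # threat-intelligence flags


# Assumed weights: how much each threat-intel indicator amplifies urgency.
INDICATOR_WEIGHT = {
    "zero_day": 2.0,
    "exploit_public": 1.5,
    "actively_attacked": 1.5,
    "lateral_movement": 1.0,
    "high_data_loss": 1.0,
    "malware": 1.0,
}


def version_tuple(v):
    """Turn '9.4.1' into (9, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def is_affected(asset, adv):
    """An asset is affected if it runs the product at a version below the fix."""
    installed = asset.software.get(adv.product)
    if installed is None:
        return False
    return version_tuple(installed) < version_tuple(adv.fixed_version)


def risk_score(asset, adv):
    """Combine disclosure severity, threat intel and the asset's own context."""
    threat = 1.0 + sum(INDICATOR_WEIGHT.get(i, 0.0) for i in adv.indicators)
    # Lateral movement is irrelevant on a system isolated from everything else.
    if "lateral_movement" in adv.indicators and asset.exposure == 0.0:
        threat -= INDICATOR_WEIGHT["lateral_movement"]
    # Context: how important the asset is, scaled by how reachable it is.
    context = asset.criticality * (0.2 + 0.8 * asset.exposure)
    return round(adv.base_severity * threat * context, 1)


def prioritize(assets, advisories):
    """Return (score, asset, advisory) for every match, highest risk first."""
    findings = [
        (risk_score(a, adv), a.name, adv.cve)
        for a in assets for adv in advisories if is_affected(a, adv)
    ]
    findings.sort(reverse=True)
    return findings


def assets_exposed_to(assets, advisories, indicator, min_criticality=1):
    """Targeted search combining a threat indicator with an asset attribute."""
    return sorted({
        a.name for a in assets for adv in advisories
        if indicator in adv.indicators and is_affected(a, adv)
        and a.criticality >= min_criticality
    })


# Constructed inventory: the same vulnerable database on two very different hosts.
ASSETS = [
    Asset("crm-db", {"postgres": "9.4.1"}, criticality=5, exposure=0.8),
    Asset("lab-db", {"postgres": "9.4.1"}, criticality=1, exposure=0.0),
    Asset("intranet-wiki", {"wikiengine": "1.2.0"}, criticality=4, exposure=0.6),
]

# Constructed feed: one loud advisory, one quiet one, one that no longer applies.
ADVISORIES = [
    Advisory("EXAMPLE-2016-001", "postgres", "9.4.2", 9.8,
             {"exploit_public", "actively_attacked", "lateral_movement"}),
    Advisory("EXAMPLE-2016-002", "wikiengine", "1.2.1", 5.0),
    Advisory("EXAMPLE-2016-003", "wikiengine", "1.1.0", 7.5, {"exploit_public"}),
]


def demo():
    return prioritize(ASSETS, ADVISORIES)


if __name__ == "__main__":
    for score, asset, cve in demo():
        print(f"{score:>7}  {asset:<14} {cve}")
```

Running the script ranks crm-db (critical, well connected, loud advisory) first, the intranet wiki (quiet advisory, important asset) second, and the isolated lab database last despite running the same exploited software, which is exactly the contextual judgement the text argues for. The assets_exposed_to helper shows the kind of multi-variable search mentioned earlier: which assets of at least a given criticality are affected by something with public exploit code.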
Qualys ThreatPROTECT lets you take full control of evolving threats so you know which vulnerabilities to remediate first. Qualys ThreatPROTECT correlates active threat intelligence information with your vulnerability data, allowing you to pinpoint the IT assets that are at greatest risk within your organization. With ThreatPROTECT, you get a holistic, contextual and continually updated “at a glance” view of your threat exposure.
The latest addition to the Qualys Cloud Platform, ThreatPROTECT features a highly customizable dashboard with a variety of report templates and graph-creation capabilities. It also has a powerful search engine, and a live threat intelligence feed. ThreatPROTECT fine-tunes your IT department’s vision and guides it with actionable intelligence through the process of closing security holes in a precise, strategic manner.