X-Force Red is unveiling a new research study, conducted by the Ponemon Institute, that highlights vulnerability management challenges for on-premises and cloud environments: in other words, hybrid multicloud. The report, “The State of Vulnerability Management in the Cloud and On-Premises,” is based on a global survey of 1,848 IT and IT security professionals in North America, Europe, the Middle East, Africa, the Asia-Pacific region and Latin America across a variety of industries.Download the full Ponemon report
We chose the vulnerability management topic for three reasons. First, the challenge of prioritizing and remediating high risk vulnerabilities continues to be top-of-mind for our clients. Second, while reports about vulnerability management exist, pairing insights on security vulnerabilities from the cloud with on-premises environments is unique. And third, we believed surveying practitioners during these unconventional times would lead to a set of responses we have not seen before — although it turns out, this was not the case.
Fixing False Positives Provides Clarity, Not Security
While too many false positives is not a new problem, the impact they can have in increasing the risk of a cybersecurity compromise is significant.
- The most dangerous security vulnerabilities continue to expose valuable assets as a result of chasing down false positives and vulnerabilities that pose minimal risks, 60% of respondents say.
- Over six months, an average of 28% of vulnerabilities remain unmitigated, and organizations have a backlog of 57,555 identified vulnerabilities.
- 53% of respondents say their organization experienced a data breach in the past two years, with 42% saying the breach occurred because a patch was available for a known vulnerability, but not applied.
Without a risk-based prioritization formula in place, vulnerability management teams may struggle to decipher which vulnerabilities are real and pose the highest risks of a compromise. Some practitioners continue to use manual spreadsheet methods to prioritize which, out of the thousands of vulnerabilities, matter most. Therefore, understanding which ones would enable an attacker to compromise an organization can be difficult.
The importance of automated, risk-based prioritization is not the report’s only takeaway. The reason why our X-Force Red team believes false positives are that mosquito in your ear that will not go away is due to how practitioners are incentivized. Removing false positives may clean up the vulnerability report, which makes practitioners ‘look good’ in front of their managers and auditors. However, it does not make your organization more secure. Based on our team’s experience working with vulnerability management teams around the world, in many cases, those teams are graded by how many issues are resolved. Weeding out false positives and minimal risk vulnerabilities is important. However, prioritizing the ones that attackers are exploiting and that affect high value assets is more impactful for reducing risk.
We like to say that removing false positives is like buying a vowel on “Wheel of Fortune.” It provides clarity for solving the puzzle, but it will not earn you money.
Call for Better Container and Application Security in the Cloud
It seems as though for some organizations, once applications are moved to the cloud, they lose track of them. The report states that the majority of organizations are uncertain about the security of applications in containers and those placed in the cloud.
- 34% of respondents say they’re using containers, while 57% say they do not know if the applications inside those containers were designed securely.
- 56% say they are uncertain whether the applications were tested to find and fix high risk vulnerabilities.
- More than half (53%) say their organization uses a scanning tool to assess the overall security of the environment on a quarterly basis, which is a positive step.
Scanning alone, however, is not enough. While scanning can find “known” security vulnerabilities that have already been made public, penetration testing can find the kinds of exposures that only a human attacker would find (i.e. logic flaws, how vulnerabilities can be chained together, etc.).
Based on the insights above, it appears some organizations are not conducting the same level of penetration testing against cloud applications as they are against their on-premises applications. The cloud footprint can expand rapidly, and it may have different governance structures and policies for security. Keeping up with the differences can be daunting, which may be why testing is not taking place. In addition, limited oversight for cloud environments and applications that have security flaws even before moving to the cloud can compound the problem. During cloud testing engagements, it is not uncommon for our team to find applications that slipped through the inventory.
Create a Virtuous Cycle of Risk Reduction
The first step organizations can take to overcome the challenges discussed in the report is to change how vulnerability management teams are incentivized. Whereas today many teams are incentivized based on how many issues they resolve over time, they should be incentivized based on remediation efforts that actually move the cybersecurity needle. Since false positives are the fastest to resolve, remediation teams will continue to mitigate those first, creating a vicious cycle of prioritizing false positives. If remediation teams are incentivized based on how much they improve security, they will most likely shift their priorities to mitigating the highest risk vulnerabilities first, creating a virtuous cycle of risk reduction.
To overcome the security uncertainty of applications and other assets in the cloud and on-premises, organizations need a combination of programmatic penetration testing and an ongoing vulnerability management program. Penetration testing is a deep-dive, hands-on engagement that uncovers vulnerabilities only human attackers can find. Vulnerability management is the ongoing scanning of the environment, followed by automated prioritization and a repeatable, scalable remediation process to uncover and patch known vulnerabilities.
Combined, these steps can help practitioners confidently guess the consonants, buy some vowels, solve the puzzle and earn the money.
We presented a deeper dive discussion about the report during our team’s global virtual conference, Red Con 2020. The conference featured a new zero-day research that could potentially impact millions of internet-connected devices, new attack tools built by X-Force Red’s hackers, a dissection of well-known and not-so-well-known attacks and more.