Think you’re keeping up? You track risks and priorities and remediate the most urgent vulnerabilities, so your security feels taken care of. Think again. Hackers are onto you, and they remember the vulnerabilities the rest of us have forgotten.
“Low-priority vulnerabilities” have become low-hanging fruit for hackers, meaning, ironically, that risk prioritization may actually be putting you at greater risk. You relax, thinking you’re protected; then hackers move in and exploit a vulnerability that may be years or even a decade old.
Look at KashmirBlack, a wickedly powerful botnet hijacking sites hosted on popular CMSes like WordPress, Joomla, PrestaShop, Magento, Drupal, vBulletin, osCommerce, OpenCart, and Yeager. If you don’t have a site on one of these CMSes, chances are you’re doing business with one or more organizations that do. This botnet exploits a number of old vulnerabilities, including one patched a decade ago: the PHPUnit remote code execution (RCE) vulnerability (CVE-2017-9841).
Prioritizing vulnerabilities simply isn’t working anymore. According to Fortinet’s “H1 2020 Global Threat Landscape Report,” 74% of organizations in the manufacturing, energy and utilities, healthcare, and transportation industries have had a malware intrusion over just the past year. In that same period, another Fortinet report claims that 65% of these companies were the victim of three or more attacks.
Old vulnerabilities mean big money for hackers, and the only cure lies in total remediation.
A Typical Security Scenario
If you’re like most organizations, you create your security scenario starting with asset inventory and data classification based on the level of sensitivity.
Next comes risk prioritization. There’s no standard way of doing this, and most organizations calculate risk somewhat differently, based on factors like vulnerability severity, application type, business criticality, vulnerability disclosure date, location of an endpoint within the network, and ease of remediation.
Based on your risk prioritization, you can then roll out patches, first remediating top-priority vulnerabilities for your most valuable assets.
And then what? Too often, the remaining vulnerabilities stay unresolved: for days, weeks, months, or even years.
This approach is all about statistics, centered on the core assumption that no organization can address all vulnerabilities. While different companies use different algorithms, the approach tends to address “popular” new threats while ignoring old and known threats.
Given that more than 60% of breaches originate from known vulnerabilities that were never remediated, this approach is far from ideal.
What About SOAR?
Much has been said about SOAR, and this modern security approach does indeed help close many gaps by outlining a systematic approach.
But SOAR’s emphasis on the response phase means you will only be putting out fires, not preventing them. And because SOAR is risk-based, it doesn’t always address every vulnerability.
In a world where hackers don’t care about statistics, and where the payoffs for exploiting old vulnerabilities are huge and growing, asset classification and risk prioritization don’t go far enough in determining what gets patched.
In fact, focusing too much on risk may actually be lowering rates of vulnerability remediation. According to one WhiteHat Security study, remediation rates are down from 57% in 2017 to 46% in 2019. The fatalistic approach that total remediation is impossible may be stopping some companies from even trying.
Modern Vulnerability Remediation
Security vendors are constantly coming up with newer and smarter ways of assessing risk, tapping into machine learning and AI, but hackers are always going to be one step ahead.
In a recent Wall Street Journal article on cybersecurity, the authors pointed out that cyber risk assessment is inherently a flawed, imperfect, and still-evolving science, and that today’s cybersecurity doesn’t stack up well compared to other types of modern safety standards:
“…if you buy a car, you can compare which models have the best crash-safety ratings. And if the car crashes because of a manufacturer error, government agencies, dealerships and even lawyers can help make things right.”
None of that exists for cyber safety. That’s why you can’t afford to put all of your eggs in the risk assessment basket.
Your modern vulnerability remediation program can’t stop at risk profiling and prioritization. Total remediation is critical for your risk program to be effective. And this demands tools that support modern infrastructure via automation and intelligent prediction, allowing you to build your security around more holistic risk planning and mitigation.
As we’ve seen, prioritization and risk analysis can only take you so far. Any intelligence you’re using, hackers are using too, and hackers are incentivized to go farther and push harder to find open, low-priority vulnerabilities. It only takes one big ransom payoff to make their research pay off.
A safer approach to a modern security environment demands that you bring down total time to remediate (TTR). This is the only strategy that gets you as close as possible to remediating all vulnerabilities, and it is also what brings you to the compliance level your environment requires.
The JetPatch platform manages security detection, orchestration, and remediation in a single tool that does more than just prioritize risks. JetPatch lets you efficiently and easily control your risk profile and compliance level while patching more of the vulnerabilities that put you at risk, even older and lower-priority ones.
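As an added illustration of the gap described above (not JetPatch’s code or data), the following Python script runs over a constructed vulnerability inventory, computes time to remediate per priority bucket, and surfaces open findings older than a fixed age regardless of priority, the backstop that pure risk ranking lacks. The inventory, dates, and the VULN-* identifiers are made up; only CVE-2017-9841 comes from the article.

```python
from datetime import date
from statistics import mean

# Constructed sample inventory (not real scan data). Dates are invented;
# CVE-2017-9841 is the PHPUnit RCE the article cites, the rest are placeholders.
INVENTORY = [
    {"id": "CVE-2017-9841", "priority": "low", "found": date(2019, 3, 1), "fixed": None},
    {"id": "VULN-A", "priority": "critical", "found": date(2021, 1, 5), "fixed": date(2021, 1, 9)},
    {"id": "VULN-B", "priority": "high", "found": date(2021, 1, 10), "fixed": date(2021, 2, 1)},
    {"id": "VULN-C", "priority": "low", "found": date(2020, 6, 15), "fixed": None},
    {"id": "VULN-D", "priority": "medium", "found": date(2021, 2, 1), "fixed": None},
]

# Fixed "today" so the report is reproducible (assumed reporting date).
TODAY = date(2021, 3, 1)


def age_days(vuln, today):
    """Days the finding has been open: TTR if fixed, otherwise still counting."""
    end = vuln["fixed"] or today
    return (end - vuln["found"]).days


def mean_ttr_by_priority(inventory, today):
    """Mean time to remediate per priority bucket; open findings count at their current age."""
    buckets = {}
    for v in inventory:
        buckets.setdefault(v["priority"], []).append(age_days(v, today))
    return {p: mean(ages) for p, ages in buckets.items()}


def overdue(inventory, today, max_age_days):
    """Open findings older than max_age_days, ignoring priority entirely.

    This is the age backstop that risk ranking alone never applies: a 'low'
    finding that has sat for years is surfaced next to the critical ones.
    """
    stale = [v for v in inventory if v["fixed"] is None and age_days(v, today) > max_age_days]
    return sorted(stale, key=lambda v: age_days(v, today), reverse=True)


if __name__ == "__main__":
    print(mean_ttr_by_priority(INVENTORY, TODAY))
    for v in overdue(INVENTORY, TODAY, 90):
        print(v["id"], v["priority"], age_days(v, TODAY), "days open")
```

The low-priority bucket ends up with the worst mean TTR, and the 90-day backstop lists both long-open low-priority findings ahead of anything the severity score would have scheduled.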
Calculating risk plays an important role in your organization’s security strategy. But with hackers using AI and continuously developing better tools to infiltrate your environment, it can’t end there. Focusing only on your top vulnerabilities, however you assess risk, will never be enough.
When it comes to vulnerabilities, old and new, high and low priority, JetPatch has you covered.