P. 45
Vulnerability Lifecycle Management (VLM) can be a polarizing subject. Many people do not
endorse the term, or do not think of VLM as a critical part of their security operations, at
least until they consider what VLM really is: the active management and mitigation of known
vulnerabilities in your environment. Then most people would consider VLM one of the most
basic processes of an IT security team, and the reality is that it should be. When you detect a
vulnerability in your environment, you close the vulnerability or find a way to mitigate the effect it
could have on your environment. The function and process you use to manage, track and report
on the status of those vulnerabilities is your VLM.

The most obvious question is “Does a VLM system work?” When we compared clients with a
VLM system to clients without one, we found on average four times the number of
exploitable vulnerabilities in organizations without a mature VLM program. In the same vein,
security programs with proactive VLM systems realized a 20 percent faster remediation time
across the board. Since it can have such a profound impact on the organizational
environment, the ability to effectively manage vulnerabilities that you know exist in your
environment should be a basic security control. Yet when we see organizations with no formal
VLM, it is clear that the basics are not being done well by all organizations.

We look at vulnerability management in terms of a comprehensive lifecycle: something that is
basic, repeatable and ongoing, and an integral part of an organization’s success in meeting
immediate security challenges. A well-designed VLM program will also go a long way towards
addressing an organization’s future information security needs. Some vendors offer regular,
monthly patches for their systems and software. That’s fantastic for organizations with
automated tools to digest and apply patches. But what can organizations with limited
staff and budget do to better defend against and remediate continuing threats that seem to
appear daily?
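The tracking and reporting function described above reduces to a few metrics over the findings a program records: how fast detected vulnerabilities are closed, how many remain open, and how old the known vulnerabilities are. The following is an added example, not code from this report; it assumes each finding carries a disclosure date, a first-detection date and a remediation date, and the finding ids and dates are constructed placeholders.

```python
from datetime import date
from statistics import median

YEAR_DAYS = 365.25   # average year length used for age calculations
STALE_YEARS = 3      # age beyond which a known vulnerability has "fallen off the list"
AS_OF = date(2014, 1, 1)  # reporting date for the constructed sample

# Constructed sample findings (placeholder ids, not real CVEs).
# disclosed: public disclosure date; detected: first seen by our scanner;
# remediated: patched or mitigated, None while still open.
FINDINGS = [
    {"id": "VULN-0001", "disclosed": date(2013, 1, 15),  "detected": date(2013, 2, 1),  "remediated": date(2013, 2, 20)},
    {"id": "VULN-0002", "disclosed": date(2010, 6, 10),  "detected": date(2013, 3, 5),  "remediated": date(2013, 6, 1)},
    {"id": "VULN-0003", "disclosed": date(2008, 4, 1),   "detected": date(2013, 4, 10), "remediated": None},
    {"id": "VULN-0004", "disclosed": date(2012, 11, 20), "detected": date(2013, 5, 2),  "remediated": date(2013, 5, 30)},
    {"id": "VULN-0005", "disclosed": date(2004, 9, 14),  "detected": date(2013, 7, 19), "remediated": None},
    {"id": "VULN-0006", "disclosed": date(2011, 2, 8),   "detected": date(2013, 8, 15), "remediated": date(2013, 12, 1)},
]

def age_years(disclosed, on):
    """Age of a vulnerability in years on a given date, measured from disclosure."""
    return (on - disclosed).days / YEAR_DAYS

def days_to_remediate(finding):
    """Detection-to-remediation time in days, or None while the finding is open."""
    if finding["remediated"] is None:
        return None
    return (finding["remediated"] - finding["detected"]).days

def vlm_metrics(findings, as_of):
    """Status report a VLM program tracks: remediation speed and age of known exposures."""
    closed = [days_to_remediate(f) for f in findings if f["remediated"] is not None]
    open_findings = [f for f in findings if f["remediated"] is None]
    # Findings that were already older than STALE_YEARS when the scanner first saw them.
    stale_when_detected = [f for f in findings
                           if age_years(f["disclosed"], f["detected"]) > STALE_YEARS]
    # Still-open findings that are older than STALE_YEARS on the reporting date.
    open_stale = [f for f in open_findings if age_years(f["disclosed"], as_of) > STALE_YEARS]
    return {
        "median_days_to_remediate": median(closed) if closed else None,
        "open_count": len(open_findings),
        "stale_when_detected_fraction": len(stale_when_detected) / len(findings),
        "open_stale_ids": sorted(f["id"] for f in open_stale),
        "oldest_open_years": max((age_years(f["disclosed"], as_of) for f in open_findings), default=0.0),
    }

if __name__ == "__main__":
    for key, value in vlm_metrics(FINDINGS, AS_OF).items():
        print(f"{key}: {value}")
```

Run against a real scanner export, the same report makes visible both the remediation-time trend and the long tail of old, still-open vulnerabilities that the rest of this section discusses.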

What Are the Vulnerabilities That Put Organizations in Harm’s Way?
Even though VLM is such a critical, yet basic, part of an information security team’s toolkit, the
industry is still plagued by relative complacency. Regular comparison of identified vulnerabilities
shows that many sites include unpatched vulnerabilities as much as 10 years old, even though
patches are available. Many organizations remain exposed to these common
vulnerabilities simply because they have not tracked and patched them. Attackers take
this into account, and it has two specific effects on attacker techniques:

Research indicates exploit kit developers are pruning older exploits and favoring newer ones, as
78% of current exploit kits are taking advantage of vulnerabilities less than two years old.
Meanwhile, the creators of these kits are actually ramping up their capabilities to leverage more
recent vulnerabilities. Attackers know organizations are slow to patch, and appreciate that many
organizations will continue to be vulnerable to more recent exploits for some time.

In addition to new exploits, cybercriminals are taking advantage of vulnerabilities that
organizations have identified as low priority or no longer consider a threat. Fifty percent of
vulnerabilities identified in 2013 were more than three years old. Organizations have effectively
been ignoring some of these vulnerabilities for nearly a decade. These vulnerabilities are no
longer on the Top 10 lists and are no longer getting the same level of attention as the newer,
more current vulnerabilities, so they sometimes “fall off the list.” Attackers continue to take