A Vulnerability Management Primer – Part 2 : Challenges
October 24, 2016 by Syed Abdur

In Part 1 of this blog series, we talked about why Vulnerability Management should be an integral part of all InfoSec programs and tried to define the scope for this discussion. In Part 2 of the Vulnerability Management Primer blog series we are going to talk about the common challenges that prevent organizations from being effective in achieving their vulnerability management goals.

Data Overload

Most organizations manage, monitor and scan tens of thousands of assets. Often these assets are owned and maintained by different teams, each with their own sets of tools and processes. With the exponential growth of non-traditional enterprise boundaries – cloud infrastructure, other virtual environments, mobile devices, IOT – existing lines of ownership and responsibility are constantly being blurred and redrawn. The vulnerability monitoring industry has done a great job of keeping up and extending coverage to accommodate the new normal, but to ensure coverage InfoSec teams invariably end up using more than one analysis method and tool. The reasons for doing so may be strategic – passive and active network scanning afford different opportunities for monitoring. While in some cases this might be necessary – SAST and DAST tools may have overlaps is results but they serve different purposes. Whatever the reasons, it is reasonable to expect that in such highly diverse environments the vulnerability data you are going to have to process and analyze is going to be increasingly heterogenous. The better you do at ensuring complete monitoring coverage for your infrastructure, the more prepared you must to be to analyze, parse and take decisions at the speed that vulnerabilities are being reported.

Changing Attack Landscape

The problem of analyzing very large volumes of highly diverse data is compounded by the fact that there is a lot of invaluable metadata associated with these vulnerabilities that is constantly changing.

    If a new toolkit is released that exploits a particular vulnerability to create a successful breach, should that have an impact on your priority for remediating that particular vulnerability?

The answer to this question for most organizations would be YES, however very few programs factor in this information into their vulnerability prioritization models. While vulnerability scanners are constantly improving to provide more threat metadata, this pales in comparison to intelligence that is available from other, more dedicated sources.

Zero-day vulnerabilities provide another stark example of this. A zero-day vulnerability refers to a hole in software that is unknown to the vendor. These provide ripe opportunities for hackers to affect compromises before vendors, scanners and the host organization catch on. In 2014, a record 24 zero-day vulnerabilities were reported. The fallout from the most significant of these – Poodle, Shellshocked, Heartbleed, highlighted some dire facts :

    These vulnerabilities were successfully exploited within hours of disclosure which tells us that potential hackers are well equipped and highly coordinated.

    The nature of these vulnerabilities (ShellShock exploited a design flaw that went unnoticed for 25 years) tells us that attackers are evolving their methods and tactics. They are investing in vulnerability research to target areas and products that might not be a focus for traditional vulnerability management programs.

    The top 5 zero-day vulnerabilities of 2014 combined, left organizations exposed for a total of 295 days which tells us that vendors are not responding at the speed required to deal with emerging threats.

Lack of Business Context

Security intelligence systems provide real-time, real-world context for vulnerabilities. Just like this external context is invaluable for remediation prioritization, an understanding of how a vulnerability impacts your particular organization can provide tangible benefits to remediation effectiveness. In an ideal world InfoSec teams would have the resources necessary to fix all critical vulnerabilities. In reality, this is hardly ever the case. InfoSec teams have to perform a balancing act of fixing critical vulnerabilities across the entire infrastructure, and keeping critical infrastructure as vulnerability-free as possible.

    If you are an investment bank, is a Severity 5 vulnerability on Box 1 (delivering your cafeteria menus) the same as a Severity 5 vulnerability on Box 2 (running your trading applications)? What about a Severity 4 vulnerability on Box 2?

The answer may depend on whether these network devices are on segregated network segments or if they are interconnected. But regardless of the actual configuration, we need this information to take an informed decision. Business context provides a powerful dimension, not only for remediation prioritization but also to demonstrate that remediating efforts are being undertaken with a clear understanding of cost and impact.

Unintelligent Prioritization

Threat intelligence and business context can significantly improve remediation efforts by highlighting vulnerabilities that are most at risk of being exploited as well those that can have the biggest impact to the organization. In spite of this, most organizations leverage basic criteria like vulnerability severity or CVSS score as the primary dimension for vulnerability prioritization. This is often due to the effort required to aggregate, consolidate and collate data from multiple sources to build a prioritization model that takes all these factors into account. Manually consolidating and analyzing threat intel and business context is an option but one that is hardly repeatable or consistent. Despite the effort and cost associated, organizations that can find the right tools or resources to build a prioritization model that not only factors in default classifications like CVSS, but also leverages threat intelligence and business context can expect a significant improvement is program effectiveness.

Manual Processes

Most vulnerability management programs employ manual processes in several stages of the remediation cycle. Analyzing vulnerabilities, collating threat intel, creating tickets, assigning ownership, setting SLAs – are often done manually. In addition to being inefficient, manual processes are also detrimental to the crucial goals of maintaining consistency and developing repeatable processes.

Gap to Remediation

A survey of vulnerability management programs reported that it often takes hundreds of days for vulnerabilities to be targeted to remediation. This statistic does not reflect the actual amount of time it takes to remediate a vulnerability, simply the time before vulnerabilities are assigned to a ticket/owner for remediation. This is surely a consequence of the challenge we have discussed above, but on its own represents a big challenge that vulnerability management programs face. To keep the organization safe, InfoSec teams must be able to react quickly and directly to any emerging threats. They must address all of the challenges above with the goal that they can identify critical vulnerabilities quickly and accurately and target them for remediation. This means streamlining all the processes involved in identification, contextualization, analysis, and remediation of vulnerabilities.

In the next post in the series we are going to discuss the crucial components that all vulnerability management programs must have in place to address these challenges effectively.

Vulnerability Management Challenges

Read more about Brinqa Threat and Vulnerability Management here.

Recent Posts
July 20, 2022
Grails Framework Remote Code Exception Vulnerability

Brinqa is actively investigating the impact of the Grails Framework Remote Code Execution Vulnerability CVE-2022-35912 disclosed on July 18, 2022. This bulletin contains the latest information as it pertains to the impact of this vulnerability and will be updated as new information becomes available. Based on information in the disclosure from the Grails Foundation, no version of the Brinqa Platform is impacted by this vulnerability.  Out of an abundance of caution, we will be releasing an updated version of the 10x Platform this week.  This update contains the patched version of Grails addressing the CVE-2022-3591 vulnerability. If you were not already scheduled to be upgraded to this version and would like to be patched, please reach out to your Customer Success Manager for assistance. If you have any questions or concerns, please feel free to reach out to us at security@brinqa.com

March 24, 2022
Cybersecurity vulnerabilities and risks to watch for in 2022 – and how to manage them

As breach remediation costs rise, seemingly in direct proportion to the number of attackers and attacks, what are you doing to manage your cybersecurity vulnerabilities and risks?  Sufficient proof is easily found to reinforce that how you respond to threats and breaches can have a significant impact on your business. For example…   The 2021 Ponemon Institute Annual Cost of a Breach Report found that the average cost of a breach rose 10% to $4.24M.  The report also found that it took an average of 287 days to identify and contain a data breach.  Even if you can handle the reputation hit of a breach, and even if your insurer agrees to cover a portion of the damages, do you want to be on the hook for millions of dollars in remediation and restoration costs?  Prevention is easier and less expensive. Your data and intellectual property (IP) are often the most valuable assets you own, and as such are deserving of all the resources your team can muster for effective security vulnerability and risk management. Read on to learn more about the cyber risks to watch out for in 2022 and how you can plan and prepare for them.   What types of cyberattacks can you expect?  Counterintuitive, of course, because many organizations don’t expect  their network to be attacked, any more than they expect it to contain dangerous vulnerabilities. You want to believe those events occur to others, not you. Right?   Except competent hackers can infiltrate your network and steal your data and IP while remaining undetected.   Ransomware attacks For several years now, ransomware attacks have been the fastest growing segment of cybersecurity breaches. Typically, criminals breach an organization and encrypt its data, rendering it unusable. Inaccessible data renders a firm unproductive and unprofitable for as long as the data remains inaccessible. The Colonial Pipeline ransomware attack, for example, led to the shutdown of the largest fuel pipeline in the U.S, which in turn caused fuel shortages across the East Coast.  Criminals also threaten to publicize intellectual property (IP) and customer information, unless they receive a ransom.      Although small-to-midsize businesses (SMBs) are at the most risk of criminal ransom demands, payouts can reach seven or eight figures. The highest ransom amount confirmed to have been paid is $40 million USD, by CNA Financial, in May 2021. Few SMBs can afford such extravagance.    Cloud vulnerabilities  The first researchers to discover and report on critical vulnerabilities in the cloud focused on Microsoft Azure infrastructure. In detailing the vulnerabilities, those researchers, who were with Check Point, “wanted to disprove the assumption that cloud infrastructures are secure.”  And did they ever disprove it — the discovered vulnerabilities included those that received the highest possible score of 10.0. The qualitative severity ranking of a score of 9.0-10.0 is “critical.” The discovered vulnerabilities allowed malicious actors to compromise applications and data of those using similar cloud infrastructure. Firmware vulnerabilities Firmware vulnerabilities expose not only the major computer manufacturers, but also their customers. Undiscovered firmware vulnerabilities are especially damaging, because they grant criminals free reign over any network on which the devices are installed, leaving networks open until the vulnerability gets reported and patched.  As the number of connected devices continues to grow, Internet of Things (IoT) security becomes increasingly important to analyze.   Software vulnerabilities Applications contain vulnerabilities. According to Veracode, 75.2% of applications have security flaws, although 24% of those are considered high-severity.  Common flaws include: Information leakage. Carriage Return and Line Feed (CRLF) injection.  Cryptographic challenges. Code quality. Credentials management. Insider threats  Insider theft and trading of secrets is another growing vulnerability area. As demonstrated by recent Cisco and GE breaches,  employees with perceived grievances or bad intentions can choose to steal or wreak all kinds of damage on their employers’ data and networks.  Carelessness and poor training also contribute to insider threats.  Cyber threats to healthcare In recent years criminals have increasingly trained their sights onto hospitals, insurers, clinics, and others in that industry.  A 2016 report by IBM and the Ponemon Institute found the frequency of healthcare industry data breaches has been rising since 2010, and it is now among the sectors most targeted by cyberattacks globally.  Whether or not the reputation is deserved,healthcare industry computer networks are often considered soft targets by malicious actors. In 2021 Armis discovered nine vulnerabilities in critical systems used by 80% of major North American hospitals.  Additionally, rapid health device adoption has increased the number of available targets for malicious breachers. Numerous healthcare devices suffer security flaws, including imaging equipment. Added together, those factors point to an increase in attacks on health care institutions.  Attacks against health care networks threaten lives, not just productivity. Criminals might believe health care administrators are willing to pay ransoms faster to retrieve health data and help patients. That’s not always the case, as ransomware allegedly led to the death of an infant and was initially thought responsible for the death of a German patient.   Individual medical data – name, birth date, blood type, surgeries, diagnoses, and other personally identifiable information – is particularly interesting to criminals. Once compromised, it’s impossible to restore patient privacy, just as it’s impossible to reverse the social and psychological harm inflicted.  Forgotten cyber hygiene  When IT professionals are always in stressful firefighting mode, they can’t be expected to remember everything. Sometimes patches fall through the cracks, and those vulnerabilities come back later to bite your network.  Your IT department may be aware of old vulnerabilities, but just hasn’t gotten around to applying the necessary patches or closing open holes. A virtual private network (VPN) account that remained open, although no longer in use, was how criminals penetrated Colonial Pipeline. Employees had previously used that account to access the company network remotely.   How can you uncover cybersecurity vulnerabilities and risks? It’s easy for consumers to learn what to watch for and what to avoid. They can download, for example, the Annual Data Breach Report from the Identity Theft Resource Center.  You, on the other hand, have a network full of devices, endpoints, applications, and the weakest link in the security chain – users. Yes, you can lower the possibility of user negligence with cybersecurity training. Sure, you can find and read reports about currently existing threats.  But without a comprehensive vulnerability management program that brings together every vulnerability scanning tool across your entire attack surface, it’s almost impossible to  know what’s threatening your network right now.  How do you find a vulnerability in YOUR cybersecurity and IT environments? Most organizations rely on several different vulnerability scanning tools to achieve full vulnerability assessment coverage over their IT environments. Most vulnerability scanning tools focus on only one specific aspect of your attack surface — network devices, web applications, open source components, cloud infrastructure, containers, IoT devices, etc. Vulnerability management teams are often left with the unenviable job of bringing these disconnected tools, and the incompatible data they deliver, together into cohesive and consistent programs.  Deploying Brinqa vulnerability management software to perform vulnerability enumeration, analysis, and prioritization allows you to effortlessly synchronize and orchestrate  the best vulnerability scanning tools for your environment. The Brinqa platform is designed for data-driven, risk-based cybersecurity solutions. Brinqa include risk models for cybersecurity problems like vulnerability management and application security, which are essentially data ontologies developed based on industry standards and best practices to represent these cybersecurity challenges in terms of data. Brinqa data models and risk scores are adaptive, open and configurable, and include not just vulnerability data, but also additional business context from within the organization, as well as external  threat intelligence. For example, the data model automatically considers that if a server is internal facing, and it’s for testing code, then it’s going to differ in priority from an external facing server that is hosting an e-commerce site, and which contains customer personal data and information. Similarly, if external threat intelligence discovers that a particular vulnerability is suddenly very popular among malicious actors and is being used to affect breaches, the data model automatically computes and assigns a higher risk score to the vulnerability. First and foremost, we get you away from having to log into numerous different tools to bring all relevant information together and make it usable. Second, we streamline and automate your common vulnerability analysis, prioritization, and remediation use cases. That's the enormous benefit of Brinqa... The centralization is great, but once you start consolidating, enhancing, and contextualizing all of that data, you can provide a level of prioritization that takes your risk response to another level.    Beginning with generic, out of the box rules based on best practices, the environment allows every Brinqa customer the flexibility to tailor analysis to their needs, basically giving them a self-service mechanism to implement their own cybersecurity service level agreements (SLAs). The default rules are like templates or starting points, which you adjust and configure as necessary.   It is ineffective and inefficient  to make decisions on an ad hoc, case by case basis, about what should be fixed and in what order. Once you implement Brinqa, your automated vulnerability remediation and cyber risk response processes  deliver effective, consistent, and reliable results. Spend a little time (no money) to see how simple solving a major headache can be, with a free trial.        Frequently Asked Questions: What is vulnerability scanning? Vulnerability scanning is the detection and classification of potentially exploitable points on network devices, computer systems, and applications. What is vulnerability remediation? Vulnerability remediation includes the processes for determining, patching, and fixing cybersecurity weaknesses that have been detected in networks, data, hardware, and applications.  What is NVD? National Vulnerability Database (NVD) is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP).  What is CVE?  Common Vulnerabilities and Exposures is a list of publicly disclosed cybersecurity vulnerabilities that is free to search, use, and incorporate into products and services. What is CRLF? Carriage Return and Line Feed injection is a cyber attack in which an attacker injects malicious code.

December 15, 2021
Brinqa and Apache Log4j Vulnerabilities

Brinqa is actively investigating the impact of the Log4j library vulnerability CVE-2021-44228 disclosed on Dec 9 2021 and associated CVE’s (2021-45046, 2021-4104). This bulletin contains the latest information as it pertains to the impact of these vulnerabilities on Brinqa and will be updated as new information becomes available. We have been continuously monitoring for Log4j exploit attempts in our environment. At this time, we have not detected any successful Log4j exploit attempts in our systems or hosted solutions. We will continue to monitor our environment for new vulnerability instances and exploit attempts and will update this page as we learn more. The Cybersecurity and Infrastructure Security Agency (CISA) provides a useful summary of Log4J vulnerability guidance that customers may want to reference in addition to any product and version specific recommendations from your Brinqa customer success team. If you have any questions or concerns please feel free to reach out to us at security@brinqa.com