The Vulnerability Whack-a-Mole Game
March 9, 2020 • RBS
Most professionals have probably heard the classic business iceberg metaphor quite a few times during their careers – the one with the punchline: “Hey, the problem is actually bigger than you think!” It’s a cliché but, like it or not, it rings true when it comes to cyber security.
Many organizations see the tip of the iceberg, but very few stop and do the hard work necessary to figure out what is really going on below the surface. Those that do, and start to more fully understand the issues, may soon discover that the cyber problems are even bigger than they thought.
It’s nearly impossible for most organizations to look below the surface using the “free” data that fuels most of the security products currently on the market. It’s just not comprehensive or timely enough. As a result, the attempt to deal with security problems turns into a vulnerability “whack-a-mole” game, where risk management professionals reactively lunge at newly emerging issues instead of proactively mitigating their likelihood and impact. Compounding the problem, organizations tend to treat the symptoms and not address the root causes that are driving the risk.
Organizations need a better mindset when it comes to implementing the right approach for vulnerability management. They want to evolve beyond the whack-a-mole game and be more strategic, and in order to do that they need better data.
The Problem Isn’t the Platform, It’s the Data
At Risk Based Security, we have always been focused on collecting and understanding vulnerability data. We track every type of vulnerability that we can uncover (including many issues in third-party libraries). We believe it’s critical that we offer the most complete and detailed vulnerability data, but many cyber security solutions do not view this as a priority. Unfortunately, organizations that use bad vulnerability data, knowingly or otherwise, may be making bad risk management decisions.
The core of the problem is that most organizations (and the security products they use) source their data from CVE. Some do not really understand how the system works, or the severe limitations that can put them at risk. Many organizations are still relying solely on running a vulnerability scanner, thinking “Oh, great! I just did a full assessment and I’m clean. I didn’t get any findings.” But a scanning tool isn’t able to alert them about important vulnerabilities that are missing from their data. Worse, the major vulnerability scanners look for only a fraction of the issues that are published in CVE. We’re not suggesting that you throw CVE out entirely, as it does have some value. But you can’t implement an effective vulnerability management program using CVE/NVD alone.
At the time of publishing, CVE/NVD is missing over 73,000 vulnerabilities and that number is growing every day. For many people in the security industry CVE/NVD has been the de facto standard, so this can come as quite a shock. Many practitioners react with surprise when confronted by this fact, while others know but choose to ignore it. They may assume that the missing vulnerabilities are in software that doesn’t matter, or that are low risk”. Neither of these statements are true.
The Missing Vulnerabilities Matter
If your organization is currently relying on CVE (and most are), at least 33% of all disclosed vulnerabilities are completely unknown to you. Our research shows that 43.5% of those vulnerabilities not published by CVE/NVD in 2019 are high to critical in severity, and included major vendors as well as popular third-party libraries. It gets even worse for DevSecOps as CVE coverage of third-party library components is a fraction of what it should be.
Even when CVE does publish vulnerabilities, they can be days, weeks, and even months behind the disclosure date. Have you ever gone to look up a CVE ID only to see it say “RESERVED”? This is normal for newly disclosed vulnerabilities. In many cases, the information is out there, but MITRE hasn’t done the work necessary for you to do yours.
Even if you’re doing vulnerability research yourself, you need to be able to handle vulnerabilities that don’t have a CVE ID. Organizations quickly realize that this is a complex and very expensive undertaking to manage.
Evolving Beyond The Vulnerability Whack-a-Mole Game
Vulnerability Management is more than just using a scanner. While vulnerability scanning has served organizations well and got us to this point, we need to evolve our approach if cyber security is to mature. We need to put proper vulnerability intelligence and asset inventory at the core of effective Vulnerability Management. When organizations know about all vulnerabilities disclosed, and how they potentially affect them, they can prioritize and remediate accordingly, ensuring that their limited time and money is focused on the most important risks.
We need to continue to educate and enable organizations to start looking at Vulnerability Management from a more strategic standpoint, and apply more of a problem management approach. Ask yourself:
- What if you knew the vendors or products that would most likely put you at risk for a data breach or compromise?
- What products or libraries/components cost the most to maintain securely?
- What if you could easily look at your vendors and see how much they care about their own security? Are they actively addressing the vulnerabilities within the products they are shipping to you? And if a vulnerability does make it through, how quickly do they respond and provide a patch?
If organizations have access to easy to understand ratings and are able to gather better insights about the products they are relying on, they can take a strategic approach. They can finally achieve proactive, risk-based vulnerability management, set aside the squeaky mallet, and move on from the whack-a-mole game.
This article originally appeared in the 2019 Q3 Vulnerability QuickView Report. Read our latest report here.