The threat landscape is constantly evolving, with an increase in incidents and breaches being reported rapidly across industries. In 2020, the number of data breaches soared from a decade ago, according to Statista: over 1,000 breaches compared to 662 in 2010. While vulnerability exposures haven’t increased as notably as breaches, they are still rising. With an average breach costing U.S. companies nearly $4 million USD, anyone in SecOps should sit up a little straighter and examine their vulnerability management processes and the tools used to manage them.
Many organizations rely on Microsoft products — and a quick look at the number and severity of vulnerabilities affecting those products underscores the importance of remaining vigilant. For more details about recent CVEs you should know about, read Falcon Complete Stops Microsoft Exchange Server Zero-Day Exploits, Vulnerability Roundup: 10 Critical CVEs of 2020, and our Patch Tuesday blogs for February 2021, March 2021 and April 2021.
A good defense security posture is still the best offense in protecting against breaches and vulnerability exposures. While the risk may be lower for smaller organizations (fewer than 1,000 employees), all organizations with weak, semi-scheduled vulnerability assessments and management programs are at a much higher risk than those relying on continuous vulnerability management processes and solutions.
What Is Continuous Vulnerability Management?
First, let’s review a brief history of the vulnerability management process. In the past, two areas typically hindered IT staff from conducting comprehensive vulnerability assessments and remediating them in a timely manner: the vulnerability management lifecycle and the tools they used for monitoring and remediation workflows. Vulnerability management programs didn’t have much of a “cycle” — instead, they included a semi-scheduled one-off scanning process that provided limited visibility into an organization’s true security posture. Scans were limited to those hosts that were connected to the network in a physical office location.
The tools IT staff relied on in those earlier days weren’t much better. These legacy solutions were very manual, requiring a lengthy setup and a time-consuming process of scanning the connected hosts. This complex process ate into resources and business productivity. And then, analysts had to wade through thousands of pages of reports, manually figuring out which vulnerabilities to prioritize and address first.
Fast-forward to today: governing cybersecurity institutions, such as the Center for Internet Security (CIS), have recognized the need for continuous vulnerability assessment monitoring. They define it as the ability to “continuously acquire, assess, and take action on new information to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.”
To stay protected, IT staff must stay on top of a regularly evolving situation that is influenced not only by the emergence of new vulnerabilities but also by threat intelligence, security updates and changes to their environment. Consider how many containers are short-lived, or how many devices may only be connected to the network for short periods of time. The rise of remote work, distributed teams and cloud-connected devices all increase the potential for exposure and need regular, consistent monitoring. The need for automated solutions and continuous vulnerability management is here: a more automated and supported approach is required to maintain the visibility that dynamic environments and a changing threat landscape demand.
The Art and Science of Continuous Vulnerability Management
Fortunately, there are options for those responsible for improving their organization’s security posture via a continuous vulnerability management lifecycle or program. Vulnerability management and remediation is both art and science. In itself, a vulnerability program requires an organized, cyclical architecture to assess, prioritize and act on the exposures found. Having a plan that includes a systematic study and consistent monitoring approach to vulnerabilities is both scientific in nature and essential to a more robust security posture. As mentioned above, without such a plan, your IT staff will likely encounter blind spots or struggle with consistent visibility coverage — that is, knowing how comprehensive your vulnerability visibility is for your organization’s endpoints, no matter if they are on network or off.
A program must also be in place to properly manage prioritization. These days, there are far too many vulnerabilities to successfully remediate all at once across every endpoint and system. Prioritization within the program must be put into place (or re-examined regularly if already established) to ensure you are appropriately managing the vulnerabilities exposing your organization’s environment.
Continuous vulnerability management is also an art, in that it demands a certain amount of fluidity and flexibility in the management and resolution of vulnerabilities in an organization. IT staff need to be able to move and pivot with broader security teams as threats evolve. This is where using the correct solution will exponentially broaden IT analysts’ impact (such as CrowdStrike Falcon Spotlight™ vulnerability management; see the breakout box for more information). The solution you choose for continuous vulnerability management should be able to:
- Automate assessment for vulnerabilities on all your endpoints on or off the network.
- Shorten response time for vulnerabilities and possible threats into your organization’s environment.
- Be intuitive and responsive. Bulky, manual reports should be left in the past. Your staff needs the ability to create custom reports or dashboards that provide cross-functional teams with timely, relevant data.
Most of all, the solution should bridge the gap between security and IT tools, making use of improved workflows for better visibility and a faster remediation response. In 2020, CrowdStrike surveyed a variety of customers to learn more about their patching behavior before using Falcon Spotlight. What was discovered was “survivorship bias”: the logical error of concentrating on the things that make it past some selection process and overlooking those that did not, due to a lack of visibility.
The CrowdStrike Falcon platform offers a comprehensive solution to view and assess vulnerabilities via Falcon Spotlight. Through this solution, you are able to continuously monitor and manage the vulnerabilities in your environment. In addition to vulnerability assessment, CrowdStrike Falcon X™ offers the industry’s only solution that integrates threat intelligence data within the platform. The data is constantly updated by CrowdStrike’s world-class threat hunters, researchers, and intelligence experts, who provide highly actionable information about nation-state actors, e-criminal organizations, hacktivist groups and other adversaries. They connect this information to specific CVEs, providing organizations with immediate data on how to best protect themselves.
Complex tooling can lead to missed areas for vulnerability exposures. If you only patch what your IT staff can see, you might be missing essential or even critical areas that could dramatically affect your security posture. What isn’t visible can’t be monitored, and if it’s not monitored, then those are all potential openings for risk.
You need both the art and the science: the continuous vulnerability management program and the right solution to properly protect your organization in a timely and cost-effective manner. Organizations that implement such a program and vulnerability management tools have found significant cost and time savings. A study examining over 500 organizations worldwide shows that organizations that regularly tested endpoints for vulnerabilities and worked with other cybersecurity teams to share relevant threat intelligence data could save a combined $273,000 USD annually.
Taking the time to set up an appropriate, continuous vulnerability management cycle and then choosing the best solution to support it will create a more defensible and secure environment that can protect your organization from becoming another breach statistic. This is why a solution such as Falcon Spotlight supports such programs, providing automated, continuous monitoring while also being dynamic enough to deliver in-depth threat intelligence insights in conjunction with the broader Falcon platform.
- Learn how you can continuously monitor and assess the vulnerabilities in your environment with Falcon Spotlight.
- Read more about how you can stay aware of weaknesses and vulnerabilities in your environment.
- Watch how you can use Falcon Spotlight and Real Time Response for hosts requiring emergency patching.
- Learn which vulnerability updates you should be prioritizing in April’s Patch Tuesday blog.