The EU’s GDPR (General Data Protection Regulation) demands that organizations stringently protect EU residents’ data they hold, share and process, which requires having solid InfoSec practices, including threat prioritization.
Granted, the regulation’s text makes no specific mention of prioritizing vulnerability remediation. In fact, only a few InfoSec technologies and practices are mentioned by name.
What is stressed throughout the 88-page document is the call for both data “controllers” and data “processors” to protect this customer information by implementing “appropriate technical and organisational measures”, a phrase repeated multiple times.
There are also several references to the need for organizations to have in place secure IT networks and systems that can “resist, at a given level of confidence, accidental events or unlawful or malicious actions.”
“This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems,” reads the document.
What does this all mean in the context of GDPR? That you need to do whatever is in your power to prevent accidental or malicious incidents that compromise the “availability, authenticity, integrity and confidentiality of stored or transmitted personal data.”
Remediation Prioritization a Must for GDPR Compliance
You won’t be able to provide GDPR’s required level of data protection unless your organization continuously detects vulnerabilities in its IT environment, prioritizes their remediation, and promptly patches or mitigates them.
In the last installment of this blog series on GDPR preparedness, we discussed the importance of having full visibility into all hardware and software involved in the processing, transmission, analysis and storage of this data.
This week, we’re zeroing in on how prioritizing your vulnerability remediation work is essential in order to appropriately prevent data breaches and stay on the right side of GDPR, which goes into effect in May 2018 and applies to any organization worldwide that handles personal data of EU residents.
As is well known by now, running afoul of GDPR can be extremely costly. An organization can face fines of up to €20 million, or 4% of its annual revenue. In addition, there is the considerable fallout that comes from compliance failures caused by data breaches, such as brand damage, loss of customer trust, drops in sales, and costly litigation.
Vulnerability Remediation Prioritization: A Foundational InfoSec Practice
The Center for Internet Security (CIS) ranks “Continuous Vulnerability Assessment and Remediation” as the fourth most important practice in its 20 Critical Security Controls.
CIS estimates that an organization that implements its first five controls — which collectively are considered foundational for cyber security “hygiene” — is able to protect itself against 85 percent of attacks.
But an InfoSec team that’s chronically overwhelmed by its IT environment’s vulnerabilities and can’t pinpoint the critical ones that must be remedied immediately is at a high risk for data breaches, and, consequently, for GDPR non-compliance.
In fact, hackers constantly exploit common vulnerabilities and exposures (CVEs) for which patches have been available for weeks, months and even years. You need to continuously rank vulnerabilities based on their risk to the organization, and prioritize their remediation accordingly.
The Threat Prioritization Challenge
Thousands of new vulnerabilities are disclosed annually — by vendors, researchers and other groups — making it impossible for an organization to even come close to patching every single one in their environment.
In addition, vulnerabilities disclosed months or even years earlier can suddenly become more dangerous if, for example, they’re picked up by exploit kits that make them easy to exploit for a much larger universe of hackers.
Meanwhile, your IT asset inventory also changes frequently: on-premises, in elastic cloud instances and at mobile endpoints.
Hardware devices are added and decommissioned. Software is removed, updated and installed. IT assets’ roles change, increasing or reducing their importance.
In other words, the threats posed by vulnerabilities in your IT environment are always changing, forcing you to continually reassess your remediation plans.
But you can’t continuously pinpoint which IT assets must be patched with the greatest urgency at any given time by doing manual calculations or using informed guesswork.
The Right Way to Prioritize
To prioritize remediation work, you must continuously correlate vulnerability disclosures with your organization’s IT asset inventory. This will give you a clear picture of the vulnerabilities that exist in each IT asset.
Then you must weigh detailed criteria about the impacted IT assets and their vulnerabilities, as recommended by CIS, which calls for rating vulnerabilities’ risk based on their “exploitability” and their potential impact.
Regarding IT assets, you should consider factors such as their role in business operations, their interconnectedness with other assets, their Internet exposure and their user base.
When assessing vulnerabilities, you should take into account, for example, whether they are “zero day” types, are being actively exploited in the wild, threaten data integrity and protection, lead to “lateral movement” attacks and are conduits for DDoS attacks.
Out of this type of in-depth analysis will emerge a clear picture of your threat landscape, and based on it, you’ll be able to come up with an accurate remediation plan.
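The two steps described above, correlating disclosures with the asset inventory and then weighing asset and vulnerability criteria, as an added worked example in Python. This is illustrative code written for this post, not part of ThreatPROTECT or any Qualys product. The asset records, software identifiers, weights and placeholder vulnerability IDs are all constructed assumptions; the point is that the ranking follows from asset criticality times threat indicators, so the highest CVSS score does not automatically land at the top of the remediation list.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    business_role: int          # 1 (minor) .. 5 (critical to business operations)
    internet_exposed: bool
    connected_assets: int       # interconnectedness: how many other assets it talks to
    users: int                  # size of its user base
    personal_data: bool         # stores or processes personal data (GDPR scope)
    software: FrozenSet[str]    # installed software identifiers (constructed tags)


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str                # placeholder id, deliberately not a real CVE number
    affects: FrozenSet[str]     # software identifiers the disclosure applies to
    cvss: float                 # base severity, 0..10
    zero_day: bool = False
    exploited_in_wild: bool = False
    threatens_data: bool = False     # impacts data integrity / protection
    lateral_movement: bool = False
    ddos_conduit: bool = False


def asset_weight(a: Asset) -> float:
    """Weigh the asset factors the post lists: role, interconnectedness,
    Internet exposure and user base, plus whether personal data is in scope.
    The numeric weights are assumptions chosen for illustration."""
    w = float(a.business_role)
    w += min(a.connected_assets, 10) / 2.0          # cap the interconnectedness bonus
    w += 3.0 if a.internet_exposed else 0.0
    w += 1.0 if a.users >= 100 else 0.5 if a.users >= 10 else 0.0
    w += 2.0 if a.personal_data else 0.0
    return w


def vuln_weight(v: Vulnerability) -> float:
    """Weigh exploitability and impact: CVSS plus the indicators the post names
    (zero-day, active exploitation, data impact, lateral movement, DDoS)."""
    w = v.cvss
    w += 3.0 if v.exploited_in_wild else 0.0
    w += 2.0 if v.zero_day else 0.0
    w += 2.0 if v.threatens_data else 0.0
    w += 1.5 if v.lateral_movement else 0.0
    w += 1.0 if v.ddos_conduit else 0.0
    return w


def correlate(assets: Iterable[Asset],
              vulns: Iterable[Vulnerability]) -> List[Tuple[Asset, Vulnerability]]:
    """Step 1: match each disclosure against the software installed on each asset."""
    return [(a, v) for a in assets for v in vulns if a.software & v.affects]


def prioritize(assets: Iterable[Asset], vulns: Iterable[Vulnerability]) -> List[Dict]:
    """Step 2: score every (asset, vulnerability) pair and rank by combined risk."""
    ranked = [
        {"asset": a.name, "vuln": v.vuln_id, "risk": asset_weight(a) * vuln_weight(v)}
        for a, v in correlate(assets, vulns)
    ]
    ranked.sort(key=lambda r: r["risk"], reverse=True)
    return ranked


# Constructed sample inventory and disclosures; nothing here describes a real environment.
ASSETS = [
    Asset("web-portal", 5, True, 6, 5000, True, frozenset({"webserver-2.4", "tls-lib-1.0"})),
    Asset("hr-db", 4, False, 3, 40, True, frozenset({"dbms-12", "tls-lib-1.0"})),
    Asset("dev-laptop", 1, False, 1, 1, False, frozenset({"pdf-reader-9"})),
    Asset("kiosk", 2, False, 0, 1, False, frozenset({"webserver-2.4"})),
]

VULNS = [
    Vulnerability("VULN-A", frozenset({"tls-lib-1.0"}), 7.5, exploited_in_wild=True, threatens_data=True),
    Vulnerability("VULN-B", frozenset({"webserver-2.4"}), 5.3, ddos_conduit=True),
    Vulnerability("VULN-C", frozenset({"pdf-reader-9"}), 9.8, zero_day=True, lateral_movement=True),
    Vulnerability("VULN-D", frozenset({"legacy-ftp-1"}), 10.0),  # nothing in inventory runs it
]

if __name__ == "__main__":
    for row in prioritize(ASSETS, VULNS):
        print(f'{row["risk"]:7.2f}  {row["asset"]:<12} {row["vuln"]}')
```

Note how VULN-D, the only 10.0, never appears: correlation against the inventory drops disclosures that affect nothing you run, and the Internet-facing portal holding personal data outranks the developer laptop even though the laptop carries the zero-day with the higher CVSS score.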
Automate This Process with ThreatPROTECT
To conduct these assessments of IT assets and vulnerabilities continuously, the process must be automated. Qualys ThreatPROTECT was designed to do just that.
ThreatPROTECT continuously correlates external real-time threat information against your internal vulnerabilities and IT asset data, so you can take full control of evolving threats and identify what to remediate first.
With ThreatPROTECT you get:
Robust Data Analysis
ThreatPROTECT continuously correlates external threat information against your vulnerabilities and IT asset inventory, leveraging Qualys Cloud Platform’s robust back-end engine to automate this large-scale and intensive data analysis process. With thousands of vulnerabilities disclosed annually, you’ll always know which ones pose the greatest risk to your organization at any given time.
Live Threat Intelligence Feed
As Qualys engineers continuously validate and rate new threats from internal and external sources, ThreatPROTECT’s Live Threat Intelligence Feed displays the latest vulnerability disclosures and maps them to your impacted IT assets. You can see the number of assets affected by each threat, and drill down into asset details.
Centralized Control and Visualization Panel
A single, dynamic dashboard includes customizable views, graphs and charts, giving you a clear and comprehensive view of your threat landscape at a glance in real time. You can create multiple dashboard views, and break down vulnerabilities by real-time threat indicator (RTI) types, such as zero-day exploits.
Powerful Search Function
ThreatPROTECT’s search engine lets you look for specific assets and vulnerabilities by crafting ad-hoc queries with multiple variables and criteria. You can sort, filter, drill down and fine-tune results. Queries can be saved and turned into dashboard widgets, which can display trend graphs for up to 90 days.
In short, ThreatPROTECT, working in tandem with Qualys AssetView and Qualys Vulnerability Management, helps you to proactively and continuously identify, prioritize, patch and mitigate the most critical vulnerabilities in your IT environment.
This will let you dramatically cut the risk of data breaches and reap many benefits, including reducing the chances of violating GDPR requirements.
To learn more about how Qualys solutions can help you become GDPR compliant, visit qualys.com/gdpr where you can download our free guide and watch our webcast.
(Jimmy Graham is a Director of Product Management at Qualys, in charge of ThreatPROTECT.)