When vulnerability risk management is proactive, organizations don’t have to hurriedly react to attacks that exploit bugs for which patches are available, as happened with WannaCry.
“The vast majority of WannaCry remediation took place as an emergency type process,” Jimmy Graham, a Qualys Director of Product Management, said during QSC18 Virtual Edition.
It’s key to have an integrated breach prevention program with asset inventory, vulnerability management, threat prioritization and patch management, he said.
Graham also outlined how Qualys can help customers comprehensively and proactively manage their vulnerability risk.
To provide the level of data protection required by the EU’s General Data Protection Regulation (GDPR), your organization must continuously detect vulnerabilities, and prioritize their remediation.
Why? An InfoSec team that’s chronically overwhelmed by its IT environment’s vulnerabilities and unable to pinpoint the critical ones that must be remediated immediately is at a high risk for data breaches, and, consequently, for GDPR non-compliance.
The Center for Internet Security (CIS) ranks “Continuous Vulnerability Assessment and Remediation” as the fourth most important practice in its 20 Critical Security Controls. “Organizations that do not scan for vulnerabilities and proactively address discovered flaws face a significant likelihood of having their computer systems compromised,” CIS states.
In fact, hackers constantly exploit common vulnerabilities and exposures (CVEs) for which patches have been available for weeks, months and even years. The reason: Many organizations fail to detect and remediate critical bugs on a timely basis, leaving them like low-hanging fruit for cyber data thieves to feast on.
In this second installment of our GDPR compliance blog series, we’ll explain the importance of vulnerability management and threat prioritization, and how Qualys can help you solidify these practices so you can slash your risk of data breaches.
Here’s a stat that shows the importance of prioritizing vulnerability remediation: Almost 30% of the CVEs disclosed in 2017 had a CVSS score of “High” or “Critical.” That works out to about 3,000 such vulnerabilities, or about 58 every week.
Given this large number of severe vulnerabilities, it’s critical for IT and security teams to make a deeper assessment of the risk they represent in the context of their organizations’ IT environment.
If they identify the vulnerabilities that pose the highest risk to their organization’s most critical assets, they’ll be able to prioritize remediation accordingly and eliminate the most serious and pressing threats to their IT environment.
However, as evidenced by the long list of major breaches caused by unpatched vulnerabilities, it’s hard for many businesses, government agencies and not-for-profit organizations to prioritize remediation consistently and accurately.
“One of the big challenges that we have as security professionals is trying to stay on top of our vulnerability management,” Josh Zelonis, a Forrester Research analyst, said during a recent webcast.
Zelonis, who cited the CVE stat during the webcast, said that, according to a 2017 Forrester survey of global businesses, 58% of them experienced at least one breach in the previous 12 months. Among those, 41% of the breaches were carried out by exploiting a vulnerability.
“This is really representative of the problems we’re seeing in the industry with prioritization and getting patches deployed, and this is only increasing,” he said.
“In a post-Equifax world, VM is coming under increased scrutiny,” Zelonis added, alluding to the massive data breach suffered by the credit reporting agency in 2017 after hackers exploited the Apache Struts vulnerability (CVE-2017-5638), which had been disclosed about six months before.
Read on to learn valuable best practices for prioritizing remediation, and how Qualys can help your organization overcome this critical challenge.
Gill Langston, a Qualys Director of Product Management, speaks at RSA Conference 2018
High profile vulnerabilities like Meltdown and Spectre are disclosed, and become headline-grabbing news not just in the technology press, but on general news outlets worldwide.
Even if the vulnerabilities aren’t associated with an attack, the news reports rattle C-level executives, who ask the security team for a plan to address the by now notorious bug, and pronto.
Often, a counter-productive disruption of the normal vulnerability and patch management operations ensues, as those involved scramble to draft a response against the clock in a panic atmosphere, punctuated by confusion and finger-pointing.
“Should I just immediately be jumping and reacting? Should I start deploying patches, and then go from there? I’m going to argue that that’s not always the case,” Gill Langston, a Product Management Director at Qualys, said Wednesday during a presentation at RSA Conference 2018.
In a perfect world, organizations would patch vulnerabilities immediately after they’re disclosed, preemptively blocking exploits and dodging most cyber attacks.
Of course, reality is far from that hypothetically ideal state. Organizations often leave critical vulnerabilities unpatched for months, even years. Hackers routinely feast on all that low-hanging fruit to hijack systems, steal data, deface websites and disrupt operations.
We all know it’s impossible to patch every single vulnerability. Thousands are disclosed every year, and patching systems can be complicated, time-consuming and inconvenient. But InfoSec teams agree that fixing the most dangerous bugs on a timely basis is not only doable but also necessary.
The problem is that prioritizing remediation and pinpointing those critical vulnerabilities is difficult when — as is often the case — organizations lack continuous and automated vulnerability management, asset inventorying and threat analysis.
Unsurprisingly, recent Qualys data on patching behavior shows that remediation activity is directly related to the level of risk attached to specific vulnerabilities. And in some cases, specifically when it comes to the realm of IoT devices, patching is always slow, and often non-existent.
This structured set of 20 foundational InfoSec best practices, first published in 2008, offers a methodical and prioritized approach for securing your IT environment. Mapping effectively to most security control frameworks, government regulations, contractual obligations and industry mandates, the CSCs can cut an organization’s risk of cyber attacks by over 90%, according to the CIS.
When vulnerability risk management is proactive, organizations don’t have to hurriedly react to attacks that exploit bugs for which patches are available, as happened with WannaCry. 
