When vulnerability risk management is proactive, organizations don’t have to hurriedly react to attacks that exploit bugs for which patches are available, as happened with WannaCry.
“The vast majority of WannaCry remediation took place as an emergency type process,” Jimmy Graham, a Qualys Director of Product Management, said during QSC18 Virtual Edition.
It’s key to have an integrated breach prevention program with asset inventory, vulnerability management, threat prioritization and patch management, he said.
Graham also outlined how Qualys can help customers comprehensively and proactively manage their vulnerability risk.
Here’s a stat that shows the importance of prioritizing vulnerability remediation: Almost 30% of the CVEs disclosed in 2017 had a CVSS score of “High” or “Critical.” That works out to about 3,000 such vulnerabilities, or about 58 every week.
Given this large number of severe vulnerabilities, it’s critical for IT and security teams to make a deeper assessment of the risk they represent in the context of their organizations’ IT environment.
If they identify the vulnerabilities that pose the highest risk to their organization’s most critical assets, they’ll be able to prioritize remediation accordingly and eliminate the most serious and pressing threats to their IT environment.
However, as evidenced by the long list of major breaches caused by unpatched vulnerabilities, it’s hard for many businesses, government agencies and not-for-profit organizations to prioritize remediation consistently and accurately.
“One of the big challenges that we have as security professionals is trying to stay on top of our vulnerability management,” Josh Zelonis, a Forrester Research analyst, said during a recent webcast.
Zelonis, who cited the CVE stat during the webcast, said that, according to a 2017 Forrester survey of global businesses, 58% of them experienced at least one breach in the previous 12 months. Among those, 41% of the breaches were carried out by exploiting a vulnerability.
“This is really representative of the problems we’re seeing in the industry with prioritization and getting patches deployed, and this is only increasing,” he said.
“In a post-Equifax world, VM is coming under increased scrutiny,” Zelonis added, alluding to the massive data breach suffered by the credit reporting agency in 2017 after hackers exploited the Apache Struts vulnerability (CVE-2017-5638), which had been disclosed about six months before.
Read on to learn valuable best practices for prioritizing remediation, and how Qualys can help your organization overcome this critical challenge.
In a perfect world, organizations would patch vulnerabilities immediately after they’re disclosed, preemptively blocking exploits and dodging most cyber attacks.
Of course, reality is far from that hypothetically ideal state. Organizations often leave critical vulnerabilities unpatched for months, even years. Hackers routinely feast on all that low-hanging fruit to hijack systems, steal data, deface websites and disrupt operations.
We all know it’s impossible to patch every single vulnerability. Thousands are disclosed every year, and patching systems can be complicated, time-consuming and inconvenient. But InfoSec teams agree that fixing the most dangerous bugs on a timely basis is not only doable but also necessary.
The problem is that prioritizing remediation and pinpointing those critical vulnerabilities is difficult when — as is often the case — organizations lack continuous and automated vulnerability management, asset inventorying and threat analysis.
Unsurprisingly, recent Qualys data on patching behavior shows that remediation activity is directly related to the level of risk attached to specific vulnerabilities. And in some cases, specifically when it comes to the realm of IoT devices, patching is always slow, and often non-existent.
As hackers get faster at weaponizing exploits for disclosed bugs, InfoSec teams need — more than ever — automated, continuous and precise IT asset inventorying, vulnerability management, threat prioritization and patch deployment.
Critical vulnerabilities that linger unpatched for weeks or months offer hackers easy opportunities to breach systems. These bugs open the door for bad guys to steal confidential data, hijack PCs, commit financial fraud and create mayhem.
The WannaCry ransomware attack, which infected 300,000-plus systems and disrupted critical operations globally in mid-May 2017, highlighted the importance of timely vulnerability remediation.
When vulnerability risk management is proactive, organizations don’t have to hurriedly react to attacks that exploit bugs for which patches are available, as happened with WannaCry. 
