Qualys Blog

www.qualys.com
197 posts

Overwhelmed by Security Vulnerabilities? Here’s How to Prioritize

In our second installment of the Qualys Top 10 Tips for a Secure & Compliant 2017 blog series, we tackle the bane of many InfoSec teams: Deciding which vulnerabilities to remediate first.

Thousands of new vulnerabilities are disclosed every year, so knowing which ones must be immediately patched or mitigated has become a major challenge for InfoSec teams everywhere.

No security team has the resources to patch every single one, and even if they did, they’d still need to identify and address the most critical ones first. Why? Because not all vulnerabilities are created equal. Some are trivial, while others can be disastrous. Pinpointing the software that must be patched with the greatest urgency is essential.

Unfortunately, many organizations lack a precise, strategic, automated and systematic process for prioritizing their vulnerability remediation work. As a result, hackers constantly exploit common vulnerabilities and exposure (CVEs) for which patches have been available for weeks, months and even years.

In its 2015 Data Breach Investigation Report, Verizon found that almost all of the vulnerabilities exploited in 2014 had been disclosed more than a year earlier.

Clearly organizations have a prime opportunity to slash their risk of breaches through an effective vulnerability prioritization program — ideally, one that ranks vulnerabilities based on their risk to the organization, and prioritizes their remediation accordingly.

A Snapshot into the Current State of Vulnerability Prioritization

SANS Institute’s second annual survey on continuous monitoring (CM) programs — titled “Reducing Attack Surface” and published Nov. 2016 — shows there is plenty of room for improvement in organizations’ vulnerability prioritization and remediation efforts.

The study, which polled organizations of all sizes and from most industries, found that only 12% described their vulnerability ranking process as “fully automated,” while another 43% called theirs partially automated.

Meanwhile, only 7.5% called their remediation process “very effective” — meaning that their processes “include automated prioritization and workflow to ensure vulnerabilities are repaired or shored up” securely across systems, and that repairs are maintained.

Another 54% rated their remediation process “effective enough,” which means they manage to keep attackers out, but are in need of more repair status visibility and of more workflow automation. The remaining 37% know what they need to repair but face limitations in follow-through, budgets, staff and tools, including automation.

With regards to the time it takes organizations to remediate, 68% of respondents said they’re able to repair, patch or mitigate critical vulnerabilities in under a month.

While this is up from 54% in 2015, the ideal is to fix critical vulnerabilities in one day, because risk reaches moderate levels at the one-week mark and becomes high when a vulnerability remains in a critical system for a month or longer. Among respondents, 10% reported being able to remediate critical vulnerabilities in 24 hours or less.

Another area of concern: less than 6% of respondents was able to remediate all critical vulnerabilities in their IT environments.

Taming the Vulnerability Overload

Key to properly prioritizing remediation work is the ability to correlate vulnerability disclosures with the organization’s IT asset inventory. To do this, you naturally need a comprehensive and searchable inventory of your IT assets and a complete log of vulnerability disclosures. Both elements need to be continuously updated.

This way, you’ll be able to “connect the dots” and obtain a clear picture of the vulnerabilities that exist in each IT asset.

Then you must delve deeper and weigh more granular criteria about both the impacted IT assets and their vulnerabilities, as recommended in the Center for Internet Security (CIS) Critical Controls Section 4.8, which reads: “Establish a process to risk-rate vulnerabilities based on the exploitability and potential impact of the vulnerability, and segmented by appropriate groups of assets (example, DMZ servers, internal network servers, desktops, laptops).”

The CIS document goes on to recommend applying patches for the riskiest vulnerabilities first, minimizing impact to the organization with a phased rollout and establishing expected patching timelines based on the risk rating level.

4 - Top 10 TipsFor example, with regards to IT assets, you should factor in things like:

  • the importance of the role they play in critical business operations
  • their level of interconnectedness with other assets in your IT environment
  • the level of exposure to the internet via web and mobile apps
  • the size and nature of their user base

Regarding vulnerabilities, take into account whether they:

  • Are “zero day” type
  • Are being actively exploited in the wild
  • Represent a big threat for data integrity and data protection
  • Can lead to “lateral movement” attacks on other systems after the initial breach
  • Are a conduit for DDoS attacks

Out of this type of in-depth analysis will emerge a clear picture of your threat landscape, and based on it, you’ll be able to come up with an accurate remediation plan.

Obviously, these assessments of IT assets and vulnerabilities must be automated, so that they can be conducted continuously. This is necessary because, as stated earlier, new vulnerabilities are disclosed every day. But that’s not the only reason.

Often vulnerabilities disclosed months or even years before can suddenly become more dangerous if, for example, they’re targeted by exploit kits that make them easier to compromise by a much larger universe of hackers.

Meanwhile, your IT asset inventory also changes frequently:

  • Hardware is added, while other hardware is decommissioned, including PCs, tablets, cell phones, servers, storage arrays, IoT sensors and networking equipment.
  • Software is removed, updated and installed, including OSes, databases, middleware, applications and firmware.
  • The business and technology roles of IT assets also change, lowering or increasing their level of importance.

In other words, the intensity and types of threats presented by the vulnerabilities in your IT environment are always shifting and changing, forcing you to reassess your remediation prioritization plan.

What Success Looks Like

Advanced persistent threats, those sinister attacks that are tailored and customized for particular organizations or even individuals, receive much attention. However, organizations are more likely to be hit by automated, wholesale attacks designed to compromise known vulnerabilities that haven’t been patched.

“The tally of really old CVEs which still get exploited in 2015 suggests that the oldies are still goodies,” reads Verizon’s 2016 Data Breach Investigations Report (DBIR). “Hackers use what works and what works doesn’t seem to change all that often. Secondly, attackers automate certain weaponized vulnerabilities and spray and pray them across the internet, sometimes yielding incredible success.”

If an InfoSec team patches, remediates, and mitigates the right vulnerabilities at the right time, its organization will avoid falling prey to most cyber attacks. In a way, it’s a defense similar to immunization.

When the most dangerous and critical vulnerabilities are consistently addressed in your most important IT assets on a timely basis, your organization will be in a solid position to withstand the daily attacks from hackers seeking to exploit unpatched gaps.

We’ll continue this series next week with a trio of tips for ensuring your organization complies with external regulatory mandates, enforces internal policies and assesses the risk of doing business with vendors and other third parties.

Qualys ThreatPROTECT helps you take full control of evolving threats, so you always know which to remediate first. Start your free trial.

Five Things to Know About Qualys’ FedRAMP Authorization

The FedRAMP authorization obtained by the Qualys Cloud Platform was one of Qualys’ significant achievements in 2016. Why is that, you may be asking? Here we explain five reasons why the FedRAMP (Federal Risk and Authorization Management Program) approval is important for Qualys customers and partners. (And we explain what FedRAMP is!)

Continue reading …

Information Security and Compliance: New Year’s Resolutions You Can Keep

A new year has started, giving InfoSec professionals the perfect opportunity to evaluate what’s working and what’s not in their organizations, and, filled with that early-January optimism, set out to do better.

In that spirit of improvement and renewal, Qualys is kicking off today a blog series that outlines helpful tips — not just flimsy resolutions — for ensuring data security and compliance throughout the year.

In this initial post, we’ll discuss the first three of the Qualys Top 10 Tips for a Secure & Compliant 2017, addressing the importance of IT asset visibility, proper management of vulnerabilities, and continuous monitoring.

Continue reading …

Office Depot Extends the Value of Cloud-based Security via Qualys APIs

When Office Depot went looking for a new vulnerability management system, it picked Qualys’ for several reasons, including the variety and capabilities of its application programming interfaces (APIs). This was the topic of a recent talk by Office Depot Director of Global Information Security Jon Scheidell.

Since deploying Qualys Vulnerability Management (VM) about three years ago, the office supply chain has made ample and effective use of Qualys APIs in ways that have helped improve its overall security posture and its business operations.

“They’re one of the security vendors that does a better job of not only creating APIs for different features but also documenting them very, very well,” Scheidell said during a recent presentation at the Black Hat USA 2016 conference.

Qualys has always prioritized the extensibility of its platform via APIs, starting in the early 2000s with the release of its first product, and it has intensified its API efforts in the last four or five years.

Today, almost all of the major functions of the Qualys Cloud Platform are accessible to third party developers via APIs. In addition to Vulnerability Management, Qualys offers complete API sets for Web Application Scanning, Web Application Firewall, Policy Compliance, Continuous Monitoring, Malware Detection and the platform’s underlying asset management and tagging functionality.

Continue reading …

What You Need to Know About the Upcoming Leap Second

The U.S. Naval Observatory announced on July 6, 2016 that a leap second will be added to official timekeeping on December 31, 2016 at 23 hours, 59 minutes and 59 seconds Coordinated Universal Time (UTC).  This corresponds to 6:59:59 pm Eastern Standard Time, when the extra second will be inserted at the U.S. Naval Observatory’s Master Clock Facility in Washington, DC.

Qualys has completed our assessment of the Qualys Cloud Platform and its sensors (scanners), and we do not expect any impact or adverse effect.  In the time since Qualys was founded in 1999, there have been leap seconds in 2005, 2008, 2012 and 2015, all with no reported impact to Qualys systems or customers.

Continue reading …

SSL: Deceptively Simple, Yet Hard to Implement

An Interview with SSL Expert and SSL Labs Founder Ivan Ristić

Even though SSL/TLS is critiivan-risticcal for the privacy, integrity, and security of internet communications, the protocol is implemented in an optimal way in only a small percentage of web servers, meaning that most websites and web apps aren’t as secure as they could be.

It doesn’t have to be that way, which is why Ivan Ristić, a security researcher, engineer, and author known for his expertise on various aspects of InfoSec, has spent years contributing to the field of SSL/TLS.

He launched SSLLabs.com in 2009 to provide SSL/TLS tools, research and documentation, brought it with him when he joined Qualys in 2010, and ran it until mid-2016, when he became an advisor. Under his leadership, SSLLabs.com became a de-facto standard for secure server assessment and the go-to site for organizations looking for help improving their SSL/TLS configurations.

Ristić also wrote an entire book about the topic titled “Bulletproof SSL and TLS: Understanding and Deploying SSL/TLS and PKI to Secure Servers and Web Applications.” We recently had a chance to catch up with Ivan and pick his brain about SSL/TLS challenges, best practices and trends. Here’s what he told us.

Continue reading …

SANS Survey Report: Organizations’ Continuous Monitoring Programs Must Keep Maturing to Yield Full Benefits

Organizations worldwide have expanded and sharpened their continuous monitoring (CM) programs over the past year, but their adoption of this key set of security practices remains far from perfect.

That’s the main finding from the SANS Institute’s second annual survey on CM programs titled “Reducing Attack Surface” and published Nov. 2016.

Despite tangible improvements, CM “still has a way to go to attain the maturity needed to become a critical part of an organization’s business strategy,” reads the study, which polled almost 300 Infosec and IT pros actively involved in vulnerability assessment and remediation.

Continue reading …

Qualys Cloud Suite 8.9.1 New Features

This new patch release of the Qualys Cloud Suite, version 8.9.1, includes updates for Cloud-based scanner deployments, VM Reporting Enhancements, and expanded platform coverage for PC.

Cloud Platform: Added EC2 Proxy Server support for the connector and the ability to identify the provider for scanners deployed in cloud environments such as Amazon Web Services, Microsoft Azure, and Google Cloud Platform.

Vulnerability Management: Improvements from customer requests for a number of VM Reports and ability to set reopen date for Remediation Tickets.

Policy Compliance: Expanded platform coverage for Microsoft IIS 10, Pivotal Webserver 6, Docker and Windows Server 2016.

Continue reading …

Qualys Cloud Platform 2.19 New Features

Qualys Cloud Platform release 2.19 includes updates and new features for:

  • Cloud Agent Platform (Version 2.0.0)
  • Web Application Scanning (Version 4.13.0)

Continue reading …

Web and Mobile Apps Often Hide Complex Maze of Insecure Connections

To stay secure, organizations must gain control and visibility over their app landscape

For many years, Jason Kent used a good old-fashioned remote control clicker to open and close his garage door, but the mechanism recently got “appified” so he became curious about its security.

His interest isn’t surprising. After all, Kent is Qualys’ Vice President of Web Application Security, so this topic is near and dear to his heart, and it’s fair to say he knows a thing or two about these matters.

To appease his curiosity, he donned a black hoodie because, as he explained at RSA Conference 2016 Abu Dhabi in mid-November, “you have to look the part when you’re hacking IoT,” and he sat in his driveway to try to break into the app.

“I looked at the communication from my mobile app to my garage door through the cloud. I broke into the communication. I crafted a packet in my laptop. And the door opened,” he said during his presentation titled “Security in the App Era: Building Strength for an Interconnected World.”

Continue reading …