Ed Amoroso, who spent 31 years working in IT security at AT&T, the last 12 as the company’s CSO, recently let us pick his brain on infosec topics such as vulnerability management, patch prioritization and emerging technology. Below is our Q&A with Amoroso, who is now CEO of TAG Cyber, a cyber security advisory and consulting firm which he founded this year and which recently published its first annual industry report. This report found Vulnerability Management to be one of the top security controls for enterprise CSOs.
Does it surprise you when a vulnerability that was patched years ago continues to be exploited successfully even in companies and government agencies with a lot of IT resources? Do you think this is caused by issues in any one part of the VM process (discovery, prioritization or remediation)?
Most cyber practitioners forget that the normal patching process up until 2003 was to batch together several updates into one good modification that was scheduled and managed slowly and properly. The SQL/Slammer worm changed all this because it exploited a patch that most of us were waiting to update – and it was a good thing, because the patch actually turned out to create a memory leak after all. So this idea that we should all have perfect processes for patching seems to me quite unfair and unreasonable. That said, I think most CISO teams do an excellent job, given the tough circumstances. Remember that patches are software changes that often affect system processing in critical systems. And they are done quickly with no disruption and with zero tolerance for business consequence. So no – it does not surprise me that there are still lingering issues, because this is not an easy activity.
What problems arise when VM is approached as a stand-alone scan-and-patch function, and not as a holistic security process? What opportunities do infosec teams miss when companies approach VM this way? What elements are critical to a holistic VM process?
Because vulnerability management is so essential and core to enterprise security, creating a stand-alone process is clearly unacceptable. Vulnerability management requires embedded internal hooks for telemetry into all systems of interest as well as external hooks for threat information from all sources. And from a visibility perspective, the process requires scanning and discovery of everything in scope. So the word holistic certainly seems appropriate here.
VM has been around for many years. Is its relevance and importance rising or falling, and why?
The relevance of vulnerability management is rising, but then all of cyber security is becoming so much more essential in modern society, government, and business. It would be great to imagine a world where all components work perfectly, but that is far off into the future. So for now, we must contend with human inadequacy in creating correct software objects and systems – hence the need to manage vulnerabilities.
What advice do you give to enterprises that are trying to migrate systems to the cloud while maintaining IT security and compliance posture? Should they be moving their security tools to the cloud as well?
Cloud is part of the solution, not part of the problem – as is so often claimed by anyone who has not thought this through properly. The idea of distributing and virtualizing workloads into cloud operating systems seems to me to be the most promising architectural solution to the advanced persistent threat. It may not be perfect, but it’s a thousand times better than perimeters.
Why is it important to properly prioritize vulnerability remediation, and what makes it so hard for many organizations to do so?
Remediating vulnerabilities is not always simple, especially if the underlying system is legacy, complex, or just not conducive to update. When this occurs, the CISO team usually takes the blame for a slow update cycle, but this seems unfair to me. Another issue is that remediating vulnerabilities can create new problems. Experienced security admins know this and are usually extra careful pushing patches, especially if they are numerous or consequential.
What new and emerging technology trends are catching the eyes of CISOs, and are they adding to the complication of vulnerability management today?
Virtualization is super exciting from a vulnerability management perspective, because it allows for updates to be implemented in so-called “gold standard images,” which can then be exported to a large number of workloads, containers, or virtual machines. This doesn’t remove the need for vulnerability management, but it might improve the lifecycle considerably.