We are inundated with stories about security vulnerabilities and breaches all of the time. So how do we wade through the alerts and take action remediating security threats so we avoid joining this 'wall of shame'?
How to Approach Remediation
There are really useful articles around sound security operations for quick remediation that are definitely worth a read. Prioritizing gaping holes versus blips in your security posture isn't hard. But what if you are looking at two issues that, on the surface, feel similar?
Here are some steps for understanding the vulnerabilities in your environment and their urgency, and for prioritizing their remediation. Not all vulnerabilities or concerns are created equal, and it is important to know their weight when determining where we start remediating and where we finish. Why? Because time is not usually on our side and the alerts just keep coming.
Understanding the Age of the Vulnerability
Security vulnerabilities are not good. Not even if you turn your head to the side and squint a little. They are just ugly. But, that doesn't mean they are all created equal. Normally, an article would start with prioritization based on urgency when it comes to remediating security vulnerabilities, but I want to start with a different perspective that may help your security, IT or DevOps team make measurable gains when it comes to shoring up your security defenses.
The age of the vulnerability is straightforward: is it new or old? Newness, inherently, doesn't make a priority rise up the list, but if SecOps were doing an exercise in raw materials logistics, LIFO (last in, first out) would trump FIFO (first in, first out), though that is not a universal truth.
Here is an example: that annoying little alert on your Mac pops up again, as it has for the past 3 months, telling you to update macOS for a slew of reasons, one being to address security issues. It isn't a fun update, like Mojave and dark mode, just a 10.14.3 sort of change. You select "Remind me tonight" even though your machine will be tucked away in your bag and won't update. That is an old, known issue. For your security team, if they saw 14 devices in the organization still on the old OS, that isn't great, but if it was 17 last week and has been inching slowly toward zero, that's progress. It is a known issue that isn't getting worse. Focus on other things that pop up. If, however, your security team sees that number jump from 14 to 19, that is a red flag. The change is backwards, and new. Why would this happen? This is something that needs to be investigated.
Not the most exciting example, I get that, but it illustrates the point that understanding the change in your security landscape matters far more than any single point-in-time snapshot, because a snapshot lacks context.
Understanding the Blast Radius of the Vulnerability
Next up is understanding the blast radius of a potential issue. When you are weighing similarly timed, new security events against each other, the next filter should be "which could do more damage?" This is where we want to treat the glass as half empty. Worst-case scenario, if neither of these vulnerabilities were handled immediately, how bad could it get?
If your lead engineer lost his laptop (he said it was stolen, but we all know ...), that is definitely not great. He probably has admin access to things that could cripple your organization if tampered with successfully. Yikes. This could have a huge ripple effect (blast radius). To avoid an attacker making a significant dent in your organization, you can lock down access to all of your tools tied to his email/username, just in case the malicious attacker (or opportunistic middle schooler) manages to get through his log-in screen. Simple and speedy, but it took recognizing the potential damage that could be done if the issue wasn't addressed swiftly.
Another way to think about it is if your wallet was stolen. You had a debit card and some cash ($100) in it. Worst-case scenario for the cash is, well, it's gone. $100. Poof. Worst-case scenario for the debit card: your entire checking account plus overdraft fees. Do you prioritize looking for the person who may have stolen your wallet, or do you log into your bank app and kill the card? That is understanding the blast radius.
Understanding the Urgency of the Vulnerability
Now for your regularly scheduled security remediation program: urgency.
I will start by saying I am in no way suggesting known security vulnerabilities should exist if you can do something about them. They should be handled, and quickly, to prevent potentially disastrous consequences. But if it was 4 o'clock on Christmas Eve, you forgot your charger at the office and there is only 3% of your battery left, it is important to be able to choose what remediation happens now and what waits.
This timeliness could be tied to multiple things: an impending security audit, the scope of a breach or something else. Whatever the case, your team needs to be able to assess the variables at play to choose what happens first and what happens second.
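The three filters above (age/trend, blast radius, urgency) can be applied mechanically to a list of findings. The following is an added example, not code from the original article or from JupiterOne; the blast-radius scale, the weekly snapshot counts and the finding names are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

NO_DEADLINE = 10**6  # sort sentinel for findings without a hard deadline (assumed)


@dataclass
class Finding:
    name: str
    weekly_counts: List[int]      # affected assets per weekly snapshot, oldest first
    blast_radius: int             # assumed scale: 1 (one box) .. 5 (org-wide admin access)
    due: Optional[date] = None    # hard deadline such as an audit date, if any


def trend(counts: List[int]) -> int:
    """Change between the two most recent snapshots; > 0 means the issue is growing."""
    if len(counts) < 2:
        return 0
    return counts[-1] - counts[-2]


def is_regression(f: Finding) -> bool:
    """A known issue whose affected count went back up is new movement and needs a look."""
    return trend(f.weekly_counts) > 0


def days_left(f: Finding, today: date) -> int:
    return (f.due - today).days if f.due else NO_DEADLINE


def triage_key(f: Finding, today: date):
    """Sort key in the order the article applies its filters: age/trend, blast radius, urgency."""
    return (0 if is_regression(f) else 1, -f.blast_radius, days_left(f, today))


def prioritize(findings: List[Finding], today: date) -> List[str]:
    """Return finding names, most pressing first."""
    return [f.name for f in sorted(findings, key=lambda f: triage_key(f, today))]


# Constructed sample findings mirroring the article's scenarios.
TODAY = date(2019, 2, 1)
SAMPLE = [
    Finding("macos-outdated-team-a", [17, 14], blast_radius=2),   # shrinking: progress
    Finding("macos-outdated-team-b", [14, 19], blast_radius=2),   # jumped: red flag
    Finding("lost-admin-laptop", [0, 1], blast_radius=5),         # new and org-wide
    Finding("audit-control-gap", [3, 3], blast_radius=3, due=TODAY + timedelta(days=2)),
]

if __name__ == "__main__":
    for name in prioritize(SAMPLE, TODAY):
        print(name)
```

Regressions sort first, then the widest blast radius, then the nearest deadline, so the stolen admin laptop and the growing outdated-OS count land ahead of the audit item and the shrinking one.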
Successfully Remediating Security Issues Requires Perspective
These three tips will help you approach remediating security vulnerabilities with the right perspective to ensure you don't lose the forest for the trees. There is a lot going on in our constantly evolving digital and office environments. If time or money weren't a concern, you could simply overstaff by dozens and stipulate around-the-clock monitoring. Unfortunately, we have yet to come across a security, IT or DevOps professional with that sort of flexibility or time on their hands, so these tips should be the next best thing.
Successfully remediating vulnerabilities really just means having a plan in place for dealing with the onslaught. It usually isn't a matter of how to address an issue; it's a matter of when.
Embrace DevSecOps – it will help
Adopting a DevSecOps Mindset
Giving everyone across the organization responsibility for security assurance is an ideal way both to track down potential issues earlier and to know the scope of a potential problem. Adopting a "See something, say something" mentality can drastically limit the amount of time it takes to catch potentially large issues.
Embracing DevSecOps and creating a culture of security ownership across the organization, especially your engineering and development teams, will prevent a lot of avoidable vulnerabilities from occurring in the first place. On the flip side, when they do occur, they are more easily caught early on and can be weighed appropriately in terms of priorities.
If your organization already embraces DevSecOps, then you know the challenge with maintaining efficient security operations lies with the number of tools and technologies that require our time and attention. JupiterOne streamlines the process and each of these remediating steps by automatically mapping and maintaining relationships across your digital environment's resources and users, tracking changes in your environment and answering the 'so-what' of your security alerts. Take it for a spin today and add perspective to your digital environment.
Automation and Infrastructure as Code
Mindsets are great and all, but, practically speaking, time is the great limiter organizations and security teams face when it comes to quickly remediating security vulnerabilities. To make the most out of the hours that are in the day, as well as those less used hours in the night, organizations should lean heavily on automation and infrastructure as code (IAC).
Automation put into practice means automated security gates, continuous integration and delivery (CI/CD) and vulnerability management, while tools like Terraform or AWS CloudFormation allow an organization to easily embrace IAC.
Choose wisely when it comes to handling security vulnerabilities, to ensure you leave yourself most exposed for the least amount of time. What is easiest to address doesn't always make the most sense to address first.
Identifying and remediating security vulnerabilities has never been easier.