As any security analyst knows, managing vulnerabilities in a company network is a never-ending task. According to a 2017 Enterprise Management Associates study, there are on average ten vulnerabilities per IT asset, which means the average midmarket company must manage around 20,000 vulnerabilities at any given time. It’s no wonder, then, that 74% of security teams reported being overwhelmed by the amount of vulnerability maintenance work assigned to them.
With all that stress and with the shortage of manpower many teams also experience as a result of the cyber security skills crunch, how can security teams get a handle on managing the sheer volume of vulnerabilities? While it’s practically impossible to fix every vulnerability, with the help of automation and with proper prioritization, security teams can keep vulnerabilities at a manageable level and take care of the ones that present the greatest risk to the organization. We asked F-Secure’s Tuomas Miettinen for his tips on keeping the vulnerabilities at bay.
1. Be sure your workstation and server software is up to date
Most commodity malware exploits vulnerabilities in workstations and servers. Patching those will reduce the available attack surface and eliminate the occurrence of certain vulnerabilities in your scans from the start. With patch management or software updating tools like Software Updater, this process can be automated to ease your workload.
2. Discover and map out your assets
If you don’t know it’s there, you can’t protect it. Inventory your assets – your devices, services and open ports both on-premises and on the internet. Discover shadow IT assets and decommission unnecessary open ports and old targets. The devices, services, and applications that make up a network are constantly changing, so regular inventory is essential, but this is easy to automate with tools like F-Secure Radar’s discovery scanning.
3. Scan for vulnerabilities, and do it regularly
Vulnerability scanning should be done on a regular basis. One scan is just a snapshot in time, but new vulnerabilities are found and reported every day. Frequent scans are needed to stay on top of the current situation. They are also helpful in confirming that a problem that was previously attended to really is fixed. This process can also be automated and scheduled with F-Secure Radar. And don’t forget to scan services hosted by third-party service providers.
4. Focus on the most important vulnerabilities first
Scanning will identify a lot of vulnerabilities, which can be overwhelming. Priority should go to business-critical assets. Because you’ve done a thorough asset inventory, you know what you have – so categorize those assets and prioritize. Rather than thinking in terms of single targets, consider how each asset is connected to the rest of the IT environment and to the internet. Think about the effect an exploited vulnerability would have on the rest of the environment, and fix the critical vulnerabilities across all platforms and services.
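One way to turn this advice into a ranking, as an added example that is not from F-Secure or F-Secure Radar: each finding's scanner severity is weighted by the most critical asset reachable from the affected host and by internet exposure. The asset names, criticality scale, reachability map, finding ids and weights are all constructed assumptions.

```python
from collections import deque

# Constructed sample data; names, scales and weights are assumptions for illustration.
ASSETS = {  # business criticality 1 (low) to 5 (business-critical)
    "web-frontend": {"criticality": 2, "internet_facing": True},
    "app-server":   {"criticality": 3, "internet_facing": False},
    "customer-db":  {"criticality": 5, "internet_facing": False},
    "print-server": {"criticality": 1, "internet_facing": False},
}
REACHES = {  # which asset can open connections to which (note the cycle)
    "web-frontend": ["app-server"],
    "app-server": ["customer-db", "web-frontend"],
}
FINDINGS = [  # (asset, placeholder finding id, scanner severity 0-10)
    ("print-server", "FINDING-A", 9.8),
    ("web-frontend", "FINDING-B", 7.5),
    ("customer-db", "FINDING-C", 6.0),
    ("app-server", "FINDING-D", 5.0),
]
HOP_DECAY = 0.8        # each hop away lowers the weight of a reachable asset
EXPOSED_FACTOR = 1.5   # internet-facing assets are found by automated scanning

def effective_criticality(asset):
    """Highest hop-discounted criticality among the asset and all it can reach."""
    best, seen, queue = 0.0, {asset}, deque([(asset, 0)])
    while queue:
        name, hops = queue.popleft()
        best = max(best, ASSETS[name]["criticality"] * HOP_DECAY ** hops)
        for nxt in REACHES.get(name, []):
            if nxt in ASSETS and nxt not in seen:  # visited set handles cycles
                seen.add(nxt)
                queue.append((nxt, hops + 1))
    return best

def prioritize(findings):
    """Return (score, finding id, asset) tuples, highest priority first."""
    ranked = []
    for asset, finding_id, severity in findings:
        if asset not in ASSETS:
            raise KeyError(f"{asset} is missing from the inventory; run discovery first")
        exposure = EXPOSED_FACTOR if ASSETS[asset]["internet_facing"] else 1.0
        score = severity * effective_criticality(asset) * exposure
        ranked.append((round(score, 1), finding_id, asset))
    return sorted(ranked, reverse=True)

if __name__ == "__main__":
    for score, finding_id, asset in prioritize(FINDINGS):
        print(f"{score:6.1f}  {finding_id}  {asset}")
```

On this sample the 9.8-severity finding on the isolated print server ranks last, while the 7.5 finding on the internet-facing front end that leads toward the customer database ranks first.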
5. Document the scan results
Keep track of the scan results and the changes that have been made. Later you’ll have a record when you need to review what was done previously. To help with this, F-Secure Radar includes history data and ticketing to track down who is responsible for fixing vulnerabilities.
6. Make plans for unpatchable vulns
Not every vulnerability can be patched. For the ones for which patching isn’t feasible, make a mitigation plan to minimize the possibility of exploitation. Mark this as an accepted risk and report it to your head of security. Unpatchable, end-of-life products are vulnerable and need to be replaced. Doing a risk analysis will help a company justify investing in replacing vulnerable legacy systems.
7. Don’t take anything for granted
It doesn’t matter how big or small your company is – you will be targeted not because of your company, but because a vulnerability exists and can be exploited. Adversaries have automated tools that scan the internet for vulnerabilities and when they find them in your infrastructure, attackers go after them simply because they have the opportunity. They’ll then see what’s inside your company they can exploit for financial gain.
A program of regular inventory scanning and continuous attack surface assessment will help you stay on top of vulnerabilities. F-Secure Radar simplifies the process of vulnerability management with internet discovery, asset discovery and vulnerability discovery all in one easy-to-use solution. It also satisfies the GDPR requirement for having a process of regularly testing, assessing and evaluating the technical measures for ensuring security of data processing.