In Greek mythology, Sisyphus was the founder and first king of Ephyra. He angered the gods on numerous occasions – killing travelers and guests in his city, chaining Hades (so no one was able to travel to the underworld), and tricking the queen of the underworld into letting him return to the land of the living. For his crimes against the gods, he was condemned to ceaselessly roll a rock to the top of a mountain, whence the stone would fall back down, and he would have to do this all over again.
The gods’ rationale for his punishment? That there is no more dreadful punishment than futile and hopeless labor.
Vulnerability management is this Sisyphean task for security teams.
Every day, we need to deal with:
- Massive volume of vulnerabilities – We are forced to deal not only with the vulnerability du jour but also with very old vulnerabilities from years past. The 2016 Verizon Databreach Report looked at CVEs exploited in 2015, and found that while 2015 CVEs were exploited, ten-year-old and even seventeen-year-old CVEs were also being exploited successfully.
- No true understanding of risks – The challenge when dealing with volumes of vulnerabilities is how to prioritize. In March 2016, frustrated security professionals complained that they were unable to obtain CVE numbers for critical bugs, and wanted to propose a new bug disclosure system. In fact, many of the vulnerabilities we think are important and need to be addressed right away may be gaining attention because of marketing and PR hype, not necessarily because of the severity of their impact. Bruce Schneier said this last year: “As an aside, I am getting pretty annoyed at all the marketing surrounding vulnerabilities these days. Vulnerabilities do not need a catchy name, a dedicated website — even though it’s a very good website — and a logo.”
- No business context – Additionally, while a vulnerability may be real, its actual impact on a specific business may not be clear. For example, a vulnerability associated with a customer database in the cloud may be more important than one on the server in the lab with no external connection.
What security teams are missing is that there is more to security than vulnerabilities. Even if you completely patch all your vulnerabilities, there is no guarantee that you will not be breached. Attackers use a comprehensive set of techniques, such as brute force, malware and social engineering.
If you’re involved in making decisions around securing your organization, it’s important to gain the full picture of how an attacker would target you. Breach simulations allow you to understand the true business impact based on the types of assets you’re trying to protect, and the types of attackers you’re protecting from. This “big picture” identifies probable breach scenarios on a continuous basis, and gives you the benefit of time to proactively address any issues. When you simulate breach scenarios across the kill chain, you can also select the best possible way to break this kill chain, based on your strengths. This is a big advantage for you as a defender.
An additional side benefit is that by understanding the types of breach methods that can be successfully executed, you can drill down into the vulnerabilities associated with them. Take a look at the example below, where the Flashpack Exploit kit was successfully executed between the SafeBreach infiltration simulator and the simulator in the customer database. Our simulations provide details of the associated CVEs for the exploit kit that can be prioritized and addressed.
If you want to hear more about our perspective on vulnerability management, check out our on-demand webinar here – “Is Vulnerability Management Dead? Three Reasons Why You Need Breach Simulations”.