Cybersecurity Virtual Summit Panel: Risk-Based Prioritization
Cyber threats continue increase and the tactics and tools available to threat actors grow more sophisticated, but the challenges for companies remains the same. How to quickly and effectively remediate security vulnerabilities without crippling the business.
In short, the volume of changes introduced by trying to address all possible threats is too great. In 2018 more than 16,500 vulnerabilities were identified and reported by vendors across the industry, but only a small percentage had an actual exploit available AND an even smaller percentage were weaponized.
So how do you know where to focus your efforts? Get best practices from a panel of experts in risk-based vulnerability prioritization and hear from an IT security professional at a major packaging materials company on how their organization structures their security strategy accordingly.
Enjoy the video presentation and accompanying transcript below, brought to you by presenters Chris Goettl (Director Product Management for Security, Ivanti), Chris Wakulik (cybersecurity engineer), Andrew Homer (VP Business Development, Morphisex), and Jeff Aboud (Director Product Marketing, Kenna Security).
Chris Goettl: Hello everyone. My name is Chris Goettl. I am the director of product management for security products here at Ivanti. Today, I'm joined by a few different people. I'm going to introduce them in just a moment, but we want to talk a little bit about risk-based prioritization in the trenches. One of our panelists today is actually a security practitioner in a large manufacturing company and he's going to have kind of some challenges and different issues that they've run into and some words of wisdom to share with us. We also have some experts from a couple of partners here that we work with regularly and get some of their guidance as well as we kind of go through this topic. Risk-based prioritization, cyber threats, they're only proliferating, they continue to increase in the tactics and tools available to threat. Actors are growing more and more sophisticated, but the challenges for companies pretty much remain the same.
How do you respond to so many threats and do so in a very timely manner? To quickly and effectively remediate security vulnerabilities without crippling the business. That's the real goal that we all have. In short, the volume of security vulnerabilities, it being introduced are too significant, too great for average IT companies to be able to respond to quickly and effectively. It leaves us with a gap that leaves companies exposed and oftentimes, will lead to a windows where a breach could be very possible. If you look at 2018, there were more than 16,500 vulnerabilities that were identified and reported by vendors across the industry, but only a small percentage of those had an actual exploit that was identified against those. Even fewer of those were actually weaponized to the point where they were used in larger scale attacks.
A lot of them are used in very targeted attacks and a lot less frequently. The number of vulnerabilities we have to deal with and the number of those that we should respond to in a timely fashion and treat a lot more urgently, there's a huge gap between those two numbers. That's a lot of what we want to talk about today is trying to understand the bigger problem and trying to understand how we can start to bridge the gap on many of those challenges. First, I'd like to introduce Andrew Homer from from Morphisec. He's the VP of business development. Andrew, welcome.
Andrew Homer: Hello. Thank you. Good to be here.
Chris Goettl: Also, Jeff Aboud, director of product marketing at Kenna Security. Jeff, thank you for joining us today.
Jeff Aboud: Great, thanks. Nice to meet everybody.
Chris Goettl: Last, we've got Chris. Chris is a cybersecurity engineer. Not to be confused with me, Chris. This is Chris W., is a cybersecurity engineer with a large manufacturing company that is actually a customer of Ivanti's and using some of our technologies today. We thought he'd be ideally suited to share some of his thoughts and challenges from his experiences in as a cybersecurity practitioner. Chris, tell me a little bit about this challenge overall. I mean there's a lot of threats out there. More and more coming every day. 2019 is on track to reach as many vulnerabilities as we did in 2018, so tell us a little bit about some of the day-to-day challenges that you experience trying to identify threats to your environment and being able to respond to those threats quickly and effectively.
Chris Wakulik: It's pretty big because over the past few years, I guess the status quo was more of a patch if we have to kind of thing. We have a lot of things that were, certain teams were taking care of specific items and other teams were taking care of other ones. It wasn't this one process or procedure or policy that everybody was aligned with. It's kind of like somebody caught wind of something, like we had to push it down. Then over the past year, we actually had like a specific patching project where we need to align everybody, whether it's Windows, Linux, Macs, whether it's OT or IT, everybody had to kind of like join in and be a part of the patching process instead of just one team. Kind of like ramming everything down everybody's throat, you know? That was a huge undertaking where we had to get buy-in from everybody, but like it was basically because of the WannaCry thing [inaudible 00:04:51].
That was huge. It's kind of like in everybody's face and then with all the other ransomware going around with like certain cities getting locked up or other huge companies, we don't want to be those guys. It was basically like, "You're going to do this." Now granted, I would like to be all ... You always want to be more aggressive than you are, but we don't want to break anything either, so we need to keep the lights on, but we want to make sure we're secure. It's always like, yeah, get the criticals out of the way first and then start working your way down the list. Then obviously, something where it can be executed remotely.
Then we're on top of that as fast as possible whether it's ... Originally, I think when the Spectre stuff came out it was like, well, you got to ... You can't get remote access, we don't care as much. Then when it becomes remotely accessible, then we start paying more attention to things like that. Obviously, there's other ways besides just the patch and we try to mitigate as much as we can with firewalls and the other products such as Zscaler or things like that. We try to have multiple layers of security.
Chris Goettl: Jeff, from your perspective at Kenna Security, this sounds like a lot of what you guys do. Companies are struggling to meet the massive amount of vulnerabilities that are out there. What is Kenna Security doing to help guide companies to better prioritize risks?
Jeff Aboud: Yeah, and thank you for the question. What it really comes down to is really understanding risk and taking that risk-based approach, because the number one thing whenever I talk to any perspective customer, and I ask them, first of all, nobody has ever told me, "Oh no, I've got all the people I need, I've got all the tools I need. Budget's not a problem. We're good." The problem is that the average enterprise can only actually fix one in 10 of their vulnerabilities in their environment, no matter what size they are. The reality is they're never going to have enough human or financial resources to fix everything, but that's what they're trying to do. So many of them that I talk to are trying to remediate and trying to prioritize based on like the CVSS score or the number of assets that are affected.
That's just really not doing the trick because we found, for example, CVSS is terrible at predicting any sort of risk. It's not risk aware at all. In order to really assess your vulnerabilities based on risks, you need to understand the full context of your own abilities. To do that, you really need to analyze both your internal security data, so all the data that's coming in from your scanners, your CMDB, pen testing, bug bounty programs, et cetera, and then couple that with external threat intelligence, threat and exploit intelligence, and then marry those two together. Now you actually have a full understanding of not just which vulnerabilities are more and less risky, but because you also have asset priority, asset criticality through your CMDB, now you can actually figure out which ones are the most important in your specific environment and take it from there.
Chris Goettl: You know, Jeff, there ... A follow up question to that. Chris talking about a precipitating event in this case WannaCry. Is that something you guys see as a turning point for many companies as well, where suddenly a headline-grabbing scary named vulnerability changes the mentality, the mindset of companies there. Is that a pattern that you see quite a bit?
Jeff Aboud: Yeah. You know, it's funny, in some way, yes we do, but in some ways, in the opposite way you think. Because yes, there are certainly really important ones like WannaCry, but there are also, let's face, not to try to diss the media, but a lot of times the media will kind of glamorize things and they'll name a specific vulnerability. Just because it has a name doesn't mean it's more dangerous. It certainly doesn't mean it's more dangerous in your specific environment. We've actually found a lot of people, a lot of our security and IT folks will say, "Oh, our board goes into panic mode because they watched the news and they saw that this thing is going on and now all of a sudden, they're freaking out saying, 'What do we do? Are we protected against it?'"
Having that visibility into and throughout your organization and be able to report on that, is really power. That knowledge is power to be able to not only gain but maintain the trust of your board so you don't have to go in that panic mode. If I can look at even something like WannaCry and say, "Yes, we're on it. Here's where we are in terms of remediation strategy on our most critical assets," or better yet if I can look at it and say, "Hey, we're good because yes, it's in our environment, but it's not touching anything that we really consider a nine or a 10 in terms of asset criticality," we can take our time on that. Then that really takes your team out of that emergency mode, and it helps them continue to do their jobs the way they know how to do it.
Chris Goettl: Jeff makes an interesting point. Andrew, you guys, Morphisec was just recently involved in identifying a vulnerability in an Apple product and it turns out that Apple released an update that resolved this vulnerability, which was being exploited in the wild. But out of the eight or nine vulnerabilities they released in the product and identified, this wasn't even listed. It didn't have a CVE.
Andrew Homer: Correct, and so this is sort of the dirty little truth about unknowns, right? If you look at the CVEs out there, it's probably not represented correctly because there's a lot of exploits that are just not being dealt with. That's the first piece, okay? The second piece, and if you look across the 4 million end points that we're protecting and we're blocking millions of alerts, millions of attacks, is that many of them are going back multiple generations. Even when the CVE is issued and the patch is issued, these companies are still being attacked because ultimately, it's a game of economics and a lot of these companies are failing to prioritize their business assets correctly and therefore, they're being exploited of the vulnerabilities that even have a patch available for them.
Chris Goettl: Here's another question for you, Andrew. There going back to Chris's point about a precipitating event, WannaCry. Even with a WannaCry-type event, we saw a whole bunch of systems globally, companies globally that were lagging behind in responding to this type of threat. I think Chris kind of talks about those challenges a little bit there, so getting the right prioritization is very important, so what Kenna Security does in being able to show you that risk prioritization is very important, but you may not be able to get to a patch for one reason or another. Maybe there is business critical applications or other things there.
Andrew Homer: Correct.
Chris Goettl: We need additional protection at that kind of zero-day to that window between when we can patch and resolve things fully. Talk a little bit about the challenges that companies face there that you guys are seeing.
Andrew Homer: Sure, so there could be a myriad of different reasons why you can't patch, right? It could be IT is overwhelmed. It could be that there could be a disruption in updating a patch. I think from a virtual patch standpoint, it's good to have basic controls in place so that should an attack come in. You're still protected, you might not have the patch and you're still going through the patch for the patch, but one of the things that Morphisec does prevent is without prior knowledge, without a signature, an attack that might be taking an advantage of a system that's running unprotected without a inadequate patch. One of the things that we do today is there's a lot of Windows 7 machines out there, for example, right? About 25-30% of of the environment.
We don't talk about this, but we're still finding vulnerabilities that are found in Windows 7 dating back 15 years. With Morphisec, you don't need prior knowledge. We're not doing detection, we're preventing and we're preventing one, a malicious attack tries to come into memory to exploit it. Those are what some of the challenges that folks face, nevermind prioritization, but how do they actually protect systems that are exposed that they might not even have an understanding of what type of business impact those systems and pieces of data have on the ultimate business?
Chris Goettl: I want to go back to Chris. Chris, obviously there's been a precipitating event with WannaCry, being the one cyber attack that caught the attention of other parts of your organization. Even with that, are there still pockets of groups where you've gotten a very serious business critical application or systems that are sensitive to patching? In those cases, how are you guys tackling those challenges of weighing the risks versus the potential impact to the business?
Chris Wakulik: For us, yeah. You hit the nail on the head with that. Because we do have Legacy operating systems or old applications like Java where certain apps need an older version and we're stuck with, "Okay, we're going to assume that risk on that machine," or pile of machines depending on where it is. We will try to segment things out, so certain things don't need to talk to other things. We have certain parts of our OT don't need to talk our enterprise network so we could lock it down where that way, where if they hose themselves, they're only hosing themselves, but we would still like them patched as much as possible.
Granted, if it's a Legacy OS, then it's only going to be patched with Microsoft's going to be nice about it like WannaCry or [inaudible 00:15:06], things like that, you know? Then same with the other vendors, like Java is kind of like hitting hardcore. Like, "Hey, you're going to pay us some money if you want support for things," things like that. I don't know. We need to make sure everybody's as good as they can be, and then certain teams, yes, they would have to assume risk if we need to leave it open because we need business to run, you know?
Chris Goettl: Andrew, based on what Chris was saying there, you kind of similarly talked about Windows 7. What challenges are companies facing here with January 2020 coming around? You've got Windows 7, you've got Server 2008, Server 2008 R2. There's going to be versions of SQL end-of-lifeing, Java 8 end-of-lifed earlier this year. Chris talked about Java being in their environment as well. With all of these end-of-lifed applications, some of these are going to have to continue on and many companies out there may not be able to continue patching for those. How do you see that challenge maybe growing as we get more and more of these operating systems? How do you see ... What would be some guidance for companies to try to defend better against those challenges?
Andrew Homer: Sure, it's more than a Window 7 challenge. There's going to be a lot more legacy systems out there that just don't have an available patch. I think I read earlier this this week that there's more IOT devices now than there are human beings. With that, you actually have more people writing code more than ever. Actually having an available patch, a timely patch that is available to the organization in such a way that can protect your organization, that's going to become actually more challenging. I think in the case of Windows 7, there's really expensive applications, business mission critical applications that are tied to this. Even on the server front, and so having again, a virtual patch, something that has the protection mechanism without actually having to maintain and continue patching the systems, I think is going to become more critical than ever.
Probably more so, and I think it's even much more outside the scope than just Windows and Windows 7. I mean if you even look at Windows 10, the situation is even getting worse. I think about 80 vulnerabilities last month though or down from 93, but about a quarter of those were high severity, that situation is not getting any better. As we look ahead beyond even Windows 10, now we have multiple generations that we have to take care of and I don't even think Microsoft anticipated that many Windows 7 machines being out there at this point. Again, having a strategy of how you're protecting these Legacy applications, these Legacy systems, I think is going to become much more important over the next three to five years than it is even in now, which is very, very severe in terms of the exposure that you have.
Chris Goettl: Absolutely, and yeah, you make a very good point about Windows 10. We are on the Windows 10 bandwidth or the release train. Not only is it Windows 10 but its every branch of Windows 10 that you have only so many months before that end-of-lifes, and then you've got one more OS that you have to worry about and it's no longer getting patched and it's no longer getting updates. Jeff, let me jump back over to you on this topic. As far as companies that are dealing with these sorts of challenges, yeah, there's identifying risks on the systems you've got and what needs to be updated to resolve those vulnerabilities. But what happens in the case where an application or a platform becomes end-of-lifed? How does that change the risk to that environment and what should people be looking for?
Jeff Aboud: Well, I mean what it really changes is the availability of the patches, as you guys mentioned already. That's when they have to start resorting to some of those other methodologies. It also takes longer to patch these things. They're going to have to write their own customer patch in a lot of cases. That just makes the whole process go even longer. Let's face it, I mean even when the public patch is available, the average meantime to remediation is 100 days and it kind of goes more or less depending on the size of the organization. Different verticals have different times, different methodologies but essentially in general, what we see in the market is 100 days. If you have to now write your own patch on top of that and then do the testing, that's just going to blow that out.
The critical thing is going to be obviously, not just the early detection but again, understanding what risk that particular vulnerability has, whether it's at an application level or the systematic level and infrastructure level. Because if I spend 100 days working on these things and they don't actually pose much risk to the organization, I wasted a ton of time. Let's face it, we all have ... I don't care which organization it is, they have limited resources. It's well-known that we have a very serious shortage of security and IT folks in the industry. If you're taking those very critical resources that you don't have enough of in the first place and you're putting them on things that carry little to no risk, then what you're doing is you're taking that MTTR for your critical vulnerabilities and you're just expanding out two, three, four-fold.
What they really need to do is they need to understand the risks. They need to understand what does and does not have risk. They need to understand their environment and what's critical to their particular infrastructure, and they need to really focus. That's if I really just had to sum it up in a word, it would be focused. They have to really focus on what really matters most and they need to understand that. If they understand what matters most and then you focus only on those, don't worry about the noise. Even if it's in the media. This is what I know I need to work on, and that's the way they're going to, I'd love to say that's the way they're going to win the day, but that's the way they're going to keep their head above water the best.
Chris Goettl: The last question I'd like to get into is more of a kind of looking forward, if you could paint a Nirvana, kind of a perfect world, if I understood these two or three things, it would be to make decisions to patch or not to patch incredibly easier for your organization. Whether it's telemetry or better test data, what are those things that could try to ease the burden of what you guys are running into today?
Chris Wakulik: I think the big thing, and you guys are already working on as the patch intelligence piece where I can get a better idea if it's going to hose something before I apply it, whether it's from you or another customer that have already maybe played around with it. Because our mindset is like patches come out, we let the public break stuff. Next week, we pilot things week after that. We're trying to get stuff done within a month, if we can but I'd rather be like, "Hey, if patches come out, can I go to town on this? Do I really have to like run that pilot or can I just start getting information faster?" I feel a little safer about especially things, some things you're not worried about, other things like we're going to stop business and it's going to cost the money then obviously, yeah we might [inaudible 00:22:47] ...
The patch intelligence I would say is huge, and like the automation. It's one of those things where I would love to automate more, but then we need other certain products to talk to the other products we use. Then having time to set that up correctly. It's one of those things that like every, I don't know if it's just us, but it seems like a lot of companies are having like the teams are smaller so it's trying to do more with less and that's great, but if you don't set up the automation first and it's kind of hard to get time to do that, so everything's running smoothly where you can just kind of keep an eye on things.
Chris Goettl: Kind of a couple of things in there. One is better telemetry, understanding that the impacts might have more information up front. To your point, crowd sourcing that is the only way. We can never gather enough information on our own. Crowdsourcing that is really necessary. The other part is having the automation put together so that when you get that telemetry from all those different sources from all these different places, things can happen faster. You can respond more quickly to meet that criteria, to meet ... To execute on those decisions that you've made.
Chris Wakulik: Right, so I mean, you don't want to have to wait on me or someone else to like, "Oh, I see this and here's the device that's susceptible." All right, I can create a group and go push it out. It'd be nice if it's like, oh hey, a BlueKeep or WannaCry comes in with Rapid7 and says, "Hey, these machines have, and I'm going to tell Ivanti to go patch these items." [inaudible 00:24:14] have to wait for it, but like it's a zero-day just like, "Oh, this needs zero-day?" Boom, "I'm going to take care of it right now," and they can just update me like, "Hey, we're going to do this," and whether maybe I just approve it or just let it run. Depending on how bad it is, those requirements would be nice to just be able to set up and let it go to town on something.
Chris Goettl: With Chris's kind of closing remarks about where he sees that kind of Nirvana state coming in, this sounds an awful lot like some of the challenges that kind of security, you guys are on the security side of things, operationalizing and trying to identify risks in the environment. Then you've got vendors like Ivanti that are helping to deliver on the operational portion of that. I think this is a good point for you to kind of share some of those closing thoughts of bridging the gap between security and operations and how we can help achieve that Nirvana state.
Jeff Aboud: Yeah, no, absolutely. Because obviously, and I think we all understand the intensity of the data problem. Being able to automate the analysis of all that data in order to assess the risk and understand your environment very, very rapidly, is super critical. That's going to help your security team understand the context and understand what they need to fix first. Once they do that, they're going to spend upwards of hours per vulnerability trying to understand every single vulnerability they want remediated. Then unfortunately, what most security teams I see do is they'll spend those hours, truly understand building a lot of intelligence about each specific vulnerability, and then they'll open up a ticket and just say, "Hey, fix this CVE," and they'll pitch it over the fence and then IT looks at it and they go, "Okay, they don't know what to fix, how to fix it, or why it's important or why it's a priority."
One of two things is going to happen when they do that, it's probably more likely this number one, and that is they're going to put it aside and continue working on whatever else they were working on. Because let's face it, IT wants to be a partner, but security is not 100% of their job. They've got this whole other day job. They're going to work on that first and then they'll go back and look at your ticket. Then the second thing that they're going to do is they're going to have to reinvestigate and validate and criticality and in the prioritization of that particular vulnerability, and that takes hours more.
Now all the sudden something you needed to fix right away is sitting for hours before it's even looked at and then hours longer before they actually know what it is, why it's a priority, how to fix it. They may or may not prioritize it the same way you did. Disseminating that same intelligence and fully integrating your ticketing systems, so that as soon as I write a ticket, if I'm security, it'll actually suck all that intelligence right into the ticket so that IT looks and they know exactly what to fix, how to fix it and why it's a priority. That's going to save you hours of time per vulnerability.
Chris Goettl: Yeah, and actually, that's a really good point. One of the things that we talk a lot about with our customers is that when you get that report from security, what is it you have to do to try to solve that problem? Hearing about guys who get a report of tens of thousands or even hundreds of thousands of vulnerabilities to your point, Jeff, a lot of times they just get, "Oh yeah, this CVE needs to be fixed. Go fix it. You've got X number of days. Come back and tell me how things are going." A lot of times they're burning hours. On average where we've found that our customers are telling us about eight hours per vulnerability scan that they burn just in deduplication, trying to map what needs to be done and then deciding what they're going to take action on.
That's just a day in just trying to figure out what you're going to do. That kind of brings me to an interesting closing thought that maybe, Andrew, I can pass your way.
Andrew Homer: Sure.
Chris Goettl: If you look at, and this kind of goes back over the course of about two to three years here of looking at like the Verizon data breach investigations report where I'm a big fan of that report. It gives a lot of good insight. But one of the things that struck me a couple of years ago is when they brought out the average time to exploit. If there's 100 CVEs and this year, 10 of those are going to get exploited, those 10 are going to be exploited in on average 50% of those are going to be exploited within 14 to 24 days.
Our risk window really starts at that point. Now as Jeff mentioned before, depending on your source, you could be upwards of 100 days to remediation in an environment. That leaves a huge amount of exposure time and I think again, that's where Morphisec really has a well-understood approach to how are we going to protect against those zero-days? How are we going to protect against that window of time? Because if most of us are taking more than 14 days, well half of the exploits that are happen are already in effect by the time we get to patch.
Andrew Homer: Correct. Correct, so and even is before even that point, right, because many of the zero-days that are out there don't have a known vulnerability and folks are in the wild exploiting that today. We just don't know about them. That's the first point. The second point is, look, detection, discovery is taking months in that same report. I think it was 120 days before a discovery. I think another report I saw at 25% of vulnerabilities still exist after nine years, right? The problem that we have is, and it's a major one, there's a huge disconnect. It's the fact that exfiltration, the damage is happening within minutes, okay? You have this gap between months and minutes in which a fast link can steal all your data, right, and take down your end points.
I think we've sort of relied on this crutch of detection, detection, fast detection against these attacks. I think we need to shift our mindset towards how do we prevent and how do we prevent in a smarter way that doesn't have to be relying on known behaviors because the adversary is very, very smart and they can morph and they can change their own behaviors and we need to basically stay ahead of them. Because it is economic warfare against the adversary, right? They have a limited amount of resources and people just like we do. We need to be preventing at the front end versus the downstream steps of detection response, which is really struggling to keep up in the organization.
Jeff Aboud: The other piece of it that we really didn't touch on is more the predictive technologies. In order to kind of get ahead of that threat and try to operationalize that, so because let's face it, you are in a race with the adversaries because as soon as the CVE becomes public, they know it the same day you know it, and even though they have limited resources, they have many more than you do and they share information and tools. That's one of the main things that we actually face with those guys is there's a lot more of them, they don't have day jobs. This is their day job, and there are a lot of them. In order to beat them at this game, because to them it is a game, we really have to include predictive technologies as well.
Chris Goettl: Yeah, absolutely. One of the things that I think, to try to wrap things up, there's a balance that we do have to strike. We need to figure out how do we balance preventative measures? How do we balance detect and response capabilities? What is that right balance there? How do we make more efficient the process of moving across the different silos within IT? The security team, identifying of risks to the environment, prioritizing those risks and then being able to respond to those risks and all throughout that, having the right preventative measures in place so that as things are happening, because many of us are working for companies that are big, slow moving behemoths as those processes are in place to try to resolve these vulnerabilities. We do need to have that ability to respond quickly with upfront preventative measures that will help defend against the the day-to-day threats that we're going to encounter.
I do appreciate you guys all joining us here today. Andrew, Jeff, Chris, very much appreciate it. Thank you for sharing your wisdom, your industry knowledge here with all of our listeners here today, and everybody out there watching, you're going to be able to catch presentations from Andrew and Jeff throughout the day as well. Thank you again for joining us here.
Andrew Homer: You bet.
Chris Wakulik: Thank you.
Jeff Aboud: It was a lot of fun.
Andrew Homer: Thanks so much.