The effect of compliance requirements on vulnerability management strategies

In this Help Net Security interview, Steve Carter, CEO of Nucleus Security, discusses the ongoing challenges in vulnerability management, including prioritizing vulnerabilities and addressing patching delays.

Carter also covers compliance requirements and how automation can streamline vulnerability management processes.

Why do you think challenges like prioritizing vulnerabilities and patching delays persist despite technological advances?

The increasing complexity of enterprise infrastructure, expanding attack surface, and improved vulnerability and exposure detection capabilities have all led to a drastic increase in the volume of findings that must be triaged. For example, we are nearing a quarter of a million published CVEs at a 16 percent annual growth rate. Most organizations are not adequately staffed, nor do they have the appropriate technologies, to respond to the continuous stream of vulnerabilities. In many ways, it’s a numbers game, and security teams simply cannot keep up.

Risk-based vulnerability management has been increasingly emphasized. What strategies do you recommend for prioritizing vulnerabilities effectively?

An enterprise-wide prioritization process that accounts for all types of vulnerabilities, exposures, and security findings is key. Vulnerability scanners and posture management tools are inconsistent with their severity ratings and risk scores, so they cannot be used for a consistent approach to prioritization. There must be clarity on exactly what must be true for a vulnerability or security finding to be categorized as a Critical or High risk in each organization.

Vulnerability intelligence can provide security teams with the necessary details to determine which vulnerabilities command their attention. For example, knowing whether the vulnerability is being actively exploited, which threat actors have been seen using it, and if there is an available patch can help vulnerability management analysts determine the threat level. This intelligence, when weighed against an organization’s established risk threshold, provides a strong foundation for decision-making.

How do compliance requirements impact vulnerability management strategies, and what are some compliance challenges organizations often overlook?

Compliance generally influences vulnerability management strategies in highly regulated industries such as healthcare, financial services and government by mandating vulnerability mitigation timelines and imposing specialized reporting requirements. Vulnerability detection and exposure management capabilities have broadened to now include assessments of identity, data management, and SaaS systems, which has significantly increased the volume and types of findings that must be tracked and reported on, which is often overlooked by security and compliance teams.

One unfortunate but common consequence of regulation is that it often becomes the sole focus of security efforts. Organizations, in their quest for compliance, may opt for the most cost-effective route, which can be detrimental to the overall security program. It’s crucial not to lose sight of the ultimate objectives: minimizing risk and safeguarding the organization’s most critical assets.

Automation is often seen as a solution to vulnerability management challenges. In your opinion, where does automation have the most impact, and what are its limitations?

The only way to scale vulnerability and exposure management programs is through increased automation. One of the biggest impacts automation can have is in the unification, enrichment, and organization of vulnerabilities and security findings. These are the most time consuming steps of the prioritization process and are highly prone to human error when done manually. The automation of these steps enables a consistent approach to vulnerability categorization and prioritization.

Automation is also highly impactful in driving remediation workflows to include ticketing and incident response. Historically, tasking remediation and mitigation activities were performed manually because each organization has a custom workflow to determine who should fix the vulnerability, when the fix should be completed, what information is needed, etc. Technologies now exist to automate these processes and track remediation through to completion, which accelerates the process and eliminates human error.

The biggest limitation of automation, in the context of vulnerability management, is the full automation of patching and configuration changes in response to vulnerability detection. Particularly, in operational environments, updating certain critical applications and services must be tightly managed to avoid disruption.

What are some emerging trends in vulnerability management that you believe organizations need to prepare for in the near future?

The increase in publicly disclosed vulnerabilities has no end in sight. We expect that AI’s ability to discover vulnerabilities in both open source software and commercial products will only exacerbate the issue. Furthermore, we expect time to exploitation (post disclosure) to be accelerated due to attackers’ use of AI. Organizations must develop a strategy and plan that will enable them to accelerate vulnerability triage and response times enterprise-wide in order to adapt to this evolving threat landscape.