Have a one-minute conversation with any security manager in charge of vulnerability management programs and ask these three questions …
- How long does it take to scan your entire infrastructure for vulnerabilities?
- How long does it take to analyze and prioritize the scan results, and produce an accurate, manageable list of fixes?
- How long does it take for vulnerabilities to make their way through the remediation queue?
Add up the responses.
If your results are like mine, typical answers range from “A week or two for critical vulnerabilities in the DMZ” to “About three months on average”. Vulnerability scans typically take most enterprises a few days to a week per zone, and many groups use a ‘round robin’ approach to scan just one zone at a time. Add security analysis and patching, and total cycle time (scan, evaluate, remediate) is measured in months. (A Skybox Security survey of the vulnerability management habits of 200 IT professionals agrees with this.)
What difference does it make if the vulnerability remediation cycle time takes months instead of days?
The answer is simple. The vulnerability remediation cycle time is the single biggest factor in determining the size of the attack surface, and therefore the risk exposure the organization is facing.
Let’s consider the attack surface – a concept that indicates the total sum of all of the ways an organization can be attacked. It’s like a balloon that expands and contracts as new vulnerabilities are introduced and remediated. Time is critical because the attack surface grows with every new vulnerability, and that growth is multiplied by the number of systems affected by each vulnerability. If exposed vulnerabilities linger unresolved for weeks and months, the likelihood of exploitation grows exponentially. A larger attack surface offers more entry points for attackers, and more lateral moves once perimeter defenses have been breached.
When you remediate vulnerabilities or consolidate parts of the network, your attack surface diminishes, and so does your risk.
To illustrate, there were 58 critical/high vulnerabilities reported in the Skybox Vulnerability Database for December 2013. But if you work on a 90-day vulnerability management cycle, you need to look at critical and high vulnerabilities for October 1 – December 31, 2013 … which was 286. A 90-day cycle would leave hundreds of unpatched vulnerabilities available to hackers for weeks or months.
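The effect of cycle time on the open backlog can be made concrete with a small model. The following is an added example, not code or data from the original post or from Skybox; it uses a constructed disclosure feed for Q4 2013 (placeholder identifiers and host counts, not the Skybox database figures) and assumes every vulnerability is remediated exactly `cycle_days` after disclosure. It reports, for a 30-day and a 90-day cycle, how many vulnerabilities are still open at the end of the quarter, the peak backlog during the quarter, and the total exposure in host-days (open vulnerabilities multiplied by affected hosts, summed over each day).

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Vuln:
    vuln_id: str     # constructed placeholder identifier, not a real advisory id
    disclosed: date  # day the vulnerability became known to the organization
    hosts: int       # number of systems affected by it


# Constructed sample feed for Q4 2013 (assumption, not real disclosure data).
FEED = [
    Vuln("VULN-A", date(2013, 10, 3), 40),
    Vuln("VULN-B", date(2013, 10, 20), 10),
    Vuln("VULN-C", date(2013, 11, 5), 120),
    Vuln("VULN-D", date(2013, 11, 18), 5),
    Vuln("VULN-E", date(2013, 12, 2), 60),
    Vuln("VULN-F", date(2013, 12, 10), 25),
    Vuln("VULN-G", date(2013, 12, 20), 8),
]

Q4_START = date(2013, 10, 1)
Q4_END = date(2013, 12, 31)


def is_open(v: Vuln, day: date, cycle_days: int) -> bool:
    """Assumption: a vuln is open from its disclosure day until exactly
    cycle_days later, when the remediation cycle closes it."""
    return v.disclosed <= day < v.disclosed + timedelta(days=cycle_days)


def open_vulns(feed, day: date, cycle_days: int):
    """Vulnerabilities that are still unremediated on the given day."""
    return [v for v in feed if is_open(v, day, cycle_days)]


def each_day(start: date, end: date):
    """Yield every calendar day from start to end inclusive."""
    d = start
    while d <= end:
        yield d
        d += timedelta(days=1)


def peak_backlog(feed, start: date, end: date, cycle_days: int) -> int:
    """Largest number of simultaneously open vulnerabilities in the window."""
    return max(len(open_vulns(feed, d, cycle_days)) for d in each_day(start, end))


def exposure_host_days(feed, start: date, end: date, cycle_days: int) -> int:
    """Attack-surface exposure: for each day in the window, the hosts carrying
    an open vulnerability, summed over all days (host-days)."""
    return sum(v.hosts
               for d in each_day(start, end)
               for v in open_vulns(feed, d, cycle_days))


def compare_cycles(feed, start: date, end: date, cycles=(30, 90)) -> dict:
    """Summarise the backlog and exposure for each candidate cycle time."""
    return {
        c: {
            "open_at_end": len(open_vulns(feed, end, c)),
            "peak_backlog": peak_backlog(feed, start, end, c),
            "exposure_host_days": exposure_host_days(feed, start, end, c),
        }
        for c in cycles
    }


if __name__ == "__main__":
    for cycle, stats in compare_cycles(FEED, Q4_START, Q4_END).items():
        print(f"{cycle:>3}-day cycle: {stats}")
```

On this constructed feed the 90-day cycle leaves every one of the seven vulnerabilities open on 31 December, whereas the 30-day cycle leaves three, and the host-day exposure is roughly 1.8 times higher; the host weighting is what turns a handful of widely deployed vulnerabilities into most of the exposure, which is the same multiplier the post attributes to the number of affected systems.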
Yes, that initial push to get from a 90-day cycle to a 30-day cycle requires re-engineering your vulnerability management processes. Focus on shrinking the vulnerability management cycle time by considering faster ways of finding vulnerabilities (like our scanless vulnerability assessment), adding in tools to automate analysis and eliminate irrelevant data, and streamlining remediation handoffs between teams. Changing your vulnerability management cycle time can be challenging, but the overall risk reduction is well worth the effort.