(Cross-post from the Securonix blog)
Vulnerability management (VM) is one of the most fundamental security practices an organization must implement to keep attackers out. But even as a basic control, it is not easy to do well. I covered VM during my time at Gartner, and it was sad to see how many organizations were getting it wrong.
Many security professionals see VM as a boring topic and treat it as a simple scan-and-patch cycle. While much of a typical VM program is indeed vulnerability scanning and patching, there is more that needs to be done to get the desired results.
One of the most important pieces is the prioritization of results. For most organizations it is clear that addressing every open vulnerability is simply not possible. If you cannot fix everything, what do you fix first? There have been interesting developments in this area. What used to be based solely on the severity of the vulnerability (the plain CVSS score) is now a richer process that uses multiple data points, including threat data. Kenna Security's EPSS (Exploit Prediction Scoring System) research is a great example of how far vulnerability prioritization has evolved from the old CVSS-only days.
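To make the difference concrete, here is an added example (not code from the original post or from Kenna Security) that ranks the same set of findings two ways: by CVSS alone, and by a threat-informed score that combines CVSS with an EPSS exploitation probability and the asset's exposure. The findings, the EPSS values and the weighting scheme are constructed for illustration; real EPSS scores are published by FIRST and change over time.

```python
# Added example (not from the original post): ranking open vulnerabilities by
# combining CVSS severity with EPSS exploitation probability and asset exposure,
# instead of sorting on CVSS alone. The findings, the EPSS values and the
# weighting scheme are constructed for illustration; real EPSS scores are
# published by FIRST and change over time.
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    fid: str             # internal finding identifier (constructed, not a CVE)
    asset: str
    cvss: float          # CVSS base score, 0-10
    epss: float          # EPSS probability of exploitation within 30 days, 0-1
    internet_facing: bool


# Constructed sample findings: two critical-by-CVSS issues that nobody is
# exploiting, and two lower-CVSS issues with high exploitation probability.
FINDINGS = [
    Finding("F1", "web-01", 9.8, 0.02, True),
    Finding("F2", "db-01", 7.5, 0.90, False),
    Finding("F3", "vpn-01", 8.1, 0.75, True),
    Finding("F4", "wks-17", 9.1, 0.01, False),
]


def risk_score(f):
    """Illustrative score: likelihood (EPSS) x impact (CVSS/10) x exposure.

    The exposure multiplier (2x for internet-facing assets) is an assumption
    of this example, not part of EPSS or CVSS.
    """
    exposure = 2.0 if f.internet_facing else 1.0
    return f.epss * (f.cvss / 10.0) * exposure


def by_cvss(findings):
    """Old-school ordering: highest CVSS base score first."""
    return [f.fid for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def by_risk(findings):
    """Threat-informed ordering: highest combined risk score first."""
    return [f.fid for f in sorted(findings, key=risk_score, reverse=True)]


if __name__ == "__main__":
    print("CVSS only:", by_cvss(FINDINGS))   # ['F1', 'F4', 'F3', 'F2']
    print("With EPSS:", by_risk(FINDINGS))   # ['F3', 'F2', 'F1', 'F4']
```

The point of the example is the reordering: the two findings a CVSS-only queue would patch first drop to the bottom once exploitation likelihood and exposure are taken into account, while the internet-facing VPN issue with a public exploit moves to the top.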
But even once you have decided what to fix, the fix is not always just a patch. Some vulnerabilities are tied not only to a bug but to other factors, such as legacy software and protocols still present in the environment. These situations call for a more involved approach, and this is where another piece of the VM process becomes important: compensating controls.
Compensating controls are used to address the risk of a vulnerability when full remediation is not possible. An IPS is a typical example. You use them when you cannot patch, for instance because no patch is available, or to reduce the risk until you are comfortable enough (usually after testing, during a maintenance window) to apply it. We normally think of controls that prevent exploitation or reduce its impact as the ideal candidates for risk mitigation, but there is one I always like to bring up in this discussion: monitoring.
Think about it for a second. You have a publicly known vulnerability that you still cannot fix. An exploit is available, and there is plenty of information about how it is used. Even if you cannot block it, you can use all that information to build a security monitoring use case focused on the exploitation of that specific vulnerability. The vulnerability is there, and there is a real chance it will be exploited, so why not set up detection for exactly that activity? You can also prioritize the alerts generated by this use case, knowing that you are currently vulnerable to this type of attack.
A good example of security monitoring as part of a VM process is what is happening with the new Windows Zerologon EP (ZEP) vulnerability (CVE-2020-1472). The issue is complex and requires more than just a patch. Our VP of Threat Research, Oleg Kolesnikov, has written an excellent article on the attack and on the detection details and capabilities. In short, Microsoft has released a fix for the immediate issue, but some third-party systems may still rely on the older, vulnerable form of the Netlogon secure channel connection. To avoid breaking those systems, Microsoft added new events to the System log (Event IDs 5827 through 5831) that identify the use of these vulnerable connections, and announced an enforcement phase, starting with the February 2021 update, after which they will no longer be accepted.
This is where coordinating monitoring with the remediation process becomes so important. The new events added by Microsoft can help identify both attack attempts (denied vulnerable connections, Event IDs 5827 and 5828) and other vulnerable systems still on the network (allowed vulnerable connections, Event IDs 5829 through 5831). A predefined process for using monitoring tools and infrastructure as additional compensating controls within VM helps in situations like this one, where the remediation plan itself requires monitoring.
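The following is an added example (not code from the original post, from Securonix, or from Microsoft) of the kind of detection use case described above, run over a handful of Netlogon events. The meaning of each Event ID (5827/5828 denied, 5829 allowed during the initial deployment phase, 5830/5831 allowed by a group policy exception) follows Microsoft's guidance for the CVE-2020-1472 update; the record layout, the sample events, the field names and the burst threshold are assumptions constructed here, as they might look after export from a SIEM.

```python
# Added example (not from the original post, Securonix or Microsoft): triage of the
# Netlogon events that patched domain controllers write to the System log after the
# CVE-2020-1472 (Zerologon) update. Event ID meanings follow Microsoft's guidance;
# the record layout, field names, sample events and burst heuristic are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs logged by a patched domain controller.
DENIED = {5827: "machine account", 5828: "trust account"}           # vulnerable connection refused
ALLOWED_VULNERABLE = {5829}                                          # allowed during initial deployment phase
ALLOWED_BY_POLICY = {5830: "machine account", 5831: "trust account"} # allowed by explicit group policy exception

# Heuristic (an assumption of this example, not from Microsoft): this many denials
# for one account inside the window is escalated as a possible exploitation attempt.
BURST_THRESHOLD = 3
BURST_WINDOW = timedelta(minutes=5)

# Constructed sample events (not real logs). Field names are assumptions.
EVENTS = [
    {"time": "2020-09-15T08:00:00", "dc": "DC01", "event_id": 5829, "account": "LEGACY-NAS$"},
    {"time": "2020-09-15T08:00:05", "dc": "DC01", "event_id": 5829, "account": "LEGACY-NAS$"},
    {"time": "2020-09-15T08:01:00", "dc": "DC01", "event_id": 5830, "account": "PRINTSRV$"},
    {"time": "2020-09-15T08:02:00", "dc": "DC02", "event_id": 5827, "account": "FILESRV$"},
    {"time": "2020-09-15T08:02:01", "dc": "DC02", "event_id": 5827, "account": "FILESRV$"},
    {"time": "2020-09-15T08:02:02", "dc": "DC02", "event_id": 5827, "account": "FILESRV$"},
    {"time": "2020-09-15T09:30:00", "dc": "DC01", "event_id": 5827, "account": "OLDBOX$"},
]


def triage(events):
    """Split Netlogon events into a remediation inventory and prioritized alerts.

    Returns a dict with:
      vulnerable_systems: accounts still using the vulnerable secure channel (5829);
                          these break when the enforcement phase starts
      policy_exceptions:  accounts allowed only via the group policy exception (5830/5831)
      alerts:             one alert per denied connection (5827/5828), escalated to
                          'high' when denials for one account form a burst
    """
    vulnerable, exceptions, alerts = set(), set(), []
    denied_times = defaultdict(list)  # account -> recent denial timestamps

    for ev in sorted(events, key=lambda e: e["time"]):
        eid, acct, dc = ev["event_id"], ev["account"], ev["dc"]
        if eid in ALLOWED_VULNERABLE:
            vulnerable.add(acct)
        elif eid in ALLOWED_BY_POLICY:
            exceptions.add(acct)
        elif eid in DENIED:
            t = datetime.fromisoformat(ev["time"])
            recent = [x for x in denied_times[acct] if t - x <= BURST_WINDOW] + [t]
            denied_times[acct] = recent
            burst = len(recent) >= BURST_THRESHOLD
            alerts.append({
                "time": ev["time"],
                "dc": dc,
                "account": acct,
                "severity": "high" if burst else "medium",
                "reason": (f"{len(recent)} vulnerable Netlogon connections denied within "
                           f"{BURST_WINDOW}: possible CVE-2020-1472 exploitation attempt"
                           if burst else
                           f"vulnerable Netlogon connection from {DENIED[eid]} denied (Event ID {eid})"),
            })

    return {
        "vulnerable_systems": sorted(vulnerable),
        "policy_exceptions": sorted(exceptions),
        "alerts": alerts,
    }


if __name__ == "__main__":
    result = triage(EVENTS)
    print("Fix before enforcement:", result["vulnerable_systems"], result["policy_exceptions"])
    for a in result["alerts"]:
        print(a["severity"].upper(), a["time"], a["dc"], a["account"], "-", a["reason"])
```

The two outputs map onto the two halves of the VM process: the inventory of accounts seen in 5829/5830/5831 events is the remediation list that must be cleared before the enforcement phase, and the alerts from 5827/5828 events are the monitoring use case, which a SOC can prioritize precisely because the organization knows it is still exposed.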
*** This is a Security Bloggers Network syndicated blog from Security Balance – Augusto Barros, authored by Unknown. Read the original post at: http://feedproxy.google.com/~r/SecurityBalance/~3/jyX6ppH4g-w/monitoring and-vulnerability-management.html