Every time there is a major security breach, every cybersecurity professional gets the same queasy feeling in the pit of their stomach. They all know the difference between their organization and the unfortunate victims of attacks like the ones against JBS and Colonial Pipeline has as much to do with luck and happenstance as it does with the cybersecurity defenses they have in place.
However, while everyone else in the organization is focused on the impact a breach might have on the organization, cybersecurity professionals have one additional concern that uniquely affects them. It’s up to their teams to clean up the mess left behind by a malware infestation. As it turns out, most organizations don’t seem to have a lot of the tools and processes in place to take on that challenge, even though most would concede that some type of cybersecurity breach is now all but inevitable.
Ability to remediate is a weak spot
A survey of more than 100 enterprise security executives across North America, Europe, the Middle East, and Africa conducted by Vulcan Security, a provider of a remediation platform, in collaboration with Pulse, an online community for conducting IT research, finds more than half of organizations (56%) lack the ability to remediate vulnerabilities at the rate of speed and the scale the business requires. Moreover, nearly 80% said they do not have the proper tooling to proactively orchestrate and automate vulnerability remediation.
Only about a third (34%) said they have a defined, effective process for detecting and responding to vulnerabilities, with another third (33%) admitting they lack an effective or comprehensive process entirely. The single biggest determinant for the rate at which vulnerabilities are addressed is the criticality of a vulnerability and the available bandwidth of IT and security teams (44%). Only 21% of the organizations surveyed are proactively remediating vulnerabilities as quickly as possible. Nearly one-third of respondents (31%) said their organizations do not prioritize vulnerabilities at all. Nearly half (46%) either don't measure vulnerability risk or rely on “gut feel.”
Only just over a quarter of organizations (26%) use a combination of inputs from Common Vulnerability Scoring System (CVSS) scores, threat intelligence, and risk to business assets to prioritize vulnerabilities.
The fact that organizations are not able to address vulnerabilities doesn’t excuse the predatory behavior of cybercriminals. That’s roughly equivalent to blaming a victim of a mugging because they happen to be walking through a neighborhood where a lot of violent crimes take place. Nevertheless, we live in a world where precautions are an everyday part of life.
In many ways, it’s understandable why there is not as much focus on remediation as there should be. Cybersecurity teams have always been more focused on thwarting attacks in the hope that remediation would be made unnecessary. In reality, a balance needs to be struck between prevention and remediation. Many organizations now just assume malware is lying dormant somewhere in their enterprise IT environment waiting to be activated. The goal is to find and remove as much of it as possible before that happens. At the same time, the adoption of DevSecOps best practices could one day reduce the number of vulnerabilities that cybercriminals can exploit.
IT organizations will always need to be able to thwart a cybersecurity attack. The challenge and the opportunity now is to limit the number of instances where attacks can be made.
Mike Vizard has covered IT for more than 25 years and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb, and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.