Here's a stat that shows the importance of prioritizing vulnerability remediation: almost 30% of the CVEs disclosed in 2017 had a CVSS score of "High" or "Critical." That works out to about 3,000 such vulnerabilities, or about 58 every week.

Given this large number of severe vulnerabilities, it's critical for IT and security teams to make a deeper assessment of the risk those vulnerabilities represent in the context of their organization's IT environment. If they identify the vulnerabilities that pose the highest risk to their most critical assets, they can prioritize remediation accordingly and eliminate the most serious and pressing threats first.

However, as the long list of major breaches caused by unpatched vulnerabilities shows, many businesses, government agencies and not-for-profit organizations find it hard to prioritize remediation consistently and accurately.

"One of the big challenges that we have as security professionals is trying to stay on top of our vulnerability management," Josh Zelonis, a Forrester Research analyst, said during a recent webcast.

Zelonis, who cited the CVE stat during the webcast, said that, according to a 2017 Forrester survey of global businesses, 58% of them had experienced at least one breach in the previous 12 months. Among those, 41% of the breaches were carried out by exploiting a vulnerability.

"This is really representative of the problems we're seeing in the industry with prioritization and getting patches deployed, and this is only increasing," he said.

"In a post-Equifax world, VM is coming under increased scrutiny," Zelonis added, alluding to the massive data breach suffered by the credit reporting agency in 2017 after attackers exploited the Apache Struts vulnerability CVE-2017-5638, which had been disclosed, with a patch available, about six months before the breach was made public.

Read on to learn valuable best practices for prioritizing remediation, and how Qualys can help your organization overcome this critical challenge.

Vulnerability management and prioritization tips

According to Zelonis, the vulnerability risk management process has four main steps.

When assigning remediation priorities, it's key to examine the severity of each vulnerability in the context of the asset it affects. For example, remediating a critical vulnerability in a highly important asset should be a top priority. However, remediating that same vulnerability may not be a top priority when it's present in an asset of medium or low importance.

In vulnerability management, it's also helpful to use threat intelligence not just to detect threats, but to patch preemptively, using threat landscape trends as a guide.

"It's important to understand how a vulnerability can be exploited so you can take a look at the assets within your organization to figure out where patches need to be prioritized and applied," Zelonis said.

Threat intelligence is also essential for security teams to be able to communicate effectively with C-level executives and board members, who are increasingly interested in staying informed about the organization's security posture and strategy.

"Once you've made it relevant to them, they're going to need to understand what you're doing to mitigate the situations and perhaps allocate additional budget where necessary," he said.

It's also important to communicate this information not just to the higher-ups, but also horizontally across other IT teams such as operations, and across business units, because vulnerability remediation requires cross-functional collaboration.

"This is a major gap we see with organizations who are struggling to get items patched: The security team's priorities aren't echoed nor understood outside of the security team," he said.

The goal here is to make these other teams aware of the real risk and potential business impact of particular vulnerabilities.

Ultimately, organizations should evolve from vulnerability management to vulnerability risk management. That way, the focus isn't just on reducing false positives, but rather on assessing critical data points and metrics to attain an understanding of risk, according to Zelonis.

Qualys: Asset visibility, vulnerability management and threat prioritization
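The prioritization rule from the tips section above (the same critical CVE is a top priority on a highly important asset but not on a low-importance one, and threat intelligence about exploitability should move items up the queue) can be made concrete as a scoring function. The following is an added example written for this page; it is not code from the article and not Qualys's or Forrester's method. The asset weights, threat-intel multipliers, priority thresholds and sample findings are all assumptions constructed for the illustration; only CVE-2017-5638 and its CVSS 10.0 score are real, the other identifiers are placeholders.

```python
# Added example (not from the article, not Qualys's or Forrester's method): a
# risk-based remediation ranking that weights CVSS severity by asset
# criticality and threat intelligence. Weights, thresholds and the sample
# findings are assumptions constructed for this illustration.
from dataclasses import dataclass
from typing import List

# Assumed business-impact weights per asset criticality tier.
ASSET_WEIGHT = {"low": 0.25, "medium": 0.5, "high": 1.0}
# Assumed threat-intel multipliers: a public exploit (or exploitation in the
# wild) and internet exposure both raise the likelihood side of risk.
EXPLOIT_MULTIPLIER = 1.5
EXPOSURE_MULTIPLIER = 1.25


@dataclass(frozen=True)
class Finding:
    id: str                  # tracking id (placeholder values below)
    cve: str                 # CVE identifier, or "(placeholder)" for constructed rows
    cvss: float              # CVSS base score, 0.0-10.0
    asset: str               # hostname or asset tag
    asset_criticality: str   # "low" | "medium" | "high"
    internet_facing: bool
    exploit_available: bool  # threat intelligence: exploit public / seen in the wild


def cvss_rating(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity band."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def risk_score(f: Finding) -> float:
    """Severity in asset context: CVSS scaled by the asset weight, then raised
    by the threat-intel factors, capped at 10.0 so the scale stays comparable."""
    score = f.cvss * ASSET_WEIGHT[f.asset_criticality]
    if f.exploit_available:
        score *= EXPLOIT_MULTIPLIER
    if f.internet_facing:
        score *= EXPOSURE_MULTIPLIER
    return round(min(score, 10.0), 2)


def priority_label(score: float) -> str:
    """Assumed remediation tiers; an organization would tie these to SLAs."""
    if score >= 9.0:
        return "P1"
    if score >= 7.0:
        return "P2"
    if score >= 4.0:
        return "P3"
    return "P4"


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Highest contextual risk first; ties broken by raw CVSS, then by id."""
    return sorted(findings, key=lambda f: (-risk_score(f), -f.cvss, f.id))


def report(findings: List[Finding]) -> List[tuple]:
    """Rows a security team can hand to ops or a business unit: what, where,
    how severe on paper, and how urgent in context."""
    return [
        (f.id, f.asset, f.cve, cvss_rating(f.cvss), risk_score(f), priority_label(risk_score(f)))
        for f in prioritize(findings)
    ]


# Constructed sample findings. F-1 and F-2 reuse the Struts bug the article
# mentions (CVSS 10.0); F-3 and F-4 carry placeholder identifiers.
SAMPLE_FINDINGS = [
    Finding("F-1", "CVE-2017-5638", 10.0, "web-portal", "high", True, True),
    Finding("F-2", "CVE-2017-5638", 10.0, "dev-sandbox", "low", False, True),
    Finding("F-3", "(placeholder)", 9.8, "hr-db", "high", False, False),
    Finding("F-4", "(placeholder)", 7.5, "web-portal", "high", True, True),
]

if __name__ == "__main__":
    for row in report(SAMPLE_FINDINGS):
        print(row)
```

Run as a script, the ranking comes out F-1, F-4, F-3, F-2: the Struts bug on the internet-facing portal is P1, a "High"-rated 7.5 with a public exploit on the same portal outranks a "Critical" 9.8 on an internal database with no known exploit, and the very same Struts CVE on a low-importance sandbox drops to P4. That is the asset-context rule and the threat-intel point from the tips section expressed in a form that can be put in front of operations and business-unit owners, with the raw CVSS band kept in the row so the two views can be compared.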