Vulnerability management: Why it's no match for modern threat actors


As every security professional knows, software vulnerabilities are a fact of life. Anyone who uses any kind of software is, to some extent, putting themselves and their data at risk due to vulnerabilities that may or may not have been discovered, documented and fixed. While we can manage vulnerabilities, we can never be rid of them outright.

That’s why one of the oldest and best-known forms of security testing is vulnerability scanning, or vulnerability management - a technique used to scan networks and applications for vulnerabilities, then flag them so fixes can be scheduled and implemented.

On the surface, vulnerability management sounds like it should be the key building block of an organization’s security validation program. And, for a long time, many organizations have treated it as such. After all, isn’t the starting point for a great security posture to have patched and up-to-date software and services?

Well - the reality in 2020 is a little more complicated than that. Read on for our pros and cons of vulnerability management.

Find out more about improving your security testing in our whitepaper, Breach and Attack Simulation: A Novel Cybersecurity Validation Approach.

The pros of vulnerability management

So why should this 25-year-old technology still be treated as an essential part of the security validation process?

Unpatched vulnerabilities are common - and commonly exploited

Firstly, an obvious one: there is plenty of evidence that organizations simply aren’t very good at patching vulnerabilities in their systems, and therefore need all the help they can get from automated tools such as vulnerability scanners.

According to a 2019 report from Kenna Security, for example, just 25% of vulnerabilities are currently patched in the first four weeks after a patch is released. Another full quarter (25%) of vulnerabilities, meanwhile, remain open for more than a year after security teams are handed the means to address them.

It’s no surprise, then, that so many high-profile data breaches can be traced back to known vulnerabilities that were never patched, and this is a clear argument for the use of vulnerability management tools and techniques.

Vulnerability scanning helps pinpoint problems fast

One of the holy grails of security testing is that it should be continuous - that is, it should offer real-time insight into the strengths, weaknesses and vulnerabilities in your IT environment, not just a snapshot from the time of your most recent pentest.

With automated vulnerability scanning tools, security teams theoretically have the means to identify unpatched vulnerabilities in their systems as soon as those vulnerabilities are disclosed to the public.

Helps enable communication and collaboration

An effective security validation solution should have clear outputs that are easy for different teams and stakeholders to understand and action. By their nature, vulnerability management tools are built to help flag and report on tangible, fixable problems that could - in theory - be used to mount an attack on the business.

The cons of vulnerability management

Despite all the above, vulnerability management tools still have some significant drawbacks. Crucially, a lot of time has passed since the first vulnerability management tools appeared, and both IT environments and the wider threat landscape are far more sophisticated than they were even a decade ago. For an effective security validation program in 2020, it’s not enough simply to patch vulnerabilities - security teams need to be much more informed about the behavior of threats themselves.

Here are three common issues when it comes to vulnerability management.

Even with vulnerability management, rolling out patches takes too long

While vulnerability management tools can help security teams identify new vulnerabilities almost in real time, that’s as much as they can automate. It’s still a job for the security team itself (however time and resource-poor it may be) to plan, schedule and roll out patches and fixes. And, even with the best tools in the world, this often takes far longer than it ideally should - and far longer than it might take for a threat actor to take advantage.

Some of the reasons security teams struggle to reduce the window of opportunity include:

  • Given the size and complexity of most modern IT environments, and the resource constraints faced by security teams, some level of prioritization is inevitable
  • Some fixes can lead to downtime or disruption for the business, so there are hoops to jump through in terms of getting a fix scheduled
  • Not every vulnerability flagged by a vulnerability scanner or vulnerability management tool is a legitimate issue, so time can be wasted looking into false positives. See below.

Without context, false positives are a problem

False positives are a common problem with vulnerability scanners. They normally occur because the scanner has access to some, but not all, of the information required to determine whether a vulnerability is present, or because it lacks context on other factors such as existing control capabilities or the actual business use of the software or service. Faced with blind spots like this, most vulnerability management tools have a reputation for flagging countless false positives that take time and effort to filter out.

Vulnerabilities don’t cause data breaches - attackers do

Finally, perhaps the greatest drawback of traditional vulnerability management tools is that they only address vulnerabilities - not the real-world threat behavior that poses a legitimate risk to the business.

Most security teams simply don’t have - and will never have - the resource or capability to instantly patch every vulnerability that affects their systems. Security leaders therefore need to continually review and prioritize what to fix and when, and make plans for future investment based on real knowledge of how threats behave.

Vulnerability scanners will help them identify known issues with the software and services running in their environment. However, that’s not a measure of risk - it’s divorced from the all-important context of the tactics and techniques currently in use by threat actors, and the trends seen in recent data breaches that can help security teams identify which areas of their business could be targeted and what the fallout might be.

Modern threat actors are sophisticated. They don’t just rely on newly discovered vulnerabilities - they use a large arsenal of techniques and tools to get what they want by any means necessary. Your security testing strategy needs to account for that.

Find out more about different security testing solutions in our whitepaper, Breach and Attack Simulation: A Novel Cyber Security Validation Approach.