A key goal for IT teams is improving performance and resiliency around security, ultimately making it as difficult as possible for a “bad actor” to break into an environment and wreak havoc. But this is easier said than done. Industry reports like the Verizon Data Breach Investigations Report (DBIR) continue to underscore just how many balls IT and security teams must juggle to ensure that their organizations’ crown jewels are protected from malicious actors. For example, the Verizon DBIR revealed that the increase in ransomware attacks last year was higher than the increase for the last five years combined. It also pointed to the fact that exploitation of vulnerabilities is a top three attack vector for attackers gaining a foothold in an organization’s environment.
These data points unveil just how sophisticated – and often successful – attackers are becoming, and so it’s critical that organizations get their IT management processes running as efficiently as possible. These processes include actions like creating change requests quickly, assigning them to the rightful owners or teams, patching quickly, ensuring best practices around access control are in place, and that fast responses to new issues are possible.
These practices are well-established and should be the default. However, this is not always the case.
So what are the problems?
No matter how good a job security teams may do in detecting vulnerabilities, they are rarely the team responsible for implementing remediation tactics. This job often rolls to the IT teams responsible for managing any change in an IT infrastructure – this can include IT operations, desktop management, service delivery and/or service providers. In other words, the teams handling IT service management (ITSM) would typically be responsible for implementing changes (e.g., deploying a patch) as quickly as possible to ensure that security issues do not develop.
This hand-off between teams can severely complicate remediation processes, leaving organizations to deal with tens of thousands of open vulnerabilities in their environments. Instead, vulnerability and patch management should be intertwined for greater efficiency and overseen by the security team, as they are ultimately responsible for managing business risk.
Improving security and ITSM collaboration
With so many security issues to deal with – and with so many software patches coming through to implement at scale – improving the relationship between those that detect issues and those that manage changes will go a long way when looking to improve security hygiene. To make this relationship and process work as efficiently as possible, step one is to get full visibility into the security issues that exist and have a shared context for operating.
On the technology side, integrating the tools that both teams use on a daily basis will help to streamline processes and make communication and visibility far more accessible. For instance, a security team will use vulnerability scanning tools, but they will not typically handle ticketing, tracking changes, or managing implementations. These tasks usually take place within the ITSM tool. Automating the hand-over between these tools makes it easier for both teams to collaborate on a change process, particularly around large-scale projects such as applying patches to hundreds or thousands of desktops.
ITSM teams should look at the information they can glean from security teams to include IT asset and configuration details. On the other end, security teams should provide information on the potential risk level that a vulnerability represents. This type of information sharing and visibility across tools can help both sides to prioritize fixes.
Knowing where to put your efforts
When it comes to security and risks, prioritization is a huge headache for enterprises. The number of vulnerabilities and patches emerging every day makes it difficult and overwhelming to rank issues based on the risk they pose to your specific environment. Without tailored guidance, teams could spend a significant amount of their time on lower-level issues or on those that might seem more of a risk to the business than they actually are. Having prioritization information available to both security teams and the ITSM function will enable the organization to understand which risks to consider first and how the two teams can collaborate to mitigate the most pressing threats.
The ITSM function prioritizes issues and tickets based on the impact that they may have on the business, how quickly they must be fixed, and how to meet service levels. However, it’s difficult to know which security issues are the most pressing without the right frame of reference. Simply relying on standard security issue scoring like the Common Vulnerability Scoring System (CVSS) is not enough, as it represents the technical severity, not the risk the vulnerabilities pose to an enterprise. For example, out of the universe of 185,446 known vulnerabilities, only 29% have exploits, just 2% have weaponized exploit code, and threat actors are actively leveraging only 0.16%. These are the vulnerabilities that pose the highest risk and should be prioritized immediately.
Instead, security teams should analyze deployments to see how issues affect their company. They can then provide specific recommendations on which vulnerabilities are priorities to fix immediately, which ones should be on the list next, and which ones can be mitigated or added to the patching backlog for later deployments.
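To make the two preceding sections concrete, here is an added example (not code from the article, Qualys, or the author) that ranks scan findings the way the text describes, by exploitation status first (actively exploited, then weaponized, then public exploit) and CVSS only as a tie-breaker, and then groups the result into change requests with one ITSM owner and one due date each. The tier-to-SLA mapping, the team names and the findings themselves are constructed assumptions, and the CVE identifiers are placeholders rather than real records.

```python
"""Risk-tiered vulnerability prioritization feeding ITSM change requests.

Added example; the findings, teams, SLA days and CVE ids below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Finding:
    asset: str
    owner_team: str          # ITSM team that will implement the change
    cve: str                 # placeholder id, not a real CVE record
    cvss: float              # technical severity only
    exploit_public: bool     # an exploit exists
    weaponized: bool         # exploit is packaged for reliable use
    actively_exploited: bool # threat actors are using it in the wild


# Tier 0 is the "fix immediately" set the article describes; tier 3 is the
# CVSS-only backlog. Assumed SLA in days per tier (not a standard).
SLA_DAYS = {0: 2, 1: 7, 2: 30, 3: 90}


def tier(f: Finding) -> int:
    """Exploitation status outranks CVSS when deciding urgency."""
    if f.actively_exploited:
        return 0
    if f.weaponized:
        return 1
    if f.exploit_public:
        return 2
    return 3


def prioritize(findings):
    """Lowest tier first; within a tier, higher CVSS first; then stable by asset/cve."""
    return sorted(findings, key=lambda f: (tier(f), -f.cvss, f.asset, f.cve))


def build_change_requests(findings, today):
    """Group findings by (owner team, tier) so each ticket has one owner and one due date."""
    groups = {}
    for f in findings:
        groups.setdefault((f.owner_team, tier(f)), []).append(f)
    tickets = []
    for (team, t), items in sorted(groups.items(), key=lambda kv: (kv[0][1], kv[0][0])):
        tickets.append({
            "team": team,
            "tier": t,
            "due": today + timedelta(days=SLA_DAYS[t]),
            "assets": sorted({f.asset for f in items}),
            "cves": sorted({f.cve for f in items}),
        })
    return tickets


# Constructed sample scan output. Note the CVSS 9.8 item with no known exploit.
SAMPLE_FINDINGS = [
    Finding("ws-01", "desktop", "CVE-PLACEHOLDER-A", 9.8, False, False, False),
    Finding("ws-01", "desktop", "CVE-PLACEHOLDER-B", 7.5, True, True, True),
    Finding("srv-db-01", "dba", "CVE-PLACEHOLDER-C", 8.8, True, True, False),
    Finding("ws-02", "desktop", "CVE-PLACEHOLDER-B", 7.5, True, True, True),
    Finding("srv-web-01", "webops", "CVE-PLACEHOLDER-D", 6.5, True, False, False),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"tier {tier(f)}  cvss {f.cvss:4.1f}  {f.asset:10s} {f.cve}")
    for t in build_change_requests(SAMPLE_FINDINGS, date(2022, 5, 1)):
        print(t)
```

Run stand-alone it shows the CVSS 9.8 finding with no exploit landing at the bottom of the list, while the two actively exploited desktop findings are merged into a single two-day ticket for the desktop team. In practice the three boolean fields would come from the scanner's threat-intelligence feed and the owner team from the CMDB, which is exactly the data sharing the article asks both teams to set up.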
Improving all the time
The Verizon DBIR points to the fact that the industry is getting better at addressing vulnerabilities and patching faster and more efficiently. However, in tandem, the volume of issues being disclosed and the number of threats we face are increasing. During the 2021 calendar year alone, more than 20,000 individual vulnerabilities were discovered and announced. By May 2022, more than 10,000 issues had been released, and this trend shows no sign of slowing down.
Using the figure above for vulnerabilities that threat actors are actively exploiting, 0.16% of 10,000 issues means around 16 new and different threats posing significant risk to the business in the first half of 2022 alone. This puts significant emphasis on getting the basics right when it comes to collaboration between security and ITSM.
While it might solve many security issues, simply “patching everything” is unrealistic in most real-world environments. Many companies still don’t have effective asset inventories or up-to-date configuration management databases (CMDBs) that enable them to know what is even in an environment and whether it is secure.
For those that do have this data, prioritizing what must be patched immediately and what needs to be fixed over time is the next step to improving security. But this often depends on effective collaboration between ITSM and security teams, to ensure processes are carried out as efficiently as possible.
Automation and integration between the teams across tools, processes, and people will make the whole job easier. This must take real-world environments into account, so that each team can get their jobs done efficiently, and the whole organization can benefit. By making it easier to collaborate, teams involved in the whole lifecycle around security and change management can deliver faster.
To find out more about how companies organize their IT security and operations teams to work together around assets, including a Q&A video with the teams at AT&T and Informatica, please click here: https://www.qualys.com/apps/cybersecurity-asset-management/
Mehul Revankar is Vice President, Product Management at Qualys. He has spent seventeen years in product management and vulnerability research, covering security operations and policy compliance. His experience is in quantitative risk analysis and cyber risk management.