An excerpt from Core President & CEO Mark Hatton's latest byline in SecurityWeek.
Staying on top of your organization’s security needs is no easy task. The constant updates, patches, vulnerability assessments and maintenance activities can quickly overwhelm an IT department or security team and delay critical projects. To-do lists end up growing at an incredible pace, and even those who are able to keep up are having a hard time measuring whether their efforts truly made the organization safer.
A person who handles these issues for a Fortune 500 company recently mentioned that patching in the wake of Shellshock would likely take them upwards of eight weeks. I asked how he would determine which systems he would patch first, and which he would save for last, but he didn’t seem to have a strategy in mind. That’s a problem. Without the ability to prioritize in these situations, you may end up waiting eight weeks to apply the most important patch. You could also say the fact we were talking specifically about Shellshock indicates another prioritization problem – he was fixated on Shellshock because that was the threat making headlines at the moment. But when it comes to vulnerability management, you should be thinking beyond the “flavor of the week.” It’s about identifying the vulnerabilities that truly put your organization’s critical assets at risk.
Think of your corporate network like your home. There are probably lots of items on your "honey do" list, but they can’t all be completed today. That’s why you assess the situation and prioritize those that are the most critical and time-sensitive. In the middle of a cold New England winter, I wouldn’t have to think twice about whether it was more important to repair the furnace or repaint the kitchen walls. Every organization should be able to apply similar common-sense prioritization tactics when it comes to security, but most do not.
This isn’t a matter of laziness – lots of security teams don’t have the tools and knowledge to distinguish the “repair-the-furnace” vulnerabilities from the “repaint-the-wall” vulnerabilities. They simply do not have the information necessary for prioritization. After all, when vulnerability scanners produce reports the size of phone books, complete with thousands of vulnerabilities labeled “critical,” it’s tough to know where to start. Wondering if this problem is plaguing your team? Next time you see a vulnerability report, ask the team two questions: Which of these vulnerabilities could lead an attacker to our critical business assets? Which of these vulnerabilities are easy for attackers to exploit?
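One way to turn those two questions into an actual ranking, as an added example that is not from the byline or from Core's products: a short Python triage that scores each scanner finding by public exploit availability, internet exposure and the number of network hops from the affected host to a critical asset, so a "critical" label on an isolated dev box no longer outranks a reachable, exploitable flaw. The hosts, reachability rules and findings are constructed sample data.

```python
# Added example: rank findings by reachability to critical assets and ease of
# exploitation instead of by the scanner's severity label alone.
from collections import deque

# Constructed network: which hosts may open connections to which (firewall rules).
REACH = {"web-01": ["app-01"], "app-01": ["db-01"], "dev-07": [], "hr-pc-3": ["fileshare-2"]}
CRITICAL_ASSETS = {"db-01"}      # constructed: the assets the business cannot lose
INTERNET_FACING = {"web-01"}     # constructed: hosts an outside attacker can touch first

def hops_to_critical(host):
    """Breadth-first search: shortest hop count from host to any critical asset, None if unreachable."""
    seen, queue = {host}, deque([(host, 0)])
    while queue:
        cur, dist = queue.popleft()
        if cur in CRITICAL_ASSETS:
            return dist
        for nxt in REACH.get(cur, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None

def priority(finding):
    """Higher means patch sooner. Exploitability and reachability outweigh the scanner label."""
    score = {"critical": 3, "high": 2, "medium": 1, "low": 0}[finding["severity"]]
    if finding["exploit_public"]:             # "easy for attackers to exploit"
        score += 4
    if finding["host"] in INTERNET_FACING:    # exposed to the outside world
        score += 3
    hops = hops_to_critical(finding["host"])  # "could lead an attacker to critical assets"
    if hops is not None:
        score += max(0, 4 - hops)             # closer to the crown jewels scores higher
    return score

def rank(findings):
    """Return findings ordered most urgent first."""
    return sorted(findings, key=priority, reverse=True)

# Constructed scan report: every entry a scanner would happily label "critical" ranks differently here.
FINDINGS = [
    {"id": "F1", "host": "dev-07", "title": "Shellshock (bash)", "severity": "critical", "exploit_public": True},
    {"id": "F2", "host": "web-01", "title": "Shellshock (bash CGI)", "severity": "critical", "exploit_public": True},
    {"id": "F3", "host": "app-01", "title": "Outdated TLS library", "severity": "medium", "exploit_public": False},
    {"id": "F4", "host": "hr-pc-3", "title": "Unpatched PDF reader", "severity": "critical", "exploit_public": False},
]

if __name__ == "__main__":
    for f in rank(FINDINGS):
        print(priority(f), f["id"], f["host"], f["title"])
```

With this data the internet-facing Shellshock host two hops from the database comes out first, while the same bug on the isolated dev box drops behind nothing but still ahead of the unexploitable "critical" on a PC that reaches no critical asset.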