Nov 20, 2021

Gartner guidance moves away from prioritizing critical CVEs, focuses on exploitability

Vulnerability management cannot be simplified to only patching, Gartner says. It’s an entire system weighing active threats against business continuity, and not all vulnerabilities will have patches. 
Companies do not have to concern themselves with the threat landscape at large, only where a business and threats meet. “What we would like to do is actually change the threat landscape for the first time in two decades,” Schneider said. 
“If you can move to a situation where your attack surface is so high, that only a sophisticated zero day and or intelligence agency in another country is able to get in, you’ve just broken something,” he said. Threat actors will struggle to gain access. 
Scanning and exploiting vulnerabilities became the top infection vector in 2020, replacing phishing, which had been the top vector in 2019, IBM X-Force found. Researchers estimate that more than 1,600 vulnerabilities met the CVSS critical severity threshold last year.
The Cybersecurity and Infrastructure Security Agency (CISA) is aiming to make vulnerability management easier by making its federal catalog for known exploited vulnerabilities accessible to the public. CISA’s catalog moves away from the CVSS, as it’s meant to only capture CVEs with active exploits underway to avoid the possibility of prioritizing patches less critical than others. 
The catalog provides federal civilian agencies with due dates for updates; the first deadline, covering 99 of the initial 291 CVEs, was Wednesday. CISA also sent out an updated catalog Wednesday.
“Organizations really need to start thinking about and considering Plan B options when patching is not feasible,” Schneider said. But companies run into communication issues when infrastructure and operations teams and security teams each view patching as the other’s responsibility. Security tends to judge vulnerability management by how much more secure it makes the organization. Infrastructure and operations are more focused on reliability and service interruptions.
Vulnerability management is a shared responsibility among business units, and does not require one dedicated team, according to Schneider. The project manager, however, should be from security. 
IT has changed through DevOps, containers, and off-premise solutions, which means vulnerability management is no longer one-size-fits-all across an entire environment the way it used to be. “All this discussion about vulnerability management will make you think that exposure is all about vulnerabilities,” said Schneider. But other considerations are cloud misconfigurations or third-party security postures.
“There is no way to know and manage exposure without proper visibility,” he said. Vulnerability assessment vendors are beginning to offer vulnerability prioritization technology capabilities, which Gartner expects to converge with vulnerability assessment in the next two years or so. 
“Prioritization is the most important concept. And this was the lightbulb moment and what changed Gartner’s entire perspective around doing vulnerability management,” Schneider said. “If you take the vulnerabilities in your environment, and focus on the ones that are being exploited in the wild, this will be an exponential improvement in your security posture.”
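The ranking the article describes (exploited-in-the-wild first, with the catalog's due dates driving order and CVSS only breaking ties, and a "Plan B" mitigation path where no patch exists) can be expressed as a small scoring routine. The following is an added example written for this page; it is not Gartner's or CISA's code, and the CVE identifiers, due dates, CVSS scores and catalog entries in it are constructed stand-ins for a real scanner export and the real KEV catalog.

```python
"""Prioritize scanner findings by exploitation status rather than CVSS alone.

Constructed example: the KEV-style catalog and findings below are made up
placeholders, not real CVEs or real CISA due dates.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float            # base score from the scanner
    patch_available: bool  # False means a vendor fix does not exist yet
    asset: str


# Constructed stand-in for a "known exploited vulnerabilities" catalog:
# CVE id -> remediation due date. Real catalogs would be loaded from CISA's feed.
KEV: Dict[str, date] = {
    "CVE-EXAMPLE-0002": date(2021, 11, 17),
    "CVE-EXAMPLE-0003": date(2021, 12, 1),
}

# Constructed scanner output. Note the highest CVSS item is NOT in the catalog.
FINDINGS: List[Finding] = [
    Finding("CVE-EXAMPLE-0001", 9.8, True, "web-01"),
    Finding("CVE-EXAMPLE-0002", 7.5, True, "vpn-gw"),
    Finding("CVE-EXAMPLE-0003", 6.1, False, "hmi-plc-bridge"),
    Finding("CVE-EXAMPLE-0004", 5.3, True, "build-agent"),
]


def priority_key(finding: Finding, kev: Dict[str, date]) -> Tuple[int, date, float]:
    """Sort key: exploited-in-the-wild first, earliest due date next, CVSS last.

    Lower tuples sort first. Items absent from the catalog get date.max so
    every catalog entry outranks every non-catalog entry regardless of CVSS.
    """
    due: Optional[date] = kev.get(finding.cve)
    return (0 if due is not None else 1, due or date.max, -finding.cvss)


def prioritize(findings: List[Finding], kev: Dict[str, date]) -> List[Finding]:
    """Return findings ordered by exploitation status, due date, then CVSS."""
    return sorted(findings, key=lambda f: priority_key(f, kev))


def action_for(finding: Finding, kev: Dict[str, date], today: date) -> str:
    """Decide patch vs. Plan B mitigation and flag missed catalog deadlines."""
    due = kev.get(finding.cve)
    if due is None:
        # Not known-exploited: handle in the normal cycle, CVSS decides order.
        return "routine patch cycle" if finding.patch_available else "routine mitigation (no patch)"
    status = "overdue" if today > due else "due"
    if finding.patch_available:
        return f"patch now: exploited in the wild, {status} {due.isoformat()}"
    # No vendor fix exists: this is the "Plan B" case (isolate, virtual patch, disable feature).
    return f"mitigate now (no patch, Plan B): exploited in the wild, {status} {due.isoformat()}"


def remediation_plan(findings: List[Finding], kev: Dict[str, date], today: date) -> List[Tuple[str, str, str]]:
    """Produce (cve, asset, action) rows in priority order."""
    return [(f.cve, f.asset, action_for(f, kev, today)) for f in prioritize(findings, kev)]


if __name__ == "__main__":
    for cve, asset, action in remediation_plan(FINDINGS, KEV, date(2021, 11, 20)):
        print(f"{cve:18} {asset:16} {action}")
```

Run as a script, the 9.8 finding drops to third place behind two lower-scored but known-exploited items, and the entry with no available patch is routed to a mitigation action instead of being silently skipped; the overdue flag is what a practitioner would wire into a report or ticket.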
