Becoming vulnerability agnostic

Don't let the constant barrage of vulnerability announcements play with your emotions and drive up your stress levels.

We only got two days into 2018 before the industry was set on its ear by the announcement of the Meltdown and Spectre vulnerabilities. The vulnerabilities themselves were just the tip of the iceberg, as confusion reigned over which patches worked, and what the negative consequences were over installing others. Based on recent trends, it will not likely be long before the next major vulnerability announcement. This seems to be the norm today, with those of us in information security living from one vulnerability to the next.

When the inevitable announcement happens, a tremendous strain is placed on corporate America, in their efforts to quickly remediate the issues. In my case, working with a large healthcare organization, we convened a team from across the organization, began twice daily meetings, immediately started patch testing, and implemented plans to roll out patches as quickly as possible. With that effort came the news to all departments that they should expect increased downtime, and possibly diminished performance on their systems.

If one day we are able to quantify the industry cost in responding to such a vulnerability, I suspect it would be enormous. These dollars reduce the revenue to the impacted organizations, which in turn will likely result in increased costs to the customers. Put more simply, take out your wallet and prepare to pay.

So, what do we do? Meltdown and Spectre are vulnerabilities that have existed for years and were only recently discovered. It is likely that many other such historical issues exist, not counting the new ones we are creating each week. Where does it end?

At this point, I wish I had an encouraging prediction for everyone, but the reality is that this problem will not go away. The best we can do is to insulate ourselves from the possible impacts and have a good plan to address any such announcement that comes up as efficiently as possible. In other words, we need to become vulnerability agnostic.

While I am stretching the definition of the word agnostic from its religious roots, I think it works in this context. To be vulnerability agnostic is to know that these issues will come up, without losing sleep over them. When they happen, we forge ahead with correcting the problem routinely, trusting that the design of our security systems will protect us from immediate effects, while we calmly move forward with whatever exotic fix our system providers may have.

What does it take to become vulnerability agnostic? I would suggest the following:

Know what you have

It seems in information security, we always stub our toe in the area of having a solid inventory. Unfortunately, device and software inventory is foundational to good information security. We cannot assess the possible impact to the organization from a vulnerability, let alone remediate it, without knowing what devices we have. With a proper inventory, we can quickly determine which of our systems are affected. This needs to be the starting point for all of us.

Have a plan, and test the plan

Having a production background, I am fascinated with the recent live television programs staged by some of the networks. I watched the recent live version of A Christmas Story, not because I am a fan of the original, but because I was interested in seeing how their planning and rehearsal would result in a tight production.

We in the industry should learn from this. By the time they got to the day of the production, nobody was particularly nervous (well, perhaps the Director), because they had a plan, and had rehearsed it many times. For major vulnerability announcements, we need to have a plan, and we need to do periodic desktop simulations of it. This plan needs to include how we communicate with our user base, vendors, and customers, so we can keep them informed without panic.

Have an assessment and tracking tool

Once the routine remediation effort begins, we must have some way to assess and track our progress. Vulnerability management tools, such as Qualys, can be beneficial for this. Using Qualys as an example, a dashboard for tracking Meltdown and Spectre was available within days of the announcement. Remediation tracking is not something that can practically be done manually for organizations of any size.
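The two preceding points, knowing what you have and tracking remediation against it, are the same data problem: an inventory, an applicability rule from the vendor advisory, and a running count of what is still outstanding per owner. The script below is an added example and is not code from the column or from Qualys; the hosts, owners and the applicability rule are constructed sample data, and a real run would read the inventory from a CMDB or scanner export and take the affected-product list from the vendor advisories.

```python
"""Match a device inventory against a vulnerability applicability rule and
report remediation progress per owning team.

Added example, not part of the original column. Inventory rows and the
applicability rule below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Asset:
    hostname: str
    owner: str        # business unit responsible for patching this host
    cpu_vendor: str   # e.g. "Intel", "AMD", "ARM"
    os: str           # e.g. "Windows Server 2016"
    patched: bool     # remediating update confirmed installed


# Constructed sample inventory (hypothetical hosts, not real systems).
INVENTORY: List[Asset] = [
    Asset("db01", "finance", "Intel", "Windows Server 2016", False),
    Asset("db02", "finance", "Intel", "Windows Server 2016", True),
    Asset("web01", "marketing", "AMD", "Ubuntu 16.04", False),
    Asset("kiosk7", "clinical", "ARM", "Android 7", False),
    Asset("hv03", "it", "Intel", "VMware ESXi 6.5", False),
]


def speculative_exec_rule(asset: Asset) -> bool:
    """Illustrative applicability rule: a speculative-execution class issue
    declared by the (hypothetical) advisory to affect Intel and ARM hosts.
    The real affected-product list always comes from the vendor advisory."""
    return asset.cpu_vendor in {"Intel", "ARM"}


def affected_assets(inventory: List[Asset], rule: Callable[[Asset], bool]) -> List[Asset]:
    """Inventory rows the rule says are in scope for this vulnerability."""
    return [asset for asset in inventory if rule(asset)]


def remediation_status(inventory: List[Asset], rule: Callable[[Asset], bool]) -> Dict[str, dict]:
    """Per-owner counts of affected and patched hosts, plus the hostnames
    still outstanding, so each team gets its own work list."""
    status: Dict[str, dict] = {}
    for asset in affected_assets(inventory, rule):
        entry = status.setdefault(
            asset.owner, {"affected": 0, "patched": 0, "outstanding": []}
        )
        entry["affected"] += 1
        if asset.patched:
            entry["patched"] += 1
        else:
            entry["outstanding"].append(asset.hostname)
    return status


def overall_progress(inventory: List[Asset], rule: Callable[[Asset], bool]) -> float:
    """Fraction of affected hosts confirmed patched (1.0 when nothing is affected)."""
    affected = affected_assets(inventory, rule)
    if not affected:
        return 1.0
    return sum(asset.patched for asset in affected) / len(affected)


if __name__ == "__main__":
    for owner, entry in sorted(remediation_status(INVENTORY, speculative_exec_rule).items()):
        print(f"{owner:10} affected={entry['affected']} patched={entry['patched']} "
              f"outstanding={entry['outstanding']}")
    print(f"overall: {overall_progress(INVENTORY, speculative_exec_rule):.0%} patched")
```

The rule is a plain predicate so that a new advisory only needs a new function, not a new report; the per-owner breakdown is what the twice-daily meeting actually needs, since "25% patched" on its own tells nobody which team is behind.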

Have a defense in depth strategy to provide protection against the unknown

Many of the recent vulnerability announcements have been theoretical, in that no known exploits existed at the time of the announcement to take advantage of them. Thus, while patches have been developed, we cannot be absolutely certain that they will work until someone actually tries an exploit. Further, we cannot guarantee that the side effects of a given patch will not force us to forgo it. Thus, if our sole approach to protection from vulnerabilities is waiting on a patch, we may have neither good protection nor sound sleep.

The concept of defense in depth involves having a variety of overlapping security systems and strategies, ensuring that security gaps are minimized. Using Meltdown and Spectre again as examples, we can mitigate their impact using browser settings and updates. Endpoint anti-malware and anti-virus products can prevent some possible attacks, along with intrusion prevention systems. Security Information and Event Management (SIEM) systems, like Splunk, can monitor for indications that exploits are being attempted and issue alerts. Orchestration activities tied to these alerts can help to lock systems down before any damage is done.

Bottom line – don't let the constant barrage of vulnerability announcements play with your emotions and drive your stress level up. Instead, make your organization vulnerability agnostic, and get some sleep.
