Visibility is key to effective vulnerability management, but do not rely too much on automated solutions to solve your problems.
Speaking at Infosecurity Europe, Edgescan CEO Eoin Keary talked about “moving the cybersecurity dial” on vulnerabilities and patching. Referring to statistics Edgescan released earlier this year, he said that 20% of the issues the company sees relate to the SMB protocol. Even after SMB was exploited by the NotPetya ransomware in 2017, Keary said, “we are still finding that”, although not everyone is vulnerable to NotPetya.
He also said that Edgescan is still finding issues with SSL, “which is broken from an implementation perspective”, which is why users should move to TLS sooner rather than later; legacy systems are often found on which SSL problems are not being fixed.
Looking at the BlueKeep vulnerability, Keary said that when a patch is issued for Windows XP, “you probably want to get worried.”
In terms of how to “move the dial” and improve things, Keary pointed to three main areas. The first was visibility: of ports and servers, of what you are not patching, and of live hosts and APIs. “Get an idea on your attack surface based on vulnerabilities,” get a baseline understanding of your infrastructure, and understand your risk posture at any point in time.
“Visibility is about alerting what matters to you and what is deployed, it is also about a bill of materials and remuneration for tech stack and web apps,” he said.
The second point was patching: while businesses are good at patching the operating system, they are not so good with Struts or servers, so it is worth considering automated patch management and tools such as InSpec and GitLab.
The third point was secure application development, for which Keary’s advice was to “build as securely as you can.” Rather than only “shifting left”, he recommended pushing in both directions: if a system is static and you are not “pumping code in,” it can become vulnerable. “Pushing left doesn’t fix this, you need to push right too,” he said.
He also recommended not relying too much on automation, “using augmentation of humans and technology where you can” but “don’t use automation at the cost of accuracy”. Keary concluded by saying: “Don’t sweat the zero days, the majority of vulnerabilities are old and most zero days are from 2015.”