The Impact of Risk-Based Vulnerability Management on Security Debt


It’s a common challenge for today’s security teams to find themselves stuck in a never-ending cycle of identifying, prioritizing, and mitigating vulnerabilities. Oftentimes, what goes overlooked during this perpetual process is security debt. Similar to technical debt, security debt is the increasing total of unresolved vulnerabilities within an organization’s software and systems. As more vulnerabilities are identified, and the higher risk ones are prioritized for remediation, the remaining list of vulnerabilities continues to grow. 

Under risk-based vulnerability management, focusing remediation on the higher priority vulnerabilities sounds like a great idea. But in the shadow of what you do fix there is also a passive decision about what not to fix, which creates a large backlog of ‘lower’ risk vulnerabilities that, over time, taxes an organization’s resources. The standard process of discovery and response usually has organizations remediating two out of every 10 new vulnerabilities, while the remaining 80%, which pose less risk, but not none, are pushed back as the cycle repeats itself to address the latest batch of ‘critical’ vulnerabilities first.

Security Debt’s Impact

When organizations repeatedly leave lower priority vulnerabilities unaddressed, it creates security debt, which can have a few negative effects: 

•Increased Attack Surface: As more vulnerabilities are left exposed, the risk they carry can increase over time, broadening the attack surface and giving attackers weak points to exploit and infiltrate systems over the long term.

•Resource Drain: Managing ongoing security debt is a drain on resources, as security teams are in a constant state of prioritizing and patching vulnerability after vulnerability, without being able to take proactive steps against the sheer volume of existing vulnerabilities that continues to grow. Vulnerabilities are generally cheapest to fix when they are new, so a long tail of deferred remediation means costs increase over time.

•Compliance Risks: Depending on the geography and industry of a business, compliance regulations may require a certain promptness in vulnerability remediation. Security debt in the form of unpatched vulnerabilities can lead to non-compliance, resulting in the loss of business, fines, legal repercussions, and damage to a brand’s reputation.

•Complex Remediation: The more security debt is accumulated, the more complex remediation becomes. This complexity slows down the process further, including the handling of critical vulnerabilities, and so decreases an organization’s resiliency to new threats.

It’s critical for organizations to understand the adverse effects of security debt and its compounding nature. The more the list of unaddressed security vulnerabilities grows, the more risk, the more complexity, and the more cost involved in trying to get that security debt back down. 

Expedited vs. Efficient Remediation

Risk-based vulnerability management is a strategy that emphasizes remediating the highest risk vulnerabilities right away. The focus of this remediation strategy is to fix the most urgent items first, thus described as ‘expedited’ remediation. While it remains critical to resolve vulnerabilities most likely to result in breaches, expedited remediation can’t be the only approach an organization takes to vulnerability management. 

This is where another approach, called efficient remediation, comes in. It’s an opportunity for security and IT teams to work together to alleviate security debt. Rather than focusing on individual items, this strategy looks at higher-order patterns where root cause analysis can be used to wipe away debt at the source. Additionally, it involves giving Dev and IT teams visibility into vulnerability scoring and allowing them to evaluate their organization’s vulnerability backlog regularly during sprints or other development lifecycles. The most common example of this approach is “Patch Tuesday”, where a single day every month eliminates a large percentage of vulnerabilities in one go. But you can push the boundaries even further and create high-level strategies to eliminate entire groups of vulnerabilities at a time. A common next step is to group vulnerabilities by your technology stack and see which technologies are creating the most risk to your organization. You can leverage this to make business decisions about where your resources will be most effective at resolving risk.
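As an added illustration (not part of the original article), the following Python toy model runs the two steps on a constructed backlog whose ids, component names and scores are hypothetical: the expedited step fixes only the top two in ten findings by score, the grouping step shows which technology carries the most residual debt, and a single root-cause fix on that component clears its whole group.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Vuln:
    vid: str         # finding id (constructed, not a real identifier)
    component: str   # element of the technology stack it belongs to
    score: float     # risk score on a 0-10 scale (constructed values)

# Constructed sample backlog: ids, components and scores are illustrative only.
BACKLOG = [
    Vuln("V-001", "openssl", 9.8),  Vuln("V-002", "openssl", 5.3),
    Vuln("V-003", "openssl", 6.1),  Vuln("V-004", "log4j", 10.0),
    Vuln("V-005", "nginx", 4.3),    Vuln("V-006", "nginx", 5.0),
    Vuln("V-007", "requests", 6.5), Vuln("V-008", "openssl", 7.5),
    Vuln("V-009", "nginx", 3.1),    Vuln("V-010", "jquery", 4.8),
]

def debt(backlog):
    """Security debt as (open findings, summed residual risk)."""
    return len(backlog), round(sum(v.score for v in backlog), 1)

def expedited(backlog, fraction=0.2):
    """Risk-based step: fix only the top `fraction` of findings by score
    (the article's two in ten) and leave the rest as debt."""
    ranked = sorted(backlog, key=lambda v: v.score, reverse=True)
    n = max(1, int(len(ranked) * fraction))
    return ranked[:n], ranked[n:]

def risk_by_component(backlog):
    """Group remaining debt by technology as (count, total risk), highest
    aggregate risk first: where one root-cause fix pays off most."""
    counts, totals = defaultdict(int), defaultdict(float)
    for v in backlog:
        counts[v.component] += 1
        totals[v.component] += v.score
    return {c: (counts[c], round(totals[c], 1))
            for c in sorted(totals, key=totals.get, reverse=True)}

def efficient(backlog, component):
    """Efficient step: clear every finding tied to one component at once."""
    return [v for v in backlog if v.component != component]

def remediation_cycle(backlog):
    """One cycle: expedited fix, then one root-cause fix on the worst group.
    Returns (component fixed, debt before that fix, debt after it)."""
    _, remaining = expedited(backlog)
    worst = next(iter(risk_by_component(remaining)))
    return worst, debt(remaining), debt(efficient(remaining, worst))
```

Running `remediation_cycle(BACKLOG)` shows that the expedited step alone leaves eight findings open, while one library-level fix on the worst component removes three more in a single action.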

Solving Security Debt

As businesses uncover new vulnerabilities, security debt will grow, impacting the ability to defend against attacks and keep data secure. While risk-based vulnerability management will make sure the most critical risks are addressed right away, efficient remediation must be done in tandem. Together, security, IT, and Engineering teams working side-by-side can remediate more total vulnerabilities, reducing security debt and their organization’s potential exposure to attacks. 
