There are never enough hours in the day to do everything. I think we all have a to-do list that is at least twice as long as the time available to complete it. To cope, we prioritize what’s “on fire” or what has the most potential to immediately cause damage if it’s not taken care of. Often the things we “should” focus on fall to the wayside as they are outshined by what we must do immediately. This is especially true when the ”should do” tasks are tedious and time-consuming.
Unfortunately, CVE management for network devices often falls into the “should do” category.
I doubt you could find a security professional who would say that just hoping CVEs are resolved is a good strategy. Yet, for many companies, that’s exactly what happens. I met a CIO recently at a very high-profile Fortune 100 company who reluctantly admitted that they have no idea if they’ve resolved all the high-risk CVEs affecting their network; without data, they rely on hope and assure the rest of the team that everything will be OK. This CIO fully recognizes that this approach is unacceptable, but given current tools and circumstances, it’s the best they can do.
Why is CVE management such a burden?
CVE management is highly complex due to the ever-increasing volume of CVEs issued overlayed with the complexity of networks.
CVEs issued by year:
Source: CVE Details
Each of these CVEs is not only specific to a device but also to the operating system version and the enabled features on that device or specific deployment as outlined in the CVE. In some instances, network administrators would need to go to a vendor site for details on which configurations are vulnerable, which makes remediating them exponentially more complex.
There are several common reasons for deprioritizing CVE remediation:
- Resource Constraints: CVE management is extremely labor-intensive. IT departments are facing flat budgets and a talent shortage. While the importance of CVE remediation is never in question, teams need to prioritize addressing the most significant and likely to be exploited vulnerability; CVEs don’t often make this threshold.
- Complexity: Many enterprises have multiple teams that work to assess and remediate CVEs. In some cases, the process involves several highly skilled engineers and can take weeks.
- Lack of Communication: CVE management is never the responsibility of an individual – or even a single team. Many IT departments don’t have effective collaboration mechanisms in place, and a lack of effective communication creates delays in remediating vulnerabilities.
What are the risks of CVE mismanagement?
The most obvious risk is falling victim to a cyber-attack by a bad actor or a data breach. Both of which can lead to tens of millions of dollars in losses. Additional concerns include compliance violations (which come with exorbitant fines, legal costs, and loss of trust) or outages that lead to loss of revenue and customer dissatisfaction.
How does a digital twin improve CVE management?
The most obvious way a digital twin helps is through advanced vulnerability analysis. Advanced digital twin technology safely collects config and state information on every device in the network. The digital twin then knows which devices in the network are impacted by a CVE based on their OS version, configuration, and enabled features. Additionally, the digital twin also leverages the vendor-specific data not included in the NIST database to provide a comprehensive risk assessment. Based on the OS version, configuration, and enabled features, it knows which devices are most exposed to the internet (ergo, which devices have the most significant risk).
Forward Networks takes this information and compares it against the NIST database and vendor-specific announcements, such as the Cisco Security Advisories, to deliver an at-a-glance prioritized remediation plan. Enhanced analysis increases the likelihood that a device reported as potentially vulnerable is actually vulnerable, which helps with prioritizing remediation efforts. This information is always up to date, and with integrations such as ServiceNow, we can automatically open tickets for resolution that include all the pertinent information. To learn more about how we do this, read the use case.
For a full demonstration of the technology, meet us at the RSA Conference in San Francisco, April 24 – 27 in booth 4225. Enjoy an energizing cold brew while you talk security with our experts.