Best Practice and Automation for Security Vulnerability Management
In the second of a three-part series, Matthew Flanagan and Ryan Green take a closer look at how you can be proactive in the face of the increasing frequency of security vulnerabilities, warning of the risks associated with inaction now that Australian mandatory data breach laws are in effect.
The frequency of critical vulnerabilities being reported reached a historic peak in 2017, with 40 vulnerabilities on average reported per day, compared with 17 per day in 2016. This highlights the need to stop treating patching as a one-off task performed begrudgingly when required, and instead run it as a systematic, methodical and, ideally, automated process.
Proactive patch management keeps you ahead of the curve
Security researchers and vendors often work in a coordinated manner to release patches months in advance of the security vulnerability being publicly announced. This embargo period is to allow time for customers to apply patches before the announcement and inevitable development of an exploit.
The impact of a breach can be significant – resulting in data loss and/or leakage, financial loss, and damage to the organisation’s brand and reputation. With the Australian Federal Government’s mandatory data breach notification legislation taking effect on the 22nd of February 2018, the stakes are now even higher.
The key considerations you need to make
Managing vulnerabilities in an IT environment requires the following key considerations:
- Operational visibility – What systems and infrastructure are in place, what is their status, what are their dependencies and how do they interact?
- Configuration and release management – Configuration and patch levels need to be maintained to remediate vulnerabilities and optimise security.
- Logging – Log data is the first place to look when attempting to identify the timing, source, method and path of an intrusion across the environment. It's important that log data is available when it's needed; often a compromise isn't uncovered until some time after it occurred.
- Centralized log management – This type of tooling can be extremely useful when trying to correlate events across various infrastructure and software solution components.
- Reliable data protection – Backup and disaster recovery solutions are critical, offering a last resort for recovering from disruptive or catastrophic incidents
- Automated analysis – Log data can be leveraged to implement a Security Information and Event Management (SIEM) system that alerts the business to unusual activities that may occur due to successful and/or attempted security breaches.
- IT security policies – Like all operational policies, these must be clear, concise and continually updated to ensure appropriate proactive and reactive approaches are maintained.
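The logging, centralized log management and automated analysis points above come together in a small worked example, added here and not part of the original article or any CSA tooling. It takes a constructed batch of sshd lines as they might arrive at a central collector from several hosts (hypothetical host names and documentation-range addresses), parses them into events, and raises a SIEM-style alert when a single source accumulates repeated failures across any number of hosts and then obtains a successful login. The threshold and window are this example's own choices; the point is that the cross-host pattern is only visible once logs are centralized, which is exactly why the article lists that tooling.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of sshd lines as received by a central log collector.
# Hosts and addresses are hypothetical; this is not real data.
SAMPLE_LOGS = """\
2018-03-01T09:00:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2018-03-01T09:00:03 web01 sshd[2203]: Failed password for root from 203.0.113.7 port 51023 ssh2
2018-03-01T09:00:05 db01 sshd[1884]: Failed password for root from 203.0.113.7 port 51030 ssh2
2018-03-01T09:00:07 db01 sshd[1885]: Failed password for root from 203.0.113.7 port 51031 ssh2
2018-03-01T09:00:09 app02 sshd[3310]: Failed password for root from 203.0.113.7 port 51040 ssh2
2018-03-01T09:00:20 app02 sshd[3311]: Accepted password for root from 203.0.113.7 port 51041 ssh2
2018-03-01T09:15:00 web01 sshd[2250]: Accepted publickey for deploy from 198.51.100.10 port 40001 ssh2
2018-03-01T10:30:00 db01 sshd[1900]: Failed password for dba from 198.51.100.22 port 40100 ssh2
"""

# Matches the OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <src> port <n>" form.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(raw):
    """Turn raw collector lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a production pipeline would count and review unparsed lines
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"],
            "outcome": m["outcome"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect_spray_then_success(events, threshold=5, window=timedelta(minutes=5)):
    """Alert when one source has >= threshold failures (on any hosts) inside `window`
    and then receives an 'Accepted' login from any host. Threshold/window are example values."""
    alerts = []
    failures = defaultdict(list)  # src -> [(timestamp, host)] of failed logins
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        if ev["outcome"] == "Failed":
            failures[src].append((ev["ts"], ev["host"]))
            continue
        recent = [(t, h) for t, h in failures[src] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({
                "at": ev["ts"].isoformat(),
                "src": src,
                "user": ev["user"],
                "success_host": ev["host"],
                "failed_hosts": sorted({h for _, h in recent}),
                "failures": len(recent),
            })
            failures[src].clear()  # one alert per burst, not one per later success
    return alerts


def run_detection(raw=SAMPLE_LOGS):
    return detect_spray_then_success(parse(raw))


if __name__ == "__main__":
    for a in run_detection():
        print(f"ALERT {a['at']} {a['src']} accepted on {a['success_host']} as {a['user']} "
              f"after {a['failures']} failures across {', '.join(a['failed_hosts'])}")
```

Run on the sample, the script raises a single alert for 203.0.113.7: five failures spread over web01, db01 and app02 followed by an accepted password on app02. Looked at host by host, no single machine sees more than two failures, so a per-host threshold would have stayed silent; the correlation only works because the events were brought together first.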
Treating security as an ad-hoc process is fraught with danger, and costly
It is extremely important that the business understands that security is an ongoing process that must be managed, with approaches that are continually reviewed. If the business treats it as an ad-hoc exercise, then next month, when an equally severe vulnerability is reported, IT staff will need to drop what they are doing and respond again, leading to lost productivity, unplanned overtime, unplanned downtime and cost to the business.
No single security control will stop a determined attacker. Multiple lines of defence are required in order to limit an attacker's reach or slow them down. With the right tooling, policy, people and training, the risk of compromise can be lowered and the organisation can rapidly respond to new vulnerabilities and security incidents.
We recommend that organisations align with the ASD Essential 8 Maturity Model for Operating System and Application patching. Customers should aim for a minimum maturity level of 1 which includes monthly patch cycles for server and desktop environments. Higher maturity levels with more frequent patching should be considered for more sensitive environments.
How can CSA help?
We have a team of certified security experts who proactively undertake vulnerability management for dozens of organisations through our Managed Security and Monitor + Manage services. If you don’t have the right skills in your team we can help you access the expertise and capability you need. We can also help scale your existing team to meet demand cycles – and provide insights and advice for deploying automation. Start a conversation with one of our experts using the form below to find out how we can help you.
- Article 1 in this series: Dealing with the fallout from Meltdown and Spectre
- Article 3 in this series: The Definitive Guide to Patch and Release Management
- Meltdown and Spectre: Everything you need to know
- Official Meltdown and Spectre website
About the Authors
Matthew Flanagan is Platform Lead – Network and Security at CSA. Matt has over 20 years of industry experience in a wide range of technologies focused on Internet and enterprise infrastructures. He specialises in Internet infrastructures, UNIX, security, network architecture and design. Matthew is a Member of the GIAC Advisory Board and holds the GIAC GXPN Certification for Exploit Research and Advanced Penetration Testing.
Ryan Green is Portfolio Manager – Datacentre & Cloud at CSA and has over 20 years of industry experience in a wide range of technologies. With a background supporting, operating (DevOps) and consulting in closed and open source environments, both locally and abroad, the last 10 years have seen him focus on Datacentre and Cloud solutions, Data Management and Disaster Recovery. With a habitual interest in keeping abreast of technology, Ryan specialises in identifying complementary technologies and architecting solution offerings.