Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

2/26/2020
10:00 AM
Wayne Reynolds
Wayne Reynolds
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

5 Ways to Up Your Threat Management Game

Good security programs start with a mindset that it's not about the tools, it's what you do with them. Here's how to get out of a reactive fire-drill mode with vulnerability management.

The basis of a good security program starts with a mindset that it's not about the tools, it's what you do with them. This mindset is most evident when critical vulnerabilities are released and everyone scrambles to mitigate exploitation.

Most recently, we saw this following the release of the latest critical Windows vulnerability (CVE-2020-0610 and others), which some folks have nicknamed CurveBall. The vulnerability affects Windows CryptoAPI and how Windows handles Elliptical Curve Ciphers (ECC) as part of this service. Microsoft also released two Remote Code Execution (RCE) bugs that are equally important. 

It's critical that companies get out of a reactive fire-drill mode and work toward cyber resiliency. Here are five recommendations for getting there.

Develop a VTM Strategy
One of the most important business strategies for a security program should be around vulnerability threat management (VTM). VTM strategies should include effective, timely, and collaborative reporting of actionable metrics. Avoid simple items such as the number of vulnerabilities on Windows systems and focus on meaningful items such as remediation rates of exploitable vulnerabilities on critical systems.

It's important to keep in mind that VTM is a culture and an operational mindset. An effective VTM program should be implemented in concert with the larger security operations organization to mitigate threats and reduce threat actors' overall attack landscape. It goes beyond scanning for vulnerabilities and telling IT ops to "not suck at patching."

I recommend splitting your VTM strategy into two phases: detection and response. Detection aims to ensure effective, risk-based reporting and prioritized vulnerability mitigation by gathering all your data, validating the results, and applying a business risk. Automation can make this process easier. Further, using the Observe-Orient-Decide-Act (OODA) loop continually reduces the time it takes to locate and inform IT ops and development teams where corrective action needs to take place.

Response is where the rubber meets the road and where many of us pass on the work to other businesses to assist in applying patches or hardening systems. To that end, ensure the correct solution (mitigation or corrective action) is recommended by the VTM team and that the agreed-upon solution has been tested and won't break production.

In deploying the solution, it's critical that IT ops and development get prioritized patching and that we provide as few false positives as possible. Trust is earned through transparency and repetition, but it can be destroyed through bad data in an instant.

Know Your Inventory
Knowing where your assets are and who owns them is the basis of an effective and efficient VTM program. Inventory management is a common struggle, partially because VTM teams use a combination of sources to identify where assets live. There are widely available tools to automate and integrate inventory systems so you can avoid time-consuming inventory pulls or maintaining manual spreadsheets. I also recommend partnering with the leaders across your business lines to ensure that when new systems are spun up, the VTM program is effective.

Implement, Then Continually Improve
Don't wait for the sky to fall to realize that you needed to practice. Just like any other part of an effective security organization, your VTM program should constantly improve. I've been a big fan of OODA loops for years.

They are highly effective when leveraged to continually improve an operational program where every initial Observation exits the loop with an Action to adjust the next Observation. If you've seen the same thing twice, you're failing. Leverage cyclical processes to continually improve VTM operations and continually measure your own effectiveness.

Step Up Your Vendor Management
While we cannot simply run vulnerability scans or penetration tests against our vendors, we can put contractual obligations in place with vendors that have access to our sensitive data to secure it appropriately.

Rights to audit are key in any contract. I see many large financial institutions conducting audits on client programs. It's a great way to validate how effective a program is, but keep in mind that it's also very expensive to operationalize.

Finally, don't be shy in working with your vendors. Build relationships with their security and IT organizations so that when a critical vulnerability is released, you know whom to call, and it's also not the first time you have spoken.

Build a Professional Network
When I first entered the security field several decades ago, collaboration between security organizations in different companies was taboo. Today, it's required. This sounds simple but is key: As a CISO or security leader, you must have an external network of peers to collaborate with. We must put egos aside and ask each other simple questions around the common problems we all face.

The release of new security vulnerabilities is only going to continue in the coming weeks and months. The most successful (and secure) companies will be able to look outside their network for actionable information and develop internal strategies to stay ahead of increasing threats.

Related Content:

 

Wayne Reynolds is an Advisory CISO for Kudelski Security, where he works with executives and program leaders to help businesses drive security programs to align with the business and maximize proactive threat mitigation to best serve the enterprise as a ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
4 Security Tips as the July 15 Tax-Day Extension Draws Near
Shane Buckley, President & Chief Operating Officer, Gigamon,  7/10/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...