Improving Automated Vulnerability Remediation

Given the incredibly small window afforded IT managers for patching vulnerable systems, security experts recommend getting help in categorizing vulnerabilities as well as in determining which are actually present.

When it comes to software vulnerabilities, knowing which flaws to fix first is critical. Because attackers are more likely to exploit severe threats—to more easily gain system-level access to PCs—security experts recommend remediating the worst flaws first.

According to Symantec, however, the average time between when a vulnerability is announced and when attack code to exploit that vulnerability is released is now just six days. That’s down from 6.4 days six months ago.

Given the incredibly small window afforded IT managers for patching vulnerable systems, security experts recommend organizations get help not only in categorizing vulnerabilities but in determining which are actually present in their organizations.

In other words, the days when security managers could just maintain a good perimeter defense and not worry about the internal network are long gone. Today’s networks are too large and dispersed for organizations to just trust perimeter security controls, says Scott Crawford, a senior analyst at Enterprise Management Associates.

Furthermore, “attacks are becoming increasingly more sophisticated, coordinated, and insidious,” he says. “Cyber criminals have moved beyond the nuisance attack and are directly targeting the enterprise applications and databases where valuable data is stored.” In short, focusing only on perimeter attacks leaves organizations vulnerable to attacks that propagate internally, including the viruses, worms, and other malware now favored by attackers for stealing sensitive information.

Coping with Vulnerabilities

Persistent software vulnerabilities are a fact of life. Worse, Symantec notes, it takes vendors an average of 54 days to issue a patch once a vulnerability appears. That leaves companies open to attack for an average of 48 days per vulnerability—not counting the time it takes IT managers to test and install a fix once it’s available.

That long vulnerability period is why Gartner also recommends organizations automate vulnerability scanning and remediation, then cross-reference such efforts with outside security information feeds and scans of the internal network. Unless organizations know exactly which systems they have, they won’t know what to fix.

Gaining such perspective, however, can be difficult without automating parts of the problem. “An enterprise typically generates millions of events per day from a diverse and growing number of security devices,” notes Ron Hardy, the chief strategy officer of Intellitactics, which makes software to analyze security data and logs, so security managers can correlate suspicious activity.

The ideal, however, is to seamlessly automate everything from watching for intrusions to finding flaws to fixing them. To begin to do that, says Gartner, vulnerability management products need to “factor near-real-time threat information into vulnerability prioritization and alert functions.”

Today such all-in-one tools are scarce. Enterprise security management consoles, such as Symantec’s Enterprise Security Manager, offer some of that functionality—they can check that corporate systems meet compliance standards and are vulnerability-free. Other companies offer point products which, when used together, also automate pieces of the puzzle.

For the future, Intellitactics and Secure Elements have announced they’re developing a suite to take output from vulnerability scanners and other security devices, cross-reference it with an information security data feed, and have automated vulnerability remediation software tackle high-risk vulnerabilities first.

Analysts expect other vendors to similarly combine such functionality. “Having information that helps you focus on the high-impact attacks, by targeting critical assets, represents a significant benefit to a company in terms of performance and productivity,” notes Crawford—especially when it’s automated.
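The prioritization the article describes, in which scanner output is cross-referenced with an asset inventory and an outside threat feed so that high-risk flaws on critical assets are fixed first, can be sketched in a few dozen lines. The following is an added illustration, not code from the article or from any of the vendors it names; the findings, the criticality weights, the feed entries and the scoring multipliers are all constructed for the example, and the vulnerability identifiers are placeholders rather than real CVE numbers.

```python
"""Rank scanner findings by asset criticality and threat-feed intelligence.

Constructed example: every record below is made up for illustration, and
the identifiers are placeholders, not real CVE numbers.
"""
from dataclasses import dataclass, field

# Hypothetical scanner output: one record per (host, vulnerability) pair,
# with a CVSS-style base score on a 0-10 scale.
SCAN_FINDINGS = [
    {"host": "db-01",    "vuln": "VULN-PLACEHOLDER-1", "base_score": 9.8},
    {"host": "web-02",   "vuln": "VULN-PLACEHOLDER-2", "base_score": 7.5},
    {"host": "kiosk-07", "vuln": "VULN-PLACEHOLDER-1", "base_score": 9.8},
    {"host": "web-02",   "vuln": "VULN-PLACEHOLDER-3", "base_score": 5.3},
    {"host": "ghost-99", "vuln": "VULN-PLACEHOLDER-2", "base_score": 7.5},  # not in inventory
]

# Hypothetical asset inventory: business-criticality weight per host (0-1).
ASSET_CRITICALITY = {
    "db-01": 1.0,     # holds customer data
    "web-02": 0.8,    # internet-facing
    "kiosk-07": 0.2,  # isolated lobby kiosk
}

# Hypothetical threat feed: whether exploit code is public and how many
# days have passed since disclosure.
THREAT_FEED = {
    "VULN-PLACEHOLDER-2": {"exploit_public": True,  "days_since_disclosure": 3},
    "VULN-PLACEHOLDER-1": {"exploit_public": False, "days_since_disclosure": 20},
}


@dataclass
class Ranked:
    host: str
    vuln: str
    score: float
    reasons: list = field(default_factory=list)


def risk_score(finding, assets, feed):
    """Combine severity, asset criticality and threat intel into one score."""
    base = finding["base_score"] / 10.0
    crit = assets[finding["host"]]
    intel = feed.get(finding["vuln"], {})
    multiplier, reasons = 1.0, []
    if intel.get("exploit_public"):          # assumed weighting: double it
        multiplier *= 2.0
        reasons.append("public exploit")
    if intel.get("days_since_disclosure", 999) <= 7:  # assumed: fresh disclosure
        multiplier *= 1.5
        reasons.append("disclosed within a week")
    return base * crit * multiplier, reasons


def prioritize(findings, assets, feed):
    """Return findings ranked by risk, plus hosts the inventory does not know.

    Findings on unknown hosts are not scored: the article's point is that you
    cannot fix what you do not know you have, so they go to an exceptions list.
    """
    ranked, unknown = [], set()
    for f in findings:
        if f["host"] not in assets:
            unknown.add(f["host"])
            continue
        score, reasons = risk_score(f, assets, feed)
        ranked.append(Ranked(f["host"], f["vuln"], round(score, 3), reasons))
    ranked.sort(key=lambda r: r.score, reverse=True)
    return ranked, sorted(unknown)


def naive_order(findings):
    """Baseline for comparison: sort by scanner base score alone."""
    return sorted(findings, key=lambda f: f["base_score"], reverse=True)


if __name__ == "__main__":
    ranked, unknown = prioritize(SCAN_FINDINGS, ASSET_CRITICALITY, THREAT_FEED)
    for r in ranked:
        print(f"{r.score:5.3f}  {r.host:9s} {r.vuln}  {', '.join(r.reasons)}")
    print("unknown hosts:", unknown)
```

With these weights the 7.5-rated flaw with public exploit code on the internet-facing host outranks the 9.8-rated flaw with no known exploit, which is exactly the reordering that factoring threat information into prioritization is meant to produce; sorting by base score alone would put the 9.8 first.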

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.