Disparate interconnected systems, and now remote employees across the globe, increase our exposure and the opportunity for cybercrime. Security teams here in Australia, particularly in Australian Federal and State Government departments, are continually battling headwinds to adopt and maintain the advice and requirements given by the Australian Cyber Security Centre (ACSC) in the form of the ISM Essential Eight.
Recent conversations we’ve had with agencies on reducing the cost and effort of security hygiene have highlighted continued challenges around operating system and application patching, and other such “fundamental” practices that security teams struggle to get out from underneath. Despite access to mature technologies that detect and advise on how to keep systems and COTS applications up to date, and a sprint program designed to help NCCEs improve their Essential Eight maturity, questions remain on whether the ramifications of vulnerability management findings are fully understood, and on where already stretched resources should spend their effort for the greatest return on risk mitigation.
Vulnerability management is of course a key practice in every security team’s arsenal and should be a bedrock of any defence strategy, as is made evident by its inclusion in the original Top 4 from 2011 and its continued relevance in the expanded Essential Eight. However, due to the growing complexity of infrastructure, application architectures, and software vulnerabilities, agencies are unable, or find it increasingly difficult, to patch every vulnerability in the timeframes outlined, and are often hamstrung in deploying patches by the fear of breaking their applications or disrupting productivity.
With the level of INFOSEC-4 compliance documented in the Australian Government’s Proactive Security Policy Framework (PSPF) Compliance Report (relating to cyber and ICT system security including Strategies to Mitigate Cyber Security Incidents) remaining the lowest of all 36 mandatory requirements, and barely improving over the previous years, some are perhaps counting themselves lucky that “the Federal Government will consider only mandating the Essential Eight when cyber security maturity has increased.”
Common themes from our recent discussions with agencies include:
- The volume of software and systems, and the cadence or absence of required patches – particularly for in-house produced software
- Prioritisation with the realisation that not everything will always get patched
- The inevitability of risk accepting vulnerabilities without a full appreciation of their impact
Here are three key areas to focus on and where integrated solutions can help:
- Reprioritise based on exposure, not solely on criticality
Tradition and nature tell us to aim for what we perceive as “most critical” first. Despite having great detection tools and scoring systems that reflect the criticality of known vulnerabilities, those scores don’t consider a workload’s connectivity relative to other workloads in an environment. Systems with fewer or lower-ranked vulnerabilities, overlooked when criticality alone is considered, may nonetheless be more accessible and connected, and so leave an agency open to attack. A volume-driven, most-recent-first approach to vulnerability management, simply progressing through systems that appear equal in the number and ranking of identified issues, won’t address the greatest opportunity for exploitation first. If anything, it only creates the illusion of progress and success whilst leaving the agency exposed to significant risk.
A way to help maintain minimal attack surface, and get the return from your patching efforts, is to reorder the priority list based on “exposure”. View vulnerabilities in the wider context, where the reachability of the vulnerability and the connectedness of the system plays a vital role in whether it gets seen to first. Linking your chosen vulnerability scanning tool with real-time traffic flows within your data centre helps security and IT operations teams prioritise security and patching decisions to those systems with the highest exposure scores.
- Visualised pathways to vulnerability
Without an understanding or visualisation of how a vulnerability could be reached, or could be leveraged to access other sensitive systems within your environment, security and application teams most often end up evaluating the need for, or timeline of, patching in silos. Because they are flying blind, they can’t appreciate the upstream and downstream effects of their decisions. This is particularly impactful when choosing to accept risk on an application that interfaces with others.
Not appreciating the wider context or indeed the effectiveness of controls adopted has likely contributed to the data presented in the PSPF Compliance Report, where the compliance to INFOSEC-3 “implement policies and procedures for the security classification and protective control of information assets” decreased by more than five percent with realisation of deficiencies in this area.
Visualisation capable of mapping out the pathways an attacker could potentially use will arm security teams with the insight needed to ensure decisions are not made without consideration for interconnected systems. They can focus on accurately evaluating the impact a vulnerability has on the broader ecosystem, appreciating in advance the level of “exposure” one has to the exploitation of such dormant vulnerabilities, and ensuring the most impactful remediations are taken first.
- Option to mitigate without immediate access to patch
Patches aren’t necessarily available when you need them. Production change freezes prevent their immediate deployment or, as is often the case, project teams can’t be recommissioned to rework custom-produced software. In fact, the cycles spent preparing for and testing patches so that they don’t negatively impact business service availability become the real inhibitor for stretched security teams, not the actual deployment itself. Teams risk leaving themselves vulnerable until they can patch, and don’t have sensors to alert them if traffic to a vulnerable service is detected.
The latest ACSC maturity levels prescribe goals for patch deployment durations specifically for extreme risk systems. Although agencies should be aiming for Level 3 and a 48-hour patch goal, many patches may not even make the Level 1 one-month target, and lower risk systems will not be under the same levels of scrutiny. As such, there will be windows of exposure regardless of where you are on the maturity scale. Although you may feel bogged down in the fundamentals, with the risk of exposure through unpatched systems, controls that limit how far and wide an attacker can travel from whatever is breached can be introduced efficiently to minimise this risk.
Micro-segmentation, if done well, can be quickly mobilised to act as the underpinning compensating control – buying you that all too valuable time. If traffic is connecting to a port with a known vulnerability, alerts to the security operations centre (SOC) expedite response processes, and, better still, enforced segmentation policies would eliminate or restrict access to that port without breaking applications. Isolating the vulnerable services from the rest of the network prevents threats from moving laterally and satisfies your compliance requirements until patches are applied.
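The following added example (not Illumio’s code, and not from the original post) illustrates both the exposure-based reordering described under “Reprioritise based on exposure” and the vulnerable-port alerting and ring-fencing described above. It assumes a scanner export keyed by workload and port with a CVSS score, and observed flow records as (source, destination, port) tuples; both data sets are constructed here, and the weighting (CVSS multiplied by one plus the number of distinct peers observed reaching the port) is a simple stand-in for a real exposure score.

```python
from collections import defaultdict

# Constructed scanner findings: (workload, port) -> CVSS base score.
FINDINGS = {
    ("app-db-01", 1433): 9.8,  # critical, but reached by a single peer
    ("hr-web-02", 443): 6.5,   # medium, but reached by many peers
    ("build-03", 8080): 7.5,   # high, no inbound traffic observed at all
}

# Constructed flow records observed in the data centre: (src, dst, dst_port).
FLOWS = [
    ("app-web-01", "app-db-01", 1433),
    ("10.10.5.21", "hr-web-02", 443),
    ("10.10.5.22", "hr-web-02", 443),
    ("10.10.7.3", "hr-web-02", 443),
    ("10.10.5.21", "hr-web-02", 443),  # repeat peer, counted once
    ("10.10.9.9", "hr-web-02", 22),    # port has no finding: not an alert
]

def observed_peers(flows):
    """Distinct sources seen reaching each (destination, port)."""
    peers = defaultdict(set)
    for src, dst, port in flows:
        peers[(dst, port)].add(src)
    return peers

def exposure_scores(findings, flows):
    """(workload, port) -> (cvss, peer_count, exposure).
    exposure = cvss * (1 + distinct peers), so an unreached finding keeps
    its raw CVSS while a widely reachable one is weighted upwards."""
    peers = observed_peers(flows)
    return {
        key: (cvss, len(peers[key]), round(cvss * (1 + len(peers[key])), 1))
        for key, cvss in findings.items()
    }

def patch_order(findings, flows):
    """Findings ordered by exposure, highest first, rather than by CVSS alone."""
    scores = exposure_scores(findings, flows)
    return sorted(scores, key=lambda k: scores[k][2], reverse=True)

def vulnerable_port_alerts(findings, flows):
    """SOC alert lines for every flow landing on a port with a known finding."""
    return [f"ALERT {src} -> {dst}:{port} (CVSS {findings[(dst, port)]})"
            for src, dst, port in flows if (dst, port) in findings]

def ring_fence_allowlist(findings, flows):
    """Per vulnerable port, the observed peers to keep allowing while the
    service is isolated from everything else until the patch lands."""
    peers = observed_peers(flows)
    return {key: sorted(peers[key]) for key in findings}
```

Sorting the same findings by CVSS alone would put app-db-01 first and hr-web-02 last; weighting by observed reachability reverses that, and build-03, which nothing is seen talking to, drops to the bottom.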
As current global events and breach incidents have shown, tracking and understanding the reach of a threat, pre-emptive isolation, and ensuring controls are in place to “prevent” the spread or impact of an incident exploiting existing vulnerabilities in your data centre are vital, especially when the “cure” alternatives are challenging to get tested and applied in a timely fashion.
For more information on Illumio, check out how we’re helping optimise vulnerability management regimes and enabling security teams to get out from under the burden of the fundamentals.