CVE funding crisis offers chance for vulnerability remediation rethink

Automatic for the people: AI technologies could act as a temporary bridge for vulnerability triage, but not a replacement for a stable CVE system, according to experts consulted by CSO.

“Automation and AI-based tools can also enable real-time discovery of new vulnerabilities without over-relying on standard CVE timelines,” said Haris Pylarinos, founder and chief executive of cybersecurity training program Hack The Box. “Organizations that continue to be resilient are the ones that consider vulnerability management as an ongoing, multi-layered process underpinned by continuous threat exposure management, not a quick, single-source solution.”

Risk management: Rik Ferguson, vice president of security intelligence at cybersecurity vendor Forescout, warned that organizations relying principally or solely on the CVSS metric to prioritize their vulnerability remediation programs need to rethink their approach.

“Risk without context is just noise,” Ferguson told CSO. “Intelligence without relevance is just data.”

“Understanding third-party exposure is essential, but what’s often missing in these analyses is the operational context,” Ferguson added.

With so many vulnerabilities, assets, and suppliers in play, especially in environments that include OT, IoT, and medical devices, prioritization quickly becomes overwhelming. Vulnerability management has moved far beyond managing Microsoft’s Patch Tuesday updates, penetrative software, and network device security updates. Businesses also need to account for software a vendor hasn’t patched in six months, or the open-source component quietly sitting in production.

Ferguson said enterprises need not only a software asset inventory but also knowledge of every device, its role, and its criticality to mission or operations.

“If you are responsible for a hospital environment for example, you absolutely need to know which fridge stores the sandwiches and which one stores the blood or meds,” Ferguson explained. “That’s the level of precision security teams need to move from awareness to action.”

Countermeasures: Hack The Box’s Pylarinos agreed that detailed oversight of the hardware and software running within an organisation is essential before applying robust patch management processes, which remain a dull headache that won’t go away.

Following best practices for network security design is also important, because a foundationally secure architecture can reduce risk related to both known and unknown vulnerabilities. These best practices include measures such as strong network segmentation, least privilege access, and multi-factor authentication.

Pylarinos added: “There are several proactive steps that security teams can also take to mitigate vulnerabilities. If this news shows us anything, it’s the insecurity of relying solely on CVE data moving forward. CISA’s KEV [Known Exploited Vulnerabilities], vendor advisories, and private threat feeds, for example, can all be used to provide further context and a wider view of the vulnerability landscape.”

Pairing solid security fundamentals with active, real-time intelligence is enterprise security’s best bet.

“The integration of live threat intelligence, threat-informed training, and investment in internal penetration testing and threat modelling provides security teams with a more comprehensive overview of current threat levels and better identification of vulnerabilities,” Pylarinos concluded.
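To make the point in both sections concrete (Ferguson's "risk without context is just noise" and Pylarinos's advice to pair CVE data with CISA's KEV and an asset inventory), here is an added example of the two rankings side by side. It is not code from the CSO article, Forescout or Hack The Box. It reads a catalogue in the shape of CISA's KEV JSON feed (the `cveID` and `knownRansomwareCampaignUse` fields) and multiplies CVSS by asset criticality and by exploitation evidence. The assets, findings and catalogue entries are constructed sample data, the `CVE-0000-*` strings are placeholders rather than real CVE IDs, and the weights are an illustrative assumption, not a standard.

```python
"""Context-aware vulnerability prioritisation: a CVSS-only ranking beside one
that folds in KEV membership and asset criticality.

Added example for this page, not code from the CSO article, Forescout or
Hack The Box. All assets, findings and catalogue entries are constructed
sample data; the CVE-0000-* identifiers are placeholders, not real CVEs.
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    cve_id: str
    cvss: float  # CVSS base score, 0.0-10.0


# Constructed excerpt in the shape of CISA's KEV JSON feed (only the fields
# this example reads; the real feed carries many more per entry).
SAMPLE_KEV_JSON = json.dumps({
    "catalogVersion": "constructed-sample",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0002", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0003", "knownRansomwareCampaignUse": "Known"},
    ],
})

# Asset criticality 1 (nice to have) .. 5 (mission critical). The two fridge
# controllers mirror the sandwiches-versus-blood illustration in the article.
SAMPLE_ASSETS = {
    "cafeteria-fridge-controller": 1,
    "blood-bank-fridge-controller": 5,
    "ehr-app-server": 5,
    "dev-laptop": 2,
}

# Constructed scan results: high CVSS on unimportant assets, lower CVSS on
# critical ones that are actively exploited.
SAMPLE_FINDINGS = [
    Finding("cafeteria-fridge-controller", "CVE-0000-0001", 9.8),
    Finding("blood-bank-fridge-controller", "CVE-0000-0002", 7.2),
    Finding("ehr-app-server", "CVE-0000-0003", 6.5),
    Finding("dev-laptop", "CVE-0000-0004", 9.1),
]


def load_kev(kev_json: str) -> dict[str, bool]:
    """Map cveID -> True if KEV records known ransomware campaign use."""
    catalogue = json.loads(kev_json)
    return {
        entry["cveID"]: entry.get("knownRansomwareCampaignUse") == "Known"
        for entry in catalogue["vulnerabilities"]
    }


def exploitation_weight(cve_id: str, kev: dict[str, bool]) -> int:
    """1 = no exploitation evidence, 2 = listed in KEV, 3 = KEV plus
    ransomware use. Assumed weights for illustration only."""
    if cve_id not in kev:
        return 1
    return 3 if kev[cve_id] else 2


def cvss_only_priority(f: Finding) -> float:
    return f.cvss


def contextual_priority(f: Finding, assets: dict[str, int], kev: dict[str, bool]) -> float:
    """CVSS x asset criticality x exploitation evidence. An asset missing
    from the inventory is scored at top criticality: not knowing what a
    device is should raise its priority, not hide it."""
    criticality = assets.get(f.asset, 5)
    return f.cvss * criticality * exploitation_weight(f.cve_id, kev)


def rank(findings, key):
    """CVE IDs ordered from most to least urgent under the given scorer."""
    return [f.cve_id for f in sorted(findings, key=key, reverse=True)]


def rank_cvss_only(findings=SAMPLE_FINDINGS):
    return rank(findings, cvss_only_priority)


def rank_contextual(findings=SAMPLE_FINDINGS, assets=SAMPLE_ASSETS, kev_json=SAMPLE_KEV_JSON):
    kev = load_kev(kev_json)
    return rank(findings, lambda f: contextual_priority(f, assets, kev))


if __name__ == "__main__":
    print("CVSS only :", rank_cvss_only())
    print("contextual:", rank_contextual())
```

On the constructed data the two rankings invert: CVSS alone puts the cafeteria fridge and the developer laptop at the top, while the contextual score puts the actively exploited bugs on the EHR server and the blood-bank fridge first. The multiplicative form is deliberate: a 9.8 on an asset nobody depends on, with no exploitation evidence, should not outrank a 6.5 that ransomware crews are already using against a critical system.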

First seen on csoonline.com

Jump to article: www.csoonline.com/article/3980423/cve-funding-crisis-offers-chance-for-vulnerability-remediation-rethink.html
