In the time it takes for some companies to determine which vulnerabilities to patch, attackers will have already launched their malicious strike.
In cybersecurity, we see this all the time. A major company was breached through a vulnerability that had a patch available for over 6 months. The patch wasn’t applied due to internal process delays, competing priorities, and fear of system downtime. Unfortunately, the attacker exploited both the vulnerability and the delay in patching.
This type of scenario occurs more often than companies want to admit. Finding system weaknesses is just the beginning. When it comes to making those findings count, it’s not about how many vulnerabilities you have. It’s about acting on the right ones fast.
The Anatomy of a Breach
Breaches happen fast. Google Mandiant stated that the average Time-to-Exploit (TTE) dropped from 32 days to just five days. With these kinds of time constraints, organizations are more responsible than ever to find the vulnerabilities attackers are going after and fix them first. Here’s how those opportunities can fall through the cracks.
Timeline of Missed Opportunities
Here’s how it often goes:
Patch release date: A patch gets released (ideally on the day the vulnerability is made public). Up until this time, attackers with secret knowledge of the CVE have the full advantage, but it’s safe to say many are not aware until the patch comes out.
At this point, it’s like a starting gun for threat actors, who move into high gear to exploit those vulnerabilities before companies apply the fix. Unfortunately, these patch announcements do not garner the same attention within most organizations. These delays can prove fatal.
Internal process delays: On the organizations’ side, the announcement of a patch means a long and complex process is set into motion. Think approval cycles, garnering the right signatures, getting the right teams on board and available, scheduling teams when they can work, etcetera.
While attackers rush to the scene of the crime, many organizations treat patch releases more like scheduling a routine doctor’s visit than speeding out in an ambulance. This mentality needs to change.
Competing priorities and lack of clarity on risk: Next, many security teams will just add this patch to the lineup. With over 40,000 CVEs disclosed last year, it’s no wonder SOCs get overwhelmed and throw patches “in the pile.”
Who can blame them? Applying patches (especially by hand) requires every worker to shut down and restart their machine every time one rolls out. Could you imagine doing this 40,000 times per year — or explaining to higher-ups the operational cost?
The problem is that there is no sense of which CVEs are critically important (to your company’s safety), and which can be left on the back burner. Automated VM solutions can help assign this criticality, giving SOCs the guidance they need to go after the “big ones” first.
Breach execution: By this time, attackers have already made their move. While patches are waiting in committee, threat actors — not burdened by excessive oversight, chains of command, or approval structures — have moved quickly and decisively, closing in on gaping security holes. Even waiting a week can be too long; with an average TTE of just five days (and nearly 30 percent getting exploited within 24 hours), companies need a wake-up call.
Impact on the Organization
These breaches, made possible by waiting on the part of the enterprise, can cause disruptions to the business that undermine any value gained from putting off the patch. Those include:
Data loss: The obvious one. Threat actors use those first critical hours to infiltrate, exfiltrate, and possibly deliver a ransom note. Even after paying the ransom, many cybercriminal gangs will post the compromised data anyway, ruining reputations and damaging trust in the brand.
Service interruption: Consider the loss incurred by downed services and the inability to operate. No POS systems online in many cases (no sales), no ability to place orders (grocery store supply chain halts), no critical health services (as evidenced here), and more. With critical infrastructure like power, water, and transportation, service interruptions can get even uglier. All this for failure to patch.
Financial and reputational damage: All of these issues culminate in the obvious bottom-line busts: financial and reputational damage. More than half of US consumers would be unwilling to do business with an organization following a breach, and almost one in five SMBs risk going under following a cyberattack.
With the natural fallout that occurs after any breach goes public — especially an “easily preventable” one — organizations should consider the cost to benefit ratio of waiting to patch, or not getting their patching priorities together.
Why Everything Went Wrong
To be clear, these time-related data breaches didn’t happen because the organization was unprepared, unable to handle things, unaware of the danger, or somehow lacking in the skills necessary to apply the patch and protect its customers’ sensitive data.
And yet this is what the public may be prone to think when news of the data breach gets out. Or, even worse, the truth that the waiting game was played, coupled with confusion on where to strike first, could come out and reveal deep and systemic process errors that could end up looking just as bad.
Because of internal friction, fear of downtime, and unclear prioritization, breaches like the one in this “hypothetical” scenario are no stranger to headlines. Investing the time to address these problems, which are sure to pop up every time a patch does, will help companies allay the even bigger problems waiting down the road if they don’t.
The Role of Prioritization
This is exactly why prioritization in vulnerability management is absolutely essential. Most VM programs will produce a laundry list of CVEs to fix. However, risk-based VM solutions will systematically vet them, determine their risk to the enterprise, and assign criticality, prioritizing in a manner that is more relevant to the organization than the CVSS score.
Side Note: The comprehensive danger posed to the enterprise can only be further determined by incorporating offensive security measures. Penetration testing can reveal which vulnerabilities can be exploited to gain access, and red teaming can simulate the behavior of a malicious actor once they’ve gained access to your environments.
Sometimes, the most critical threats to an enterprise are things like excessive permissions, shadow IT, and even physical access. Either way, determining a prioritized approach ensures security resources are put in the right place at the right time.
Tools & Tactics
Security teams need swift and accurate ways to determine which vulnerabilities are most worthy of immediate attention. The following capabilities are key in a risk-based VM solution to help teams accelerate time-to-remediation for the weaknesses that matter:
Risk scoring: This functionality assesses how great of a risk each vulnerability brings into the company, based on the following:
How important the asset is to overall business objectives.
Whether or not it is actively being exploited in the wild (or if it is largely ignored).
How likely it is to be exploited (again, pen testing can provide this).
How big of an impact on overall business and operations its exploitation will cause.
Threat intel integration: By using a VM solution that incorporates advanced threat intelligence, teams can ensure that each vulnerability is assessed from a multi-point angle. It may be a CVE with a relatively low CVSS score, but one that is being widely exploited in the wider global community.
Understanding the criminal groups that are leveraging this weakness, and how they are doing so, could move remediation up in the calendar and decrease the chances of an impending attack.
Asset correlation: IP addresses and configurations change constantly in today’s dynamic environments. It’s important that your VM solution has built-in asset correlation to ensure consistent asset tracking and visibility.
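To make the risk-scoring and threat-intel points above concrete, here is a small, added example (not Fortra VM’s scoring model or anyone else’s code) that ranks findings by the four factors listed: asset importance, active exploitation in the wild, exploit likelihood, and business impact. The weights, the 1–5 scales, the field names and the sample findings are all assumptions constructed for illustration; the point it shows is that a low-CVSS finding that threat intel flags as actively exploited on a critical asset outranks a 9.8 on an isolated lab box, which is exactly the reordering a CVSS-only queue misses.

```python
"""Risk-based vulnerability ranking (illustrative example; weights and scales are assumptions)."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    finding_id: str          # scanner/tracker id (constructed placeholder, not a real CVE)
    cvss: float              # CVSS base score, 0-10
    asset_criticality: int   # 1 (disposable lab host) .. 5 (revenue-critical), assumed scale
    exploited_in_wild: bool  # flagged by a threat-intel / known-exploited feed
    exploit_likelihood: float  # 0-1, e.g. from pen-test results or exploit maturity (assumed)
    business_impact: int     # 1 .. 5, assumed scale


# Assumed weights: likelihood of exploitation counts most, raw CVSS counts least.
W_CVSS, W_ASSET, W_LIKELIHOOD, W_IMPACT = 0.15, 0.25, 0.40, 0.20


def risk_score(f: Finding) -> float:
    """Return a 0-100 risk score; active in-the-wild exploitation floors likelihood at 0.9."""
    likelihood = max(f.exploit_likelihood, 0.9) if f.exploited_in_wild else f.exploit_likelihood
    score = 100.0 * (
        W_CVSS * (f.cvss / 10.0)
        + W_ASSET * (f.asset_criticality / 5.0)
        + W_LIKELIHOOD * likelihood
        + W_IMPACT * (f.business_impact / 5.0)
    )
    return round(score, 1)


def prioritize(findings: List[Finding]) -> List[str]:
    """Ids ordered by risk score, highest first (the remediation queue)."""
    return [f.finding_id for f in sorted(findings, key=risk_score, reverse=True)]


def cvss_only_order(findings: List[Finding]) -> List[str]:
    """Ids ordered by raw CVSS, for comparison with the risk-based queue."""
    return [f.finding_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


# Constructed sample findings (placeholder ids, not real CVEs).
SAMPLE = [
    Finding("vuln-A", cvss=9.8, asset_criticality=1, exploited_in_wild=False,
            exploit_likelihood=0.2, business_impact=1),   # critical CVSS, isolated lab box
    Finding("vuln-B", cvss=6.0, asset_criticality=5, exploited_in_wild=True,
            exploit_likelihood=0.3, business_impact=5),   # medium CVSS, POS server, exploited in wild
    Finding("vuln-C", cvss=7.5, asset_criticality=3, exploited_in_wild=False,
            exploit_likelihood=0.5, business_impact=3),   # middle of the road
]

if __name__ == "__main__":
    for f in sorted(SAMPLE, key=risk_score, reverse=True):
        print(f"{f.finding_id}: risk={risk_score(f)} cvss={f.cvss}")
    print("risk-based queue:", prioritize(SAMPLE))
    print("cvss-only queue: ", cvss_only_order(SAMPLE))
```

The two queues disagree on what to fix first: by CVSS alone vuln-A goes to the top of the pile, while the risk-based order pulls vuln-B (actively exploited, on a critical asset) ahead of it. In a real program the `exploited_in_wild` flag and `exploit_likelihood` would be fed from the threat-intel and pen-test sources the article describes rather than typed in by hand.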
View the Ultimate Vulnerability Management Buyer’s Guide for more insight.
Outcome-Oriented Security
Lastly, in order to fully embrace the new approach, new expectations will need to be set and met — at the executive level, if need be.
Instead of judging success based on how many fixes were administered total, teams should think more in terms of how quickly the most high-impact vulnerabilities were able to be taken offline. This more accurately reflects total good to the enterprise, or how much true impact security efforts have made.
This is where Fortra VM’s Security GPA comes in. It offers a simple, human-readable security score ideal for communicating with executives and stakeholders.
Conclusion
In light of recent events, security leaders need to reassess their own vulnerability triage approach and see if it moves fast enough to outpace attackers. Attackers are not waiting on anything. Security teams can't afford to, either. By adopting smarter, risk-based remediation strategies, organizations can address exploitable security gaps before attackers ever get the chance.
Ready to play smarter?
Audit your vulnerability triage process and adopt automated VM today.