Bob Huber, Chief Security Officer, Tenable, addresses the impact of the media-fuelled hype that surrounds vulnerabilities on enterprise security efforts with reference to the Meltdown, Spectre and Apache Struts 2 vulnerabilities.
2018 was a year of headline vulnerabilities, a trend that continued through 2019 and into the beginning of 2020.
We saw ZombieLoad, RAMBleed and SPOILER all make headlines in 2019, and even 2018 vulnerabilities Meltdown and Spectre didn’t disappear, with enterprise teams fighting to put out the fires ignited by the discovery of new variants of them.
These types of high-profile vulnerabilities can implicate a wider range of stakeholders, including customers, partners and the C-suite who all want reassurance that an organisation is taking the necessary steps to mitigate the impact of critical vulnerabilities.
What we found with the Meltdown and Spectre chip-based vulnerabilities in 2018, and the new ones in 2019, is that security teams dropped everything to respond to these threats.
Yet, none of these vulnerabilities were exploited in the wild. Security teams were battling a new threat known as media-fuelled hype.
The media is tasked with finding and reporting stories of interest and has a duty to keep the public informed of potential vulnerabilities.
Simultaneously, security teams should not ignore the news surrounding vulnerabilities, especially those with a potentially high-level impact, such as Meltdown and Spectre.
It is evident that the level of attention given to these unexploited vulnerabilities by security teams was unprecedented. The threat was real, but the perceived risk was disproportionate to reality.
Security teams had the arduous task of responding to perceived rather than real risk. The result? Wasted time and budget. All of which could have been better spent on higher risk issues.
With in excess of 17,000 new Common Vulnerability and Exposure entries (CVEs) announced in 2019, security teams need to be able to determine which vulnerabilities exist within their infrastructure, the systems that are affected and the actual risk this poses to the business.
Finding and fixing everything is just untenable - not only are there not enough hours in the day, but with new vulnerabilities added daily, the list keeps growing.
Instead of wasting time fixing theoretical risks within the infrastructure, organisations need intelligence to prioritise those vulnerabilities that are being actively exploited by threat actors and take the necessary steps to remediate those vulnerabilities first.
CISOs and security professionals are the experts in these situations and act as counsellors to ensure organisations are making the best decisions based on their risk tolerance and business objectives.
Tenable recently interviewed a dozen CISOs, analysts and other security professionals who deal with vulnerability management to get their thoughts on the impact of newsworthy vulnerabilities.
What was evident from these conversations is that security professionals believe the top-down response to vulnerabilities can be disruptive. One participant referred to top-level responses as, “The classic forest fire. Someone hears something and then starts running and pointing.”
ln some instances, executives demanded systems to be fixed in 15 days despite vendors having not shipped patches yet. Interview participants noted the confusion and panic executives expressed over the risks of Meltdown and Spectre.
This resulted in security teams having to spend precious time and resources educating executives and pushing back against their demands.
In contrast, we’ve witnessed vulnerabilities that pose a greater risk to organisations, such as the Apache Struts 2 remote code execution vulnerability, receive a lower level of executive attention than Meltdown and Spectre.
This could have been a result of Struts 2 not being as novel as the hardware vulnerabilities and due to ‘vulnerability fatigue.’ However, in this case, the risk Struts 2 posed warranted a high-level executive response, and interestingly few organisations gave it that.
From listening to CISOs and security professionals discuss their concerns about the impact of media-fuelled hype, there are two key takeaways:
- Security Teams need to be prepared to manage perceived risk versus actual risk. Top-down pressure is not going anywhere and security teams need to be prepared to manage this. Quantifying and assessing the legitimate risk of a vulnerability is the first step security teams should take when determining the appropriate response. One suggestion is that organisations convene groups of technical experts who can determine the real impact of a vulnerability and develop an appropriate response.
- Communication is critical and needs to involve all stakeholders. Security teams and CISOs need to recognise that high-level executives typically do not have the technical knowledge required to understand the potential risk of a given vulnerability. Therefore, CISOs and security teams need to translate technical risk into business and real-world risk. Doing this will help to reduce the effect of perceived hype-built risk. CISOs and security teams should work towards building trust with top level executives and establishing an effective top-level response strategy to high profile vulnerabilities.
Headline vulnerabilities will continue to grab the attention of the c-suite, and it is clear we will continue to see perceived risk outweighing real risk in some cases.
But this should not mean that the top-down response to these headline-grabbing vulnerabilities creates greater problems for security teams than the vulnerabilities themselves.
It is critical that security teams take the time to manage perceived risk, particularly as headline vulnerabilities are unlikely to disappear. Doing this will enable security teams to focus on real rather than perceived risk.