Vulnerability Remediation is Broken
Security teams can offload at least 50% of their workload by using vulnerability patch prioritization, which can significantly improve security outcomes for organizations. This has been demonstrated in our recent research on asset context-aware vulnerability patch prioritization; the methodology and findings will be made available as an open-source project.
What you don’t know CAN hurt you.
So what is the problem? A lack of holistic lifecycle visibility, the dynamic nature of the Cloud, the speed of development, and the tendency to create fast-moving, highly autonomous teams more often than not lead to this situation. Organizations of any size will, over time, lose track of what is in the Cloud and of the relationships and interdependencies between resources. "No one knows what is in the Cloud" holds quite true. Cloud risk grows, because we simply cannot protect what we do not know about. The end result is that remediation is quite literally broken and Cloud risk goes unmanaged.
What's in the Cloud?
“No one knows what’s in the Cloud, especially your Cloud.”
As an industry, we have focused on the shiny new things, the best of breed, whatever is in the news, while neglecting the fundamentals: basic hygiene, asset management and tracking, and program management. The Cloud has aggravated this situation. The pace of deployments and the pressure to generate value quickly are so high that there is constant churn in most Cloud environments. Against that backdrop, most organizations struggle to answer basic questions like:
How many cloud applications and workloads do we have in the Cloud?
What is their business severity and risk? What data is processed by each?
Where are they deployed? When were they last updated?
What is the deployed architecture? Does it match the designed architecture? What was changed?
What is the relationship between deployed applications and the underlying infrastructure?
If I see a URL, can I track it back to my infrastructure and back to my code?
Democratize Security
Organizational, functional, and technology silos create partitions with unequal access to data, conversations, strategy, and team priorities, creating what some refer to as "chaos." It is not chaos, just business running at the speed of business. Teams often play catch-up with each other. There is an abundance of meetings to get everyone on the "same page." People often rely on personal connections across the organization to stay informed. It is not uncommon to be put in a difficult situation to meet unrealistic timelines that require heroic efforts; every organization has its proverbial "Brent" from The Phoenix Project. The result is over-reliance on human expertise and human connections, which frequently fail to match the speed of business.