It’s not a sexy, cutting-edge algorithm, but research shows comprehensive asset management is your best tool to mitigate the most commonly exploited vulnerabilities. A Joint Cybersecurity Advisory, authored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom’s National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI), presented the top 30 vulnerabilities routinely exploited in 2020. The importance of keeping software assets patched and compliant becomes abundantly clear.
This article will detail key findings from the joint advisory, discuss techniques to ensure you are tracking all of your software asset inventory, and ultimately highlight how enhanced visibility leads to faster remediation timelines. Our upcoming webinar on October 5th will provide a demo of how Uptycs simplifies software asset management.
The Top Routinely Exploited Vulnerabilities advisory revealed that four of the top 12 CVEs most commonly exploited in 2020 were disclosed during the year 2020. Given that many of these CVEs were disclosed in the middle of the year, attackers wasted no time adding these tools to their arsenal. Zooming out the timeline shows that all of the top 12 CVEs were disclosed within the previous three years, 2017-2020.Bluntly, this research shows that critical CVEs disclosed within the past few weeks are very likely to be exploited.
Bluntly, this research shows that critical CVEs disclosed within the past few weeks are very likely to be exploited.
If you are waiting more than six weeks to patch or update your systems, it’s too late. Organizations often have laborious patching cycles that take weeks to months. Extended patching cycles are ripe opportunities for attackers to take advantage of security gaps.
Effective asset management needs to be dynamic and reactive to today’s emerging threats. That’s why the industry standard 18 CIS Controls (formerly the SANS Top 20) prioritize software and hardware asset inventory as the two most important focus areas for your security practice, helping to create a continuous vulnerability management system.
What Gets Measured, Gets Done
Compared to traditional vendors with point-in-time tools, Uptycs provides a comprehensive unified platform to inventory and secure cloud, container, and traditional endpoint assets. With this single tool, you can gather real-time asset inventory and gain insight into what is happening in your organization’s environment.
Uptycs normalizes the stream of data from your assets into a database of easily queried SQL tables. Meaning whether you have a question on your container configurations, are performing a live audit of applications, or searching for information on a specific software package, the Uptycs platform can provide an immediate answer.
Start with a dashboard overview of your assets, then seamlessly drill down into in-depth insights on a single asset.
When combating emerging threats, the Uptycs platforms makes your team faster at analyzing, detecting, and taking action. Uptycs goes beyond visibility: you can configure the Uptycs platform to perform the heavy lifting for your team and get real-time insights for overclocked resources, security failures, and so much more.
Reconstruct historical configurations to understand the previous state of your posture. We store historical data for the previous 7, 30, or 90 days. Historical data becomes a powerful tool to determine risk over time and gives you the power to run queries looking at the real-time or previous states of your machines.
Breaking down how visibility can speed up the remediation lifecycle
In the context of emerging critical vulnerabilities, the Uptycs platform can turn a multi-month remediation and patching cycle into fractions of that time. Let’s break down a traditional vulnerability management cycle, then identify the areas where improved asset visibility relieves pressure from IT staff and allows for a faster remediation turnaround.
The traditional method of remediating software vulnerabilities:
- A new critical CVE emerges. The security team tends to be informed as new headline grabbing critical CVEs emerge, but this finding is related to a smaller vendor and so doesn’t get the same headlines as a Microsoft or large network infrastructure exploit.
- You have a traditional vulnerability scanning tool to capture a point-in-time analysis of all software on your assets where the agent is deployed. This scan causes a spike in resource utilization, so you can only run once daily or weekly. Your team is already understaffed and overworked, so you have a meeting to monitor scan results on a weekly or bi-weekly basis. You have alerts and a dashboard configured, but the backlog of CVEs to be remediated makes the noise drown out the new findings from stirring any news in your channel.
- A week has passed, your team sees the new finding. It appears relevant but the prioritization it deserves is unclear. The team decides to raise it as an item to be discussed in the upcoming meeting.
- The finding is brought up in the bi-weekly meeting. Questions arise such as: What assets are running this software? Who maintains the assets this software is running on? Who has the bandwidth to take this up? How bad does the finding appear? Is it on internet-facing assets? If so, how many? Are those assets carrying any sensitive data? In fact, is there a list of all the assets this software is running on? Lets connect with the Dev or Ops team and understand how changing the configuration or upgrading might affect the current stable build.
- It takes a couple more days to get the full picture of where this software is running, what the assets it's running on are using it for, and exposure these assets have to the internet. Two weeks after being released, the team finally determines that this finding is present and relevant to their environment.
- Your team begins the remediation phase. Despite the urgency of this finding, you have business-critical production operations that can’t be interrupted. You will need a multi-week to multi-month process to go through the steps of implementing a fix in the lowest testing environment to monitor for performance impact. Then after ensuring it is stable in testing environments, you will look into moving it into progressively higher environments up to production.
- Finally, after this multi-month cycle comes to an end with a production fix, you have successfully mitigated the new CVE through upgrading or re-configuring your assets as recommended.
In this scenario, you can see how much time elapses between the CVE being published, becoming noticed internally, understanding the full picture, getting the fix prioritized, and getting the fix implemented and tested. Though hopefully all the steps above may not perfectly reflect your own company's current practices, the key here is what Uptycs can do to reduce time taken to achieve the phases of 1) understanding the full picture and 2) implementing the fix with confidence. Uptycs can help you to quickly answer the questions of scope and priority, and also provide visibility into the operational impact of any patch or upgrade.
Though hopefully all the steps above may not perfectly reflect your own company's current practices, the key here is what Uptycs can do to reduce time taken to achieve the phases of 1) understanding the full picture and 2) implementing the fix with confidence.
Enhanced visibility and insight lets teams immediately understand the full picture and answer key questions around asset ownership, data sensitivity, and ultimately prioritization. Traditional methods over rely on cross-team communication or key individuals. With Uptycs single pane of glass, security teams quickly assess their entire fleet to filter down in real-time into what assets are the highest priority.
During the remediation phase, implementing a fix takes time as you monitor and incrementally roll out patches or updated configurations. These delays give more time for attackers to infiltrate your environment and extract sensitive data. Uptycs security analytics comprehensively monitors the performance of your assets by using normalized data spanning over 275 unique tables, reducing the time needed to confidently validate a fix and roll out updates to your entire fleet.
No one can predict what the next threat will look like, but we can prepare our teams with the best tools and processes to react confidently against any type of CVE. With Uptycs unique insights and real-time asset management, arm your team to be ready for tomorrow’s threats.
Want to learn more about vulnerability management? Click here to check out Jeremy's talk.